Tencent Cloud Message Queue TDMQ for CKafka provides a complete enterprise-grade security protection system. Through root/sub-account management and strict authorization and authentication mechanisms, it builds multi-level, comprehensive protection so that every step of message transmission is reliably protected and data security is fully guaranteed.
Account-Level Permission
Through Cloud Access Management (CAM) features such as the root account, sub-accounts, and collaborators, it enables authorization between a root account and its sub-accounts as well as across organizational accounts. At the same time, API calls to cloud resources can be controlled through the account's Access Key Management.
Identity Verification
CKafka resources can be accessed via the console or via TencentCloud API calls; both ways require identity authentication before the corresponding resource can be accessed.
Log in to the console: A login password is required for verification. Login protection and login verification policies are also available to further strengthen authentication. For details, see change login password, set up login protection, and set login verification method.
Call TencentCloud API: An access key (AccessKey) is required for verification. The access key consists of a SecretId and a SecretKey and serves as the secure credential for identity verification when a user accesses the Tencent Cloud API. For details, see Access Key Management.
Access Control
By using the CAM (Cloud Access Management) service, you can perform fine-grained permission management for CKafka resources at the account level.
User and permission management: Based on the enterprise's organizational structure, create independent users or roles for members of different functional departments and allocate exclusive security credentials (console login password, cloud API key, etc.) or temporary credentials, so that access to CKafka resources is secure and controllable.
Fine-grained access control: Set differentiated access policies according to employees' functions to precisely control the operations each user/role can perform and the scope of resources it can access, achieving strict permission isolation.
CKafka Resource-Level Permission
CKafka provides two layers of protection through SASL authentication and ACL access control. SASL verifies the user's identity, while ACLs control Topic read/write permissions at a granular level, achieving fine-grained resource-level access isolation.
Identity Verification
SASL is a security protocol for identity verification and supports two authentication mechanisms:
PLAIN mechanism: Performs a simple check of the username and password, which are transmitted in plaintext.
SCRAM mechanism: The server and client use a hash algorithm to verify the username and password, so the credentials are not exchanged in plaintext. CKafka supports two hash algorithms of different strengths: SCRAM-SHA-256 and SCRAM-SHA-512.
CKafka authenticates clients with the SASL protocol. After SASL authentication is enabled, only authenticated users can access CKafka resources.
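To make the PLAIN/SCRAM difference concrete, the following standard-library Python models a SCRAM-SHA-256 exchange (RFC 5802/7677) between a client and a broker: the broker stores only derived keys, the password never appears on the wire, and each side verifies the other. This is an added illustration, not code from the CKafka documentation or SDKs; the username, password and iteration count are constructed sample values, and switching HASH to "sha512" gives the SCRAM-SHA-512 variant.

```python
import base64
import hashlib
import hmac
import os

HASH = "sha256"  # SCRAM-SHA-256; CKafka also offers SCRAM-SHA-512 (use "sha512")
def _h(data: bytes) -> bytes:
    return hashlib.new(HASH, data).digest()

def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, HASH).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def server_store_credential(password: str, iterations: int = 4096) -> dict:
    # What the broker keeps for a SCRAM user: salt, iteration count, StoredKey,
    # ServerKey. The cleartext password itself is never stored.
    salt = os.urandom(16)
    salted = hashlib.pbkdf2_hmac(HASH, password.encode(), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    return {"salt": salt, "iterations": iterations, "stored_key": _h(client_key),
            "server_key": _hmac(salted, b"Server Key")}

def scram_exchange(user: str, password: str, cred: dict) -> dict:
    # Four SCRAM messages between a client that knows `password` and a broker
    # that holds `cred`; returns the wire messages and both verification results.
    c_nonce = base64.b64encode(os.urandom(12)).decode()
    client_first_bare = f"n={user},r={c_nonce}"
    s_nonce = c_nonce + base64.b64encode(os.urandom(12)).decode()
    server_first = (f"r={s_nonce},s={base64.b64encode(cred['salt']).decode()},"
                    f"i={cred['iterations']}")
    client_final_bare = f"c=biws,r={s_nonce}"
    auth_message = f"{client_first_bare},{server_first},{client_final_bare}".encode()
    # Client: derive keys from password + broker salt; proof = ClientKey XOR ClientSignature.
    salted = hashlib.pbkdf2_hmac(HASH, password.encode(), cred["salt"], cred["iterations"])
    client_key = _hmac(salted, b"Client Key")
    proof = _xor(client_key, _hmac(_h(client_key), auth_message))
    client_final = f"{client_final_bare},p={base64.b64encode(proof).decode()}"
    # Broker: recover ClientKey from the proof and compare its hash with StoredKey.
    recovered_key = _xor(proof, _hmac(cred["stored_key"], auth_message))
    client_ok = hmac.compare_digest(_h(recovered_key), cred["stored_key"])
    # Broker proves it holds ServerKey; the client checks against its own derivation.
    server_sig = _hmac(cred["server_key"], auth_message)
    server_final = f"v={base64.b64encode(server_sig).decode()}"
    server_ok = client_ok and hmac.compare_digest(
        server_sig, _hmac(_hmac(salted, b"Server Key"), auth_message))
    return {"wire": [client_first_bare, server_first, client_final, server_final],
            "client_ok": client_ok, "server_ok": server_ok}
```

With PLAIN, by contrast, the client's only message would carry the username and password themselves, so the transport (TLS) is the sole thing protecting them.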
Access Control
The ACL (Access Control List) policy provides user access control at the resource level. In the console, you configure users and policies such as: allow/deny a user to read/write a Topic resource from a given IP. By combining the "user + policy" double restriction, ACLs implement Topic-level production/consumption permission isolation and strengthen user access control over both public network and private network connections. For a detailed introduction and operation instructions, see Configure ACL policy.