RBAC Access Control

AutoMQ supports role-based access control (RBAC), which provides fine-grained permission management so that member accounts and service accounts access only the resources they need, following the principle of least privilege. With RBAC, environment administrators can manage and control access to AutoMQ resources effectively, keeping the system secure and stable.

How RBAC Works

The core idea of RBAC is to bind built-in roles to member accounts and service accounts. Each role carries a predefined set of permissions, and those permissions determine which operations the account may perform. This lets administrators assign and manage permissions flexibly while ensuring that users can only access and operate on the resources they have been authorized for.

Appendix: Built-in System Roles

AutoMQ provides a set of built-in roles, each corresponding to a different permission level, to cover the permission needs of different scenarios. The built-in roles supported by AutoMQ and the actions each one grants are listed below.

Each entry gives the role, its description and scope (permissions and applicable scenarios), and the list of actions it grants.

Role: InstanceViewer
  • Role description: Instance viewer role
  • Scope: Read-only access to the specified instances within the environment (excluding message viewing).
  • Actions:
    Instance:ListInstances
    Instance:GetInstance
    Instance:GetInstanceMetadata
    Instance:ListInstanceACLPolicies
    Instance:ListInstanceACLUsers
    ConsumerGroup:ListConsumerGroups
    ConsumerGroup:GetConsumerGroup
    Topic:GetTopic
    Topic:ListTopics
    Profile:GetDeployProfile
    Profile:ListDeployProfiles
    KafkaLinking:ListKafkaLinks
    KafkaLinking:GetKafkaLink

Role: InstanceDeveloper
  • Role description: Instance developer role
  • Scope: View access to the specified instances within the environment, plus management of resources inside those instances such as Topics and Groups. Instance developers cannot reconfigure, upgrade, or otherwise change the instance itself.
  • Actions:
    Instance:GetInstance
    Instance:ListInstances
    Instance:ListInstanceACLPolicies
    Instance:CreateInstanceACLPolicy
    Instance:DeleteInstanceACLPolicy
    Instance:GetInstanceMetadata
    Instance:ListInstanceACLUsers
    Instance:CreateInstanceACLUser
    Instance:DeleteInstanceACLUser
    ConsumerGroup:ListConsumerGroups
    ConsumerGroup:CreateConsumerGroup
    ConsumerGroup:GetConsumerGroup
    ConsumerGroup:UpdateConsumerGroup
    ConsumerGroup:DeleteConsumerGroup
    Topic:ListTopics
    Topic:CreateTopic
    Topic:GetTopic
    Topic:DeleteTopic
    Topic:UpdateTopic
    Topic:CreateMessage
    Profile:GetDeployProfile
    Profile:ListDeployProfiles
    Environment:GetMessage

Role: InstanceAdmin
  • Role description: Instance administrator role
  • Scope: View, modify, delete, and similar permissions on the specified instances within the environment.
  • Actions:
    Instance:GetInstance
    Instance:ListInstances
    Instance:UpdateInstance
    Instance:GetInstanceMetadata
    Instance:DeleteInstance
    Instance:UpdateInstanceIntegration
    Instance:ListInstanceACLUsers
    Instance:CreateInstanceACLUser
    Instance:DeleteInstanceACLUser
    Instance:ListInstanceACLPolicies
    Instance:CreateInstanceACLPolicy
    Instance:DeleteInstanceACLPolicy
    ConsumerGroup:ListConsumerGroups
    ConsumerGroup:CreateConsumerGroup
    ConsumerGroup:GetConsumerGroup
    ConsumerGroup:UpdateConsumerGroup
    ConsumerGroup:DeleteConsumerGroup
    Topic:CreateTopic
    Topic:GetTopic
    Topic:DeleteTopic
    Topic:UpdateTopic
    Topic:ListTopics
    Topic:CreateMessage
    Profile:GetDeployProfile
    Profile:ListDeployProfiles
    Environment:GetMessage
    Integration:ListIntegrations
    Integration:ListIntegrationTypes
    KafkaLinking:CreateKafkaLink
    KafkaLinking:ListKafkaLinks
    KafkaLinking:GetKafkaLink
    KafkaLinking:DeleteKafkaLink

Role: IntegrationAdmin
  • Role description: Integration administrator role
  • Scope: View, edit, and similar permissions on the specified integrations within the environment.
  • Actions:
    Integration:UpdateInstanceIntegration
    Integration:ListIntegrations
    Integration:GetIntegration
    Integration:UpdateIntegration
    Integration:DeleteIntegration
    Integration:ListIntegrationTypes
    Profile:ListDeployProfiles
    Profile:GetDeployProfile

Role: EnvironmentViewer
  • Role description: Environment read-only member role
  • Scope: Read permissions on instance resources within the environment; cannot manage the environment or other members (excluding message viewing):
    • View instances
    • View integrations
  • Actions:
    Instance:GetInstance
    Instance:ListInstances
    Instance:ListInstanceACLPolicies
    Instance:GetInstanceMetadata
    Instance:ListInstanceACLUsers
    ConsumerGroup:ListConsumerGroups
    ConsumerGroup:GetConsumerGroup
    Topic:ListTopics
    Topic:GetTopic
    Integration:ListIntegrations
    Integration:GetIntegration
    Integration:ListIntegrationTypes
    Migration:ListMigrations
    Migration:GetMigration
    Profile:ListDeployProfiles
    Profile:GetDeployProfile
    Environment:ListProductVersions
    Environment:ListProviders
    Environment:ListRegions
    Environment:ListZones
    Environment:ListSubnets
    Environment:ListNodeGroups
    Environment:GetNodeGroup
    Environment:GetEnvironment
    KafkaLinking:ListKafkaLinks
    KafkaLinking:GetKafkaLink

Role: EnvironmentOperator
  • Role description: Environment operator member role
  • Scope: Write permissions on instance resources within the environment; cannot manage the environment or other members:
    • Integration management
    • Instance management
  • Actions:
    Instance:GetInstance
    Instance:ListInstances
    Instance:ListInstanceACLPolicies
    Instance:CreateInstanceACLPolicy
    Instance:DeleteInstanceACLPolicy
    Instance:CreateInstance
    Instance:UpdateInstance
    Instance:DeleteInstance
    Instance:GetInstanceMetadata
    Instance:UpdateInstanceIntegration
    Instance:ListInstanceACLUsers
    Instance:CreateInstanceACLUser
    Instance:DeleteInstanceACLUser
    Topic:ListTopics
    Topic:CreateTopic
    Topic:GetTopic
    Topic:DeleteTopic
    Topic:UpdateTopic
    Topic:CreateMessage
    ConsumerGroup:ListConsumerGroups
    ConsumerGroup:CreateConsumerGroup
    ConsumerGroup:GetConsumerGroup
    ConsumerGroup:UpdateConsumerGroup
    ConsumerGroup:DeleteConsumerGroup
    Integration:ListIntegrations
    Integration:CreateIntegration
    Integration:GetIntegration
    Integration:UpdateIntegration
    Integration:DeleteIntegration
    Integration:ListIntegrationTypes
    Migration:CreateMigration
    Migration:UpdateMigration
    Migration:ListMigrations
    Migration:GetMigration
    Migration:DeleteMigration
    Profile:ListDeployProfiles
    Profile:GetDeployProfile
    Profile:CreateDeployProfile
    Profile:UpdateDeployProfile
    Profile:DeleteDeployProfile
    Environment:CreateProductVersion
    Environment:GetDeploymentOrder
    Environment:ListProductVersions
    Environment:ListProviders
    Environment:ListRegions
    Environment:ListZones
    Environment:ListSubnets
    Environment:ListNodeGroups
    Environment:GetNodeGroup
    Environment:GetMessage
    Environment:DeleteEndPoint
    Environment:CreateEndPoint
    KafkaLinking:CreateKafkaLink
    KafkaLinking:ListKafkaLinks
    KafkaLinking:GetKafkaLink
    KafkaLinking:DeleteKafkaLink

Role: EnvironmentAdmin
  • Role description: Environment administrator role
  • Scope: Permission to operate on all resources within the environment, including but not limited to:
    • Member management
    • Integration management
    • Instance management
  • Actions: All

Using the built-in roles and their action lists, administrators can manage access to the AutoMQ console flexibly while keeping the system secure and efficient.
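The following is an added example, not AutoMQ's own code: given the actions a member or service account actually needs, it selects the least-privileged built-in instance role from the appendix and lists what a broader binding would grant in excess. It covers only the three instance-scoped roles, with their action sets transcribed from the table above; the containment check also shows that InstanceViewer is not a subset of InstanceDeveloper, because only the viewer carries the KafkaLinking read actions.

```python
from typing import Dict, FrozenSet, Iterable, List

def _actions(spec: str) -> FrozenSet[str]:
    return frozenset(spec.split())

# Instance-scoped built-in roles, transcribed from the appendix table above.
INSTANCE_ROLES: Dict[str, FrozenSet[str]] = {
    "InstanceViewer": _actions("""
        Instance:ListInstances Instance:GetInstance Instance:GetInstanceMetadata
        Instance:ListInstanceACLPolicies Instance:ListInstanceACLUsers ConsumerGroup:ListConsumerGroups
        ConsumerGroup:GetConsumerGroup Topic:GetTopic Topic:ListTopics Profile:GetDeployProfile
        Profile:ListDeployProfiles KafkaLinking:ListKafkaLinks KafkaLinking:GetKafkaLink"""),
    "InstanceDeveloper": _actions("""
        Instance:GetInstance Instance:ListInstances Instance:ListInstanceACLPolicies
        Instance:CreateInstanceACLPolicy Instance:DeleteInstanceACLPolicy Instance:GetInstanceMetadata
        Instance:ListInstanceACLUsers Instance:CreateInstanceACLUser Instance:DeleteInstanceACLUser
        ConsumerGroup:ListConsumerGroups ConsumerGroup:CreateConsumerGroup ConsumerGroup:GetConsumerGroup
        ConsumerGroup:UpdateConsumerGroup ConsumerGroup:DeleteConsumerGroup Topic:ListTopics
        Topic:CreateTopic Topic:GetTopic Topic:DeleteTopic Topic:UpdateTopic Topic:CreateMessage
        Profile:GetDeployProfile Profile:ListDeployProfiles Environment:GetMessage"""),
    "InstanceAdmin": _actions("""
        Instance:GetInstance Instance:ListInstances Instance:UpdateInstance Instance:GetInstanceMetadata
        Instance:DeleteInstance Instance:UpdateInstanceIntegration Instance:ListInstanceACLUsers
        Instance:CreateInstanceACLUser Instance:DeleteInstanceACLUser Instance:ListInstanceACLPolicies
        Instance:CreateInstanceACLPolicy Instance:DeleteInstanceACLPolicy ConsumerGroup:ListConsumerGroups
        ConsumerGroup:CreateConsumerGroup ConsumerGroup:GetConsumerGroup ConsumerGroup:UpdateConsumerGroup
        ConsumerGroup:DeleteConsumerGroup Topic:CreateTopic Topic:GetTopic Topic:DeleteTopic
        Topic:UpdateTopic Topic:ListTopics Topic:CreateMessage Profile:GetDeployProfile
        Profile:ListDeployProfiles Environment:GetMessage Integration:ListIntegrations
        Integration:ListIntegrationTypes KafkaLinking:CreateKafkaLink KafkaLinking:ListKafkaLinks
        KafkaLinking:GetKafkaLink KafkaLinking:DeleteKafkaLink"""),
}

def covering_roles(required: Iterable[str]) -> List[str]:
    """Roles whose action set contains every required action, in table order."""
    need = frozenset(required)
    return [r for r, acts in INSTANCE_ROLES.items() if need <= acts]

def least_privileged_roles(required: Iterable[str]) -> List[str]:
    """Covering roles that are minimal by containment (no other covering role is a strict subset)."""
    cov = covering_roles(required)
    return [r for r in cov if not any(INSTANCE_ROLES[o] < INSTANCE_ROLES[r] for o in cov if o != r)]

def excess_actions(role: str, required: Iterable[str]) -> List[str]:
    """Actions a binding to `role` grants beyond what is required: the least-privilege gap to review."""
    return sorted(INSTANCE_ROLES[role] - frozenset(required))
```

A read-only need that includes Kafka link lookups resolves to InstanceViewer, while adding a single write action such as Topic:CreateTopic to that need can only be met by InstanceAdmin, because InstanceDeveloper has no KafkaLinking actions.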