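RBAC Access Control
AutoMQ supports role-based access control (RBAC), providing fine-grained permission management so that member accounts and service accounts access the resources they need under the principle of least privilege. With RBAC, environment administrators can effectively manage and control access to AutoMQ resources, ensuring the security and stability of the system.
How RBAC Works
The core principle of RBAC is binding preset roles to member accounts and service accounts. Each role contains a set of predefined permissions, and these permissions determine which operations an account can perform. In this way, administrators can flexibly assign and manage permissions, ensuring that users can only access and operate on the resources they are authorized for.
Appendix: List of System Preset Roles
AutoMQ provides a set of built-in roles, each corresponding to a different permission level, to meet permission needs in different scenarios. The built-in roles supported by AutoMQ and their action lists are as follows: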
| Role | Action | Permissions and applicable scenarios |
|---|---|---|
| InstanceViewer | Instance:ListInstances | |
| | Instance:GetInstance | |
| | Instance:GetInstanceMetadata | |
| | Instance:ListInstanceACLPolicies | |
| | Instance:ListInstanceACLUsers | |
| | ConsumerGroup:ListConsumerGroups | |
| | ConsumerGroup:GetConsumerGroup | |
| | Topic:GetTopic | |
| | Topic:ListTopics | |
| | Profile:GetDeployProfile | |
| | Profile:ListDeployProfiles | |
| | KafkaLinking:ListKafkaLinks | |
| | KafkaLinking:GetKafkaLink | |
| InstanceDeveloper | Instance:GetInstance | |
| | Instance:ListInstances | |
| | Instance:ListInstanceACLPolicies | |
| | Instance:CreateInstanceACLPolicy | |
| | Instance:DeleteInstanceACLPolicy | |
| | Instance:GetInstanceMetadata | |
| | Instance:ListInstanceACLUsers | |
| | Instance:CreateInstanceACLUser | |
| | Instance:DeleteInstanceACLUser | |
| | ConsumerGroup:ListConsumerGroups | |
| | ConsumerGroup:CreateConsumerGroup | |
| | ConsumerGroup:GetConsumerGroup | |
| | ConsumerGroup:UpdateConsumerGroup | |
| | ConsumerGroup:DeleteConsumerGroup | |
| | Topic:ListTopics | |
| | Topic:CreateTopic | |
| | Topic:GetTopic | |
| | Topic:DeleteTopic | |
| | Topic:UpdateTopic | |
| | Topic:CreateMessage | |
| | Profile:GetDeployProfile | |
| | Profile:ListDeployProfiles | |
| | Environment:GetMessage | |
| InstanceAdmin | Instance:GetInstance | |
| | Instance:ListInstances | |
| | Instance:UpdateInstance | |
| | Instance:GetInstanceMetadata | |
| | Instance:DeleteInstance | |
| | Instance:UpdateInstanceIntegration | |
| | Instance:ListInstanceACLUsers | |
| | Instance:CreateInstanceACLUser | |
| | Instance:DeleteInstanceACLUser | |
| | Instance:ListInstanceACLPolicies | |
| | Instance:CreateInstanceACLPolicy | |
| | Instance:DeleteInstanceACLPolicy | |
| | ConsumerGroup:ListConsumerGroups | |
| | ConsumerGroup:CreateConsumerGroup | |
| | ConsumerGroup:GetConsumerGroup | |
| | ConsumerGroup:UpdateConsumerGroup | |
| | ConsumerGroup:DeleteConsumerGroup | |
| | Topic:CreateTopic | |
| | Topic:GetTopic | |
| | Topic:DeleteTopic | |
| | Topic:UpdateTopic | |
| | Topic:ListTopics | |
| | Topic:CreateMessage | |
| | Profile:GetDeployProfile | |
| | Profile:ListDeployProfiles | |
| | Environment:GetMessage | |
| | Integration:ListIntegrations | |
| | Integration:ListIntegrationTypes | |
| | KafkaLinking:CreateKafkaLink | |
| | KafkaLinking:ListKafkaLinks | |
| | KafkaLinking:GetKafkaLink | |
| | KafkaLinking:DeleteKafkaLink | |
| IntegrationAdmin | Integration:UpdateInstanceIntegration | |
| | Integration:ListIntegrations | |
| | Integration:GetIntegration | |
| | Integration:UpdateIntegration | |
| | Integration:DeleteIntegration | |
| | Integration:ListIntegrationTypes | |
| | Profile:ListDeployProfiles | |
| | Profile:GetDeployProfile | |
| EnvironmentViewer | Instance:GetInstance | |
| | Instance:ListInstances | |
| | Instance:ListInstanceACLPolicies | |
| | Instance:GetInstanceMetadata | |
| | Instance:ListInstanceACLUsers | |
| | ConsumerGroup:ListConsumerGroups | |
| | ConsumerGroup:GetConsumerGroup | |
| | Topic:ListTopics | |
| | Topic:GetTopic | |
| | Integration:ListIntegrations | |
| | Integration:GetIntegration | |
| | Integration:ListIntegrationTypes | |
| | Migration:ListMigrations | |
| | Migration:GetMigration | |
| | Profile:ListDeployProfiles | |
| | Profile:GetDeployProfile | |
| | Environment:ListProductVersions | |
| | Environment:ListProviders | |
| | Environment:ListRegions | |
| | Environment:ListZones | |
| | Environment:ListSubnets | |
| | Environment:ListNodeGroups | |
| | Environment:GetNodeGroup | |
| | Environment:GetEnvironment | |
| | KafkaLinking:ListKafkaLinks | |
| | KafkaLinking:GetKafkaLink | |
| EnvironmentOperator | Instance:GetInstance | |
| | Instance:ListInstances | |
| | Instance:ListInstanceACLPolicies | |
| | Instance:CreateInstanceACLPolicy | |
| | Instance:DeleteInstanceACLPolicy | |
| | Instance:CreateInstance | |
| | Instance:UpdateInstance | |
| | Instance:DeleteInstance | |
| | Instance:GetInstanceMetadata | |
| | Instance:UpdateInstanceIntegration | |
| | Instance:ListInstanceACLUsers | |
| | Instance:CreateInstanceACLUser | |
| | Instance:DeleteInstanceACLUser | |
| | Topic:ListTopics | |
| | Topic:CreateTopic | |
| | Topic:GetTopic | |
| | Topic:DeleteTopic | |
| | Topic:UpdateTopic | |
| | Topic:CreateMessage | |
| | ConsumerGroup:ListConsumerGroups | |
| | ConsumerGroup:CreateConsumerGroup | |
| | ConsumerGroup:GetConsumerGroup | |
| | ConsumerGroup:UpdateConsumerGroup | |
| | ConsumerGroup:DeleteConsumerGroup | |
| | Integration:ListIntegrations | |
| | Integration:CreateIntegration | |
| | Integration:GetIntegration | |
| | Integration:UpdateIntegration | |
| | Integration:DeleteIntegration | |
| | Integration:ListIntegrationTypes | |
| | Migration:CreateMigration | |
| | Migration:UpdateMigration | |
| | Migration:ListMigrations | |
| | Migration:GetMigration | |
| | Migration:DeleteMigration | |
| | Profile:ListDeployProfiles | |
| | Profile:GetDeployProfile | |
| | Profile:CreateDeployProfile | |
| | Profile:UpdateDeployProfile | |
| | Profile:DeleteDeployProfile | |
| | Environment:CreateProductVersion | |
| | Environment:GetDeploymentOrder | |
| | Environment:ListProductVersions | |
| | Environment:ListProviders | |
| | Environment:ListRegions | |
| | Environment:ListZones | |
| | Environment:ListSubnets | |
| | Environment:ListNodeGroups | |
| | Environment:GetNodeGroup | |
| | Environment:GetMessage | |
| | Environment:DeleteEndPoint | |
| | Environment:CreateEndPoint | |
| | KafkaLinking:CreateKafkaLink | |
| | KafkaLinking:ListKafkaLinks | |
| | KafkaLinking:GetKafkaLink | |
| | KafkaLinking:DeleteKafkaLink | |
| EnvironmentAdmin | All | |
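With the built-in roles and action lists, administrators can flexibly manage access to the AutoMQ console, ensuring the security and efficiency of the system.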
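
An added example (not AutoMQ code and not its API) that models the role-to-action binding described above with an excerpt of the role table: a default-deny permission check and a helper that picks the narrowest single role for a set of required actions. The `ROLES` dict, the `ALL` marker and the function names are assumptions made for illustration.

```python
ALL = "*"  # assumed marker for the table's "All" entry of EnvironmentAdmin

def acts(spec):
    """Expand {"Topic": "GetTopic ListTopics"} into {"Topic:GetTopic", ...}."""
    return {f"{res}:{name}" for res, names in spec.items() for name in names.split()}

# Excerpt of the built-in role table on this page (four of the listed roles).
ROLES = {
    "InstanceViewer": acts({
        "Instance": "ListInstances GetInstance GetInstanceMetadata "
                    "ListInstanceACLPolicies ListInstanceACLUsers",
        "ConsumerGroup": "ListConsumerGroups GetConsumerGroup",
        "Topic": "GetTopic ListTopics",
        "Profile": "GetDeployProfile ListDeployProfiles",
        "KafkaLinking": "ListKafkaLinks GetKafkaLink"}),
    "InstanceDeveloper": acts({
        "Instance": "GetInstance ListInstances GetInstanceMetadata "
                    "ListInstanceACLPolicies CreateInstanceACLPolicy "
                    "DeleteInstanceACLPolicy ListInstanceACLUsers "
                    "CreateInstanceACLUser DeleteInstanceACLUser",
        "ConsumerGroup": "ListConsumerGroups CreateConsumerGroup GetConsumerGroup "
                         "UpdateConsumerGroup DeleteConsumerGroup",
        "Topic": "ListTopics CreateTopic GetTopic DeleteTopic UpdateTopic CreateMessage",
        "Profile": "GetDeployProfile ListDeployProfiles",
        "Environment": "GetMessage"}),
    "IntegrationAdmin": acts({
        "Integration": "UpdateInstanceIntegration ListIntegrations GetIntegration "
                       "UpdateIntegration DeleteIntegration ListIntegrationTypes",
        "Profile": "ListDeployProfiles GetDeployProfile"}),
    "EnvironmentAdmin": {ALL},
}

def is_allowed(bound_roles, action):
    """Default deny: allow only if a bound role lists the action or grants All.
    Unknown role names contribute no permissions."""
    granted = set().union(*(ROLES.get(r, set()) for r in bound_roles))
    return ALL in granted or action in granted

def least_privileged_role(required):
    """Return the single role that covers `required` with the fewest actions,
    or None. EnvironmentAdmin is skipped on purpose: it always covers the
    request, so it must never be the automatic answer."""
    fits = [(len(a), r) for r, a in ROLES.items() if ALL not in a and required <= a]
    return min(fits)[1] if fits else None
```

As listed in the table, InstanceDeveloper does not include the KafkaLinking read actions that InstanceViewer has, so the role names do not form a strict hierarchy. A request that needs both `Topic:CreateTopic` and `KafkaLinking:GetKafkaLink` therefore has no single covering role in this excerpt and calls for a second binding or a broader role from the full table.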