RBAC 权限控制
AutoMQ 支持基于角色的访问控制 (RBAC),提供细粒度的权限管理,确保成员账户和服务账户能够以最小权限原则访问所需资源。通过 RBAC,环境管理员可以有效地管理和控制对 AutoMQ 资源的访问权限,确保系统的安全性和稳定性。
RBAC 原理
RBAC 的核心原理是将预置角色绑定到成员账户和服务账户上。每个角色包含一组预定义的权限,这些权限决定了账户可以执行的操作。通过这种方式,管理员可以灵活地分配和管理权限,确保用户只能访问和操作他们被授权的资源。
附录:系统预置角色列表
AutoMQ 提供了一系列内置角色,每个角色对应不同的权限级别,满足不同场景下的权限需求。以下是 AutoMQ 支持的内置角色及其操作列表:
| Role | Action | 权限点和适用场景 |
|---|---|---|
| InstanceViewer | Instance:ListInstances |
|
| Instance:GetInstance | ||
| Instance:GetInstanceMetadata | ||
| Instance:ListInstanceACLPolicies | ||
| Instance:ListInstanceACLUsers | ||
| ConsumerGroup:ListConsumerGroups | ||
| ConsumerGroup:GetConsumerGroup | ||
| Topic:GetTopic | ||
| Topic:ListTopics | ||
| Profile:GetDeployProfile | ||
| Profile:ListDeployProfiles | ||
| KafkaLinking:ListKafkaLinks | ||
| KafkaLinking:GetKafkaLink | ||
| InstanceDeveloper | Instance:GetInstance |
|
| Instance:ListInstances | ||
| Instance:ListInstanceACLPolicies | ||
| Instance:CreateInstanceACLPolicy | ||
| Instance:DeleteInstanceACLPolicy | ||
| Instance:GetInstanceMetadata | ||
| Instance:ListInstanceACLUsers | ||
| Instance:CreateInstanceACLUser | ||
| Instance:DeleteInstanceACLUser | ||
| ConsumerGroup:ListConsumerGroups | ||
| ConsumerGroup:CreateConsumerGroup | ||
| ConsumerGroup:GetConsumerGroup | ||
| ConsumerGroup:UpdateConsumerGroup | ||
| ConsumerGroup:DeleteConsumerGroup | ||
| Topic:ListTopics | ||
| Topic:CreateTopic | ||
| Topic:GetTopic | ||
| Topic:DeleteTopic | ||
| Topic:UpdateTopic | ||
| Topic:CreateMessage | ||
| Profile:GetDeployProfile | ||
| Profile:ListDeployProfiles | ||
| Environment:GetMessage | ||
| InstanceAdmin | Instance:GetInstance |
|
| Instance:ListInstances | ||
| Instance:UpdateInstance | ||
| Instance:GetInstanceMetadata | ||
| Instance:DeleteInstance | ||
| Instance:UpdateInstanceIntegration | ||
| Instance:ListInstanceACLUsers | ||
| Instance:CreateInstanceACLUser | ||
| Instance:DeleteInstanceACLUser | ||
| Instance:ListInstanceACLPolicies | ||
| Instance:CreateInstanceACLPolicy | ||
| Instance:DeleteInstanceACLPolicy | ||
| ConsumerGroup:ListConsumerGroups | ||
| ConsumerGroup:CreateConsumerGroup | ||
| ConsumerGroup:GetConsumerGroup | ||
| ConsumerGroup:UpdateConsumerGroup | ||
| ConsumerGroup:DeleteConsumerGroup | ||
| Topic:CreateTopic | ||
| Topic:GetTopic | ||
| Topic:DeleteTopic | ||
| Topic:UpdateTopic | ||
| Topic:ListTopics | ||
| Topic:CreateMessage | ||
| Profile:GetDeployProfile | ||
| Profile:ListDeployProfiles | ||
| Environment:GetMessage | ||
| Integration:ListIntegrations | ||
| Integration:ListIntegrationTypes | ||
| KafkaLinking:CreateKafkaLink | ||
| KafkaLinking:ListKafkaLinks | ||
| KafkaLinking:GetKafkaLink | ||
| KafkaLinking:DeleteKafkaLink | ||
| IntegrationAdmin | Integration:UpdateInstanceIntegration |
|
| Integration:ListIntegrations | ||
| Integration:GetIntegration | ||
| Integration:UpdateIntegration | ||
| Integration:DeleteIntegration | ||
| Integration:ListIntegrationTypes | ||
| Profile:ListDeployProfiles | ||
| Profile:GetDeployProfile | ||
| EnvironmentViewer | Instance:GetInstance |
|
| Instance:ListInstances | ||
| Instance:ListInstanceACLPolicies | ||
| Instance:GetInstanceMetadata | ||
| Instance:ListInstanceACLUsers | ||
| ConsumerGroup:ListConsumerGroups | ||
| ConsumerGroup:GetConsumerGroup | ||
| Topic:ListTopics | ||
| Topic:GetTopic | ||
| Integration:ListIntegrations | ||
| Integration:GetIntegration | ||
| Integration:ListIntegrationTypes | ||
| Migration:ListMigrations | ||
| Migration:GetMigration | ||
| Profile:ListDeployProfiles | ||
| Profile:GetDeployProfile | ||
| Environment:ListProductVersions | ||
| Environment:ListProviders | ||
| Environment:ListRegions | ||
| Environment:ListZones | ||
| Environment:ListSubnets | ||
| Environment:ListNodeGroups | ||
| Environment:GetNodeGroup | ||
| Environment:GetEnvironment | ||
| KafkaLinking:ListKafkaLinks | ||
| KafkaLinking:GetKafkaLink | ||
| EnvironmentOperator | Instance:GetInstance |
|
| Instance:ListInstances | ||
| Instance:ListInstanceACLPolicies | ||
| Instance:CreateInstanceACLPolicy | ||
| Instance:DeleteInstanceACLPolicy | ||
| Instance:CreateInstance | ||
| Instance:UpdateInstance | ||
| Instance:DeleteInstance | ||
| Instance:GetInstanceMetadata | ||
| Instance:UpdateInstanceIntegration | ||
| Instance:ListInstanceACLUsers | ||
| Instance:CreateInstanceACLUser | ||
| Instance:DeleteInstanceACLUser | ||
| Topic:ListTopics | ||
| Topic:CreateTopic | ||
| Topic:GetTopic | ||
| Topic:DeleteTopic | ||
| Topic:UpdateTopic | ||
| Topic:CreateMessage | ||
| ConsumerGroup:ListConsumerGroups | ||
| ConsumerGroup:CreateConsumerGroup | ||
| ConsumerGroup:GetConsumerGroup | ||
| ConsumerGroup:UpdateConsumerGroup | ||
| ConsumerGroup:DeleteConsumerGroup | ||
| Integration:ListIntegrations | ||
| Integration:CreateIntegration | ||
| Integration:GetIntegration | ||
| Integration:UpdateIntegration | ||
| Integration:DeleteIntegration | ||
| Integration:ListIntegrationTypes | ||
| Migration:CreateMigration | ||
| Migration:UpdateMigration | ||
| Migration:ListMigrations | ||
| Migration:GetMigration | ||
| Migration:DeleteMigration | ||
| Profile:ListDeployProfiles | ||
| Profile:GetDeployProfile | ||
| Profile:CreateDeployProfile | ||
| Profile:UpdateDeployProfile | ||
| Profile:DeleteDeployProfile | ||
| Environment:CreateProductVersion | ||
| Environment:GetDeploymentOrder | ||
| Environment:ListProductVersions | ||
| Environment:ListProviders | ||
| Environment:ListRegions | ||
| Environment:ListZones | ||
| Environment:ListSubnets | ||
| Environment:ListNodeGroups | ||
| Environment:GetNodeGroup | ||
| Environment:GetMessage | ||
| Environment:DeleteEndPoint | ||
| Environment:CreateEndPoint | ||
| KafkaLinking:CreateKafkaLink | ||
| KafkaLinking:ListKafkaLinks | ||
| KafkaLinking:GetKafkaLink | ||
| KafkaLinking:DeleteKafkaLink | ||
| EnvironmentAdmin | 全部 |
|
通过内置角色和操作列表,管理员可以灵活地管理 AutoMQ 控制台的访问权限,确保系统的安全性和高效性。