Permissions and Supported Actions
This chapter describes fine-grained permissions management for your Kafka instances. If your Huawei ID does not need individual IAM users, then you may skip over this chapter.
By default, new IAM users do not have permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services based on the permissions.
Permissions are classified into roles and policies based on the authorization granularity. Roles are a type of coarse-grained authorization mechanism that defines permissions related to user responsibilities. Policies define API-based permissions for operations on specific resources under certain conditions, allowing for more fine-grained, secure access control of cloud resources.
For details about DMS for Kafka system policies, see Permissions Management.
Policy-based authorization is useful if you want to allow or deny access to an API.
An account has all of the permissions required to call all APIs, but IAM users must be assigned the required permissions. The permissions required for calling an API are determined by the actions supported by the API. Only users who have been granted permissions allowing the actions can call the API successfully. For example, if an IAM user wants to query Kafka instances using an API, the user must have been granted permissions that allow the dms:instance:create action.
Supported Actions
DMS for Kafka provides system-defined policies that can be directly used in IAM. You can also create custom policies and use them to supplement system-defined policies, implementing more refined access control. Operations supported by policies are specific to APIs. The following are common concepts related to policies:
- Permission: a statement in a policy that allows or denies certain operations.
- APIs: REST APIs that can be called by a user who has been granted specific permissions.
- Actions: specific operations that are allowed or denied.
- IAM projects or enterprise projects: A custom policy can be applied to IAM projects or enterprise projects or both. Policies that contain actions for both IAM and enterprise projects can be used and take effect for both IAM and Enterprise Management. Policies that only contain actions for IAM projects can be used and only take effect for IAM. Administrators can check whether an action supports IAM projects or enterprise projects in the action list. For details about the differences between IAM and enterprise projects, see What Are the Differences Between IAM and Enterprise Management?
DMS for Kafka supports the following actions in custom policies:
- Lifecycle management actions, including actions supported by Kafka instance lifecycle management APIs, such as the APIs for creating an instance, querying the instance list, modifying instance information, and batch restarting or deleting instances.
- Instance management actions, including actions supported by Kafka instance management APIs, such as the APIs for resetting passwords and querying Kafka cluster metadata.
- Smart Connect actions, including actions supported by Smart Connect APIs, such as the APIs for enabling or disabling Smart Connect and creating a Smart Connect task.
- Specification modification management actions, including actions supported by the specification modification management APIs, such as the APIs for scaling up an instance and querying the product information for instance specification modification.
- Topic management actions, including actions supported by topic management APIs, such as the APIs for creating, querying, and modifying topics.
- Consumer group management actions, including actions supported by consumer group management APIs, such as the APIs for creating, querying, and deleting consumer groups.
- User management actions, including actions supported by user management APIs, such as the APIs for creating users, querying users, and configuring user permissions.
- Message management actions, including actions supported by message management APIs, such as the APIs for querying and deleting messages.
- Background task management actions, including actions supported by background task management APIs, such as the APIs for querying the background task list of an instance and querying a specified background task.
- Tag management actions, including actions supported by tag management APIs, such as the APIs for querying instance tags and project tags.
- Diagnosis management actions, including actions supported by diagnosis management APIs, such as the APIs for creating a message stack diagnosis task and querying a diagnosis report list.
- Others, including actions supported by APIs for querying the maintenance time window and querying AZs.
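A practical consequence of the action model described above, shown as an added example (not Huawei's code): several unrelated APIs share one action, so a policy written for one call can permit others. The sketch maps concrete requests to actions using a handful of rows copied from this page's tables, emits a custom policy in IAM's Version 1.1 JSON shape, and lists the other APIs in that subset the same policy would allow; the helper names and the sample project and instance IDs are constructed.

```python
import json
import re

# Subset of rows copied from this page's tables: (method, path template, action).
API_ACTIONS = [
    ("GET", "/v2/{project_id}/instances", "dms:instance:list"),
    ("GET", "/v2/{project_id}/instances/{instance_id}", "dms:instance:get"),
    ("GET", "/v2/{project_id}/instances/{instance_id}/topics", "dms:instance:get"),
    ("POST", "/v2/{project_id}/instances/{instance_id}/topics", "dms:instance:modify"),
    ("POST", "/v2/{project_id}/instances/{instance_id}/topics/delete", "dms:instance:modify"),
    ("POST", "/v2/{project_id}/instances/{instance_id}/users", "dms:instance:modify"),
    ("POST", "/v2/{project_id}/kafka/instances/{instance_id}/topics/{topic}/messages/delete", "dms:instance:modify"),
    ("POST", "/v2/{project_id}/instances/{instance_id}/password", "dms:instance:resetAuthInfo"),
    ("DELETE", "/v2/{project_id}/instances/{instance_id}", "dms:instance:delete"),
]

def _compile(template):
    # Turn "{name}" placeholders into single-path-segment wildcards.
    parts = re.split(r"\{[^}]+\}", template)
    return re.compile("^" + "[^/]+".join(re.escape(p) for p in parts) + "$")

_ROUTES = [(m, _compile(t), t, a) for m, t, a in API_ACTIONS]

def action_for(method, path):
    """Return the action a concrete request needs, or None if unknown."""
    for m, rx, _, action in _ROUTES:
        if m == method.upper() and rx.match(path):
            return action
    return None

def build_policy(calls):
    """Build a custom policy allowing only the actions the calls require."""
    actions = set()
    for method, path in calls:
        action = action_for(method, path)
        if action is None:
            raise ValueError(f"no action mapping for {method} {path}")
        actions.add(action)
    return {"Version": "1.1",
            "Statement": [{"Effect": "Allow", "Action": sorted(actions)}]}

def also_unlocked(calls):
    """APIs the policy permits beyond the ones the workload actually calls."""
    granted = set(build_policy(calls)["Statement"][0]["Action"])
    needed = {(m.upper(), t) for m, p in calls
              for mm, rx, t, _ in _ROUTES if mm == m.upper() and rx.match(p)}
    return sorted((m, t) for m, _, t, a in _ROUTES
                  if a in granted and (m, t) not in needed)

# Constructed sample: a service that lists instances and creates topics.
SAMPLE_CALLS = [
    ("GET", "/v2/0123abcd/instances"),
    ("POST", "/v2/0123abcd/instances/inst-1/topics"),
]

if __name__ == "__main__":
    print(json.dumps(build_policy(SAMPLE_CALLS), indent=2))
    for method, template in also_unlocked(SAMPLE_CALLS):
        print("also allowed:", method, template)
```

For the sample workload the policy needs only `dms:instance:list` and `dms:instance:modify`, yet `dms:instance:modify` also covers batch topic deletion, user creation and message deletion, which is worth knowing when reviewing who holds that action.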
Lifecycle Management

| Permission | API | Action | IAM (Project) | Enterprise (Enterprise Project) |
|---|---|---|---|---|
| Creating an instance | POST /v2/{project_id}/kafka/instances | dms:instance:create | √ | √ |
| Querying all instances | GET /v2/{project_id}/instances | dms:instance:list | √ | √ |
| Querying an instance | GET /v2/{project_id}/instances/{instance_id} | dms:instance:get | √ | √ |
| Deleting an instance | DELETE /v2/{project_id}/instances/{instance_id} | dms:instance:delete | √ | √ |
| Modifying instance information | PUT /v2/{project_id}/instances/{instance_id} | dms:instance:modify | √ | √ |
| Batch restarting or deleting instances | POST /v2/{project_id}/instances/action | Restart: dms:instance:modifyStatus; Delete: dms:instance:delete | √ | √ |
| Obtaining Instance Configurations | GET /v2/{project_id}/instances/{instance_id}/configs | dms:instance:get | √ | √ |
| Modifying Instance Configurations | PUT /v2/{project_id}/instances/{instance_id}/configs | dms:instance:modify | √ | √ |
| Upgrading an Instance | POST /v2/{project_id}/kafka/instances/{instance_id}/upgrade | dms:instance:modify | √ | √ |
| Querying the Kafka Instance Version | GET /v2/{project_id}/kafka/instances/{instance_id}/upgrade | dms:instance:get | √ | √ |

Instance Management

| Permission | API | Action | IAM (Project) | Enterprise (Enterprise Project) |
|---|---|---|---|---|
| Resetting a password | POST /v2/{project_id}/instances/{instance_id}/password | dms:instance:resetAuthInfo | √ | √ |
| Resetting the Kafka Manager password | PUT /v2/{project_id}/instances/{instance_id}/kafka-manager-password | dms:instance:resetAuthInfo | √ | √ |
| Restarting Kafka Manager | PUT /v2/{project_id}/instances/{instance_id}/restart-kafka-manager | dms:instance:modifyStatus | √ | √ |
| Modifying the private IP address for cross-VPC access | POST /v2/{project_id}/instances/{instance_id}/crossvpc/modify | dms:instance:modify | √ | √ |
| Querying Kafka Cluster Metadata | GET /v2/{project_id}/instances/{instance_id}/management/cluster | dms:instance:get | √ | √ |
| Querying Coordinator Details of a Kafka Instance | GET /v2/{project_id}/instances/{instance_id}/management/coordinators | dms:instance:get | √ | √ |
| Modifying Kafka Access Modes | POST /v2/{project_id}/{engine}/instances/{instance_id}/plain-ssl-switch | dms:ssl | √ | √ |
| Querying the Disk Usage Status of Topics | GET /v2/{project_id}/instances/{instance_id}/topics/diskusage | dms:instance:get | √ | √ |
| Disabling Kafka Manager | DELETE /v2/{project_id}/kafka/instances/{instance_id}/management | dms:instance:modify | √ | √ |
| Querying Kafka Instance Rebalancing Log Details | GET /v2/kafka/{project_id}/instances/{instance_id}/log/rebalance-log | dms:instance:get | √ | √ |
| Enabling Kafka Instance Rebalancing Logging | POST /v2/kafka/{project_id}/instances/{instance_id}/log/rebalance-log | dms:instance:modify | √ | √ |
| Disabling Kafka Instance Rebalancing Logging | DELETE /v2/kafka/{project_id}/instances/{instance_id}/log/rebalance-log | dms:instance:modify | √ | √ |
| Configuring Public Access to a Kafka Instance | POST /v1/{project_id}/instances/{instance_id}/public-boundwidth | dms:instance:modify | √ | √ |
| Querying Kafka Cluster Information | GET /v2/{project_id}/instances/{instance_id}/manage/cluster | dms:instance:get | √ | √ |

Smart Connect

| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Querying Resource Information Required for Enabling Smart Connect | GET /v2/{project_id}/instances/{instance_id}/connector | dms:instance:get | √ | √ |
| Enabling Smart Connect | POST /v2/{project_id}/instances/{instance_id}/connector | dms:instance:connector | √ | √ |
| Disabling Smart Connect | POST /v2/{project_id}/kafka/instances/{instance_id}/delete-connector | dms:instance:connector | √ | √ |
| Creating a Smart Connect task | POST /v2/{project_id}/instances/{instance_id}/connector/tasks | dms:instance:createConnectorSinkTask | √ | √ |
| Listing Smart Connect tasks | GET /v2/{project_id}/instances/{instance_id}/connector/tasks | dms:instance:listConnectorSinkTask | √ | √ |
| Querying Smart Connect task details | GET /v2/{project_id}/instances/{instance_id}/connector/tasks/{task_id} | dms:instance:getConnectorSinkTask | √ | √ |
| Deleting Smart Connect tasks | DELETE /v2/{project_id}/instances/{instance_id}/connector/tasks/{task_id} | dms:instance:deleteConnectorSinkTask | √ | √ |
| Modifying the Smart Connect Task Configuration | PUT /v2/{project_id}/instances/{instance_id}/connector/tasks/{task_id} | dms:instance:modifyConnectorSinkTask | √ | √ |
| Verifying Connector Connectivity | POST /v2/{project_id}/instances/{instance_id}/connector/validate | dms:instance:connector | √ | √ |
| Pausing Smart Connect tasks | PUT /v2/{project_id}/instances/{instance_id}/connector/tasks/{task_id}/pause | dms:instance:updateConnectorTask | √ | √ |
| Restarting Smart Connect tasks | PUT /v2/{project_id}/instances/{instance_id}/connector/tasks/{task_id}/resume | dms:instance:updateConnectorTask | √ | √ |
| Starting a Smart Connect task or restarting a paused or running Smart Connect task | PUT /v2/{project_id}/kafka/instances/{instance_id}/connector/tasks/{task_id}/restart | dms:instance:updateConnectorTask | √ | √ |

Specification Modification Management

| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Increasing Instance Specifications | POST /v2/{project_id}/kafka/instances/{instance_id}/extend | dms:instance:scale | √ | √ |
| Querying Product Information for Instance Specification Modification | GET /v2/{project_id}/kafka/instances/{instance_id}/extend | dms:instance:get | √ | √ |
| Obtaining Pre-check Information Before Expanding a Kafka Instance | GET /v2/{project_id}/kafka/instances/{instance_id}/extend-check | dms:instance:get | √ | √ |

Topic Management

| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Configuring Automatic Topic Creation | POST /v2/{project_id}/instances/{instance_id}/autotopic | dms:instance:modify | √ | √ |
| Producing Messages to Kafka | POST /v2/{project_id}/instances/{instance_id}/messages/action | dms:instance:modify | √ | √ |
| Creating a Topic in a Kafka Instance | POST /v2/{project_id}/instances/{instance_id}/topics | dms:instance:modify | √ | √ |
| Querying a topic in a Kafka instance | GET /v2/{project_id}/instances/{instance_id}/topics | dms:instance:get | √ | √ |
| Modifying topics of a Kafka instance | PUT /v2/{project_id}/instances/{instance_id}/topics | dms:instance:modify | √ | √ |
| Obtaining Kafka Topic Details | GET /v2/kafka/{project_id}/instances/{instance_id}/topics-detail/{topic} | dms:instance:get | √ | √ |
| Deleting topics in a Kafka instance in batches | POST /v2/{project_id}/instances/{instance_id}/topics/delete | dms:instance:modify | √ | √ |
| Querying the Partition List of a Topic | GET /v2/{project_id}/kafka/instances/{instance_id}/topics/{topic}/partitions | dms:instance:get | √ | √ |
| Querying the Current Producer List of a Topic | GET /v2/{project_id}/kafka/instances/{instance_id}/topics/{topic}/producers | dms:instance:get | √ | √ |
| Deleting Topic Quotas | DELETE /v2/kafka/{project_id}/instances/{instance_id}/kafka-topic-quota | dms:instance:modify | √ | √ |
| Creating a Topic Quota | POST /v2/kafka/{project_id}/instances/{instance_id}/kafka-topic-quota | dms:instance:modify | √ | √ |
| Modifying Topic Quotas | PUT /v2/kafka/{project_id}/instances/{instance_id}/kafka-topic-quota | dms:instance:modify | √ | √ |
| Querying Topic Quotas | GET /v2/kafka/{project_id}/instances/{instance_id}/kafka-topic-quota | dms:instance:get | √ | √ |
| Initiating Partition Reassignment for a Kafka Instance | POST /v2/{project_id}/kafka/instances/{instance_id}/reassign | dms:instance:modify | √ | √ |

Managing Consumer Groups

| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Querying Consumer Group Details | GET /v2/{project_id}/instances/{instance_id}/management/groups/{group} | dms:instance:get | √ | √ |
| Querying All Consumer Groups | GET /v2/{project_id}/instances/{instance_id}/groups | dms:instance:get | √ | √ |
| Deleting Consumer Groups of a Kafka Instance in Batches | POST /v2/{project_id}/instances/{instance_id}/groups/batch-delete | dms:instance:modify | √ | √ |
| Creating a Consumer Group | POST /v2/{project_id}/kafka/instances/{instance_id}/group | dms:instance:modify | √ | √ |
| API for resetting consumer group offset to the specified position | PUT /v2/kafka/{project_id}/instances/{instance_id}/groups/{group}/reset-message-offset | dms:instance:modify | √ | √ |
| Querying the Offset of a Consumer Group | GET /v2/{engine}/{project_id}/instances/{instance_id}/groups/{group}/message-offset | dms:instance:get | √ | √ |
| Modifying All Consumer Groups | PUT /v2/{engine}/{project_id}/instances/{instance_id}/groups | dms:instance:modify | √ | √ |
| Querying a Specified Consumer Group | GET /v2/{engine}/{project_id}/instances/{instance_id}/groups/{group} | dms:instance:get | √ | √ |
| Deleting a Specified Consumer Group | DELETE /v2/{engine}/{project_id}/instances/{instance_id}/groups/{group} | dms:instance:modify | √ | √ |
| Modifying a Specified Consumer Group | PUT /v2/{engine}/{project_id}/instances/{instance_id}/groups/{group} | dms:instance:modify | √ | √ |
| Querying Topics of a Specified Consumer Group | GET /v2/{engine}/{project_id}/instances/{instance_id}/groups/{group}/topics | dms:instance:get | √ | √ |
| Deleting Consumer Offset in a Specified Topic | POST /v2/kafka/{project_id}/instances/{instance_id}/groups/{group}/delete-offset | dms:instance:modify | √ | √ |
| Querying Consumers in a Specified Consumer Group | GET /v2/{engine}/{project_id}/instances/{instance_id}/groups/{group}/members | dms:instance:get | √ | √ |

User Management

| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Deleting a User or Client Quota | DELETE /v2/kafka/{project_id}/instances/{instance_id}/kafka-user-client-quota | dms:instance:modify | √ | √ |
| Querying User or Client Quotas | GET /v2/kafka/{project_id}/instances/{instance_id}/kafka-user-client-quota | dms:instance:get | √ | √ |
| Creating User or Client Quotas | POST /v2/kafka/{project_id}/instances/{instance_id}/kafka-user-client-quota | dms:instance:modify | √ | √ |
| Modifying User or Client Quotas | PUT /v2/kafka/{project_id}/instances/{instance_id}/kafka-user-client-quota | dms:instance:modify | √ | √ |
| Querying the user list | GET /v2/{project_id}/instances/{instance_id}/users | dms:instance:get | √ | √ |
| Creating a user | POST /v2/{project_id}/instances/{instance_id}/users | dms:instance:modify | √ | √ |
| Deleting users in batches | PUT /v2/{project_id}/instances/{instance_id}/users | dms:instance:modify | √ | √ |
| Resetting a user password | PUT /v2/{project_id}/instances/{instance_id}/users/{user_name} | dms:instance:get | √ | √ |
| Modifying User Parameters | PUT /v2/{engine}/{project_id}/instances/{instance_id}/users/{user_name} | dms:instance:modify | √ | √ |
| Querying user permissions | GET /v1/{project_id}/instances/{instance_id}/topics/{topic_name}/accesspolicy | dms:instance:get | √ | √ |
| Granting user permissions | POST /v1/{project_id}/instances/{instance_id}/topics/accesspolicy | dms:instance:modify | √ | √ |

Message Management

| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Querying messages | GET /v2/{project_id}/instances/{instance_id}/messages | dms:instance:get | √ | √ |
| Querying a Message with the Specified Offset | GET /v2/{project_id}/instances/{instance_id}/management/topics/{topic}/partitions/{partition}/message | dms:instance:get | √ | √ |
| Querying a Message with the Specified Time Period | GET /v2/{project_id}/instances/{instance_id}/management/topics/{topic}/messages | dms:instance:get | √ | √ |
| Querying the Offset of the Earliest Message in a Partition | GET /v2/{project_id}/instances/{instance_id}/management/topics/{topic}/partitions/{partition}/beginning-message | dms:instance:get | √ | √ |
| Querying the Offset of the Latest Message in a Partition | GET /v2/{project_id}/instances/{instance_id}/management/topics/{topic}/partitions/{partition}/end-message | dms:instance:get | √ | √ |
| Deleting Kafka Messages | POST /v2/{project_id}/kafka/instances/{instance_id}/topics/{topic}/messages/delete | dms:instance:modify | √ | √ |

Background Task Management

| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Listing background tasks | GET /v2/{project_id}/instances/{instance_id}/tasks | dms:instance:getBackgroundTask | √ | √ |
| Querying a background task | GET /v2/{project_id}/instances/{instance_id}/tasks/{task_id} | dms:instance:getBackgroundTask | √ | √ |
| Deleting a background task | DELETE /v2/{project_id}/instances/{instance_id}/tasks/{task_id} | dms:instance:deleteBackgroundTask | √ | √ |
| Querying the Scheduled Task List of an Instance | GET /v2/{project_id}/instances/{instance_id}/scheduled-tasks | dms:instance:get | √ | √ |
| Querying the Change Progress of a Specified Instance in a Background Task | GET /v2/{project_id}/instances/{instance_id}/tasks/{task_id}/progress | dms:instance:getBackgroundTask | √ | √ |
| Deleting a Specified Scheduled Task | DELETE /v2/{project_id}/instances/{instance_id}/scheduled-tasks/{task_id} | dms:instance:modify | √ | √ |
| Modifying a Specified Scheduled Task | PUT /v2/{project_id}/instances/{instance_id}/scheduled-tasks/{task_id} | dms:instance:modify | √ | √ |

Tag Management

| Permission | API | Action | IAM Projects | Enterprise Project |
|---|---|---|---|---|
| Batch adding or deleting tags | POST /v2/{project_id}/kafka/{instance_id}/tags/action | dms:instance:modify | √ | √ |
| Listing tags of an instance | GET /v2/{project_id}/kafka/{instance_id}/tags | dms:instance:get | √ | √ |
| Listing tags of a project | GET /v2/{project_id}/kafka/tags | dms:instance:get | √ | √ |

Diagnosis Management

| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Pre-check Before Diagnosing Message Stack | GET /v2/{project_id}/kafka/instances/{instance_id}/diagnosis-check | dms:instance:modify | √ | √ |
| Creating a Message Stack Diagnosis Task | POST /v2/{project_id}/kafka/instances/{instance_id}/message-diagnosis-tasks | dms:instance:modify | √ | √ |
| Querying the Message Stack Diagnosis Report List | GET /v2/{project_id}/kafka/instances/{instance_id}/message-diagnosis-tasks | dms:instance:get | √ | √ |
| Batch Deleting Message Stack Diagnosis Reports | DELETE /v2/{project_id}/kafka/instances/{instance_id}/message-diagnosis-tasks | dms:instance:modify | √ | √ |
| Querying Diagnosis Report Details | GET /v2/{project_id}/kafka/instances/{instance_id}/message-diagnosis/{report_id} | dms:instance:get | √ | √ |

Other APIs

| Permission | API | Action | IAM Project | Enterprise Project |
|---|---|---|---|---|
| Querying Maintenance Time Windows | GET /v2/instances/maintain-windows | dms:instance:get | √ | √ |
| Querying AZ Information | GET /v2/available-zones | dms:instance:get | √ | √ |
| Querying Product Specifications | GET /v2/{engine}/products | dms:instance:get | √ | √ |
| Querying Kafka Instance Monitoring Dimensions | GET /v2/{project_id}/instances/{instance_id}/ces-hierarchy | dms:instance:get | √ | √ |
| Querying vCPUs of a Kafka Flavor | GET /v2/kafka/products/cores | dms:instance:get | √ | √ |
| Querying the Feature Switch List | GET /v2/config/features | dms:instance:get | √ | √ |