Updated on 2024-09-20 GMT+08:00

Configuring RocketMQ ACL Users

To produce and consume messages on a RocketMQ instance with ACL enabled, create ACL users. You can create multiple users and assign different topic and consumer group permissions to each of them.

Prerequisites

  • A RocketMQ instance has been purchased.
  • ACL has been enabled.

Creating a User

  1. Log in to the console.
  2. Click in the upper left corner to select a region.

    Select the region where your RocketMQ instance is located.

  3. Click and choose Middleware > Distributed Message Service for RocketMQ to open the console of DMS for RocketMQ.
  4. In the navigation pane, choose Users.
  5. Click Create User.
  6. Configure the user's name and other parameters by referring to Table 1.

    Table 1 User parameters

    Parameter

    Description

    Name

    Name of the user.

    A username must meet the following requirements:
    • Contains 7 to 64 characters.
    • Only letters, digits, hyphens (-), and underscores (_) are allowed. The value must start with a letter.
    • The name must be unique.

    The name cannot be changed after the user is created.

    IP Whitelist

    Users from whitelisted IP addresses have publish/subscribe permissions for all topics and consumer groups, and their secret keys will not be verified.

    The IP whitelist can be set to specific IP addresses or network segments.

    • Use commas (,) to separate multiple IP addresses, for example, 192.168.1.2,192.168.2.3.
    • Use asterisks (*) to specify a network segment, for example, 192.*.*.*.

    Administrator

    A user configured as the administrator will have publish/subscribe permissions for all topics and consumer groups.

    Default Topic Permissions

    Specifies the default topic permission of a user.

    Options:

    • None: The topic is disabled.
    • Publish: Users can only send messages to the topic.
    • Subscribe: Users can only consume messages from the topic.
    • Publish/Subscribe: Users can send messages to or consume them from the topic.

    The default permissions will be overwritten by the permissions configured for specific topics, if any. For example, if Default Topic Permissions is set to Subscribe, but a topic is configured with the Publish/Subscribe permissions, the topic's actual permissions will be Publish/Subscribe.

    Default Consumer Group Permissions

    Specifies the default consumer group permission of a user.

    Options:

    • None: The consumer group is disabled.
    • Subscribe: The consumer group is enabled.

    The default permissions will be overwritten by the permissions configured for specific consumer groups, if any. For example, if a consumer group is configured with the None permissions, the user will not have permissions for the consumer group, even if Default Consumer Group Permissions is set to Subscribe.

    Secret Key

    The user's secret key.

    The key setting rules are as follows:
    • Contains 8 to 32 characters.
    • Contains at least three types of the following characters: uppercase letters, lowercase letters, digits, and special characters `~!@#$%^&*()-_=+\|[{}];:'",<.>/?
    • Cannot be the username or the username spelled backwards.

  7. Click OK.

(Optional) Assigning Topic or Consumer Group Permissions to a User

Users are created with default topic and consumer group permissions. To give a user different permissions for specific topics or consumer groups, configure them here. By default, the administrator has all permissions.

  1. Click a user to go to the user details page.
  2. On the Topic Permissions or Consumer Group Permissions tab page, click Add.
  3. Select desired topics or consumer groups, select the required permissions, and click OK.

    These permissions overwrite the default permissions. For example, in Figure 1, the user ends up with publish/subscribe permissions for topic test01.
    Figure 1 User details page
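
The sketch below is an added example, not code from the service or its documentation. It resolves a user's effective permission from the rules in Table 1 (IP whitelist, administrator, per-topic or per-group override, default) so that a configuration can be reviewed before it is applied. The names AclUser and effective_perm, the sample users, the topic orders, the group group01 and the evaluation order are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Permission names as listed in Table 1.
NONE, PUB, SUB, PUBSUB = "None", "Publish", "Subscribe", "Publish/Subscribe"

@dataclass
class AclUser:                        # hypothetical model of one console user
    name: str
    admin: bool = False
    ip_whitelist: str = ""            # comma-separated, as entered in the console
    default_topic: str = NONE
    default_group: str = NONE
    topic_perms: dict = field(default_factory=dict)   # per-topic overrides
    group_perms: dict = field(default_factory=dict)   # per-group overrides

def ip_whitelisted(user, client_ip):
    """True if client_ip matches an exact or wildcard (192.*.*.*) entry."""
    octets = client_ip.split(".")
    for entry in filter(None, (e.strip() for e in user.ip_whitelist.split(","))):
        parts = entry.split(".")
        if len(parts) == len(octets) == 4 and all(p in ("*", o) for p, o in zip(parts, octets)):
            return True
    return False

def effective_perm(user, kind, name, client_ip):
    """Return (permission, deciding rule, secret key verified?) for a topic or group."""
    if ip_whitelisted(user, client_ip):
        return PUBSUB, "ip-whitelist", False       # secret key is not verified
    if user.admin:
        return PUBSUB, "administrator", True
    overrides, default = ((user.topic_perms, user.default_topic) if kind == "topic"
                          else (user.group_perms, user.default_group))
    if name in overrides:
        return overrides[name], "override", True   # may widen or narrow the default
    return default, "default", True

# Constructed sample users mirroring the two override examples in Table 1.
consumer = AclUser("app-consumer", default_topic=SUB, default_group=SUB,
                   topic_perms={"test01": PUBSUB}, group_perms={"group01": NONE})
batch = AclUser("batch-loader", ip_whitelist="192.168.1.2,192.*.*.*")

if __name__ == "__main__":
    for user, kind, name, ip in [(consumer, "topic", "test01", "10.0.0.5"),
                                 (consumer, "topic", "orders", "10.0.0.5"),
                                 (consumer, "group", "group01", "10.0.0.5"),
                                 (batch, "topic", "orders", "192.200.7.9"),
                                 (batch, "topic", "orders", "10.0.0.5")]:
        print(user.name, kind, name, ip, "->", effective_perm(user, kind, name, ip))
```

The fourth case shows why a segment such as 192.*.*.* deserves review: any client in that range gets publish/subscribe on every topic without a secret key check, while the same user from another address falls back to its default of None.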

Accessing the Server as a User

After ACL is enabled for an instance, user authentication information must be added to both the producer and consumer configurations. For details, see the following instructions:

Modifying User Information

  1. Log in to the console.
  2. Click in the upper left corner to select a region.

    Select the region where your RocketMQ instance is located.

  3. Click and choose Middleware > Distributed Message Service for RocketMQ to open the console of DMS for RocketMQ.
  4. Click a RocketMQ instance to go to the instance details page.
  5. In the navigation pane, choose Users.
  6. In the row containing the desired user, click Edit.
  7. Modify the user information as required.

    Usernames cannot be changed. For other parameters, see Table 1.

  8. Click OK.

Deleting a User

Deleting a user will remove its authorization relationship and disconnect it from the instance.

  1. Log in to the console.
  2. Click in the upper left corner to select a region.

    Select the region where your RocketMQ instance is located.

  3. Click and choose Middleware > Distributed Message Service for RocketMQ to open the console of DMS for RocketMQ.
  4. Click a RocketMQ instance to go to the instance details page.
  5. In the navigation pane, choose Users.
  6. In the row containing the desired user, click Delete.
  7. Click OK.