Updated on 2024-07-10 GMT+08:00

Configuring RocketMQ ACL Users

Scenario

RocketMQ instances support ACL-based permission isolation among users. You can create multiple users, and grant topic and consumption permissions to them.

Prerequisites

  • A RocketMQ instance has been purchased.
  • ACL has been enabled.

Creating a User

  1. Log in to the console.
  2. Click in the upper left corner to select a region.

    Select the region where your RocketMQ instance is located.

  3. Click and choose Middleware > Distributed Message Service for RocketMQ to open the console of DMS for RocketMQ.
  4. In the navigation pane, choose Users.
  5. Click Create User.
  6. Configure the user's name and other parameters by referring to Table 1.

    Table 1 User parameters

    | Parameter | Description |
    |---|---|
    | Name | Name of the user. The name cannot be changed after the user is created. |
    | IP Whitelist | Users from whitelisted IP addresses have publish/subscribe permissions for all topics and consumer groups, and their secret keys will not be verified. The IP whitelist can be set to specific IP addresses or network segments. Example: 192.168.1.2,192.168.2.3 or 192.*.*.* |
    | Administrator | A user configured as the administrator will have publish/subscribe permissions for all topics and consumer groups. |
    | Default Topic Permissions | The user's default permissions for topics. The default permissions will be overwritten by the permissions configured for specific topics, if any. For example, if Default Topic Permissions is set to Subscribe, but a topic is configured with the Publish/Subscribe permissions, the topic's actual permissions will be Publish/Subscribe. |
    | Default Consumer Group Permissions | The user's default permissions for consumer groups. The default permissions will be overwritten by the permissions configured for specific consumer groups, if any. For example, if a consumer group is configured with the None permissions, the user will not have permissions for the consumer group, even if Default Consumer Group Permissions is set to Subscribe. |
    | Secret Key | The user's secret key. |

  7. Click OK.

(Optional) Setting Special Permissions for a Specified Topic or Consumer Group

  1. Click a user to go to the user details page.
  2. On the Topic Permissions or Consumer Group Permissions tab page, click Add.
  3. Select desired topics or consumer groups, select the required permissions, and click OK.

    These permissions override the default permissions. For example, in Figure 1, the user's effective permissions for topic test01 are publish/subscribe.
    Figure 1 User details page
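
The rules in Table 1 and the override described above can be modelled as follows. This is an added example, not code from DMS for RocketMQ: the field names, the per-octet wildcard matching, and the sample user are assumptions made for illustration. It also flags whitelist entries broad enough to let many hosts skip secret key verification.

```python
# Added illustration: models the permission rules described on this page.
# Field names and per-octet wildcard matching are assumptions, not DMS code.
import hmac
from dataclasses import dataclass, field

FULL = "Publish/Subscribe"

@dataclass
class AclUser:
    name: str
    secret_key: str
    ip_whitelist: list = field(default_factory=list)
    administrator: bool = False
    default_topic_perm: str = "None"
    default_group_perm: str = "None"
    topic_perms: dict = field(default_factory=dict)   # per-topic overrides
    group_perms: dict = field(default_factory=dict)   # per-group overrides

def ip_matches(pattern: str, ip: str) -> bool:
    """Match an exact IPv4 address or a per-octet wildcard such as 192.*.*.*"""
    p, a = pattern.strip().split("."), ip.split(".")
    return len(p) == len(a) == 4 and all(x in ("*", y) for x, y in zip(p, a))

def effective_permission(user, client_ip, presented_key, kind, resource):
    """Return the permission a client gets on a topic or consumer group."""
    # Whitelisted source IPs get full access; the secret key is not verified.
    if any(ip_matches(p, client_ip) for p in user.ip_whitelist):
        return FULL
    if not hmac.compare_digest(presented_key, user.secret_key):
        return "None"
    if user.administrator:
        return FULL
    # A permission set on the specific resource replaces the default.
    if kind == "topic":
        return user.topic_perms.get(resource, user.default_topic_perm)
    return user.group_perms.get(resource, user.default_group_perm)

def broad_whitelist_entries(user, max_wildcards=1):
    """Flag whitelist patterns with more than max_wildcards wildcard octets."""
    return [p for p in user.ip_whitelist if p.count("*") > max_wildcards]

# Constructed sample user mirroring the examples in Table 1 and Figure 1.
SAMPLE_USER = AclUser(
    "app1", "constructed-key", ["192.168.1.2", "192.*.*.*"],
    default_topic_perm="Subscribe", topic_perms={"test01": FULL},
    default_group_perm="Subscribe", group_perms={"group01": "None"})
```

Running `broad_whitelist_entries` over every user before enabling ACL shows which whitelist patterns effectively turn authentication off for a large address range.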

Accessing the Server as a User

After ACL is enabled for an instance, user authentication information must be added to both the producer and consumer configurations. For details, see the following instructions:

Modifying User Information

  1. Log in to the console.
  2. Click in the upper left corner to select a region.

    Select the region where your RocketMQ instance is located.

  3. Click and choose Middleware > Distributed Message Service for RocketMQ to open the console of DMS for RocketMQ.
  4. Click a RocketMQ instance to go to the instance details page.
  5. In the navigation pane, choose Users.
  6. In the row containing the desired user, click Edit.
  7. Modify the information shown in Table 2 as required.

    Table 2 User parameters

    | Parameter | Description |
    |---|---|
    | IP Whitelist | Users from whitelisted IP addresses have publish/subscribe permissions for all topics and consumer groups, and their secret keys will not be verified. The IP whitelist can be set to specific IP addresses or network segments. Example: 192.168.1.2,192.168.2.3 or 192.*.*.* |
    | Administrator | A user configured as the administrator will have publish/subscribe permissions for all topics and consumer groups. |
    | Default Topic Permissions | The user's default permissions for topics. The default permissions will be overwritten by the permissions configured for specific topics, if any. For example, if Default Topic Permissions is set to Subscribe, but a topic is configured with the Publish/Subscribe permissions, the topic's actual permissions will be Publish/Subscribe. |
    | Default Consumer Group Permissions | The user's default permissions for consumer groups. The default permissions will be overwritten by the permissions configured for specific consumer groups, if any. For example, if a consumer group is configured with the None permissions, the user will not have permissions for the consumer group, even if Default Consumer Group Permissions is set to Subscribe. |
    | Secret Key | The user's secret key. |

  8. Click OK.

Deleting a User

Deleting a user will remove its authorization relationship and disconnect it from the instance.

  1. Log in to the console.
  2. Click in the upper left corner to select a region.

    Select the region where your RocketMQ instance is located.

  3. Click and choose Middleware > Distributed Message Service for RocketMQ to open the console of DMS for RocketMQ.
  4. Click a RocketMQ instance to go to the instance details page.
  5. In the navigation pane, choose Users.
  6. In the row containing the desired user, click Delete.
  7. Click OK.