Actions Supported by Policy-based Authorization

This section describes the actions supported by DMS for RocketMQ in policy-based authorization.

Supported Actions

DMS provides system-defined policies that can be directly used in IAM. You can also create custom policies to supplement system-defined policies for more refined access control. Operations supported by policies are specific to APIs. The following are common concepts related to policies:

Permissions: statements in a policy that allow or deny certain operations
APIs: REST APIs that can be called by a user who has been granted specific permissions
Actions: specific operations that are allowed or denied in a custom policy
Dependencies: actions which a specific action depends on. When allowing an action for a user, you also need to allow any existing action dependencies for that user.
IAM projects/Enterprise projects: the authorization scope of a custom policy. A custom policy can be applied to IAM projects or enterprise projects or both. Policies that contain actions for both IAM and enterprise projects can be used and applied for both IAM and Enterprise Management. Policies that contain actions only for IAM projects can be used and applied to IAM only. Administrators can check whether an action supports IAM projects or enterprise projects in the action list. For details about the differences between IAM and enterprise management, see Differences Between IAM and Enterprise Management.

DMS for RocketMQ supports the following actions in custom policies:

Lifecycle management actions, including actions supported by RocketMQ lifecycle management APIs, such as the APIs for creating an instance, querying the instance list, and modifying instance information.
Consumer group management actions, including actions supported by consumer group management APIs, such as the APIs for modifying, creating, and deleting consumer groups.
Topic management actions, including actions supported by topic management APIs, such as APIs for creating, deleting, and modifying topics.
Message management actions, including actions supported by message management APIs, such as the APIs for querying messages and message traces.
User management actions, including actions supported by user management APIs, such as the APIs for creating, querying, and deleting users.
Tag management actions, including actions supported by tag management APIs, such as the APIs for querying instance tags and project tags.

Lifecycle Management

**Table 1** Lifecycle management actions
Permission	API	Action	IAM Project	Enterprise Project
Querying the instance list	GET /v2/{project_id}/instances	dms:instance:list	√	√
Creating an instance	POST /v2/{engine}/{project_id}/instances	dms:instance:create	√	√
Querying an instance	GET /v2/{project_id}/instances/{instance_id}	dms:instance:get	√	√
Deleting an instance	DELETE /v2/{project_id}/instances/{instance_id}	dms:instance:delete	√	√
Modifying instance information	PUT /v2/{project_id}/instances/{instance_id}	dms:instance:modify	√	√
Batch deleting instances	POST /v2/{project_id}/instances/action	dms:instance:delete	√	√
Querying the broker list	GET /v2/{project_id}/instances/{instance_id}/brokers	dms:instance:get	√	√

Consumer Group Management

**Table 2** Consumer group management actions
Permission	API	Action	IAM Project	Enterprise Project
Creating a consumer group or batch deleting consumer groups	POST /v2/{project_id}/instances/{instance_id}/groups	dms:instance:modify	√	√
Batch modifying consumer groups	PUT /v2/{project_id}/instances/{instance_id}/groups	dms:instance:modify	√	√
Deleting a consumer group	DELETE /v2/{project_id}/instances/{instance_id}/groups/{group}	dms:instance:modify	√	√
Querying a consumer group	GET /v2/{project_id}/instances/{instance_id}/groups/{group}	dms:instance:get	√	√
Modifying a consumer group	PUT /v2/{project_id}/instances/{instance_id}/groups/{group}	dms:instance:modify	√	√
Querying the consumer group list or details	GET /v2/{project_id}/instances/{instance_id}/groups/{group}/topics	dms:instance:get	√	√
Resetting the consumer offset	POST /v2/{engine}/{project_id}/instances/{instance_id}/groups/{group_id}/reset-message-offset	dms:instance:modify	√	√

Topic Management

**Table 3** Topic management actions
Permission	API	Action	IAM Project	Enterprise Project
Creating a topic or deleting topics in batches	POST /v2/{project_id}/instances/{instance_id}/topics	dms:instance:modify	√	√
Querying the topic list	GET /v2/{project_id}/instances/{instance_id}/topics	dms:instance:get	√	√
Deleting a topic	DELETE /v2/{project_id}/instances/{instance_id}/topics/{topic}	dms:instance:modify	√	√
Querying a topic	GET /v2/{project_id}/instances/{instance_id}/topics/{topic}	dms:instance:get	√	√
Modifying a topic	PUT /v2/{project_id}/instances/{instance_id}/topics/{topic}	dms:instance:modify	√	√
Querying the topic consumer group list	GET /v2/{project_id}/instances/{instance_id}/topics/{topic}/groups	dms:instance:get	√	√
Querying the number of messages in a topic	GET /v2/{project_id}/instances/{instance_id}/topics/{topic}/status	dms:instance:get	√	√

Message Management

**Table 4** Message management actions
Permission	API	Action	IAM Project	Enterprise Project
Querying messages	GET /v2/{engine}/{project_id}/instances/{instance_id}/messages	dms:instance:get	√	√
Querying message traces	GET /v2/{engine}/{project_id}/instances/{instance_id}/trace	dms:instance:get	√	√
Exporting dead letter messages	POST /v2/{project_id}/instances/{instance_id}/messages/export	dms:instance:modify	√	√

User Management

**Table 5** User management actions
Permission	API	Action	IAM Project	Enterprise Project
Creating a user	POST /v2/{project_id}/instances/{instance_id}/users	dms:instance:modify	√	√
Querying the user list	GET /v2/{project_id}/instances/{instance_id}/users	dms:instance:get	√	√
Modifying user parameters	PUT /v2/{project_id}/instances/{instance_id}/users/{user_name}	dms:instance:modify	√	√
Querying user details	GET /v2/{project_id}/instances/{instance_id}/users/{user_name}	dms:instance:get	√	√
Deleting a user	DELETE /v2/{project_id}/instances/{instance_id}/users/{user_name}	dms:instance:modify	√	√
Querying users granted permissions for a topic	GET /v2/{project_id}/instances/{instance_id}/topics/{topic}/accesspolicy	dms:instance:get	√	√
Querying users granted permissions for a consumer group	GET /v2/{engine}/{project_id}/instances/{instance_id}/groups/{group_id}/accesspolicy	dms:instance:get	√	√

Tag Management

**Table 6** Tag management actions
Permission	API	Action	IAM Project	Enterprise Project
Batch adding or deleting tags	POST /v2/{project_id}/rocketmq/{instance_id}/tags/action	dms:instance:modify	√	√
Listing tags of an instance	GET /v2/{project_id}/rocketmq/{instance_id}/tags	dms:instance:get	√	√
Listing tags of a project	GET /v2/{project_id}/rocketmq/tags	dms:instance:get	√	√

Table 7 shows fine-grained permission dependencies of DMS for RocketMQ.

**Table 7** Fine-grained permission dependencies of DMS for RocketMQ
Action	Description	Dependencies
dms:instance:get	Viewing instance details	None
dms:instance:scale	Enabling instance scale-up	vpc:vpcs:get vpc:ports:create vpc:securityGroups:get vpc:ports:get vpc:subnets:get vpc:vpcs:list vpc:publicIps:get vpc:publicIps:list vpc:ports:update vpc:publicIps:update
dms:instance:modify	Modifying an instance	vpc:vpcs:get vpc:ports:create vpc:securityGroups:get vpc:ports:get vpc:subnets:get vpc:vpcs:list vpc:publicIps:get vpc:publicIps:list vpc:ports:update vpc:publicIps:update
dms:instance:modifyStatus	Restarting an instance	None
dms:instance:delete	Deleting an instance	None
dms:instance:create	Creating an instance	vpc:vpcs:get vpc:ports:create vpc:securityGroups:get vpc:ports:get vpc:subnets:get vpc:vpcs:list vpc:publicIps:get vpc:publicIps:list vpc:ports:update vpc:publicIps:update
dms:instance:list	Viewing the instance list	None