Updated on 2025-07-28 GMT+08:00

Configuring RocketMQ ACL Users

To produce or consume messages on a RocketMQ instance with ACL enabled, add ACL users. You can create multiple users and assign different topic and consumer group permissions to each of them.

Prerequisites

  • A RocketMQ instance has been purchased.
  • ACL has been enabled.

Creating a User

  1. Log in to the console.
  2. Click in the upper left corner to select a region.

    DMS for RocketMQ instances in different regions cannot communicate with each other over an intranet. Select the nearest location for low latency and fast access.

  3. Click and choose Middleware > Distributed Message Service for RocketMQ to open the console of DMS for RocketMQ.
  4. Click a RocketMQ instance name to go to the instance details page.
  5. In the navigation pane, choose Instance > Users.
  6. Click Create User.
  7. Configure the user's name and other parameters by referring to Table 1.

    Table 1 User parameters

    Parameter

    Description

    Name

    Name of the user.

    A username must meet the following requirements:
    • Contains 7 to 64 characters.
    • Only letters, digits, hyphens (-), and underscores (_) are allowed. The value must start with a letter.
    • The name must be unique.

    The name cannot be changed after the user is created.

    IP Whitelist

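    Users from whitelisted IP addresses have publish/subscribe permissions for all topics and consumer groups, and their secret keys will not be verified. Because a whitelisted address bypasses both secret key verification and the topic and consumer group permissions configured for the user, keep the whitelist as narrow as possible.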

    The IP whitelist can be set to specific IP addresses or network segments.

    • Use commas (,) to separate multiple IP addresses, for example, 192.168.1.2,192.168.2.3.
    • Specify a network segment with wildcards, for example, 192.*.*.*.

    Accessing a RocketMQ instance using IPv6 in the CN East2 region disables the IP address whitelist.

    Administrator

    Enabled by default. For the 5.x basic edition, this setting is fixed.

    A user configured as the administrator will have publish and subscribe permissions for all topics, and the subscribe permission for consumer groups.

    Default Topic Permissions

    Unavailable when Administrator is enabled.

    Specifies the default topic permission of a user.

    Options:

    • None: The topic is disabled.
    • Publish: Users can only send messages to the topic.
    • Subscribe: Users can only consume messages from the topic.
    • Publish/Subscribe: Users can send messages to or consume them from the topic.

    The default permissions are overridden by the permissions configured for specific topics, if any. For example, if Default Topic Permissions is set to Subscribe, but a topic is configured with the Publish/Subscribe permissions, the topic's actual permissions will be Publish/Subscribe.

    Default Consumer Group Permissions

    Unavailable when Administrator is enabled.

    Specifies the default consumer group permission of a user.

    Options:

    • None: The consumer group is disabled.
    • Subscribe: The consumer group is enabled.

    The default permissions are overridden by the permissions configured for specific consumer groups, if any. For example, if a consumer group is configured with the None permission, the user will not have permissions for the consumer group, even if Default Consumer Group Permissions is set to Subscribe.

    Secret Key

    The user's secret key.

    The key setting rules are as follows:
    • Contains 8 to 32 characters.
    • Cannot start with a hyphen (-).
    • Contains at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters `~!@#$%^&*()-_=+\|[{}];:'",<.>/?
    • Cannot be the username or the username spelled backwards.

  8. Click OK.
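The username and secret key rules in Table 1 can be checked before a user is submitted, for example in a provisioning script. The following is an added example, not code from this page or from the service; the function names and sample values are constructed, and the exact (case-sensitive) comparison between key and username is an assumption.

```python
import re
import string

# Special characters Table 1 lists for secret keys.
SPECIALS = set("`~!@#$%^&*()-_=+\\|[{}];:'\",<.>/?")
USERNAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_-]*")


def check_username(name):
    """Return the Table 1 username rules that `name` violates (empty list = OK).

    Uniqueness within the instance cannot be checked offline and is skipped.
    """
    problems = []
    if not 7 <= len(name) <= 64:
        problems.append("length must be 7 to 64 characters")
    if not USERNAME_RE.fullmatch(name):
        problems.append("must start with a letter and use only letters, digits, - and _")
    return problems


def check_secret_key(key, username):
    """Return the Table 1 secret key rules that `key` violates (empty list = OK)."""
    problems = []
    if not 8 <= len(key) <= 32:
        problems.append("length must be 8 to 32 characters")
    if key.startswith("-"):
        problems.append("must not start with '-'")
    # Count how many of the four character types appear in the key.
    types_present = sum(
        any(c in charset for c in key)
        for charset in (string.ascii_uppercase, string.ascii_lowercase,
                        string.digits, SPECIALS)
    )
    if types_present < 3:
        problems.append("needs at least three of: upper, lower, digit, special")
    # Assumption: the comparison with the username is exact (case-sensitive).
    if key in (username, username[::-1]):
        problems.append("must not be the username or the username reversed")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for user, key in [("Orders-App1", "Rk7_orders-prod"), ("Orders-App1", "1ppA-sredrO")]:
        print(user, check_username(user), check_secret_key(key, user))
```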

(Optional) Assigning Topic or Consumer Group Permissions to a User

Users are created with default topic and consumer group permissions. To override the defaults for specific topics or consumer groups, assign permissions here. By default, the administrator has all permissions.

This function is unavailable for the v5.x basic edition.

  1. Log in to the console.
  2. Click in the upper left corner to select a region.

    DMS for RocketMQ instances in different regions cannot communicate with each other over an intranet. Select the nearest location for low latency and fast access.

  3. Click and choose Middleware > Distributed Message Service for RocketMQ to open the console of DMS for RocketMQ.
  4. Click a RocketMQ instance name to go to the instance details page.
  5. In the navigation pane, choose Instance > Users.
  6. Click a user to go to the user details page.
  7. On the Topic Permissions or Consumer Group Permissions tab page, click Add.
  8. Select desired topics or consumer groups, select the required permissions, and click OK.

    These permissions override the default permissions. For example, in Figure 1, the user ends up with publish/subscribe permissions for topic test01.

    Figure 1 User details page

    The following operations can also be performed on the Topic Permissions or Consumer Group Permissions tab page.

    • Exporting the topic or consumer group list: Choose Export > Export all data to an XLSX file or Export > Export selected data to an XLSX file.
    • Deleting topics or consumer groups in either of the following ways:
      • In the row containing the topic or consumer group to be deleted, click Delete.
      • Select the topics or consumer groups to be deleted and click Delete in the upper left corner.
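The precedence described on this page (IP whitelist first, then administrator, then specific permissions over defaults) can be modelled to review what a user is actually allowed to do. This is an added example, not code from this page or from the service; the AclUser model, the function names, the sample user, and the octet-by-octet wildcard matching rule are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class AclUser:
    """Simplified model of one ACL user as configured in Table 1."""
    name: str
    admin: bool = False
    whitelist: str = ""                # console format, e.g. "192.168.1.2,192.*.*.*"
    default_topic: str = "None"
    default_group: str = "None"
    topics: dict = field(default_factory=dict)   # topic -> permission
    groups: dict = field(default_factory=dict)   # consumer group -> permission


def whitelist_entries(user):
    return [e.strip() for e in user.whitelist.split(",") if e.strip()]


def ip_whitelisted(user, client_ip):
    """Assumed matching rule: octet by octet, '*' matches any octet (IPv4 only)."""
    octets = client_ip.split(".")
    return any(
        len(p) == len(octets) and all(a in ("*", b) for a, b in zip(p, octets))
        for p in (e.split(".") for e in whitelist_entries(user))
    )


def resolve(user, client_ip, kind, resource):
    """Return (permission, secret_key_verified) for kind 'topic' or 'group'."""
    if ip_whitelisted(user, client_ip):
        return "Publish/Subscribe", False      # whitelist: full access, key not verified
    if user.admin:
        return ("Publish/Subscribe" if kind == "topic" else "Subscribe"), True
    specific, default = ((user.topics, user.default_topic) if kind == "topic"
                         else (user.groups, user.default_group))
    return specific.get(resource, default), True   # specific entry overrides default


def broad_whitelist_entries(user):
    """Whitelist entries that cover a whole segment and deserve review."""
    return [e for e in whitelist_entries(user) if "*" in e]


# Constructed sample user; test01 mirrors the topic named in the text above.
SAMPLE = AclUser("Orders-App1", whitelist="192.168.1.2,192.*.*.*",
                 default_topic="Subscribe", topics={"test01": "Publish/Subscribe"},
                 default_group="Subscribe", groups={"group01": "None"})
```

Running `resolve` for the same consumer group from a whitelisted and a non-whitelisted address shows how a wildcard entry overrides a None permission and skips secret key verification.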

Accessing the Server as a User

After ACL is enabled for an instance, user authentication information must be added to both the producer and consumer configurations. To enable ACL using Java, Go, or Python, refer to the following documents:

Modifying User Information

  1. Log in to the console.
  2. Click in the upper left corner to select a region.

    DMS for RocketMQ instances in different regions cannot communicate with each other over an intranet. Select the nearest location for low latency and fast access.

  3. Click and choose Middleware > Distributed Message Service for RocketMQ to open the console of DMS for RocketMQ.
  4. Click a RocketMQ instance name to go to the instance details page.
  5. In the navigation pane, choose Instance > Users.
  6. In the row containing the desired user, click Edit.
  7. Modify the user information as required.

    Usernames cannot be changed. For other parameters, see Table 1.

  8. Click OK.

Exporting Users

  1. Log in to the console.
  2. Click in the upper left corner to select a region.

    DMS for RocketMQ instances in different regions cannot communicate with each other over an intranet. Select the nearest location for low latency and fast access.

  3. Click and choose Middleware > Distributed Message Service for RocketMQ to open the console of DMS for RocketMQ.
  4. Click a RocketMQ instance name to go to the instance details page.
  5. In the navigation pane, choose Instance > Users.
  6. Export the user list in either of the following ways:

    • Select the desired users and choose Export > Export selected data to an XLSX file to export specified users.
    • Choose Export > Export all data to an XLSX file to export all users.

Deleting a User

Deleting a user will remove its authorization relationship and disconnect it from the instance.

  1. Log in to the console.
  2. Click in the upper left corner to select a region.

    DMS for RocketMQ instances in different regions cannot communicate with each other over an intranet. Select the nearest location for low latency and fast access.

  3. Click and choose Middleware > Distributed Message Service for RocketMQ to open the console of DMS for RocketMQ.
  4. Click a RocketMQ instance name to go to the instance details page.
  5. In the navigation pane, choose Instance > Users.
  6. In the row containing the desired user, click Delete.
  7. Click OK.

Related Documents