Configuring RocketMQ ACL Users
To produce messages to and consume messages from RocketMQ instances with ACL enabled, add ACL users. You can create multiple users and assign different topic and consumer group permissions to them.
Prerequisites
- A RocketMQ instance has been purchased.
- ACL has been enabled.
Creating a User
- Log in to the console.
- Click the region selector icon in the upper left corner to select a region.
DMS for RocketMQ instances in different regions cannot communicate with each other over an intranet. Select the nearest location for low latency and fast access.
- Click the service list icon and choose Middleware > Distributed Message Service for RocketMQ to open the console of DMS for RocketMQ.
- Click a RocketMQ instance name to go to the instance details page.
- In the navigation pane, choose Instance > Users.
- Click Create User.
- Configure the user's name and other parameters by referring to Table 1.
Table 1 User parameters
Parameter
Description
Name
Name of the user.
A username must meet the following requirements:
- Contains 7 to 64 characters.
- Only letters, digits, hyphens (-), and underscores (_) are allowed. The value must start with a letter.
- The name must be unique.
The name cannot be changed after the user is created.
IP Whitelist
Users from whitelisted IP addresses have publish/subscribe permissions for all topics and consumer groups, and their secret keys will not be verified.
The IP whitelist can be set to specific IP addresses or network segments.
- Use commas (,) to separate multiple IP addresses, for example, 192.168.1.2,192.168.2.3.
- Use asterisks (*) to specify a network segment, for example, 192.*.*.*.
Accessing a RocketMQ instance using IPv6 in the CN East2 region disables the IP address whitelist.
Administrator
Enabled by default and fixed for the 5.x basic edition.
A user configured as the administrator will have publish and subscribe permissions for all topics, and the subscribe permission for consumer groups.
Default Topic Permissions
Unavailable when the administrator is enabled.
Specifies the default topic permission of a user.
Options:
- None: The topic is disabled.
- Publish: Users can only send messages to the topic.
- Subscribe: Users can only consume messages from the topic.
- Publish/Subscribe: Users can send messages to or consume them from the topic.
The default permissions will be overwritten by the permissions configured for specific topics, if any. For example, if Default Topic Permissions is set to Subscribe, but a topic is configured with the Publish/Subscribe permissions, the topic's actual permissions will be Publish/Subscribe.
Default Consumer Group Permissions
Unavailable when the administrator is enabled.
Specifies the default consumer group permission of a user.
Options:
- None: The consumer group is disabled.
- Subscribe: The consumer group is enabled.
The default permissions will be overwritten by the permissions configured for specific consumer groups, if any. For example, if a consumer group is configured with the None permissions, the user will not have permissions for the consumer group, even if Default Consumer Group Permissions is set to Subscribe.
Secret Key
The user's secret key.
The key setting rules are as follows:
- Contains 8 to 32 characters.
- Cannot start with a hyphen (-) and must contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters `~!@#$%^&*()-_=+\|[{}];:'",<.>/?
- Cannot be the username or the username spelled backwards.
- Click OK.
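The Name and Secret Key rules in Table 1 can be checked before a user is submitted, for example when users are created in bulk. The following is an added example, not code from the product or its SDKs; the function names and sample values are hypothetical, letters are assumed to be ASCII, and the uniqueness rule is not covered because it needs the instance's user list.

```python
import re
import string

# Special characters listed in the Secret Key row of Table 1.
SPECIALS = set("`~!@#$%^&*()-_=+\\|[{}];:'\",<.>/?")


def check_username(name):
    """Return the Table 1 naming rules that `name` breaks (empty list = valid)."""
    problems = []
    if not 7 <= len(name) <= 64:
        problems.append("must contain 7 to 64 characters")
    if not re.fullmatch(r"[A-Za-z0-9_-]*", name):
        problems.append("only letters, digits, '-' and '_' are allowed")
    if not re.match(r"[A-Za-z]", name):
        problems.append("must start with a letter")
    return problems


def check_secret_key(key, username):
    """Return the Table 1 secret key rules that `key` breaks (empty list = valid)."""
    problems = []
    if not 8 <= len(key) <= 32:
        problems.append("must contain 8 to 32 characters")
    if key.startswith("-"):
        problems.append("cannot start with '-'")
    classes_present = sum((
        any(c in string.ascii_uppercase for c in key),
        any(c in string.ascii_lowercase for c in key),
        any(c in string.digits for c in key),
        any(c in SPECIALS for c in key),
    ))
    if classes_present < 3:
        problems.append("needs at least three character types")
    # Assumption: the comparison is exact (case-sensitive); the page does not say.
    if key in (username, username[::-1]):
        problems.append("cannot be the username or the username reversed")
    return problems


if __name__ == "__main__":
    user = "app-orders_01"  # constructed sample values
    for key in ("Orders#2024x", "10_sredro-ppa", "-abcdefgh"):
        print(user, repr(key), check_secret_key(key, user) or "ok")
```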
(Optional) Assigning Topic or Consumer Group Permissions to a User
Users are created with default topic and consumer group permissions. To modify the default permissions, reset them here. By default, the administrator has all permissions.
Unavailable for v5.x basic edition.
- Log in to the console.
- Click the region selector icon in the upper left corner to select a region.
DMS for RocketMQ instances in different regions cannot communicate with each other over an intranet. Select the nearest location for low latency and fast access.
- Click the service list icon and choose Middleware > Distributed Message Service for RocketMQ to open the console of DMS for RocketMQ.
- Click a RocketMQ instance name to go to the instance details page.
- In the navigation pane, choose Instance > Users.
- Click a user to go to the user details page.
- On the Topic Permissions or Consumer Group Permissions tab page, click Add.
- Select desired topics or consumer groups, select the required permissions, and click OK.
These permissions override the default permissions. For example, in Figure 1, users end up with publish/subscribe permissions for topic test01.
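The precedence described in Table 1 and in the note above (IP whitelist, then administrator, then per-resource permissions, then defaults) can be modelled to review what a user can actually reach from a given source address. This is an added example, not the service's implementation; the `AclUser` model, function names and sample user are hypothetical, only the IPv4 forms shown on this page are matched, and "all permissions" on a consumer group is represented as Subscribe.

```python
from dataclasses import dataclass, field

NONE, PUB, SUB, PUB_SUB = "None", "Publish", "Subscribe", "Publish/Subscribe"


@dataclass
class AclUser:  # hypothetical model of one entry on the Users page
    name: str
    admin: bool = True                 # Table 1: enabled by default
    ip_whitelist: str = ""             # comma-separated, as entered in the console
    default_topic: str = NONE
    default_group: str = NONE
    topic_perms: dict = field(default_factory=dict)   # topic -> permission
    group_perms: dict = field(default_factory=dict)   # group -> permission


def ip_whitelisted(whitelist, client_ip):
    """Match an IPv4 address against entries such as 192.168.1.2 or 192.*.*.*."""
    octets = client_ip.split(".")
    for entry in whitelist.split(","):
        pattern = entry.strip().split(".")
        if len(pattern) == len(octets) == 4 and all(
                p in ("*", o) for p, o in zip(pattern, octets)):
            return True
    return False


def effective_perm(user, kind, resource, client_ip):
    """Return (permission, secret_key_verified) for kind 'topic' or 'group'."""
    full = PUB_SUB if kind == "topic" else SUB
    if ip_whitelisted(user.ip_whitelist, client_ip):
        return full, False   # whitelisted source: all access, key not verified
    if user.admin:
        return full, True
    if kind == "topic":
        return user.topic_perms.get(resource, user.default_topic), True
    return user.group_perms.get(resource, user.default_group), True


# Constructed sample mirroring the page's examples.
reader = AclUser("report-reader", admin=False,
                 ip_whitelist="192.168.1.2,192.168.2.3",
                 default_topic=SUB, default_group=SUB,
                 topic_perms={"test01": PUB_SUB},
                 group_perms={"group-a": NONE})

if __name__ == "__main__":
    for ip in ("10.0.0.5", "192.168.2.3"):
        print(ip, effective_perm(reader, "topic", "test01", ip),
              effective_perm(reader, "group", "group-a", ip))
```

From a whitelisted address, the None permission set on group-a no longer applies and the secret key is not checked, so whitelist entries deserve the same review as administrator grants.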
The following operations can also be performed on the Topic Permissions or Consumer Group Permissions tab page.
- Exporting the topic or consumer group list: Choose Export > Export all data to an XLSX file or Export > Export selected data to an XLSX file.
- Deleting topics or consumer groups in either of the following ways:
- In the row containing the topic or consumer group to be deleted, click Delete.
- Select the topics or consumer groups to be deleted and click Delete in the upper left corner.
Accessing the Server as a User
After ACL is enabled for an instance, user authentication information must be added to both the producer and consumer configurations. To enable ACL using Java, Go, or Python, refer to the following documents:
Modifying User Information
- Log in to the console.
- Click the region selector icon in the upper left corner to select a region.
DMS for RocketMQ instances in different regions cannot communicate with each other over an intranet. Select the nearest location for low latency and fast access.
- Click the service list icon and choose Middleware > Distributed Message Service for RocketMQ to open the console of DMS for RocketMQ.
- Click a RocketMQ instance name to go to the instance details page.
- In the navigation pane, choose Instance > Users.
- In the row containing the desired user, click Edit.
- Modify the user information as required.
Usernames cannot be changed. For other parameters, see Table 1.
- Click OK.
Exporting Users
- Log in to the console.
- Click the region selector icon in the upper left corner to select a region.
DMS for RocketMQ instances in different regions cannot communicate with each other over an intranet. Select the nearest location for low latency and fast access.
- Click the service list icon and choose Middleware > Distributed Message Service for RocketMQ to open the console of DMS for RocketMQ.
- Click a RocketMQ instance name to go to the instance details page.
- In the navigation pane, choose Instance > Users.
- Export the user list in either of the following ways:
- Select the desired users and choose Export > Export selected data to an XLSX file to export specified users.
- Choose Export > Export all data to an XLSX file to export all users.
Deleting a User
Deleting a user will remove its authorization relationship and disconnect it from the instance.
- Log in to the console.
- Click the region selector icon in the upper left corner to select a region.
DMS for RocketMQ instances in different regions cannot communicate with each other over an intranet. Select the nearest location for low latency and fast access.
- Click the service list icon and choose Middleware > Distributed Message Service for RocketMQ to open the console of DMS for RocketMQ.
- Click a RocketMQ instance name to go to the instance details page.
- In the navigation pane, choose Instance > Users.
- In the row containing the desired user, click Delete.
- Click OK.
Related Documents
- To create a user by calling an API, see Creating a User.
- To access a RocketMQ instance with ACL enabled on a client, authentication is required. For details, see Accessing RocketMQ on a Client (Without SSL) and Accessing RocketMQ on a Client (With SSL).
- To produce and consume messages using Java, Go, and Python when ACL is enabled, authentication is required. For details, see Controlling Access with ACL, Controlling Access with ACL, and Controlling Access with ACL.