Role and Authentication
Last updated: 2024-12-02 17:10:17

Glossary

Role: Unlike a role in Tencent Cloud, a role in TDMQ for Apache Pulsar is a proprietary concept. It is the smallest unit of permission division that you define in TDMQ. You can add multiple roles and assign them production/consumption permissions on different namespaces.
Token: An authentication credential in TDMQ for Apache Pulsar. You add a token to a client so that it can access TDMQ for Apache Pulsar to produce/consume messages. Tokens and roles correspond one to one: each role has its own unique token.

Use Cases

You need to securely use TDMQ for Apache Pulsar to produce/consume messages.
You need to set production/consumption permissions of different namespaces for different roles.
For example, your company has departments A and B. Department A's system produces transaction data, and department B's system analyzes and displays that data. In line with the principle of least privilege, you can configure two roles: one that grants department A only the permission to produce messages to the transaction system namespace, and one that grants department B only the permission to consume messages. This greatly helps avoid problems caused by an unclear division of permissions, such as data disorder and dirty business data.

Directions

Creating role

1. Log in to the TDMQ for Apache Pulsar console and click Role Management on the left sidebar to enter the Role Management page.
2. On the Role Management page, select the region and cluster and click Create to enter the Create Role page.
3. On the Create Role page, enter the role name and remarks:
Role Name: it can contain up to 32 digits, letters, and delimiters (underscore or hyphen).
Remarks (optional): enter remarks of up to 100 characters.
4. Click Submit.


Granting permission to role

1. Find the newly created role in Role Management in the TDMQ for Apache Pulsar console and copy the role token using either of the following methods:
Method 1. Copy in the Token column: click Copy in the Token column.
Method 2. View and copy in the Operation column: click View Token in the Operation column and click Copy in the pop-up window.
2. Add the copied role token to the client parameters. For directions on how to add the token parameter to the client code, see JWT Authentication Configuration.
Note:
Token leakage may lead to data leakage; therefore, you should keep your token confidential.
3. In Namespace in the TDMQ for Apache Pulsar console, select the target namespace and click Configure Permission in the Operation column.

4. Click Add Role, find the role just created in the drop-down list, select the required permission, and click Save.

5. Check whether the permission has taken effect.
6. You can run the configured client to access the topic resources in the namespace and produce/consume messages according to the configured permission. Check whether a "no permission" error is reported; if not, the permission has been configured successfully.

Batch Importing Roles

In scenarios where user business systems are complex and require the configuration of multiple roles, TDMQ for Apache Pulsar provides a batch import roles feature. You can use the provided configuration template to fill in fields such as roles and permissions. After the file is uploaded to the console, TDMQ for Apache Pulsar will automatically create the roles and configure the corresponding permissions for you, reducing repetitive operational costs.
Note:
All fields are mandatory except for the description field.
Permissions only support Produce Messages and Consume Messages, and multiple permissions should be separated by commas.
A maximum of 300 entries can be imported at a time.
1. On the Role Management List page, click Batch Import Roles in the top-left corner.
2. In the pop-up dialog box, download the configuration template, complete the relevant fields as required, and save it. Below is an example of a completed template:

| Role Name | Description | Cluster Name | Cluster ID | Namespace | Permissions |
| --- | --- | --- | --- | --- | --- |
| role-test | test | cluster-test | pulsar-xxxxxxxxxxxxx | env-test | Produce messages and consume messages. |

3. During file upload, submit the completed role template. TDMQ for Apache Pulsar will automatically create the roles and configure the associated permissions for you.
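
A pre-upload check for the batch import template, enforcing the limits stated on this page (role name format, 100-character remarks, mandatory fields, the two supported permissions, 300 entries) and listing roles that hold both permissions for a least-privilege review. This is an added example, not Tencent Cloud code; it assumes the template has been saved as CSV with the column names shown above, and the function names and sample rows are constructed for illustration.

```python
import csv
import io
import re

# Limits below are the ones stated on this page; the CSV layout is an assumption.
ROLE_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")
ALLOWED = {"produce messages", "consume messages"}  # compared case-insensitively (assumption)
REQUIRED = ["Role Name", "Cluster Name", "Cluster ID", "Namespace", "Permissions"]
MAX_ENTRIES, MAX_DESCRIPTION = 300, 100

# Constructed sample: two single-permission roles, one malformed row, one broad role.
SAMPLE = """\
Role Name,Description,Cluster Name,Cluster ID,Namespace,Permissions
dept-a-producer,transaction writer,cluster-test,pulsar-xxxxxxxxxxxxx,env-test,Produce Messages
dept-b-consumer,,cluster-test,pulsar-xxxxxxxxxxxxx,env-test,Consume Messages
role test!,,cluster-test,pulsar-xxxxxxxxxxxxx,,"Produce Messages,Admin"
role-test,test,cluster-test,pulsar-xxxxxxxxxxxxx,env-test,"Produce Messages,Consume Messages"
"""


def _perms(row):
    return [p.strip().lower() for p in (row.get("Permissions") or "").split(",") if p.strip()]


def validate_template(csv_text):
    """Return (row_number, message) problems; an empty list means the file passes."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    problems = []
    if len(rows) > MAX_ENTRIES:
        problems.append((0, f"{len(rows)} entries exceeds the limit of {MAX_ENTRIES}"))
    for n, row in enumerate(rows, start=1):
        for field in REQUIRED:
            if not (row.get(field) or "").strip():
                problems.append((n, f"missing mandatory field: {field}"))
        name = (row.get("Role Name") or "").strip()
        if name and not ROLE_NAME_RE.fullmatch(name):
            problems.append((n, f"invalid role name: {name!r}"))
        if len(row.get("Description") or "") > MAX_DESCRIPTION:
            problems.append((n, "description longer than 100 characters"))
        for perm in _perms(row):
            if perm not in ALLOWED:
                problems.append((n, f"unsupported permission: {perm!r}"))
    return problems


def broad_roles(csv_text):
    """Role names granted both produce and consume; review against least privilege."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [row["Role Name"] for row in rows if set(_perms(row)) >= ALLOWED]
```
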

Editing permission

1. In Namespace in the TDMQ for Apache Pulsar console, find the target namespace and click Configure Permission in the Operation column to enter the permission configuration list.
2. In the permission configuration list, click Edit in the Operation column of the target role.
3. In the pop-up window, modify the permission information and click Save.

Deleting permission

Note:
Before deleting a permission, make sure that the current business no longer uses the role to produce/consume messages; otherwise, a client exception may occur due to the failure to produce/consume messages.
A role cannot be deleted if it has permissions configured in namespaces.
1. In Namespace in the TDMQ for Apache Pulsar console, find the target namespace and click Configure Permission in the Operation column to enter the permission configuration list.
2. In the permission configuration list, click Delete in the Operation column of the target role.
3. In the pop-up window, click OK.