Granting Sub-Account Resource-Level Permissions
Last updated: 2024-08-19 16:41:48
Overview
This task guides you to grant resource-level permissions to a sub-account using the root account. The sub-account with the granted permissions can have control capability over a specific resource.
Prerequisites
You have a Tencent Cloud root account and have already activated the CAM service.
You have at least one sub-account under the root account, and the authorization has been completed according to sub-account access authorization.
You have at least one Pulsar instance.
Directions
You can use the policy feature of the CAM console to authorize the Pulsar resources owned by the root account to sub-accounts. Detailed Pulsar resource authorization to sub-accounts is as follows. This example demonstrates how to authorize a cluster resource to a sub-account, with similar directions for other types of resources.
Step 1: Obtaining a Pulsar Cluster ID
1. Log in to the TDMQ for Apache Pulsar console using the root account, select an existing cluster instance, and click to enter its details page.
2. In the Basic Information, the field ID represents the ID of the current Pulsar cluster.
Step 2: Creating a Authorization Policy
1. Enter the CAM Console, and click Policies in the left sidebar.
2. Click Create custom Policy, and select Create by Policy Generator.
3. In the visual policy generator, keep the Effect as Allow. In the Service field, enter TDMQ for filtering, and select Message Queue TDMQ (tdmq) from the results.
4. In Action, choose All actions, or you can select the operation types according to your needs.
Note:
Some APIs do not support resource-level authorization at the moment, which is based on the display on the console page. For a list of APIs that support resource-level authorization, you can see the list of APIs that support resource-level authorization in the appendix of this document.
5. In Resources, select specific resource, and find Add Custom Resources in six stages. In the pop-up sidebar dialog, enter the cluster prefix and resource ID. For the obtaining process, see Step 1.
6. Click Next, and fill in the policy name as required.
7. Click select user or select user group, and choose the user or user group to grant resource permissions to.
8. Click Complete, and the sub-account that is granted the resource permissions has the capability to access the related resource.
List of APIs Supporting Authorization at Resource-Level
TDMQ for Apache Pulsar supports resource-level authorization. You can grant a specified sub-account API permissions for specific resources.
APIs supporting resource-level authorization include:
API Name | API Description | Resource Type | Six-Segment Example of Resource |
DescribeClusterDetail | Gets the cluster detail. | cluster | qcs::tdmq:${region}:uin/${uin}:cluster/${clusterId} |
DescribeClusters | Gets the cluster list. | cluster | qcs::tdmq:${region}:uin/${uin}:cluster/${cluster} |
ModifyCluster | Modifies the cluster. | cluster | qcs::tdmq:${region}:uin/${uin}:cluster/${clusterId} |
DeleteCluster | Deletes the cluster. | cluster | qcs::tdmq:${region}:uin/${uin}:cluster/${clusterId} |
CreateRole | Creates a role. | cluster | qcs::tdmq:${region}:uin/${uin}:cluster/${clusterId} |
DeleteRoles | Deletes a role. | cluster | qcs::tdmq:${region}:uin/${uin}:cluster/${clusterId} |
CreateEnvironment | Creates an environment. | cluster | qcs::tdmq:${region}:uin/${uin}:cluster/${clusterId} |
CreateTopic | Creates a topic. | environment | qcs::tdmq:${region}:uin/${uin}:environment/${clusterId}/${environmentId} |
ModifyEnvironmentAttributes | Modifies the environmental attribute. | environment | qcs::tdmq:${region}:uin/${uin}:environment/${clusterId}/${environmentId} |
DeleteEnvironments | Deletes the environment. | environment | qcs::tdmq:${region}:uin/${uin}:environment/${clusterId}/${environmentId} |
DescribeEnvironments | Gets the environment list. | environmentId | qcs::tdmq:${region}:uin/${uin}:environmentId/${clusterId}/${environmentId} |
DescribeEnvironmentAttributes | Gets the environment attribute. | environmentId | qcs::tdmq:${region}:uin/${uin}:environmentId/${clusterId}/${environmentId} |
DescribeEnvironmentRoles | Gets the environment role list. | environmentRoles | qcs::tdmq:${region}:uin/${uin}:environmentRoles/${clusterId}/${environmentId}/${roleName} |
CreateEnvironmentRole | Creates the environment role authorization. | environmentRole | qcs::tdmq:${region}:uin/${uin}:environmentRole/${clusterId}/${environmentId}/${roleName} |
DeleteEnvironmentRoles | Deletes the environment role authorization. | environmentRole | qcs::tdmq:${region}:uin/${uin}:environmentRole/${clusterId}/${environmentId}/${roleName} |
ModifyEnvironmentRole | Modifies the environment role authorization. | environmentRole | qcs::tdmq:${region}:uin/${uin}:environmentRole/${clusterId}/${environmentId}/${roleName} |
DescribeMsgTrace | Message trace. | topic | qcs::tdmq:${region}:uin/${uin}:topic/${clusterId}/${environmentId}/${topicName} |
DescribeMsg | Message details. | topic | qcs::tdmq:${region}:uin/${uin}:topic/${clusterId}/${environmentId}/${topicName} |
DescribeTopicMsgs | Message query. | topic | qcs::tdmq:${region}:uin/${uin}:topic/${clusterId}/${environmentId}/${topicName} |
DescribeTopics | Queries the topic list. | topic | qcs::tdmq:${region}:uin/${uin}:topic/${clusterId}/${environmentId}/${topicName} |
DescribeProducers | Gets the producer list. | topic | qcs::tdmq:${region}:uin/${uin}:topic/${clusterId}/${environmentId}/${topicName} |
DeleteTopics | Batch deletes topics. | topic | qcs::tdmq:${region}:uin/${uin}:topic/${clusterId}/${environmentId}/${topicSets.topicName} |
ModifyTopic | Modifies the topic. | topic | qcs::tdmq:${region}:uin/${uin}:topic/${clusterId}/${environmentId}/${topicName} |
CreateSubscription | Creates a subscription relationship for a topic. | topic | qcs::tdmq:${region}:uin/${uin}:topic/${clusterId}/${environmentId}/${topicName} |
ResetMsgSubOffsetByTimestamp | Performs message retrospection based on timestamp, accurate to milliseconds. | subscription | qcs::tdmq:${region}:uin/${uin}:subscription/$clusterId/$environmentId/$topicName/$subscriptionName |
DeleteSubscriptions | Deletes the subscription relationship. | subscription | qcs::tdmq:${region}:uin/${uin}:subscription/${clusterId}/${environmentId}/${topicName}/${subscriptionName} |
DescribeRealTimeSubscription | Real-time consumption and subscription list. | subscription | qcs::tdmq:${region}:uin/${uin}:subscription/${clusterId}/${environmentId}/${topicName}/${subscriptionName} |
DescribeSubscriptions | Consumption and subscription list. | subscription | qcs::tdmq:${region}:uin/${uin}:subscription/${clusterId}/${environmentId}/${topicName}/${subscriptionName} |
ModifyRole | Modifies the role. | role | qcs::tdmq:${region}:uin/${uin}:role/${clusterId}/${roleName} |
DescribeRoles | Obtains the list of the role. | role | qcs::tdmq:${region}:uin/${uin}:role/${clusterId}/${roleName} |
List of APIs not Supporting Authorization at Resource-Level
API Name | API Description |
CreateCluster | Creates a cluster. |
Was this page helpful?
You can also Contact Sales or Submit a Ticket for help.
Yes
No