Granting Sub-Account Resource-Level Permissions

Last updated: 2024-08-19 16:41:48

    Overview

    This task guides you through granting resource-level permissions to a sub-account from the root account. A sub-account granted such permissions can operate on the specific resource named in the policy and nothing else.

    Prerequisites

    You have a Tencent Cloud root account and have already activated the CAM service.
    You have at least one sub-account under the root account, and its access has been set up according to the sub-account access authorization guide.
    You have at least one Pulsar instance.

    Directions

    You can use the policy feature of the CAM console to grant sub-accounts access to Pulsar resources owned by the root account. The detailed steps are as follows. This example shows how to authorize a single cluster resource to a sub-account; the directions for other resource types are similar.

    Step 1: Obtaining a Pulsar Cluster ID

    1. Log in to the TDMQ for Apache Pulsar console using the root account, select an existing cluster instance, and click to enter its details page.
    2. In Basic Information, the ID field is the ID of the current Pulsar cluster.
    

    Step 2: Creating an Authorization Policy

    1. Enter the CAM Console, and click Policies in the left sidebar.
    2. Click Create Custom Policy, and select Create by Policy Generator.
    3. In the visual policy generator, keep the Effect as Allow. In the Service field, enter TDMQ for filtering, and select Message Queue TDMQ (tdmq) from the results.
    
    4. In Action, choose All actions, or you can select the operation types according to your needs.
    Note:
    Some APIs do not currently support resource-level authorization; the console page shows which actions can be scoped to a resource. For the full list of APIs that support resource-level authorization, see the appendix of this document.
    
    5. In Resources, select specific resources and click Add Custom Resources to enter a resource in six-segment format. In the pop-up sidebar dialog, enter the cluster prefix and the resource ID obtained in Step 1.
    
    6. Click Next, and fill in the policy name as required.
    7. Click select user or select user group, and choose the user or user group to grant resource permissions to.
    
    8. Click Complete. The sub-account granted the resource permissions can now access the related resource.

    List of APIs Supporting Authorization at Resource-Level

    TDMQ for Apache Pulsar supports resource-level authorization. You can grant a specified sub-account API permissions for specific resources.
    APIs supporting resource-level authorization include:
    API Name | API Description | Resource Type | Six-Segment Example of Resource
    --- | --- | --- | ---
    DescribeClusterDetail | Gets the cluster detail. | cluster | qcs::tdmq:${region}:uin/${uin}:cluster/${clusterId}
    DescribeClusters | Gets the cluster list. | cluster | qcs::tdmq:${region}:uin/${uin}:cluster/${cluster}
    ModifyCluster | Modifies the cluster. | cluster | qcs::tdmq:${region}:uin/${uin}:cluster/${clusterId}
    DeleteCluster | Deletes the cluster. | cluster | qcs::tdmq:${region}:uin/${uin}:cluster/${clusterId}
    CreateRole | Creates a role. | cluster | qcs::tdmq:${region}:uin/${uin}:cluster/${clusterId}
    DeleteRoles | Deletes a role. | cluster | qcs::tdmq:${region}:uin/${uin}:cluster/${clusterId}
    CreateEnvironment | Creates an environment. | cluster | qcs::tdmq:${region}:uin/${uin}:cluster/${clusterId}
    CreateTopic | Creates a topic. | environment | qcs::tdmq:${region}:uin/${uin}:environment/${clusterId}/${environmentId}
    ModifyEnvironmentAttributes | Modifies the environment attributes. | environment | qcs::tdmq:${region}:uin/${uin}:environment/${clusterId}/${environmentId}
    DeleteEnvironments | Deletes the environment. | environment | qcs::tdmq:${region}:uin/${uin}:environment/${clusterId}/${environmentId}
    DescribeEnvironments | Gets the environment list. | environmentId | qcs::tdmq:${region}:uin/${uin}:environmentId/${clusterId}/${environmentId}
    DescribeEnvironmentAttributes | Gets the environment attributes. | environmentId | qcs::tdmq:${region}:uin/${uin}:environmentId/${clusterId}/${environmentId}
    DescribeEnvironmentRoles | Gets the environment role list. | environmentRoles | qcs::tdmq:${region}:uin/${uin}:environmentRoles/${clusterId}/${environmentId}/${roleName}
    CreateEnvironmentRole | Creates the environment role authorization. | environmentRole | qcs::tdmq:${region}:uin/${uin}:environmentRole/${clusterId}/${environmentId}/${roleName}
    DeleteEnvironmentRoles | Deletes the environment role authorization. | environmentRole | qcs::tdmq:${region}:uin/${uin}:environmentRole/${clusterId}/${environmentId}/${roleName}
    ModifyEnvironmentRole | Modifies the environment role authorization. | environmentRole | qcs::tdmq:${region}:uin/${uin}:environmentRole/${clusterId}/${environmentId}/${roleName}
    DescribeMsgTrace | Message trace. | topic | qcs::tdmq:${region}:uin/${uin}:topic/${clusterId}/${environmentId}/${topicName}
    DescribeMsg | Message details. | topic | qcs::tdmq:${region}:uin/${uin}:topic/${clusterId}/${environmentId}/${topicName}
    DescribeTopicMsgs | Message query. | topic | qcs::tdmq:${region}:uin/${uin}:topic/${clusterId}/${environmentId}/${topicName}
    DescribeTopics | Queries the topic list. | topic | qcs::tdmq:${region}:uin/${uin}:topic/${clusterId}/${environmentId}/${topicName}
    DescribeProducers | Gets the producer list. | topic | qcs::tdmq:${region}:uin/${uin}:topic/${clusterId}/${environmentId}/${topicName}
    DeleteTopics | Batch deletes topics. | topic | qcs::tdmq:${region}:uin/${uin}:topic/${clusterId}/${environmentId}/${topicSets.topicName}
    ModifyTopic | Modifies the topic. | topic | qcs::tdmq:${region}:uin/${uin}:topic/${clusterId}/${environmentId}/${topicName}
    CreateSubscription | Creates a subscription relationship for a topic. | topic | qcs::tdmq:${region}:uin/${uin}:topic/${clusterId}/${environmentId}/${topicName}
    ResetMsgSubOffsetByTimestamp | Rewinds a subscription to a timestamp, accurate to milliseconds. | subscription | qcs::tdmq:${region}:uin/${uin}:subscription/${clusterId}/${environmentId}/${topicName}/${subscriptionName}
    DeleteSubscriptions | Deletes the subscription relationship. | subscription | qcs::tdmq:${region}:uin/${uin}:subscription/${clusterId}/${environmentId}/${topicName}/${subscriptionName}
    DescribeRealTimeSubscription | Real-time consumption and subscription list. | subscription | qcs::tdmq:${region}:uin/${uin}:subscription/${clusterId}/${environmentId}/${topicName}/${subscriptionName}
    DescribeSubscriptions | Consumption and subscription list. | subscription | qcs::tdmq:${region}:uin/${uin}:subscription/${clusterId}/${environmentId}/${topicName}/${subscriptionName}
    ModifyRole | Modifies the role. | role | qcs::tdmq:${region}:uin/${uin}:role/${clusterId}/${roleName}
    DescribeRoles | Gets the role list. | role | qcs::tdmq:${region}:uin/${uin}:role/${clusterId}/${roleName}
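    The policy generator in Step 2 produces a CAM policy document whose resource entries use the six-segment format listed in the table above. The following Python is an added example, not from the Tencent Cloud page: it builds the cluster-scoped policy that Step 2 yields for a few of the listed actions, and checks a policy for allow statements that fall back to the wildcard resource "*" instead of a six-segment string. The region, UIN and cluster ID are constructed placeholders, and the lowercase version/statement/effect/action/resource layout is assumed.

```python
import re

# Added example, not from the Tencent Cloud page: builds the CAM custom policy
# that Step 2 produces (a few tdmq actions scoped to one cluster) and flags
# allow statements that fall back to the wildcard resource "*". Assumes the CAM
# layout {"version": "2.0", "statement": [...]} with lowercase effect/action/
# resource keys; region, UIN and cluster ID below are constructed placeholders.

# Six-segment tdmq resource from the table: qcs::tdmq:<region>:uin/<uin>:<type>/<path>
SIX_SEGMENT = re.compile(
    r"^qcs::tdmq:(?P<region>[a-z0-9-]*):uin/(?P<uin>\d+):(?P<type>[A-Za-z]+)/(?P<path>[^/].*)$"
)

def cluster_resource(region: str, uin: str, cluster_id: str) -> str:
    """Six-segment string for one cluster, per the page's table."""
    return f"qcs::tdmq:{region}:uin/{uin}:cluster/{cluster_id}"

def cluster_policy(region: str, uin: str, cluster_id: str, actions: list) -> dict:
    """Allow the given tdmq API names on exactly one cluster and nothing else."""
    return {
        "version": "2.0",
        "statement": [{
            "effect": "allow",
            "action": [f"tdmq:{a}" for a in actions],
            "resource": [cluster_resource(region, uin, cluster_id)],
        }],
    }

def find_unscoped(policy: dict) -> list:
    """(statement index, resource) for each allow statement whose resource is "*" or malformed."""
    bad = []
    for i, st in enumerate(policy.get("statement", [])):
        if st.get("effect") != "allow":
            continue
        resources = st.get("resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for r in resources:
            if r == "*" or not SIX_SEGMENT.match(r):
                bad.append((i, r))
    return bad

# Weak form for comparison: every tdmq action on every resource in the account.
WILDCARD_POLICY = {"version": "2.0", "statement": [{"effect": "allow", "action": ["tdmq:*"], "resource": ["*"]}]}

if __name__ == "__main__":
    scoped = cluster_policy("ap-guangzhou", "100000000001", "pulsar-example-id",
                            ["DescribeClusterDetail", "DescribeClusters", "ModifyCluster"])
    print("wildcard:", find_unscoped(WILDCARD_POLICY))  # [(0, '*')]
    print("scoped:", find_unscoped(scoped))            # []
```

Running the check against the exported JSON of an existing custom policy is a quick way to confirm that a policy meant for one cluster has not silently been created with "All resources".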

    List of APIs not Supporting Authorization at Resource-Level

    API Name | API Description
    --- | ---
    CreateCluster | Creates a cluster.