The role and authentication feature lets you configure independent roles for producers and consumers and grant each role production and consumption permissions on different namespaces, so that permissions are isolated between roles. When a client produces or consumes messages, the system authenticates it and checks its permissions; any unauthorized operation is rejected.
This mechanism isolates permissions between business units, protects the message system, and meets resource management requirements in multi-team collaboration scenarios. Applying the principle of least privilege prevents, at the source, the data corruption that unauthorized access would otherwise cause.
Terms
Role: A role in TDMQ for Apache Pulsar is a concept specific to TDMQ for Apache Pulsar and is unrelated to Tencent Cloud roles. A role is the smallest unit of permission management within TDMQ. You can add multiple roles and grant each of them production and consumption permissions on different namespaces.
Token: A token in TDMQ for Apache Pulsar is the credential used for authentication. You add the token to the client to access TDMQ for Apache Pulsar for message production and consumption. Tokens and roles map one to one: each role has its own unique token, and whoever presents the token acts as that role.
Scenarios
Users need to securely use TDMQ for Apache Pulsar to produce and consume messages.
Users need to grant production and consumption permissions on different namespaces to different roles.
For example, a company has department A and department B. The system of department A generates transaction data, and the system of department B analyzes and displays that data. Two roles can therefore be configured in line with the principle of least privilege: grant the role of department A only the permission to produce messages to the transaction system's namespace, and grant the role of department B only the permission to consume messages from it. This avoids the problems that unclear permission boundaries cause, such as data corruption and dirty business data.
Operation Steps
Adding a Role
1. In the left sidebar of the TDMQ for Apache Pulsar console, choose Role Management, select the region and the current cluster, and click Create to go to the Create Role page.
2. On the Create Role page, fill in the role name and description.
Role: A maximum of 32 characters; digits, uppercase and lowercase letters, and delimiters, including underscores (_) and hyphens (-), are supported.
Description (optional): A maximum of 128 characters.
3. Click Submit to create the role.
Granting Permissions to a Role
1. On the Role Management page of the TDMQ for Apache Pulsar console, find the newly created role and copy its token by using either of the following methods:
Method 1: Copying from the Token Column. Click Copy in the token column.
Method 2: Viewing and Copying from the Operation Column. Click View Token in the operation column. In the View Token dialog box, click the copy icon.
2. Add the copied role token to the client parameters.
Note
Token leakage may lead to data leakage. Keep your token securely: do not hard-code it in source code or commit it to a repository; load it at runtime from an environment variable or a secrets manager. Anyone who obtains the token can produce or consume messages with the full permissions of that role.
Configure JWT authentication in the Java client. Both snippets need the following imports, and PulsarClient.builder().build() throws PulsarClientException, which the caller must handle.
import org.apache.pulsar.client.api.AuthenticationFactory;
import org.apache.pulsar.client.api.PulsarClient;
import org.apache.pulsar.client.api.PulsarClientException;
Cluster Access Example of Version 2.7.1 and Later
PulsarClient client = PulsarClient.builder()
        // Cluster access address copied from the console (placeholder)
        .serviceUrl("http://*")
        // Role token copied from the console (placeholder); load it from configuration, not a literal
        .authentication(AuthenticationFactory.token("eyJh****"))
        .build();
Cluster Access Example of Version 2.6.1
PulsarClient client = PulsarClient.builder()
        // Cluster access address and port copied from the console (placeholder)
        .serviceUrl("pulsar://*.*.*.*:6000/")
        // Role token copied from the console (placeholder)
        .authentication(AuthenticationFactory.token("eyJh****"))
        // VPC listener name in the form custom:<APPID>/<VPC ID>/<subnet ID> (placeholder)
        .listenerName("custom:1********0/vpc-******/subnet-********")
        .build();
Configure JWT authentication in the Go client. Both snippets use the pulsar package from github.com/apache/pulsar-client-go/pulsar and must check the returned error.
import "github.com/apache/pulsar-client-go/pulsar"
Cluster Access Example of Version 2.7.1 and Later
client, err := pulsar.NewClient(pulsar.ClientOptions{
	// Cluster access address copied from the console (placeholder)
	URL: "http://*",
	// Role token copied from the console (placeholder); load it from configuration, not a literal
	Authentication: pulsar.NewAuthenticationToken("eyJh****"),
})
if err != nil {
	log.Fatalf("create pulsar client: %v", err)
}
defer client.Close()
Cluster Access Example of Version 2.6.1
client, err := pulsar.NewClient(pulsar.ClientOptions{
	// Cluster access address and port copied from the console (placeholder)
	URL: "pulsar://*.*.*.*:6000",
	// Role token copied from the console (placeholder)
	Authentication: pulsar.NewAuthenticationToken("eyJh****"),
	// VPC listener name in the form custom:<APPID>/<VPC ID>/<subnet ID> (placeholder)
	ListenerName: "custom:1300*****0/vpc-******/subnet-********",
})
if err != nil {
	log.Fatalf("create pulsar client: %v", err)
}
defer client.Close()
3. On the Namespace page in the TDMQ for Apache Pulsar console, select the namespace for which production and consumption permissions need to be configured, and click Configure Permission in the operation column.
4. Click Add Role, select the newly created role from the drop-down list, select the required permissions, and click Save.
5. Check whether the permissions have taken effect.
Run the configured client against topics in that namespace and produce or consume messages according to the granted permissions. If the permitted operations succeed without a permission error, the configuration is successful. Also verify the negative case: an operation the role was not granted (for example, consuming with a role that only has produce permission) must be rejected with an authorization error, otherwise the isolation is not in place.
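The following is an added example for step 5, written for this page rather than taken from TDMQ or the Pulsar client library. It probes both operations with a single role token and compares the observed outcome with the permissions configured in the console, so that both the positive and the negative case are checked. The class name RolePermissionCheck, the environment variables TDMQ_SERVICE_URL and TDMQ_ROLE_TOKEN, the subscription name perm-check and the command-line arguments are assumptions of this example.

```java
import org.apache.pulsar.client.api.AuthenticationFactory;
import org.apache.pulsar.client.api.Consumer;
import org.apache.pulsar.client.api.Producer;
import org.apache.pulsar.client.api.PulsarClient;
import org.apache.pulsar.client.api.PulsarClientException;

/**
 * Added example (hypothetical helper, not part of TDMQ or Pulsar): checks that a role
 * token is granted exactly the produce/consume permissions configured in the console.
 */
public class RolePermissionCheck {

    /** Outcome of one probe: the broker accepted it, rejected it for authorization, or failed otherwise. */
    enum Outcome { GRANTED, DENIED, ERROR }

    /** Try to create a producer on the topic; the broker rejects this without produce permission. */
    static Outcome probeProduce(PulsarClient client, String topic) {
        try (Producer<byte[]> producer = client.newProducer().topic(topic).create()) {
            return Outcome.GRANTED;
        } catch (PulsarClientException.AuthorizationException e) {
            return Outcome.DENIED;
        } catch (PulsarClientException e) {
            return Outcome.ERROR;   // connectivity, authentication or other failure, not a permission verdict
        }
    }

    /** Try to subscribe to the topic; the broker rejects this without consume permission. */
    static Outcome probeConsume(PulsarClient client, String topic, String subscription) {
        try (Consumer<byte[]> consumer = client.newConsumer()
                .topic(topic).subscriptionName(subscription).subscribe()) {
            return Outcome.GRANTED;
        } catch (PulsarClientException.AuthorizationException e) {
            return Outcome.DENIED;
        } catch (PulsarClientException e) {
            return Outcome.ERROR;
        }
    }

    /** A granted permission must be observed as GRANTED; a withheld one must be observed as DENIED. */
    static boolean matches(Outcome actual, boolean expectedGranted) {
        return expectedGranted ? actual == Outcome.GRANTED : actual == Outcome.DENIED;
    }

    // Usage: RolePermissionCheck <topic> <expectProduce true|false> <expectConsume true|false>
    public static void main(String[] args) throws PulsarClientException {
        // Assumed inputs: address and token come from the environment so the token is never a literal.
        String serviceUrl = System.getenv("TDMQ_SERVICE_URL");
        String token = System.getenv("TDMQ_ROLE_TOKEN");
        String topic = args[0];                              // a test topic in the namespace being checked
        boolean expectProduce = Boolean.parseBoolean(args[1]);
        boolean expectConsume = Boolean.parseBoolean(args[2]);

        PulsarClient client = PulsarClient.builder()
                .serviceUrl(serviceUrl)
                .authentication(AuthenticationFactory.token(token))
                .build();
        boolean ok;
        try {
            Outcome produce = probeProduce(client, topic);
            Outcome consume = probeConsume(client, topic, "perm-check");
            ok = matches(produce, expectProduce) && matches(consume, expectConsume);
            System.out.printf("produce=%s (expected granted=%s), consume=%s (expected granted=%s) -> %s%n",
                    produce, expectProduce, consume, expectConsume, ok ? "OK" : "MISMATCH");
        } finally {
            client.close();
        }
        System.exit(ok ? 0 : 1);
    }
}
```

Run it once per role against a dedicated test topic in the namespace. The consume probe creates the subscription perm-check on that topic, so either use a test topic or remove the subscription afterwards. An ERROR outcome means the probe could not reach a permission decision (wrong address, expired or malformed token, network) and should be fixed before drawing any conclusion about the role's permissions.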
Importing Roles in Batches
In a scenario where the business system is complex and multiple role permissions need to be configured, TDMQ for Apache Pulsar provides the batch role import feature. You can fill in field information such as roles and permissions based on the provided configuration template and upload the information to the console. TDMQ for Apache Pulsar will automatically create roles and configure relevant permissions, reducing repetitive operations.
Note:
All fields except the Description field are required.
Only the "produce messages" and "consume messages" permissions are supported. Multiple permissions should be separated by commas.
A maximum of 300 data entries can be imported at a time.
1. In the upper-left corner of the Role Management list page, click Batch Import.
2. In the pop-up dialog box, download the configuration template, fill in the relevant fields, and save the file. The following example shows one row of configuration information; the columns are the role name, description, cluster name, cluster ID, namespace, and permissions.
| Role | Description | Cluster Name | Cluster ID | Namespace | Permission |
| role-test | test | cluster-test | pulsar-xxxxxxxxxxxxx | env-test | Produce messages, Consume messages |
3. In the File Upload section, upload the completed role template. TDMQ for Apache Pulsar will automatically create roles and configure relevant permissions for you.
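Because an import of up to 300 rows is rejected or partially applied on the basis of rules that are easy to violate by hand, the following added example checks a filled-in template against the rules stated above before it is uploaded. It is written for this page and is not a TDMQ tool. It assumes the template was saved as a tab-separated text file with a header line and the six columns shown in the example row (tabs are assumed because the permissions field itself is comma-separated); the class name RoleTemplateCheck is an assumption of this example.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Added example (not a TDMQ tool): validates a batch role import template against the
 * rules on this page before upload. Assumed format: tab-separated, header on the first line.
 */
public class RoleTemplateCheck {
    static final int MAX_ROWS = 300;                                     // "A maximum of 300 data entries"
    static final int MAX_DESCRIPTION = 128;                              // from the Create Role page rules
    static final Pattern ROLE_NAME = Pattern.compile("[0-9A-Za-z_-]{1,32}"); // from the Create Role page rules
    static final Set<String> PERMISSIONS = Set.of("produce messages", "consume messages");
    static final String[] COLUMNS = {"role", "description", "cluster name", "cluster ID", "namespace", "permissions"};

    /** Validates data rows (header excluded); returns problems found, an empty list means ready to upload. */
    static List<String> validate(List<String> rows) {
        List<String> problems = new ArrayList<>();
        if (rows.size() > MAX_ROWS) {
            problems.add("too many rows: " + rows.size() + " (maximum " + MAX_ROWS + " per import)");
        }
        for (int i = 0; i < rows.size(); i++) {
            int line = i + 2;                                            // +1 for header, +1 for 1-based lines
            String[] f = rows.get(i).split("\t", -1);
            if (f.length != COLUMNS.length) {
                problems.add("line " + line + ": expected " + COLUMNS.length + " fields, found " + f.length);
                continue;
            }
            // All fields except Description (column 2) are required.
            for (int c = 0; c < f.length; c++) {
                if (c != 1 && f[c].trim().isEmpty()) {
                    problems.add("line " + line + ": " + COLUMNS[c] + " is required");
                }
            }
            String role = f[0].trim();
            if (!role.isEmpty() && !ROLE_NAME.matcher(role).matches()) {
                problems.add("line " + line + ": role name must be 1-32 characters of letters, digits, _ or -");
            }
            if (f[1].length() > MAX_DESCRIPTION) {
                problems.add("line " + line + ": description longer than " + MAX_DESCRIPTION + " characters");
            }
            // Only "produce messages" and "consume messages", separated by commas, are supported.
            Set<String> seen = new HashSet<>();
            for (String p : f[5].split(",")) {
                String perm = p.trim().toLowerCase();
                if (perm.isEmpty()) {
                    continue;                                            // already reported as required if blank
                }
                if (!PERMISSIONS.contains(perm)) {
                    problems.add("line " + line + ": unsupported permission \"" + p.trim() + "\"");
                } else if (!seen.add(perm)) {
                    problems.add("line " + line + ": permission \"" + p.trim() + "\" listed twice");
                }
            }
        }
        return problems;
    }

    // Usage: RoleTemplateCheck <template.tsv>
    public static void main(String[] args) throws IOException {
        List<String> lines = Files.readAllLines(Path.of(args[0]));
        List<String> rows = new ArrayList<>();
        for (int i = 1; i < lines.size(); i++) {                         // skip the header line
            if (!lines.get(i).isBlank()) {
                rows.add(lines.get(i));
            }
        }
        List<String> problems = validate(rows);
        problems.forEach(System.out::println);
        System.out.println(problems.isEmpty() ? rows.size() + " rows OK" : problems.size() + " problem(s) found");
        System.exit(problems.isEmpty() ? 0 : 1);
    }
}
```

Permission names are compared case-insensitively because the page writes them both as "Produce messages" and "produce messages". The check reports every problem in the file rather than stopping at the first, so a large template can be corrected in one pass.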
Editing Permissions
1. On the Namespace page in the TDMQ for Apache Pulsar console, find the namespace for which the production and consumption permissions need to be configured, and click Configure Permission in the operation column to go to the permission configuration list.
2. In the permission configuration list, find the role whose permissions need to be edited, and click Edit in the operation column.
3. In the editing dialog box, modify the permission information, and click Save.
Deleting Permissions
Note
Deleting permissions is a risky operation. Before you delete a permission, make sure that the business no longer uses the role to produce or consume messages on that namespace. Otherwise, the client will fail because its production or consumption requests are rejected.
A role cannot be deleted while it still holds permissions in any namespace; remove its permissions from every namespace first.
1. On the Namespace page in the TDMQ for Apache Pulsar console, find the namespace for which the production and consumption permissions need to be configured, and click Configure Permission in the operation column to go to the permission configuration list.
2. In the permission configuration list, find the role whose permissions need to be deleted, and click Delete in the operation column.
3. In the deletion dialog box, click Confirm to remove the role's permissions on this namespace.