
Configure Vhost Permission
Last updated: 2026-01-04 15:02:27
You can use the user and permission management feature to configure an independent user identity for each producer and consumer, and to grant different users different operation permissions on different vhosts and on the resources under those vhosts, thereby isolating users from one another. When a client produces or consumes messages, the system authenticates the client and checks its permissions; unauthorized operations are rejected.
This mechanism isolates the permissions of different business units. It protects the message system and also meets the resource management needs of multi-team collaboration. By adhering to the principle of least privilege, it prevents the data disorder that unauthorized access would otherwise cause.

Terms

User: The smallest unit of access control in a TDMQ for RabbitMQ cluster. You configure permissions per user to grant configuration and read/write permissions under different vhosts.
User password: The credential a client presents together with the username to access a TDMQ for RabbitMQ cluster for message production and consumption.
Permissions: A user's operation permissions on the exchanges and queues under a vhost, consisting of configuration permissions and read/write permissions.
Configuration permissions: Govern the declaration and deletion of exchanges and queues.
Read/Write permissions: Govern reading messages from queues, sending messages to exchanges, and binding queues to exchanges.

Use Limits

The maximum number of users in a single cluster is 20.
Each Managed Edition cluster has a default user named "admin" that cannot be deleted or have its password modified. You can use this user directly or create a user. Serverless Edition clusters do not have a default user.

Scenarios

Users need to securely use TDMQ for RabbitMQ to produce and consume messages.
Users need to set production and consumption permissions of different vhosts for different users.
For example, a company has department A and department B. Department A's system generates transaction data, and department B's system analyzes and displays that data. Following the principle of least privilege, two users are created: the department A user is granted only the permission to produce messages to the transaction system vhost, and the department B user is granted only the permission to consume messages from it. This largely avoids the problems that follow from an unclear division of permissions, such as data disorder and dirty business data.

Operation Steps

Adding a User

1. Log in to the TDMQ for RabbitMQ console.
2. In the left sidebar, choose Cluster > User And Permission. Select the target region and the target cluster to go to the cluster's User and Permission Management page.
3. On the Create User page, enter a username, password, and description.
Managed Edition

Username: Cannot be empty. The username can be customized. It cannot consist of periods (.) only. It must be 1 to 64 characters in length and can contain only letters, digits, periods (.), hyphens (-), and underscores (_). A username cannot be modified after it is created.
Password: Set a user password. It must be 8 to 64 characters in length and contain at least two of the following: lowercase letters, uppercase letters, digits, and special characters ()`~!@#$%^&*_=|{}[]:;',.?/.
Role: Select a role to assign to the user. Different roles have different permission levels. When assigning roles, follow the principle of least privilege to avoid the security risks of excessive permissions. The roles are:
  none: Cannot log in to the web console. Typically assigned to ordinary producers and consumers.
  management: Can log in to the web console; can view the vhosts under their name, as well as the queues, exchanges, and bindings within them; can view and close the channels and connections under their name.
  policymaker: All management permissions, plus: can view, modify, and delete the policies and parameters of the vhosts under their name.
  monitoring: All management permissions, plus: can view the list of all vhosts, connections, and channels; can view node-related information (such as disk usage, memory usage, and number of processes).
  administrator: The super administrator. All policymaker and monitoring permissions, plus: can create and delete vhosts; can view, create, and delete users and permissions; can disable the connections of other users.
Maximum Connections: Maximum number of connections for this user. If not configured, the default is unlimited.
Maximum Number of Channels: Maximum number of channels for this user. If not configured, the default is unlimited.
Description: Optional. Enter a user description.

Serverless Edition

Username: Cannot be empty. The username can be customized. It cannot consist of periods (.) only. It must be 1 to 64 characters in length and can contain only letters, digits, periods (.), hyphens (-), and underscores (_). A username cannot be modified after it is created.
User Password: Set a user password. It must be 8 to 64 characters in length and contain at least two of the following: lowercase letters, uppercase letters, digits, and special characters ()`~!@#$%^&*_=|{}[]:;',.?/.
Confirm Password: Enter the password again to confirm it was set correctly.
Description: Optional. Enter a user description.
4. Click Submit to complete user creation in the current cluster.

Configuring Permissions

1. On the User and Permission page, select the Permission List tab to go to the permission list, and click Configure Permission.
2. On the permission configuration page, select the vhost and user whose permissions need to be configured and set the permission rules.
Permission rules match resource names with regular expressions. For example, if you check Configuration and enter "test.-*" in the input box, the user is granted the permission to configure all resources whose names start with "test-" under the current vhost.
Configuration permission covers declaring and deleting exchanges and queues.
Read/Write permission covers reading messages from queues, sending messages to exchanges, and binding queues to exchanges.
3. Click Submit to complete the permission configuration.
4. Add the username and password to the client parameters. For how to add key parameters in client code, see the username and password sections in SDK Reference for TDMQ for RabbitMQ.
5. Check that the permission is effective. Run the configured client against the exchange and queue resources in the corresponding vhost, producing or consuming messages as the configured permission allows, and check whether a no-permission error is reported. If none is reported, the permission has been configured successfully.
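As an added illustration (not part of this page or TDMQ's own code), the following Python model reproduces the permission rules described above: one configure/write/read regex per user and vhost, the client operation each regex governs, the department A / department B grants from the Scenarios section, and a comparison of the page's literal pattern "test.-*" with an anchored "^test-.*". The matcher is an assumption: it performs an unanchored regex search, as Erlang's re:run does by default, which is why the example anchors its own patterns.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    """One row of the permission list: regexes over resource names in a vhost."""
    configure: str
    write: str
    read: str

# Operation -> grant it needs, following the page's definitions. Binding is
# handled separately: write on the queue plus read on the source exchange.
_NEEDS = {"declare": "configure", "delete": "configure",
          "publish": "write", "consume": "read"}

def matches(pattern: str, name: str) -> bool:
    """Empty pattern grants nothing. Otherwise an unanchored search (assumed
    to mirror Erlang's re:run); anchor patterns with ^ and $ so the outcome
    never depends on this detail."""
    return pattern != "" and re.search(pattern, name) is not None

def allowed(grants, user, vhost, op, resource, source=None):
    """True if `user` may perform `op` on `resource` in `vhost`; deny by default."""
    grant = grants.get((user, vhost))
    if grant is None:                      # no row for this user/vhost
        return False
    if op == "bind":                       # queue `resource` <- exchange `source`
        return matches(grant.write, resource) and matches(grant.read, source)
    return matches(getattr(grant, _NEEDS[op]), resource)

# Constructed grants for the department A / department B scenario: A only
# publishes to the "orders" exchange, B only consumes from its own queue.
GRANTS = {
    ("dept-a-producer", "transactions"): Grant("", "^orders$", ""),
    ("dept-b-consumer", "transactions"): Grant("", "", "^orders-analytics$"),
    ("ops-admin", "transactions"): Grant(".*", ".*", ".*"),
}

def check_patterns():
    """Which constructed names the page's pattern and an anchored one match."""
    names = ["test-orders", "testX", "mytest-orders"]
    return {p: [n for n in names if matches(p, n)] for p in ("test.-*", "^test-.*")}

if __name__ == "__main__":
    print(allowed(GRANTS, "dept-a-producer", "transactions", "publish", "orders"))
    print(allowed(GRANTS, "dept-a-producer", "transactions", "consume", "orders"))
    print(check_patterns())
```

The pattern comparison shows why the anchored form is the safer way to express "names starting with test-": the unanchored literal also accepts names such as "testX" and "mytest-orders".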

Editing Permissions

Before editing permissions, ensure that the current business no longer uses the user to produce or consume messages. Otherwise, a client exception may occur due to the failure to produce or consume messages.
1. On the User and Permission page, select the Permission List tab to go to the permission list, and click Configure Permission.
2. On the permission configuration page, select the vhost and user for which the permission needs to be edited, select (or deselect) the permission, and click Submit to modify the permission.

Deleting Permissions

Before deleting permissions, ensure that the current business no longer uses the user to produce or consume messages. Otherwise, a client exception may occur due to the failure to produce or consume messages.
1. On the user and permission list page, locate the target permission and click Delete in the Operation column.
2. In the deletion dialog box, click Delete to delete the permission.