
Configuring Resource Permissions
Last updated: 2026-01-23 17:34:04
TDMQ for RocketMQ controls the permissions of producers and consumers in a cluster through access control list (ACL) policies. You can create multiple roles under a cluster and grant each of them production or consumption permissions on different resources, which isolates permissions between users. Each role has its own unique token. Users add the token to their client configuration to access TDMQ for RocketMQ and produce or consume messages. When a client attempts to produce or consume messages, the system authenticates its identity, and unauthorized operations are rejected.
This mechanism isolates permissions between business units, protects the message system, and meets the resource management requirements of multi-team collaboration. Because it follows the principle of least privilege, it prevents the data disorder that unauthorized access would otherwise cause.

Scenarios

Users need to use TDMQ for RocketMQ to produce or consume messages securely.
Users need to set production and consumption permissions for different roles within the same cluster.
For example, a company has departments A and B. The system of department A generates transaction data, and the system of department B analyzes and displays that transaction data. Following the principle of least privilege, two roles can be configured: the role of department A is granted only the permission to produce messages to the transaction system cluster, and the role of department B is granted only the permission to consume messages. This substantially reduces the issues caused by unclear permission division, such as data disorder and dirty business data.

Use Limits

The following table describes the resource dimensions for permission configuration supported by different types of clusters.

Cluster Type                               | Resource Dimension for Permission Configuration | Configurable Permissions
5.x clusters of the Trial/Basic editions   | Cluster                                         | Producing and consuming messages
5.x clusters of the Pro/Platinum edition   | Cluster                                         | Producing and consuming messages
                                           | Topic                                           | Producing and consuming messages
                                           | Group                                           | Consuming messages
4.x general clusters                       | Cluster                                         | Producing and consuming messages
                                           | Topic                                           | Producing and consuming messages
                                           | Group                                           | Consuming messages
4.x exclusive clusters/virtual clusters    | Cluster                                         | Producing and consuming messages

If permissions at topic or group granularity cannot be configured in 5.x clusters of the Pro/Platinum edition or 4.x general clusters, submit a ticket to apply for the permissions.

Operation Steps

Adding and Authorizing a Role

1. Log in to the TDMQ for RocketMQ console.
2. In the left sidebar, select Cluster, select a region, and click the ID of the cluster for which you want to configure a role to go to the Basic Information page.
3. On the top of the page, select the Cluster Permission (5.x Clusters) or Role Management (4.x Clusters) tab, click Add Role, enter the role name, and configure the production and consumption permissions.
Parameter: Role
    Name of the custom role, which identifies a user.
    The name must comply with the naming rules: no more than 32 characters, containing only digits, letters, hyphens (-), and underscores (_).
    After a role is created, its name cannot be modified.

Parameter: Description
    Description of the role, which cannot exceed 32 characters.

Parameter: Resource Type
    Cluster: Select whether to configure production or consumption permissions based on business requirements.
    Topic&Group (supported only by 5.x clusters of the Pro/Platinum edition and 4.x general clusters): Configure production and consumption permissions for a topic or group.
    Topic operation types (production and consumption):
        Produce messages: The role is allowed to send messages to the selected topic.
        Consume messages: The role is allowed to consume messages from the selected topic.
        Not selected: The role cannot consume messages from the selected topic using any group (even if consumption permissions are configured in the group list).
    Group operation types (consumption only):
        Selected: The role is allowed to consume messages through the selected group.
        Not selected: The role cannot consume messages from the selected topic using this group (even if consumption permissions are configured in the topic list).
    In summary, to enable a role to consume messages from Topic A using Group A, select Topic A in the topic list and select Consume messages; meanwhile, select Group A in the group list and select Consume messages.
4. Click Save to complete the role creation.
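The topic/group rule in the Resource Type parameter is easy to get wrong: a role needs "Consume messages" on both the topic and the group before it can consume. The following class is an added illustration of that rule (it is not TDMQ SDK code and not part of this page; the real decision is made by the broker's ACL check). The role, topic and group names model the department A / department B scenario above and are constructed for the example.

```java
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;

/**
 * Model of the topic/group permission rules shown in the Resource Type parameter.
 * Illustration only: the broker performs the real ACL check.
 */
public class RolePermissionModel {
    enum Op { PRODUCE, CONSUME }

    static final class Role {
        final String name;
        // Topic list: which operations are selected for each topic.
        final Map<String, EnumSet<Op>> topicPerms = new HashMap<>();
        // Group list: whether "Consume messages" is selected for each group.
        final Map<String, Boolean> groupConsume = new HashMap<>();

        Role(String name) { this.name = name; }

        Role topic(String topic, Op first, Op... rest) {
            topicPerms.put(topic, EnumSet.of(first, rest));
            return this;
        }

        Role group(String group) {
            groupConsume.put(group, Boolean.TRUE);
            return this;
        }
    }

    // Production only looks at the topic list.
    static boolean canProduce(Role role, String topic) {
        return role.topicPerms.getOrDefault(topic, EnumSet.noneOf(Op.class)).contains(Op.PRODUCE);
    }

    // Consumption requires "Consume messages" on the topic AND on the group.
    static boolean canConsume(Role role, String topic, String group) {
        boolean topicOk = role.topicPerms.getOrDefault(topic, EnumSet.noneOf(Op.class)).contains(Op.CONSUME);
        boolean groupOk = role.groupConsume.getOrDefault(group, Boolean.FALSE);
        return topicOk && groupOk;
    }

    public static void main(String[] args) {
        // Constructed roles for the department A / department B scenario.
        Role deptA = new Role("dept-a-producer").topic("TransactionTopic", Op.PRODUCE);
        Role deptB = new Role("dept-b-consumer").topic("TransactionTopic", Op.CONSUME).group("AnalyticsGroup");
        // Topic consume permission selected, but no group selected: denied by the rule.
        Role halfConfigured = new Role("topic-only").topic("TransactionTopic", Op.CONSUME);

        report(deptA, "TransactionTopic", "AnalyticsGroup");
        report(deptB, "TransactionTopic", "AnalyticsGroup");
        report(deptB, "TransactionTopic", "OtherGroup");   // group not in deptB's group list
        report(halfConfigured, "TransactionTopic", "AnalyticsGroup");
    }

    static void report(Role role, String topic, String group) {
        System.out.printf("%-18s produce(%s)=%b consume(%s via %s)=%b%n",
                role.name, topic, canProduce(role, topic), topic, group, canConsume(role, topic, group));
    }
}
```

Running it shows the four outcomes the parameter description spells out: department A can produce but not consume, department B can consume only through the group it was granted, a group that is not in the role's group list is denied even though the topic permission exists, and a role with "Consume messages" on the topic alone is denied as well.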

Checking Whether Permissions Take Effect

1. On the Role List page, copy the role token.

Note:
Token leakage may lead to data leakage. Keep your token secure.
2. Add the copied role token to the client parameters. For details on how to add token parameters in client code, see SDK Reference.
The following is an example:
2.1 Declare the ACL_ACCESS_KEY and ACL_SECRET_KEY fields (the AccessKey and SecretKey of the role token). If you use a framework, it is recommended that you read them from its configuration file rather than hard-coding them.
// Placeholders: replace with the AccessKey and SecretKey of the role token copied from the console.
private static final String ACL_ACCESS_KEY = "ak****";
private static final String ACL_SECRET_KEY = "sk****";
2.2 Declare a static function that builds the RPCHook object for the TDMQ for RocketMQ client.
import org.apache.rocketmq.acl.common.AclClientRPCHook;
import org.apache.rocketmq.acl.common.SessionCredentials;
import org.apache.rocketmq.remoting.RPCHook;

// Wraps the role token in an ACL hook that signs every request sent to the cluster.
static RPCHook getAclRPCHook() {
return new AclClientRPCHook(new SessionCredentials(ACL_ACCESS_KEY, ACL_SECRET_KEY));
}
2.3 When you create a RocketMQ producer, pushConsumer, or pullConsumer, pass the RPCHook object to its constructor.
2.4 The following is sample code for creating a producer:
import org.apache.rocketmq.client.producer.DefaultMQProducer;

// "rocketmq-mw***" is the cluster namespace placeholder; replace it with your cluster's value.
DefaultMQProducer producer = new DefaultMQProducer("rocketmq-mw***", "ProducerGroupName", getAclRPCHook());
3. Run the configured client to access the topic resources in the cluster, produce or consume messages based on the configured permissions, and check whether an error message indicating no permission is generated. If not, the configuration is successful.
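The following class is an added example (not code from this page or from Tencent Cloud's SDK reference) that puts steps 2.1 to 2.4 together into one runnable client built on the open-source RocketMQ 4.x Java client (artifacts rocketmq-client and rocketmq-acl). The role token is read from environment variables instead of being hard-coded, the producer reports whether the broker accepted the message or rejected it with the no-permission response code, and a push consumer is started with the same hook so that the consumption permission can be checked the same way. The environment variable names are assumptions; the cluster address, namespace, topic and group names are placeholders to replace with the values from your cluster's Basic Information page.

```java
import java.nio.charset.StandardCharsets;
import java.util.List;
import org.apache.rocketmq.acl.common.AclClientRPCHook;
import org.apache.rocketmq.acl.common.SessionCredentials;
import org.apache.rocketmq.client.consumer.DefaultMQPushConsumer;
import org.apache.rocketmq.client.consumer.listener.ConsumeConcurrentlyContext;
import org.apache.rocketmq.client.consumer.listener.ConsumeConcurrentlyStatus;
import org.apache.rocketmq.client.consumer.listener.MessageListenerConcurrently;
import org.apache.rocketmq.client.exception.MQBrokerException;
import org.apache.rocketmq.client.producer.DefaultMQProducer;
import org.apache.rocketmq.client.producer.SendResult;
import org.apache.rocketmq.common.message.Message;
import org.apache.rocketmq.common.message.MessageExt;
import org.apache.rocketmq.common.protocol.ResponseCode;   // 4.x client package
import org.apache.rocketmq.remoting.RPCHook;

public class AclPermissionCheck {
    // Step 2.1: read the role token from the environment (variable names are assumptions).
    private static final String ACL_ACCESS_KEY = System.getenv("ROCKETMQ_ACL_ACCESS_KEY");
    private static final String ACL_SECRET_KEY = System.getenv("ROCKETMQ_ACL_SECRET_KEY");
    // Placeholders: take these values from the cluster's Basic Information page.
    private static final String NAMESRV_ADDR = "<cluster-access-address>";
    private static final String NAMESPACE = "rocketmq-mw***";
    private static final String TOPIC = "<topic-name>";
    private static final String PRODUCER_GROUP = "ProducerGroupName";
    private static final String CONSUMER_GROUP = "<group-name>";

    // Step 2.2: build the ACL hook; fail fast if the token is missing.
    static RPCHook getAclRPCHook() {
        if (ACL_ACCESS_KEY == null || ACL_SECRET_KEY == null) {
            throw new IllegalStateException("ROCKETMQ_ACL_ACCESS_KEY / ROCKETMQ_ACL_SECRET_KEY not set");
        }
        return new AclClientRPCHook(new SessionCredentials(ACL_ACCESS_KEY, ACL_SECRET_KEY));
    }

    /** Step 2.4 plus the check in step 3: true if the broker accepted the message,
     *  false if it rejected it with the no-permission response code. */
    static boolean tryProduce() throws Exception {
        DefaultMQProducer producer = new DefaultMQProducer(NAMESPACE, PRODUCER_GROUP, getAclRPCHook());
        producer.setNamesrvAddr(NAMESRV_ADDR);
        producer.start();
        try {
            Message msg = new Message(TOPIC, "TagA", "permission check".getBytes(StandardCharsets.UTF_8));
            SendResult result = producer.send(msg);
            System.out.println("send accepted, msgId=" + result.getMsgId());
            return true;
        } catch (MQBrokerException e) {
            if (e.getResponseCode() == ResponseCode.NO_PERMISSION) {
                System.out.println("send denied by ACL: " + e.getErrorMessage());
                return false;
            }
            throw e;   // any other broker error is not a permission problem
        } finally {
            producer.shutdown();
        }
    }

    // Step 2.3 for a push consumer: the same hook is passed to the constructor.
    static DefaultMQPushConsumer startConsumer() throws Exception {
        DefaultMQPushConsumer consumer = new DefaultMQPushConsumer(NAMESPACE, CONSUMER_GROUP, getAclRPCHook());
        consumer.setNamesrvAddr(NAMESRV_ADDR);
        consumer.subscribe(TOPIC, "*");
        consumer.registerMessageListener((MessageListenerConcurrently) (List<MessageExt> msgs, ConsumeConcurrentlyContext ctx) -> {
            for (MessageExt m : msgs) {
                System.out.println("consumed msgId=" + m.getMsgId());
            }
            return ConsumeConcurrentlyStatus.CONSUME_SUCCESS;
        });
        consumer.start();
        return consumer;
    }

    public static void main(String[] args) throws Exception {
        boolean accepted = tryProduce();
        System.out.println("produce permission effective: " + accepted);
        DefaultMQPushConsumer consumer = startConsumer();
        Thread.sleep(10_000);   // give the consumer time to pull; check the client log for no-permission errors
        consumer.shutdown();
    }
}
```

Note that, in the 4.x client, a consumer whose role lacks consumption permission does not fail in start(): the pull callback logs the no-permission error and keeps retrying, so for the consumption side the check in step 3 is done against the client log rather than against an exception.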

Disabling the ACL Permissions

For 5.x clusters, you can disable ACL permission verification in the console. After it is disabled, the cluster no longer checks whether clients are permitted to send or receive messages. To keep the cluster secure, go to the cluster management page and disable public network access before disabling the ACL permissions.
In the role list, click the ACL permissions switch in the upper-left corner, and confirm the operation in the pop-up window to disable ACL permission verification.


Editing Permissions

1. In the role list, locate the role whose permissions need to be edited, and click Edit in the operation column.
2. In the pop-up editing window, modify the permission information and click Save.


Deleting a Role

Note
After a role is deleted, the token (AccessKey and SecretKey) previously used by the role for message production or consumption becomes invalid immediately. Ensure that the role is no longer used for message production or consumption in business operations; otherwise, exceptions may occur because the client cannot produce or consume messages.
1. In the permission list of the cluster, locate the role whose permissions need to be deleted, and click Delete in the operation column.
2. In the pop-up deletion window, click Delete to delete the role.


Importing/Exporting Roles

You can click the export icon in the upper-right corner of the Role List page to export role metadata to an .xlsx file.
If you need to import roles and permissions from one cluster to another, export the metadata first, then click the import icon in the upper-right corner of the Role List page of the target cluster to import the permission data. If your data is not from TDMQ for RocketMQ of Tencent Cloud, click the file template link, locate the corresponding template, edit the relevant fields, and import the file.

