
Permission Management
Last updated: 2026-01-20 17:19:22
TDMQ for CKafka (CKafka) provides a comprehensive enterprise-level security protection system. Through root account/sub-account management and strict authorization and authentication mechanisms, it builds multi-layered and all-round security protection, ensuring reliable protection for each stage in message transmission and comprehensively safeguarding data security.

Control Plane Permissions (Account-Level)

Root account/sub-account management, collaborator access and cross-enterprise authorization are implemented through the root account/sub-account, collaborator and related features of Cloud Access Management (CAM). In addition, account access key management controls which cloud resources can be called through the APIs.

Identity Authentication

To access CKafka resources through the console or by calling cloud APIs, identity authentication is required; resources can be accessed only after authentication succeeds.
Logging in to the console: The login password is verified, and login protection and login verification policies are provided to strengthen identity authentication. For detailed information, see Changing the Login Password and Setting Login Protection.
Calling cloud APIs: The AccessKey is verified. AccessKeys are the security credentials used for identity authentication when users access Tencent Cloud APIs; each consists of a SecretId and a SecretKey. For detailed information, see Account AccessKey Management.

Access Control

Through CAM, fine-grained permission management for TDMQ for CKafka resources can be implemented at the account level.
User and permission assignment: Based on the enterprise organizational structure, independent users or roles are created for members of different functional departments, and dedicated security credentials (such as the console login password and cloud API key) or temporary credentials are assigned to ensure secure and controlled access to CKafka resources.
Fine-grained permission control: Set differentiated access policies based on employee responsibilities to precisely control the types of operations each user or role can perform and the scope of resources they can access, achieving strict permission isolation.
For detailed introduction and operation methods, see Account Permission Management Overview.

Data Plane Permissions (Resource-Level)

CKafka provides dual-layer security protection through Simple Authentication and Security Layer (SASL) authentication and access control lists (ACLs). SASL verifies user identities, while ACLs enable fine-grained management of topic read/write permissions, ensuring access isolation at the resource level.

Identity Authentication

SASL is a security protocol used for identity authentication, supporting two verification mechanisms:
PLAIN mechanism: uses simple authentication in which the username and password are transmitted in plain text.
SCRAM mechanism: uses hash algorithms so that the server and client authenticate the username and password without the password itself being sent. CKafka supports two SCRAM hash algorithms with different security strengths: SCRAM-SHA-256 and SCRAM-SHA-512.
CKafka performs authentication through the SASL protocol. After SASL authentication is enabled, only authenticated users can access CKafka resources.
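To show what the SCRAM mechanism above protects that PLAIN does not, here is an added example (not CKafka's or Apache Kafka's own code) that runs the SCRAM-SHA-256/SHA-512 proof exchange with Python's standard library: the server stores only derived keys, and only nonces, the salt and a proof cross the wire. The user name, nonce layout and the simplified AuthMessage are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class ScramCredential:
    """What the server stores for a SASL user: derived keys, never the password."""
    algo: str          # "sha256" for SCRAM-SHA-256, "sha512" for SCRAM-SHA-512
    salt: bytes
    iterations: int
    stored_key: bytes  # H(ClientKey): enough to verify a proof, not to forge one
    server_key: bytes  # HMAC(SaltedPassword, "Server Key"): proves the server's identity


def _h(algo, data): return hashlib.new(algo, data).digest()
def _hmac(algo, key, msg): return hmac.new(key, msg, algo).digest()
def _xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def _salted_password(algo, password, salt, iterations):
    return hashlib.pbkdf2_hmac(algo, password.encode(), salt, iterations)


def enroll(password: str, algo: str = "sha512", iterations: int = 4096) -> ScramCredential:
    """Server side when a SASL user is created: derive and store keys, discard the password."""
    salt = secrets.token_bytes(16)
    salted = _salted_password(algo, password, salt, iterations)
    client_key = _hmac(algo, salted, b"Client Key")
    server_key = _hmac(algo, salted, b"Server Key")
    return ScramCredential(algo, salt, iterations, _h(algo, client_key), server_key)


def client_proof(algo: str, salt: bytes, iterations: int, password: str, auth_message: bytes) -> bytes:
    """Client side: ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    client_key = _hmac(algo, _salted_password(algo, password, salt, iterations), b"Client Key")
    client_sig = _hmac(algo, _h(algo, client_key), auth_message)
    return _xor(client_key, client_sig)


def server_verify(cred: ScramCredential, auth_message: bytes, proof: bytes) -> bool:
    """Server side: undo the XOR with its own ClientSignature, then check H(ClientKey) == StoredKey."""
    client_sig = _hmac(cred.algo, cred.stored_key, auth_message)
    recovered_client_key = _xor(proof, client_sig)
    return hmac.compare_digest(_h(cred.algo, recovered_client_key), cred.stored_key)


def run_handshake(password_at_client: str, cred: ScramCredential) -> bool:
    """Simplified SCRAM exchange (assumed layout): the client learns only salt and iteration count."""
    client_nonce = secrets.token_hex(8)
    server_nonce = client_nonce + secrets.token_hex(8)
    auth_message = (f"n=user,r={client_nonce},r={server_nonce},s={cred.salt.hex()},"
                    f"i={cred.iterations},c=biws,r={server_nonce}").encode()
    proof = client_proof(cred.algo, cred.salt, cred.iterations, password_at_client, auth_message)
    return server_verify(cred, auth_message, proof)
```

A wrong password fails because the client's signature is keyed on a different H(ClientKey), so the XOR does not recover a key whose hash matches the stored one; a captured proof is useless for replay because the nonces change per session.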

Access Control

ACL policies enable resource-level access control by customizing user settings in the console and configuring rules, such as allowing or denying specific users to read or write topic resources based on IP addresses. By combining user identities with ACL policies, CKafka enforces isolation of production and consumption permissions at the topic level, enhancing access control for both public and private network transmissions. For detailed introductions and operation methods, see Configuring Topic Read/Write Permissions.
