Permission Management

Last updated: 2025-12-24 14:51:17
TDMQ for Apache Pulsar provides a comprehensive enterprise-level security protection system. Through root account/sub-account management and strict authorization and authentication mechanisms, it builds multi-layered and all-round security protection, ensuring reliable protection for each stage in message transmission and comprehensively safeguarding data security.

Control Plane Permissions (Account-Level)

Cloud Access Management (CAM) provides root accounts, sub-accounts, collaborators, and other features that enable authorization between root accounts and sub-accounts and across enterprises. In addition, account access key management can be used to control access to cloud resources that are called through APIs.

Identity Authentication

Accessing TDMQ for Apache Pulsar resources through the console or by calling cloud APIs requires identity authentication. Resources can be accessed only after authentication succeeds.
Logging in to the console: The login password is verified. Login protection and login verification policies are provided to enhance identity authentication security. For detailed information, see Changing the Login Password and Setting Login Protection.
Calling cloud APIs: The access key (AccessKey) is verified. Access keys, which consist of a SecretId and a SecretKey, are the security credentials used for identity authentication when users access TencentCloud APIs. For detailed information, see Account Access Key Management.

Access Control

Through CAM, fine-grained permission management for TDMQ for Apache Pulsar resources can be implemented at the account level.
User and permission assignment: Based on the enterprise organizational structure, create independent users or roles for members of different functional departments, and assign dedicated security credentials (such as the console login password and cloud API key) or temporary credentials to ensure secure and controlled access to TDMQ for Apache Pulsar resources.
Fine-grained permission control: Set differentiated access policies based on employee responsibilities to precisely control the types of operations each user or role can perform and the scope of resources they can access, achieving strict permission isolation.
For a detailed introduction and operating instructions, see Account Permission Overview.

Data Plane Permissions (Resource-Level)

The role and authentication feature of TDMQ for Apache Pulsar allows you to configure independent roles for each producer and consumer and grant production and consumption permissions on different namespace resources to different roles to achieve permission isolation between roles. When clients produce or consume messages, the system performs authentication. Unauthorized operations will be rejected.
This mechanism effectively implements permission isolation between different business units. It ensures the security of the message system and also meets resource management requirements in multi-team collaboration scenarios. By adhering to the principle of least privilege, it fundamentally prevents data disorder caused by unauthorized access.
For detailed information, see Configuring Namespace Permissions.
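
The following is an added example, not code from Tencent Cloud or from the TDMQ console or SDK. It models the role-to-namespace grants described above with deny-by-default authorization and audits them for permissions beyond what each client needs; the record format, role names, and namespace names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample grants: (role, namespace, permissions on that namespace).
# Hypothetical format; not an export format of TDMQ for Apache Pulsar.
GRANTS = [
    ("orders-producer", "orders", {"produce"}),
    ("orders-consumer", "orders", {"consume"}),
    ("billing-consumer", "billing", {"consume"}),
    ("shared-app", "orders", {"produce", "consume"}),
    ("shared-app", "billing", {"produce", "consume"}),
]

# Constructed sample: what each client actually needs, as declared by its team.
REQUIRED = {
    "orders-producer": {("orders", "produce")},
    "orders-consumer": {("orders", "consume")},
    "billing-consumer": {("billing", "consume")},
    "shared-app": {("orders", "consume")},
}

def effective(grants):
    """Flatten grants into role -> set of (namespace, permission)."""
    out = defaultdict(set)
    for role, namespace, perms in grants:
        out[role].update((namespace, p) for p in perms)
    return out

def is_allowed(grants, role, namespace, action):
    """Deny by default: only an explicit grant permits the operation."""
    return (namespace, action) in effective(grants).get(role, set())

def audit(grants, required):
    """Return role -> sorted granted permissions that the role does not need."""
    findings = {}
    for role, granted in effective(grants).items():
        excess = granted - required.get(role, set())
        if excess:
            findings[role] = sorted(excess)
    return findings

def roles_spanning_namespaces(grants):
    """Roles holding permissions on more than one namespace (weak isolation)."""
    spans = defaultdict(set)
    for role, namespace, _ in grants:
        spans[role].add(namespace)
    return {r: sorted(ns) for r, ns in spans.items() if len(ns) > 1}

if __name__ == "__main__":
    print("excess grants:", audit(GRANTS, REQUIRED))
    print("multi-namespace roles:", roles_spanning_namespaces(GRANTS))
```

Roles reported by either check are candidates for splitting into one role per producer or consumer, scoped to a single namespace.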

