Posted to dev@rocketmq.apache.org by GitBox <gi...@apache.org> on 2022/07/28 03:05:53 UTC

[GitHub] [rocketmq] caigy commented on issue #4688: acl module support namespace

caigy commented on issue #4688:
URL: https://github.com/apache/rocketmq/issues/4688#issuecomment-1197600593

   This design requires updating rocketmq-client, which might bring cost for users to update rocketmq-client. I've some suggestions:
   
   1. `accessKey` should be defined as a globally unique string, so that complexity is reduced and users with older versions of rocketmq-client may adopt this feature. 
   Some uniqueness check of `accessKey` should be added in ACL mqadmin command to keep `accessKey` globally unique with best effort.
   
   2. One `accessKey` can only be granted permissions to access resources in the same namespace.
   
   3. Separate presentation with storage of namespace in ACL module. `{namespace}%{resource}` is just a presentation way of resources in a namespace. For the definition of `account` data structure, a new field should be added to store namespace. When checking permissions, resources defined in ACL account are converted as `{namespace}%{resource}`.
   
   In that way, the ACL config file would look like this:
   
   ```yaml
   globalWhiteRemoteAddresses:
     - 10.10.103.*
     - 192.168.0.*
   accounts:
     - accessKey: RocketMQ  # accessKey is globally unique
       secretKey: 12345678
       namespace: namespace1  # add namespace field in account
       whiteRemoteAddress:
       admin: false
       defaultTopicPerm: DENY
       defaultGroupPerm: SUB
       # All topics below are in namespace1
       topicPerms:
         - topicA=DENY
         - topicB=PUB|SUB
         - topicC=SUB
       # All groups below are in namespace1
       groupPerms:
         - groupA=DENY
         - groupB=PUB|SUB
         - groupC=SUB
     - accessKey: rocketmq2  # rocketmq2 is in a 'default' namespace
       secretKey: 12345678
       whiteRemoteAddress: 192.168.1.*
       admin: true
   ```
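The following is an added example, not code from the comment above or from the RocketMQ project. It models the three suggestions as a small Python permission check: a best-effort uniqueness check over `accessKey`, a per-account `namespace` field, and conversion of account-side resource names into the `{namespace}%{resource}` form before comparing them with the fully qualified resource the broker sees. The config is constructed inline to mirror the proposed YAML (no file is read). The name `default` for an account without a namespace field, the treatment of an unqualified resource as belonging to that default namespace, and the choice that `admin: true` still only applies inside the account's own namespace are assumptions of this example, not part of the proposal.

```python
# Added example modelling the namespace-aware ACL proposal. Not RocketMQ code.
from typing import Dict, List, Optional, Set, Tuple

NAMESPACE_SEP = "%"            # the `{namespace}%{resource}` presentation form
DEFAULT_NAMESPACE = "default"  # assumed name for accounts with no namespace field

# Constructed config mirroring the proposed YAML above (not loaded from disk).
ACL_CONFIG = {
    "globalWhiteRemoteAddresses": ["10.10.103.*", "192.168.0.*"],
    "accounts": [
        {
            "accessKey": "RocketMQ",
            "secretKey": "12345678",
            "namespace": "namespace1",
            "admin": False,
            "defaultTopicPerm": "DENY",
            "defaultGroupPerm": "SUB",
            "topicPerms": ["topicA=DENY", "topicB=PUB|SUB", "topicC=SUB"],
            "groupPerms": ["groupA=DENY", "groupB=PUB|SUB", "groupC=SUB"],
        },
        {
            "accessKey": "rocketmq2",
            "secretKey": "12345678",
            "whiteRemoteAddress": "192.168.1.*",
            "admin": True,
        },
    ],
}


def check_unique_access_keys(config: dict) -> List[str]:
    """Suggestion 1: best-effort uniqueness check; returns duplicated accessKeys."""
    seen: Set[str] = set()
    dups: List[str] = []
    for acct in config["accounts"]:
        key = acct["accessKey"]
        if key in seen and key not in dups:
            dups.append(key)
        seen.add(key)
    return dups


def _parse_perms(entries: List[str]) -> Dict[str, Set[str]]:
    """'topicB=PUB|SUB' -> {'topicB': {'PUB', 'SUB'}}; 'topicA=DENY' -> {'topicA': {'DENY'}}."""
    perms: Dict[str, Set[str]] = {}
    for entry in entries:
        name, _, ops = entry.partition("=")
        perms[name] = set(ops.split("|"))
    return perms


def qualify(namespace: str, resource: str) -> str:
    """Storage -> presentation: build the '{namespace}%{resource}' form."""
    return f"{namespace}{NAMESPACE_SEP}{resource}"


def split_qualified(resource: str) -> Tuple[str, str]:
    """Split 'ns%name' into (ns, name); an unqualified name maps to the default namespace (assumed)."""
    ns, sep, name = resource.partition(NAMESPACE_SEP)
    if not sep:
        return DEFAULT_NAMESPACE, resource
    return ns, name


def find_account(config: dict, access_key: str) -> Optional[dict]:
    for acct in config["accounts"]:
        if acct["accessKey"] == access_key:
            return acct
    return None


def is_permitted(config: dict, access_key: str, resource: str, op: str, kind: str = "topic") -> bool:
    """Decide whether `access_key` may perform `op` ('PUB' or 'SUB') on a fully
    qualified `resource` ('{namespace}%{name}'). `kind` is 'topic' or 'group'.

    Suggestion 2: the account's namespace must match the resource's namespace,
    so an account can never be granted anything outside its own namespace.
    Suggestion 3: account-side names are converted to the qualified form only
    at check time; the account stores namespace and plain resource names apart.
    """
    acct = find_account(config, access_key)
    if acct is None:
        return False
    acct_ns = acct.get("namespace", DEFAULT_NAMESPACE)
    req_ns, _ = split_qualified(resource)
    if req_ns != acct_ns:
        return False                      # cross-namespace access is never granted
    if acct.get("admin"):
        return True                       # assumed: admin is scoped to its namespace
    perms = _parse_perms(acct.get(f"{kind}Perms", []))
    qualified = {qualify(acct_ns, name): ops for name, ops in perms.items()}
    ops = qualified.get(resource)
    if ops is None:                       # fall back to defaultTopicPerm / defaultGroupPerm
        ops = set(acct.get(f"default{kind.capitalize()}Perm", "DENY").split("|"))
    return op in ops                      # a 'DENY' set never contains PUB or SUB


if __name__ == "__main__":
    print("duplicate accessKeys:", check_unique_access_keys(ACL_CONFIG))
    print("RocketMQ PUB namespace1%topicB:", is_permitted(ACL_CONFIG, "RocketMQ", "namespace1%topicB", "PUB"))
    print("RocketMQ PUB namespace2%topicB:", is_permitted(ACL_CONFIG, "RocketMQ", "namespace2%topicB", "PUB"))
```

Because the namespace comparison happens before any per-resource lookup, a mistaken or overly broad `topicPerms` entry can only ever widen access inside the account's own namespace; the uniqueness check is what keeps an `accessKey` from silently resolving to a second account in another namespace.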

