Posted to dev@rocketmq.apache.org by GitBox <gi...@apache.org> on 2022/07/28 03:05:53 UTC
[GitHub] [rocketmq] caigy commented on issue #4688: acl module support namespace
caigy commented on issue #4688:
URL: https://github.com/apache/rocketmq/issues/4688#issuecomment-1197600593
This design requires updating rocketmq-client, which might bring costs for users who must update rocketmq-client. I have some suggestions:
1. `accessKey` should be defined as a globally unique string, so that complexity is reduced and users with older versions of rocketmq-client may adopt this feature.
Some uniqueness check of `accessKey` should be added to the ACL mqadmin command to keep `accessKey` globally unique on a best-effort basis.
2. One `accessKey` can only be granted permissions to access resources in the same namespace.
3. Separate presentation from storage of the namespace in the ACL module. `{namespace}%{resource}` is just a presentation of resources in a namespace. For the definition of the `account` data structure, a new field should be added to store the namespace. When checking permissions, resources defined in an ACL account are converted to `{namespace}%{resource}`.
In that way, the ACL config file would look like this:
```yaml
globalWhiteRemoteAddresses:
  - 10.10.103.*
  - 192.168.0.*
accounts:
  - accessKey: RocketMQ # accessKey is globally unique
    secretKey: 12345678
    namespace: namespace1 # add namespace field in account
    whiteRemoteAddress:
    admin: false
    defaultTopicPerm: DENY
    defaultGroupPerm: SUB
    # All topics below are in namespace1
    topicPerms:
      - topicA=DENY
      - topicB=PUB|SUB
      - topicC=SUB
    # All groups below are in namespace1
    groupPerms:
      - groupA=DENY
      - groupB=PUB|SUB
      - groupC=SUB
  - accessKey: rocketmq2 # rocketmq2 is in a 'default' namespace
    secretKey: 12345678
    whiteRemoteAddress: 192.168.1.*
    admin: true
```
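As an added illustration of the three suggestions above (example code, not RocketMQ's own and not the commenter's), a Python model of the proposed check: accessKeys are verified to be unique, an account only reaches its own namespace, and stored bare resources are qualified as `{namespace}%{resource}` only at check time. The name `default` for accounts without a namespace field and the dictionary shape of the accounts are assumptions.

```python
# Added example modelling the proposed namespace-aware ACL check (not RocketMQ code).
DEFAULT_NS = "default"  # assumed name for accounts that carry no namespace field

ACCOUNTS = [  # constructed to mirror the YAML config in the comment above
    {"accessKey": "RocketMQ", "namespace": "namespace1", "admin": False,
     "defaultTopicPerm": "DENY", "defaultGroupPerm": "SUB",
     "topicPerms": {"topicA": "DENY", "topicB": "PUB|SUB", "topicC": "SUB"},
     "groupPerms": {"groupA": "DENY", "groupB": "PUB|SUB", "groupC": "SUB"}},
    {"accessKey": "rocketmq2", "admin": True},  # no namespace field -> 'default'
]


def find_duplicate_access_keys(accounts):
    """Suggestion 1: the uniqueness check an mqadmin command would run.
    Returns the list of accessKey values that appear more than once."""
    seen, dupes = set(), []
    for acc in accounts:
        key = acc["accessKey"]
        if key in seen and key not in dupes:
            dupes.append(key)
        seen.add(key)
    return dupes


def qualify(namespace, resource):
    """Presentation form of a resource inside a namespace (suggestion 3)."""
    return f"{namespace}%{resource}"


def is_permitted(account, requested, op, kind="topic"):
    """Return True if `account` may perform `op` ('PUB' or 'SUB') on `requested`,
    a resource name already in '{namespace}%{resource}' form.
    `kind` selects topicPerms/defaultTopicPerm or groupPerms/defaultGroupPerm."""
    if account.get("admin"):
        return True
    ns = account.get("namespace", DEFAULT_NS)
    # Suggestion 2: an accessKey is only granted resources in its own namespace.
    if not requested.startswith(ns + "%"):
        return False
    perms = account.get(f"{kind}Perms", {})
    default = account.get(f"default{kind.capitalize()}Perm", "DENY")
    # Stored resources are bare; convert each to its namespaced form to match.
    perm = next((p for r, p in perms.items() if qualify(ns, r) == requested), default)
    return op in perm.split("|")
```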
--
This is an automated message from the Apache Git Service.