You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@rocketmq.apache.org by GitBox <gi...@apache.org> on 2022/08/04 01:52:41 UTC
[GitHub] [rocketmq] sunxi92 commented on issue #4688: acl module support namespace
sunxi92 commented on issue #4688:
URL: https://github.com/apache/rocketmq/issues/4688#issuecomment-1204667296
> This design requires updating rocketmq-client, which might bring cost for users to update rocketmq-client. I've some suggestions:
>
> 1. `accessKey` should be defined as a globally unique string, so that complexity is reduced and users with older versions of rocketmq-client may adopt this feature.
> Some uniqueness check of `accessKey` should be added in ACL mqadmin command to keep `accessKey` globally unique with best effort.
> 2. One `accessKey` can only be granted permissions to access resources in the same namespace.
> 3. Separate presentation with storage of namespace in ACL module. `{namespace}%{resource}` is just a presentation way of resources in a namespace. For the definition of `account` data structure, a new field should be added to store namespace. When checking permissions, resources defined in ACL account are converted as `{namespace}%{resource}`.
>
> In that way, the ACL config file would like this:
>
> ```yaml
> globalWhiteRemoteAddresses:
> - 10.10.103.*
> - 192.168.0.*
> accounts:
> - accessKey: RocketMQ # accessKey is globally unique
> secretKey: 12345678
> namespace: namespace1 # add namespace field in acount
> whiteRemoteAddress:
> admin: false
> defaultTopicPerm: DENY
> defaultGroupPerm: SUB
> # All topics below are in namespace1
> topicPerms:
> - topicA=DENY
> - topicB=PUB|SUB
> - topicC=SUB
> # All groups below are in namespace1
> groupPerms:
> - groupA=DENY
> - groupB=PUB|SUB
> - groupC=SUB
> - accessKey: rocketmq2 # rocketmq2 is in a 'default' namespace
> secretKey: 12345678
> whiteRemoteAddress: 192.168.1.*
> admin: true
> ```
It is true that there is a little consideration to the client upgrades. So I adjust the design. The details are as follows:
1.Clients don't need to be upgraded, they can use this feature as follows:
`
public class ProducerAclWithNamespace {
public static final String NAMESPACE = "n";
public static final String PRODUCER_GROUP = "producerGroup";
public static final String DEFAULT_NAMESRVADDR = "127.0.0.1:9876";
public static final int MESSAGE_COUNT = 100;
public static final String TOPIC = "topicB";
public static final String TAG = "tagTest";
private static final String ACL_ACCESS_KEY = "RocketMQ";
private static final String ACL_SECRET_KEY = "12345678";
public static void main(String[] args) throws Exception {
DefaultMQProducer producer = new DefaultMQProducer(NAMESPACE, PRODUCER_GROUP, getAclRPCHook());
producer.setNamesrvAddr(DEFAULT_NAMESRVADDR);
producer.start();
for (int i = 0; i < MESSAGE_COUNT; i++) {
Message message = new Message(TOPIC, TAG, "Hello world".getBytes());
try {
SendResult result = producer.send(message);
System.out.printf("Topic:%s send success, misId is:%s%n", message.getTopic(), result.getMsgId());
} catch (Exception e) {
e.printStackTrace();
}
}
}
static RPCHook getAclRPCHook() {
return new AclClientRPCHook(new SessionCredentials(ACL_ACCESS_KEY,ACL_SECRET_KEY));
}
}
public class ConsumerAclWithNamespace {
public static final String NAMESPACE = "n";
public static final String CONSUMER_GROUP = "groupB";
public static final String DEFAULT_NAMESRVADDR = "127.0.0.1:9876";
public static final String TOPIC = "topicB";
private static final String ACL_ACCESS_KEY = "RocketMQ";
private static final String ACL_SECRET_KEY = "12345678";
public static void main(String[] args) throws Exception {
DefaultMQPushConsumer defaultMQPushConsumer = new DefaultMQPushConsumer(NAMESPACE, CONSUMER_GROUP, getAclRPCHook());
defaultMQPushConsumer.setNamesrvAddr(DEFAULT_NAMESRVADDR);
defaultMQPushConsumer.subscribe(TOPIC, "*");
defaultMQPushConsumer.registerMessageListener((MessageListenerConcurrently) (msgs, context) -> {
msgs.forEach(msg -> System.out.printf("Msg topic is:%s, MsgId is:%s, reconsumeTimes is:%s%n", msg.getTopic(), msg.getMsgId(), msg.getReconsumeTimes()));
return ConsumeConcurrentlyStatus.CONSUME_SUCCESS;
});
defaultMQPushConsumer.start();
}
static RPCHook getAclRPCHook() {
return new AclClientRPCHook(new SessionCredentials(ACL_ACCESS_KEY,ACL_SECRET_KEY));
}
}
`
2."namesppace%ak" is globally unique and the config of acl is modified as follows:
`
globalWhiteRemoteAddresses:
- 10.10.103.*
- 192.168.0.*
accounts:
- accessKey: namespace1%RocketMQ
secretKey: 12345678
whiteRemoteAddress:
admin: false
defaultTopicPerm: DENY
defaultGroupPerm: SUB
topicPerms:
- namespace1%topicA=DENY
- namespace1%topicB=PUB|SUB
- namespace1%topicC=SUB
groupPerms:
- namespace1%groupA=DENY
- namespace1%groupB=PUB|SUB
- namespace1%groupC=SUB
- accessKey: rocketmq2
secretKey: 12345678
whiteRemoteAddress: 192.168.1.*
admin: true
`
3.To support this feature, the code in acl module needs to be modified as follows
When broker parse the request from client, the broker needs to get the namespace from the request. When namespace is not null, broker can set the accesskey
4.ACL mqadmin commands also need to be modified, updateAclConfig and deleteAccessConfig should add a optional parameter called namespace to support namespace
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: dev-unsubscribe@rocketmq.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org