Posted to dev@rocketmq.apache.org by GitBox <gi...@apache.org> on 2022/06/28 08:41:18 UTC

[GitHub] [rocketmq] ChenAllen0305 opened a new issue, #4524: Set aclEnable=true in broker.conf, but acl looks like doesn't work

ChenAllen0305 opened a new issue, #4524:
URL: https://github.com/apache/rocketmq/issues/4524

   
   **BUG REPORT**
   
   1. Please describe the issue you observed:
   
   - What did you do (The steps to reproduce)?
   - edit conf/broker.conf with aclEnable=true
   - didn't change conf/acl/plain_acl.yml (it just has two accounts: RocketMQ and rocketmq2)
   - start the broker and specify the config file (I changed the name of the broker and it worked; I can see the broker name actually changed)
   - create a producer with RPCHook with account "RocketMQ", set the group value to "groupA", and try to send a message with topic "topicA"
   
   - What is expected to see?
   this producer should fail to send the message, and report a permission error
   
   - What did you see instead?
   this producer sent the message successfully
   
   2. Please tell us about your environment:
   rocketmq-4.9.3
   
   3. Other information (e.g. detailed explanation, logs, related issues, suggestions on how to fix, etc):
   when checking the ACL with getAccessConfigSubCommand, it gives the account details:
   globalWhiteRemoteAddresses: [10.0.0.*, 192.168.0.*, 10.0.0.*, 192.168.0.*]
   
   accounts:
     accessKey         : RocketMQ
     secretKey         : 12345678
     whiteRemoteAddress:
     admin             : false
     defaultTopicPerm  : DENY
     defaultGroupPerm  : SUB
     topicPerms        : [topicA=DENY, topicB=PUB|SUB, topicC=SUB]
     groupPerms        : [groupA=DENY, groupB=PUB|SUB, groupC=SUB]
   
     accessKey         : rocketmq2
     secretKey         : 12345678
     whiteRemoteAddress:
     admin             : true
     defaultTopicPerm  :
     defaultGroupPerm  :
     topicPerms        :
     groupPerms        :
   
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@rocketmq.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [rocketmq] ChenAllen0305 commented on issue #4524: Set aclEnable=true in broker.conf, but acl looks like doesn't work

Posted by GitBox <gi...@apache.org>.
ChenAllen0305 commented on issue #4524:
URL: https://github.com/apache/rocketmq/issues/4524#issuecomment-1169474880

   > > Yes, the globalWhiteRemoteAddress contains my client IP. I retried after deleting my local client IP from globalWhiteRemoteAddress, and ACL works. So it means the IP addresses in globalWhiteRemoteAddress don't need the ACL account check?
   > 
   > @ChenAllen0305 Yes, clients from `globalWhiteRemoteAddress` always pass ACL check. You could find more details [here](https://github.com/apache/rocketmq/blob/develop/docs/cn/acl/user_guide.md).
   
   Thanks, I got it.




[GitHub] [rocketmq] caigy commented on issue #4524: Set aclEnable=true in broker.conf, but acl looks like doesn't work

Posted by GitBox <gi...@apache.org>.
caigy commented on issue #4524:
URL: https://github.com/apache/rocketmq/issues/4524#issuecomment-1169470441

   > Yes, the globalWhiteRemoteAddress contains my client IP. I retried after deleting my local client IP from globalWhiteRemoteAddress, and ACL works. So it means the IP addresses in globalWhiteRemoteAddress don't need the ACL account check?
   
   @ChenAllen0305 Yes, clients from `globalWhiteRemoteAddress` always pass ACL check. You could find more details [here](https://github.com/apache/rocketmq/blob/develop/docs/cn/acl/user_guide.md).
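
Added example, not part of the thread and not RocketMQ's code: a simplified Python model of the check order described in the answer above, using the accounts quoted in the issue. The function names, the client addresses and the wildcard matcher (exact addresses and `*` octets only) are assumptions; signature verification and group permissions are not modelled.

```python
import ipaddress

# Constructed from the getAccessConfigSubCommand output quoted in the issue
# (duplicate whitelist entries collapsed; group permissions omitted).
ACL = {
    "globalWhiteRemoteAddresses": ["10.0.0.*", "192.168.0.*"],
    "accounts": {
        "RocketMQ": {"admin": False, "defaultTopicPerm": "DENY",
                     "topicPerms": {"topicA": "DENY", "topicB": "PUB|SUB", "topicC": "SUB"}},
        "rocketmq2": {"admin": True, "defaultTopicPerm": "", "topicPerms": {}},
    },
}


def match_pattern(client_ip, pattern):
    """Simplified matcher (assumption): exact IPv4 addresses and '*' octets only."""
    ipaddress.IPv4Address(client_ip)  # raises ValueError on malformed input
    if pattern == "*":
        return True
    octets, parts = client_ip.split("."), pattern.split(".")
    return len(parts) == 4 and all(p in ("*", o) for p, o in zip(parts, octets))


def decide_publish(client_ip, access_key, topic, acl=ACL):
    """Return (verdict, reason) for a send to `topic`."""
    # Step 1: the global whitelist is consulted before any account lookup.
    for pattern in acl["globalWhiteRemoteAddresses"]:
        if match_pattern(client_ip, pattern):
            return "ALLOW", f"global whitelist {pattern}: account permissions skipped"
    # Step 2: only non-whitelisted clients reach the per-account permissions.
    account = acl["accounts"].get(access_key)
    if account is None:
        return "DENY", "unknown accessKey"
    if account["admin"]:
        return "ALLOW", "admin account"
    perm = account["topicPerms"].get(topic, account["defaultTopicPerm"])
    if "PUB" in perm.split("|"):
        return "ALLOW", f"{topic}={perm}"
    return "DENY", f"{topic}={perm}"


def audit_clients(client_ips, acl=ACL):
    """List the clients for which the per-account rules are never evaluated."""
    return [ip for ip in client_ips
            if any(match_pattern(ip, p) for p in acl["globalWhiteRemoteAddresses"])]


if __name__ == "__main__":
    for ip in ("192.168.0.23", "172.16.4.9"):  # constructed client addresses
        print(ip, decide_publish(ip, "RocketMQ", "topicA"))
```

Running `audit_clients` over the addresses of known producers and consumers shows which of them the `topicPerms` and `groupPerms` entries will never constrain.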




[GitHub] [rocketmq] caigy closed issue #4524: Set aclEnable=true in broker.conf, but acl looks like doesn't work

Posted by GitBox <gi...@apache.org>.
caigy closed issue #4524: Set aclEnable=true in broker.conf, but acl looks like doesn't work
URL: https://github.com/apache/rocketmq/issues/4524




[GitHub] [rocketmq] lizhiboo commented on issue #4524: Set aclEnable=true in broker.conf, but acl looks like doesn't work

Posted by GitBox <gi...@apache.org>.
lizhiboo commented on issue #4524:
URL: https://github.com/apache/rocketmq/issues/4524#issuecomment-1169440293

   @ChenAllen0305 maybe globalWhiteRemoteAddress contains your client ip, check defaultAclFile for global white remote address.




[GitHub] [rocketmq] ChenAllen0305 commented on issue #4524: Set aclEnable=true in broker.conf, but acl looks like doesn't work

Posted by GitBox <gi...@apache.org>.
ChenAllen0305 commented on issue #4524:
URL: https://github.com/apache/rocketmq/issues/4524#issuecomment-1169455896

   Yes, the globalWhiteRemoteAddress contains my client IP.
   I retried after deleting my local client IP from globalWhiteRemoteAddress, and ACL works.
   So it means the IP addresses in globalWhiteRemoteAddress don't need the ACL account check?

