Posted to dev@rocketmq.apache.org by GitBox <gi...@apache.org> on 2018/11/16 09:14:02 UTC

[GitHub] vongosling closed pull request #414: [ISSUE#403]Add ACL control by No.3

vongosling closed pull request #414: [ISSUE#403]Add ACL control by No.3
URL: https://github.com/apache/rocketmq/pull/414
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/broker/src/main/java/org/apache/rocketmq/broker/processor/SendMessageProcessor.java b/broker/src/main/java/org/apache/rocketmq/broker/processor/SendMessageProcessor.java
index b7e7a6187..b4c5a1d56 100644
--- a/broker/src/main/java/org/apache/rocketmq/broker/processor/SendMessageProcessor.java
+++ b/broker/src/main/java/org/apache/rocketmq/broker/processor/SendMessageProcessor.java
@@ -49,14 +49,20 @@
 import org.apache.rocketmq.store.config.StorePathConfigHelper;
 import org.apache.rocketmq.store.stats.BrokerStatsManager;
 
+import java.io.FileInputStream;
+import java.io.IOException;
 import java.net.SocketAddress;
 import java.util.List;
 import java.util.Map;
+import java.util.Properties;
 
 public class SendMessageProcessor extends AbstractSendMessageProcessor implements NettyRequestProcessor {
 
     private List<ConsumeMessageHook> consumeMessageHookList;
 
+    private static final String ROCKETMQ_USERS="rocketmq.users";
+
+    private static final String ROCKETMQ_USER="rocketmq.user";
     public SendMessageProcessor(final BrokerController brokerController) {
         super(brokerController);
     }
@@ -78,6 +84,28 @@ public RemotingCommand processRequest(ChannelHandlerContext ctx,
                 this.executeSendMessageHookBefore(ctx, request, mqtraceContext);
 
                 RemotingCommand response;
+
+                Properties properties=new Properties();
+                try {
+                    properties.load(new FileInputStream(brokerController.getBrokerConfig().getRocketmqHome()+"/conf"
+                        + "/acl.conf"));
+                } catch (IOException e) {
+                    log.error("load acl conf file {} failed",brokerController.getBrokerConfig().getRocketmqHome()+"/conf"
+                        + "/acl.conf");
+
+                }
+
+                if(!properties.isEmpty()){
+                    if(!((String)properties.get(ROCKETMQ_USERS)).contains(request.getExtFields().get(ROCKETMQ_USER))){
+                        response=RemotingCommand.createResponseCommand(SendMessageResponseHeader.class);
+                        response.setCode(ResponseCode.NO_PERMISSION);
+                        response.setRemark("the broker has open acl control [" + "the user:"+request.getExtFields().get(ROCKETMQ_USER)
+                            + "] do not have permission, sending message is forbidden");
+                        return response;
+                    }
+                }
+
+
                 if (requestHeader.isBatch()) {
                     response = this.sendBatchMessage(ctx, request, mqtraceContext, requestHeader);
                 } else {
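Review bot: The allow-list test `((String)properties.get(ROCKETMQ_USERS)).contains(...)` is a substring match on the raw comma-separated value, so an empty or partial user name is accepted, and a missing `rocketmq.users` key or a missing ext field ends in a NullPointerException instead of a clean denial. The block also fails open: when `acl.conf` cannot be read, the catch logs the path without the exception and `properties.isEmpty()` then skips the check entirely. The file is re-read on every send request through a `FileInputStream` that is never closed. I would parse the list once into a `Set<String>` (with try-with-resources), compare by exact match, and deny when the ACL file exists but cannot be loaded. processRequest begins and ends outside this hunk.

```java
// … unchanged: executeSendMessageHookBefore call and response declaration …
// aclUsers is a Set<String> built once at startup from rocketmq.users (split on ',', trimmed);
// aclEnabled stays true when acl.conf exists but cannot be read, so the check fails closed.
Map<String, String> extFields = request.getExtFields();
String user = extFields == null ? null : extFields.get(ROCKETMQ_USER);
if (aclEnabled && (user == null || user.isEmpty() || !aclUsers.contains(user))) {
    response = RemotingCommand.createResponseCommand(SendMessageResponseHeader.class);
    response.setCode(ResponseCode.NO_PERMISSION);
    response.setRemark("the broker has open acl control [the user:" + user
        + "] do not have permission, sending message is forbidden");
    return response;
}
// … unchanged: batch / single send dispatch …
```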
diff --git a/distribution/NOTICE-BIN b/distribution/NOTICE-BIN
index c91dc225f..eb91d6cd6 100644
--- a/distribution/NOTICE-BIN
+++ b/distribution/NOTICE-BIN
@@ -32,5 +32,5 @@ the 'license' directory of the distribution file, for the license terms of the
 components that this product depends on.
 
 ------
-This product has a bundle commons-lang, which includes software from the Spring Framework,
+This product has a bundle commons-lang, which includes software from the  Framework,
 under the Apache License 2.0 (see: StringUtils.containsWhitespace())
\ No newline at end of file
diff --git a/distribution/conf/acl.conf b/distribution/conf/acl.conf
new file mode 100644
index 000000000..e376d0596
--- /dev/null
+++ b/distribution/conf/acl.conf
@@ -0,0 +1 @@
+rocketmq.users=michael,jordan
\ No newline at end of file
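Review bot: Shipping `rocketmq.users=michael,jordan` as live configuration means every install that keeps this file runs with the sample allow list, assuming the broker's `<rocketmqHome>/conf/acl.conf` resolves to this distributed file. I would ship the entry commented out, e.g. `# rocketmq.users=user1,user2`, with a comment line stating that a non-empty file switches the check on. The entries are bare names with no secret attached, so the file can list who may send but gives the broker nothing to verify a sender against.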
diff --git a/remoting/src/main/java/org/apache/rocketmq/remoting/AclRPCHook.java b/remoting/src/main/java/org/apache/rocketmq/remoting/AclRPCHook.java
new file mode 100644
index 000000000..331095ac9
--- /dev/null
+++ b/remoting/src/main/java/org/apache/rocketmq/remoting/AclRPCHook.java
@@ -0,0 +1,21 @@
+package org.apache.rocketmq.remoting;
+
+import org.apache.rocketmq.remoting.protocol.RemotingCommand;
+
+public class AclRPCHook implements RPCHook {
+
+    private static final String ROCKETMQ_USER="rocketmq.user";
+    @Override
+    public void doBeforeRequest(String remoteAddr, RemotingCommand request) {
+
+        String userName=System.getProperty(ROCKETMQ_USER,"");
+        request.addExtField(ROCKETMQ_USER,userName);
+
+    }
+
+    @Override
+    public void doAfterResponse(String remoteAddr, RemotingCommand request,
+                                RemotingCommand response) {
+
+    }
+}
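Review bot: `doBeforeRequest` attaches a user name read from the `rocketmq.user` system property with nothing that proves it, so the broker-side check authorises a self-asserted label rather than an authenticated identity. The `""` default means the field is added even when no user is configured, which the broker then has to treat as a denial. If this is meant as access control, the request should carry something the broker can verify, such as a signature computed with a per-user secret; otherwise a class comment should say `// identification only, not authentication`. The new file also starts directly at `package` with no license header or class Javadoc, and `ROCKETMQ_USER` duplicates the constant added in SendMessageProcessor.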
diff --git a/remoting/src/main/java/org/apache/rocketmq/remoting/netty/NettyRemotingClient.java b/remoting/src/main/java/org/apache/rocketmq/remoting/netty/NettyRemotingClient.java
index 33c2eed8d..4a9f7d845 100644
--- a/remoting/src/main/java/org/apache/rocketmq/remoting/netty/NettyRemotingClient.java
+++ b/remoting/src/main/java/org/apache/rocketmq/remoting/netty/NettyRemotingClient.java
@@ -56,6 +56,7 @@
 import org.apache.rocketmq.remoting.ChannelEventListener;
 import org.apache.rocketmq.remoting.InvokeCallback;
 import org.apache.rocketmq.remoting.RPCHook;
+import org.apache.rocketmq.remoting.AclRPCHook;
 import org.apache.rocketmq.remoting.RemotingClient;
 import org.apache.rocketmq.remoting.common.Pair;
 import org.apache.rocketmq.remoting.common.RemotingHelper;
@@ -364,6 +365,7 @@ public RemotingCommand invokeSync(String addr, final RemotingCommand request, lo
         final Channel channel = this.getAndCreateChannel(addr);
         if (channel != null && channel.isActive()) {
             try {
+                this.rpcHook=new AclRPCHook();
                 if (this.rpcHook != null) {
                     this.rpcHook.doBeforeRequest(addr, request);
                 }
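Review bot: `this.rpcHook=new AclRPCHook();` inside `invokeSync` replaces whatever hook the client was constructed with on every synchronous call, which makes the following `if (this.rpcHook != null)` always true and writes a shared field from the request path. Only this method is touched in the hunk, so the other invoke paths presumably send no `rocketmq.user` field at all and would be rejected or unchecked depending on the broker side. I would drop this line and register the hook once where the client is built, or wrap the existing hook so both run. invokeSync starts and ends outside the hunk.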


 
