You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@rocketmq.apache.org by GitBox <gi...@apache.org> on 2018/12/26 10:51:25 UTC
[GitHub] dongeforever closed pull request #632: [ISSUE#403] fix some bugs
and Optimization code for rocketmq's acl feature.
dongeforever closed pull request #632: [ISSUE#403] fix some bugs and Optimization code for rocketmq's acl feature.
URL: https://github.com/apache/rocketmq/pull/632
This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:
As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):
diff --git a/acl/src/main/java/org/apache/rocketmq/acl/common/Permission.java b/acl/src/main/java/org/apache/rocketmq/acl/common/Permission.java
index c608f05da..7a95ee053 100644
--- a/acl/src/main/java/org/apache/rocketmq/acl/common/Permission.java
+++ b/acl/src/main/java/org/apache/rocketmq/acl/common/Permission.java
@@ -64,12 +64,10 @@ public static byte parsePermFromString(String permString) {
return Permission.PUB;
case "SUB":
return Permission.SUB;
- case "ANY":
- return Permission.ANY;
case "PUB|SUB":
- return Permission.ANY;
+ return Permission.PUB | Permission.SUB;
case "SUB|PUB":
- return Permission.ANY;
+ return Permission.PUB | Permission.SUB;
case "DENY":
return Permission.DENY;
default:
diff --git a/acl/src/main/java/org/apache/rocketmq/acl/plain/PlainAccessValidator.java b/acl/src/main/java/org/apache/rocketmq/acl/plain/PlainAccessValidator.java
index d71509846..bb1c0a11c 100644
--- a/acl/src/main/java/org/apache/rocketmq/acl/plain/PlainAccessValidator.java
+++ b/acl/src/main/java/org/apache/rocketmq/acl/plain/PlainAccessValidator.java
@@ -47,7 +47,11 @@ public PlainAccessValidator() {
@Override
public AccessResource parse(RemotingCommand request, String remoteAddr) {
PlainAccessResource accessResource = new PlainAccessResource();
- accessResource.setWhiteRemoteAddress(remoteAddr);
+ if (remoteAddr != null && remoteAddr.contains(":")) {
+ accessResource.setWhiteRemoteAddress(remoteAddr.split(":")[0]);
+ } else {
+ accessResource.setWhiteRemoteAddress(remoteAddr);
+ }
accessResource.setRequestCode(request.getCode());
accessResource.setAccessKey(request.getExtFields().get(SessionCredentials.ACCESS_KEY));
accessResource.setSignature(request.getExtFields().get(SessionCredentials.SIGNATURE));
diff --git a/acl/src/test/java/org/apache/rocketmq/acl/common/PermissionTest.java b/acl/src/test/java/org/apache/rocketmq/acl/common/PermissionTest.java
index 2d998cc4e..31820ad7d 100644
--- a/acl/src/test/java/org/apache/rocketmq/acl/common/PermissionTest.java
+++ b/acl/src/test/java/org/apache/rocketmq/acl/common/PermissionTest.java
@@ -35,14 +35,11 @@ public void fromStringGetPermissionTest() {
perm = Permission.parsePermFromString("SUB");
Assert.assertEquals(perm, Permission.SUB);
- perm = Permission.parsePermFromString("ANY");
- Assert.assertEquals(perm, Permission.ANY);
-
perm = Permission.parsePermFromString("PUB|SUB");
- Assert.assertEquals(perm, Permission.ANY);
+ Assert.assertEquals(perm, Permission.PUB|Permission.SUB);
perm = Permission.parsePermFromString("SUB|PUB");
- Assert.assertEquals(perm, Permission.ANY);
+ Assert.assertEquals(perm, Permission.PUB|Permission.SUB);
perm = Permission.parsePermFromString("DENY");
Assert.assertEquals(perm, Permission.DENY);
@@ -66,8 +63,14 @@ public void checkPermissionTest() {
boo = Permission.checkPermission(Permission.SUB, Permission.SUB);
Assert.assertTrue(boo);
- boo = Permission.checkPermission(Permission.ANY, Permission.ANY);
- Assert.assertFalse(boo);
+ boo = Permission.checkPermission(Permission.PUB, (byte) (Permission.PUB|Permission.SUB));
+ Assert.assertTrue(boo);
+
+ boo = Permission.checkPermission(Permission.SUB, (byte) (Permission.PUB|Permission.SUB));
+ Assert.assertTrue(boo);
+
+ boo = Permission.checkPermission(Permission.ANY, (byte) (Permission.PUB|Permission.SUB));
+ Assert.assertTrue(boo);
boo = Permission.checkPermission(Permission.ANY, Permission.SUB);
Assert.assertTrue(boo);
@@ -108,7 +111,7 @@ public void setTopicPermTest() {
Assert.assertEquals(perm, Permission.DENY);
perm = resourcePermMap.get(PlainAccessResource.getRetryTopic("groupB"));
- Assert.assertEquals(perm, Permission.ANY);
+ Assert.assertEquals(perm,Permission.PUB|Permission.SUB);
perm = resourcePermMap.get(PlainAccessResource.getRetryTopic("groupC"));
Assert.assertEquals(perm, Permission.PUB);
@@ -124,7 +127,7 @@ public void setTopicPermTest() {
Assert.assertEquals(perm, Permission.DENY);
perm = resourcePermMap.get("topicB");
- Assert.assertEquals(perm, Permission.ANY);
+ Assert.assertEquals(perm, Permission.PUB|Permission.SUB);
perm = resourcePermMap.get("topicC");
Assert.assertEquals(perm, Permission.PUB);
diff --git a/acl/src/test/java/org/apache/rocketmq/acl/plain/PlainPermissionLoaderTest.java b/acl/src/test/java/org/apache/rocketmq/acl/plain/PlainPermissionLoaderTest.java
index 2bd5b8cea..68f6e1198 100644
--- a/acl/src/test/java/org/apache/rocketmq/acl/plain/PlainPermissionLoaderTest.java
+++ b/acl/src/test/java/org/apache/rocketmq/acl/plain/PlainPermissionLoaderTest.java
@@ -108,14 +108,6 @@ public void getPlainAccessResourceTest() {
plainAccessResource = plainPermissionLoader.getPlainAccessResource(plainAccess);
Assert.assertEquals(plainAccessResource.isAdmin(), true);
- plainAccess.setDefaultGroupPerm("ANY");
- plainAccessResource = plainPermissionLoader.getPlainAccessResource(plainAccess);
- Assert.assertEquals(plainAccessResource.getDefaultGroupPerm(), Permission.ANY);
-
- plainAccess.setDefaultTopicPerm("ANY");
- plainAccessResource = plainPermissionLoader.getPlainAccessResource(plainAccess);
- Assert.assertEquals(plainAccessResource.getDefaultTopicPerm(), Permission.ANY);
-
List<String> groups = new ArrayList<String>();
groups.add("groupA=DENY");
groups.add("groupB=PUB|SUB");
@@ -126,7 +118,7 @@ public void getPlainAccessResourceTest() {
Assert.assertEquals(resourcePermMap.size(), 3);
Assert.assertEquals(resourcePermMap.get(PlainAccessResource.getRetryTopic("groupA")).byteValue(), Permission.DENY);
- Assert.assertEquals(resourcePermMap.get(PlainAccessResource.getRetryTopic("groupB")).byteValue(), Permission.ANY);
+ Assert.assertEquals(resourcePermMap.get(PlainAccessResource.getRetryTopic("groupB")).byteValue(), Permission.PUB|Permission.SUB);
Assert.assertEquals(resourcePermMap.get(PlainAccessResource.getRetryTopic("groupC")).byteValue(), Permission.PUB);
List<String> topics = new ArrayList<String>();
@@ -139,7 +131,7 @@ public void getPlainAccessResourceTest() {
Assert.assertEquals(resourcePermMap.size(), 6);
Assert.assertEquals(resourcePermMap.get("topicA").byteValue(), Permission.DENY);
- Assert.assertEquals(resourcePermMap.get("topicB").byteValue(), Permission.ANY);
+ Assert.assertEquals(resourcePermMap.get("topicB").byteValue(), Permission.PUB|Permission.SUB);
Assert.assertEquals(resourcePermMap.get("topicC").byteValue(), Permission.PUB);
}
diff --git a/distribution/conf/tools.yml b/distribution/conf/tools.yml
new file mode 100644
index 000000000..b90969670
--- /dev/null
+++ b/distribution/conf/tools.yml
@@ -0,0 +1,19 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+accessKey: aliyun.com
+secretKey: 12345678
+
diff --git a/tools/pom.xml b/tools/pom.xml
index 086c3e64c..a4a8630b1 100644
--- a/tools/pom.xml
+++ b/tools/pom.xml
@@ -37,6 +37,10 @@
<groupId>${project.groupId}</groupId>
<artifactId>rocketmq-client</artifactId>
</dependency>
+ <dependency>
+ <groupId>${project.groupId}</groupId>
+ <artifactId>rocketmq-acl</artifactId>
+ </dependency>
<dependency>
<groupId>${project.groupId}</groupId>
<artifactId>rocketmq-store</artifactId>
diff --git a/tools/src/main/java/org/apache/rocketmq/tools/command/MQAdminStartup.java b/tools/src/main/java/org/apache/rocketmq/tools/command/MQAdminStartup.java
index 34e9f451a..065e4175d 100644
--- a/tools/src/main/java/org/apache/rocketmq/tools/command/MQAdminStartup.java
+++ b/tools/src/main/java/org/apache/rocketmq/tools/command/MQAdminStartup.java
@@ -19,17 +19,16 @@
import ch.qos.logback.classic.LoggerContext;
import ch.qos.logback.classic.joran.JoranConfigurator;
import ch.qos.logback.core.joran.spi.JoranException;
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.IOException;
import java.util.ArrayList;
-import java.util.HashMap;
import java.util.List;
-import java.util.Map;
+import com.alibaba.fastjson.JSONObject;
import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.Options;
import org.apache.commons.cli.PosixParser;
import org.apache.commons.lang3.StringUtils;
+import org.apache.rocketmq.acl.common.AclClientRPCHook;
+import org.apache.rocketmq.acl.common.AclUtils;
+import org.apache.rocketmq.acl.common.SessionCredentials;
import org.apache.rocketmq.common.MQVersion;
import org.apache.rocketmq.common.MixAll;
import org.apache.rocketmq.remoting.RPCHook;
@@ -79,7 +78,6 @@
import org.apache.rocketmq.tools.command.topic.UpdateTopicPermSubCommand;
import org.apache.rocketmq.tools.command.topic.UpdateTopicSubCommand;
import org.slf4j.LoggerFactory;
-import org.yaml.snakeyaml.Yaml;
public class MQAdminStartup {
protected static List<SubCommand> subCommandList = new ArrayList<SubCommand>();
@@ -250,62 +248,22 @@ public static void initCommand(SubCommand command) {
public static RPCHook getAclRPCHook(CommandLine commandLine) {
String fileHome = System.getProperty(MixAll.ROCKETMQ_HOME_PROPERTY, System.getenv(MixAll.ROCKETMQ_HOME_ENV));
- File file = new File(fileHome + "/conf/tools.yml");
- if (!file.exists()) {
- System.out.printf("file %s is not exist \n", file.getPath());
+ String fileName = "/conf/tools.yml";
+ JSONObject yamlDataObject = AclUtils.getYamlDataObject(fileHome + fileName ,
+ JSONObject.class);
+
+ if (yamlDataObject == null || yamlDataObject.isEmpty()) {
+ System.out.printf(" Cannot find conf file %s, acl is not be enabled.%n" ,fileHome + fileName);
return null;
}
- Yaml ymal = new Yaml();
- FileInputStream fis = null;
- Map<String, Map<String, Object>> map = null;
- try {
- fis = new FileInputStream(file);
- map = ymal.loadAs(fis, Map.class);
- } catch (Exception e) {
- e.printStackTrace();
- } finally {
- if (fis != null) {
- try {
- fis.close();
- } catch (IOException e) {
- e.printStackTrace();
- }
- }
- }
- if (map == null || map.isEmpty()) {
- System.out.printf("file %s is no data", file.getPath());
+ // admin ak sk
+ String accessKey = yamlDataObject.getString("accessKey");
+ String secretKey = yamlDataObject.getString("secretKey");
+
+ if (StringUtils.isBlank(accessKey) || StringUtils.isBlank(secretKey)) {
+ System.out.printf("AccessKey or secretKey is blank, the acl is not enabled.%n");
return null;
}
-
- final Map<String, Map<String, Object>> newMap = map;
- return new RPCHook() {
-
- @Override
- public void doBeforeRequest(String remoteAddr, RemotingCommand request) {
- System.out.printf("remoteAddr is %s code %d \n", remoteAddr, request.getCode());
- String fastRemoteAddr = null;
- if (remoteAddr != null) {
- String[] ipAndPost = StringUtils.split(remoteAddr, ":");
- Integer fastPost = Integer.valueOf(ipAndPost[1]) + 2;
- fastRemoteAddr = ipAndPost[0] + ":" + fastPost.toString();
- }
- Map<String, Object> map;
- if ((map = newMap.get(remoteAddr)) != null || (map = newMap.get(fastRemoteAddr)) != null || (map = newMap.get("all")) != null) {
- HashMap<String, String> ext = request.getExtFields();
- if (ext == null) {
- ext = new HashMap<>();
- request.setExtFields(ext);
- }
- ext.put("account", map.get("account").toString());
- ext.put("password", map.get("password").toString());
- }
-
- }
-
- @Override
- public void doAfterResponse(String remoteAddr, RemotingCommand request, RemotingCommand response) {
- }
- };
-
+ return new AclClientRPCHook(new SessionCredentials(accessKey,secretKey));
}
}
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services