Posted to dev@rocketmq.apache.org by GitBox <gi...@apache.org> on 2022/03/03 03:34:24 UTC

[GitHub] [rocketmq] zergduan edited a comment on issue #3922: mqadmin updateGlobalWhiteAddr failed in 4.9.3

zergduan edited a comment on issue #3922:
URL: https://github.com/apache/rocketmq/issues/3922#issuecomment-1057631591


   I also found that when /conf/plain_acl.yml and /conf/acl/plain_acl.yml coexist:
   the global IP whitelist is saved in /conf/acl/plain_acl.yml
   accounts are saved in /conf/plain_acl.yml
   
   In this situation, after adding 2 or more account rules through the CLI, the configured permissions can be seen with mqadmin getAccessConfigSubCommand, but the ACL rules do not take effect, and producing and consuming report errors...
   
   The ACL only works normally when /conf/plain_acl.yml contains just 1 account rule...
   
   For example:
   
   step1. /conf/plain.acl.yml does not exist; the global IP whitelist is written manually into /conf/acl/plain.yml
   
   step2. Use the mqadmin CLI to add an account for the producer, as follows:
   ```sh
   sh /opt/paasmq/rocketmq-4.9.3/bin/mqadmin updateAclConfig -n 127.0.0.1:19876 -c AWS-NPRD-Cluster \
   --accessKey PG-E-APP-YYY \
   --secretKey 12345678 \
   --admin false \
   --defaultTopicPerm DENY \
   --defaultGroupPerm DENY \
   --topicPerms RMQ_SYS_TRACE_TOPIC=PUB,TP-E-APP-YYY=PUB
   ```
   
   step3. Use the mqadmin CLI to view the newly added account; it was added successfully
   ```sh
   sh /opt/paasmq/rocketmq-4.9.3/bin/mqadmin getAccessConfigSubCommand -n 127.0.0.1:19876 -c AWS-NPRD-Cluster;
   ```
   
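   step4. Use the following code to test the producer function; consumption works normally
   ```java
   import org.apache.rocketmq.acl.common.AclClientRPCHook;
   import org.apache.rocketmq.acl.common.SessionCredentials;
   import org.apache.rocketmq.client.exception.MQBrokerException;
   import org.apache.rocketmq.client.exception.MQClientException;
   import org.apache.rocketmq.client.producer.DefaultMQProducer;
   import org.apache.rocketmq.client.producer.SendResult;
   import org.apache.rocketmq.common.message.Message;
   import org.apache.rocketmq.remoting.RPCHook;
   import org.apache.rocketmq.remoting.common.RemotingHelper;
   import org.apache.rocketmq.remoting.exception.RemotingException;

   public class AclProducer {
       public static void main(String[] args)
               throws MQClientException, InterruptedException, RemotingException, MQBrokerException {
           // Producer with the ACL hook attached and message tracing enabled
           DefaultMQProducer producer = new DefaultMQProducer("My-Producer-YYY", getAclRPCHook(), true, null);
           producer.setNamesrvAddr("10.155.100.8:19876;10.155.101.213:19876");
           producer.start();
           for (int i = 0; i < 10; i++) {
               try {
                   Message msg = new Message("TP-E-APP-YYY", "*", ("Hello RocketMQ " + i).getBytes(RemotingHelper.DEFAULT_CHARSET));
                   //msg.setDelayTimeLevel(6);
                   SendResult sendResult = producer.send(msg);
                   System.out.printf("%s%n", sendResult);
                   Thread.sleep(10);
               } catch (Exception e) {
                   e.printStackTrace();
                   Thread.sleep(1000);
               }
           }
           producer.shutdown();
       }

       // Signs each request with the producer account created in step2
       static RPCHook getAclRPCHook() {
           return new AclClientRPCHook(new SessionCredentials("PG-E-APP-YYY", "12345678"));
       }
   }
   ```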
   
   step4. Use the mqadmin CLI to add an account for the consumer, as follows:
   ```sh
   sh /opt/paasmq/rocketmq-4.9.3/bin/mqadmin updateAclConfig -n 127.0.0.1:19876 -c AWS-NPRD-Cluster \
   --accessKey CG-E-APP-YYY-APP-SVC \
   --secretKey 12345678 \
   --admin false \
   --defaultTopicPerm DENY \
   --defaultGroupPerm DENY \
   --topicPerms RMQ_SYS_TRACE_TOPIC=PUB,TP-E-APP-YYY=SUB \
   --groupPerms CG-E-APP-YYY-APP-SVC=SUB
   ```
   
   
   step5. Using the same code as in step3, test producing again; messages can no longer be produced normally, and the error is as follows:
   ```
   org.apache.rocketmq.client.exception.MQClientException: Send [3] times, still failed, cost [17]ms, Topic: TP-E-APP-YYY, BrokersSent: [AWS-NPRD-Broker-a, AWS-NPRD-Broker-b, AWS-NPRD-Broker-a]
   See http://rocketmq.apache.org/docs/faq/ for further details.
   	at org.apache.rocketmq.client.impl.producer.DefaultMQProducerImpl.sendDefaultImpl(DefaultMQProducerImpl.java:681)
   	at org.apache.rocketmq.client.impl.producer.DefaultMQProducerImpl.send(DefaultMQProducerImpl.java:1391)
   	at org.apache.rocketmq.client.impl.producer.DefaultMQProducerImpl.send(DefaultMQProducerImpl.java:1335)
   	at org.apache.rocketmq.client.producer.DefaultMQProducer.send(DefaultMQProducer.java:336)
   	at AclProducer.main(AclProducer.java:22)
   Caused by: org.apache.rocketmq.client.exception.MQBrokerException: CODE: 1  DESC: java.lang.NullPointerException, org.apache.rocketmq.acl.plain.PlainPermissionManager.validate(PlainPermissionManager.java:646) BROKER: 10.155.100.164:22922
   For more information, please visit the url, http://rocketmq.apache.org/docs/faq/
   	at org.apache.rocketmq.client.impl.MQClientAPIImpl.processSendResponse(MQClientAPIImpl.java:668)
   	at org.apache.rocketmq.client.impl.MQClientAPIImpl.sendMessageSync(MQClientAPIImpl.java:507)
   	at org.apache.rocketmq.client.impl.MQClientAPIImpl.sendMessage(MQClientAPIImpl.java:489)
   	at org.apache.rocketmq.client.impl.MQClientAPIImpl.sendMessage(MQClientAPIImpl.java:433)
   	at org.apache.rocketmq.client.impl.producer.DefaultMQProducerImpl.sendKernelImpl(DefaultMQProducerImpl.java:870)
   	at org.apache.rocketmq.client.impl.producer.DefaultMQProducerImpl.sendDefaultImpl(DefaultMQProducerImpl.java:606)
   	... 4 more
   ```
   
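   step6. Use the following code to test the newly added consumer ACL; it cannot consume normally either
   ```java
   import java.util.List;

   import org.apache.rocketmq.acl.common.AclClientRPCHook;
   import org.apache.rocketmq.acl.common.SessionCredentials;
   import org.apache.rocketmq.client.consumer.DefaultMQPushConsumer;
   import org.apache.rocketmq.client.consumer.listener.ConsumeConcurrentlyContext;
   import org.apache.rocketmq.client.consumer.listener.ConsumeConcurrentlyStatus;
   import org.apache.rocketmq.client.consumer.listener.MessageListenerConcurrently;
   import org.apache.rocketmq.client.consumer.rebalance.AllocateMessageQueueAveragely;
   import org.apache.rocketmq.client.exception.MQClientException;
   import org.apache.rocketmq.common.consumer.ConsumeFromWhere;
   import org.apache.rocketmq.common.message.MessageExt;
   import org.apache.rocketmq.remoting.RPCHook;

   public class AclConsumer {
       public static void main(String[] args) throws MQClientException {
           // Push consumer with the ACL hook attached and message tracing enabled
           DefaultMQPushConsumer consumer = new DefaultMQPushConsumer(
                   "CG-E-APP-YYY-APP-SVC", getAclRPCHook(), new AllocateMessageQueueAveragely(), true, null);
           consumer.setConsumeFromWhere(ConsumeFromWhere.CONSUME_FROM_FIRST_OFFSET);
           consumer.subscribe("TP-E-APP-YYY", "*");
           consumer.setNamesrvAddr("10.155.100.8:19876;10.155.101.213:19876");
           consumer.registerMessageListener(new MessageListenerConcurrently() {
               @Override
               public ConsumeConcurrentlyStatus consumeMessage(List<MessageExt> msgs,
                                                               ConsumeConcurrentlyContext context) {
                   System.out.printf("%s Receive New Messages: %s %n", Thread.currentThread().getName(), msgs);
                   return ConsumeConcurrentlyStatus.CONSUME_SUCCESS;
                   //return ConsumeConcurrentlyStatus.RECONSUME_LATER;
               }
           });
           consumer.start();
           System.out.printf("Consumer Started.%n");
       }

       // Signs each request with the consumer account created in the second step4
       static RPCHook getAclRPCHook() {
           return new AclClientRPCHook(new SessionCredentials("CG-E-APP-YYY-APP-SVC", "12345678"));
       }
   }
   ```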
   


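The file layout described in the comment above, as an added example that is not part of the original comment or of RocketMQ: a shell audit that reports whether a broker has both ACL files and two or more accounts in conf/plain_acl.yml. It assumes both paths sit under the RocketMQ home directory; the function names and the sample tree (including the whitelist address and the YAML shape) are constructed.

```shell
#!/bin/sh
# Added example (not RocketMQ code). Function names are hypothetical.

# Print the number of account entries (accessKey lines) in one ACL file.
count_accounts() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c -E '^[[:space:]]*(-[[:space:]]*)?accessKey[[:space:]]*:' "$1" || true
}

# Succeed if the file defines the global IP whitelist key.
has_global_whitelist() {
    [ -f "$1" ] && grep -q -E '^[[:space:]]*globalWhiteRemoteAddresses[[:space:]]*:' "$1"
}

# Classify the ACL layout under a RocketMQ home directory (assumed root of conf/).
# Prints: none | single-file | split | split-multi-account
audit_acl_layout() {
    main="$1/conf/plain_acl.yml"
    sub="$1/conf/acl/plain_acl.yml"
    if [ ! -f "$main" ] && [ ! -f "$sub" ]; then echo "none"; return 0; fi
    if [ ! -f "$main" ] || [ ! -f "$sub" ]; then echo "single-file"; return 0; fi
    accounts=$(count_accounts "$main")
    if has_global_whitelist "$sub" && [ "$accounts" -ge 2 ]; then
        echo "split-multi-account"   # the state the comment reports as failing
    else
        echo "split"
    fi
}

# Build a constructed sample tree mirroring the state after both updateAclConfig calls.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/conf/acl"
    printf 'globalWhiteRemoteAddresses:\n- 10.0.0.*\n' > "$d/conf/acl/plain_acl.yml"
    printf 'accounts:\n- accessKey: PG-E-APP-YYY\n- accessKey: CG-E-APP-YYY-APP-SVC\n' \
        > "$d/conf/plain_acl.yml"
    echo "$d"
}

# Audit a real installation when a path is given, otherwise the sample tree.
if [ "$#" -gt 0 ]; then
    audit_acl_layout "$1"
else
    sample=$(make_sample)
    audit_acl_layout "$sample"
    rm -rf "$sample"
fi
```

Run it with the broker's install directory as the only argument, for example the /opt/paasmq/rocketmq-4.9.3 path used in the comment.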