
Using ACL for access control in RocketMQ could not be simpler

2022-11-24 22:51:25  Zidane love fitness

I. Introduction to ACL

RocketMQ has supported ACL since version 4.4.0. ACL is short for access control list. Access control generally involves the concepts of users, resources, permissions and roles;

1> Users

  • A user is the basic element of access control and consists of a user name and a secret key; it determines which permissions a request may use;

2> Resources

  • The RocketMQ objects that need to be protected, mainly Topic and ConsumerGroup.

3> Permissions

  • The operations that may be performed on a resource: DENY (refuse), PUB (send), SUB (subscribe).

4> Roles

  • RocketMQ has only two roles: administrator and non-administrator.

In addition, RocketMQ also supports an IP whitelist mechanism for clients.

How ACL works

Implementing permissions like this basically comes down to:

  • Storing the user information somewhere, including the user name, secret key, user role and the permissions the user holds. This is a lot like Spring Security, except that RocketMQ's ACL is more lightweight.
  • Every time a request reaches the Broker, it is intercepted before it is executed to check whether the user is permitted to perform the operation; if not, an error is reported and returned directly. The interception here can be understood the same way as a SpringMVC Interceptor or a Dubbo Filter.

The idea is simple; the concrete mechanism and source code will be covered in the next post.

II. Using ACL

1. Broker-side configuration

To use ACL permissions, you must first add the corresponding configuration on the Broker side (add aclEnable=true to broker.conf) to enable ACL;

aclEnable=true

Then configure the concrete authentication rules; refer to the distribution/conf/plain_acl.yml file in the RocketMQ source (https://github.com/apache/rocketmq/blob/4.9.x/distribution/conf/plain_acl.yml) and copy it to the ${ROCKETMQ_HOME}/conf directory.


globalWhiteRemoteAddresses:
- 10.10.103.*
- 192.168.0.*

accounts:
- accessKey: mockmock
  secretKey: 123456
  whiteRemoteAddress:
  admin: false
  defaultTopicPerm: DENY
  defaultGroupPerm: SUB
  topicPerms:
  - topicA=DENY
  - topicB=PUB|SUB
  - topicC=SUB
  groupPerms:
  # the group should convert to retry topic
  - groupA=DENY
  - groupB=PUB|SUB
  - groupC=SUB

- accessKey: mockmock2
  secretKey: 123456
  whiteRemoteAddress: 192.168.1.*
  admin: true

This configuration means:

  • Clients in the 10.10.103.* and 192.168.0.* subnets pass ACL authentication directly;
  • User mockmock has the non-administrator role; on topic topicB and consumer group groupB it may PUB and SUB; on topic topicC and consumer group groupC it may only SUB; on topic topicA and consumer group groupA it may do nothing.
  • User mockmock2 is an administrator and has access to any resource.

Detailed ACL configuration

1> globalWhiteRemoteAddresses

  • Global IP whitelist; the type is an array, and multiple IP entries of several forms can be configured;
    1. (empty string) --> no whitelist is set; this rule returns false by default;
    2. * --> matches everything; this rule returns true directly and blocks the evaluation of all other rules, so use it with care.
    3. 192.168.0.{100,101} --> multi-address mode: the last group of the IP address is written with {}, and the addresses inside the braces are separated by commas (,);
    4. 192.168.1.100,192.168.2.100 --> multiple complete IP addresses separated by commas;
    5. 192.168.*.* or 192.168.100-200.10-20 --> IP range mode: each IP segment uses * or - to express a range.

2> accounts

  • Configures the user information; the type is an array. Each entry contains several child elements: accessKey, secretKey, whiteRemoteAddress, admin, defaultTopicPerm, defaultGroupPerm, topicPerms, groupPerms.
    • accessKey --> login user name; must be longer than 6 characters.
    • secretKey --> login password; must be longer than 6 characters.
    • whiteRemoteAddress --> user-level IP whitelist. The type is a string; the configuration rules are the same as for globalWhiteRemoteAddresses, but only one rule can be configured.
    • admin --> boolean type; sets whether the user is an admin.
      The following operations may only be executed when admin=true:
      • UPDATE_AND_CREATE_TOPIC --> update or create a topic
      • UPDATE_BROKER_CONFIG --> update the Broker configuration
      • DELETE_TOPIC_IN_BROKER --> delete a topic
      • UPDATE_AND_CREATE_SUBSCRIPTIONGROUP --> update or create subscription group information
      • DELETE_SUBSCRIPTIONGROUP --> delete subscription group information.
    • defaultTopicPerm --> default topic permission; defaults to DENY (refuse).
    • defaultGroupPerm --> default consumer group permission; defaults to DENY (refuse); the recommended value is SUB.
    • topicPerms --> sets the permissions on topics; the type is an array; possible values: DENY, PUB, SUB
    • groupPerms --> sets the permissions on consumer groups; the type is an array; possible values: DENY, PUB, SUB
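To make the whitelist rules and the account permissions above concrete, here is an added example (written for this page, not RocketMQ's own code) that models the decision a Broker makes for one request against the plain_acl.yml shown earlier. The config is embedded as a constructed dict so it runs without a YAML parser; the evaluation order (global whitelist, credentials, account whitelist, admin, per-resource permission, default permission) and the pass-through behaviour of the account-level whitelist are this model's assumptions, and the secret key is compared directly here, whereas the real client signs each request with it rather than sending it.

```python
# Constructed in-memory copy of the plain_acl.yml shown above (same accounts and rules),
# so the example runs without a YAML parser.
ACL = {
    "globalWhiteRemoteAddresses": ["10.10.103.*", "192.168.0.*"],
    "accounts": [
        {
            "accessKey": "mockmock", "secretKey": "123456", "whiteRemoteAddress": "",
            "admin": False, "defaultTopicPerm": "DENY", "defaultGroupPerm": "SUB",
            "topicPerms": ["topicA=DENY", "topicB=PUB|SUB", "topicC=SUB"],
            "groupPerms": ["groupA=DENY", "groupB=PUB|SUB", "groupC=SUB"],
        },
        {"accessKey": "mockmock2", "secretKey": "123456",
         "whiteRemoteAddress": "192.168.1.*", "admin": True},
    ],
}


def _octet_matches(pattern, value):
    """One IPv4 octet against one pattern segment: '*', 'lo-hi', '{a,b,...}' or a literal."""
    if pattern == "*":
        return True
    if pattern.startswith("{") and pattern.endswith("}"):
        return str(value) in [p.strip() for p in pattern[1:-1].split(",")]
    if "-" in pattern:
        lo, hi = pattern.split("-", 1)
        return int(lo) <= value <= int(hi)
    return pattern == str(value)


def ip_allowed(rule, ip):
    """Evaluate one whitelist rule in the five forms listed in the post:
    '' never matches, '*' always matches, 'a,b' is a list of complete addresses,
    and a dotted pattern may use '*', 'lo-hi' or '{a,b}' per segment."""
    rule = rule.strip()
    if rule == "":
        return False
    if rule == "*":
        return True
    if "," in rule and "{" not in rule:          # comma list of complete addresses
        return any(ip_allowed(part, ip) for part in rule.split(","))
    segments = rule.split(".")
    octets = ip.split(".")
    if len(segments) != 4 or len(octets) != 4 or not all(o.isdigit() for o in octets):
        return False
    return all(_octet_matches(s, int(o)) for s, o in zip(segments, octets))


def _perm_table(entries):
    """'topicB=PUB|SUB' -> {'topicB': {'PUB', 'SUB'}}."""
    table = {}
    for entry in entries or []:
        name, _, perm = entry.partition("=")
        table[name.strip()] = set(perm.strip().split("|"))
    return table


def is_permitted(acl, access_key, secret_key, client_ip, resource, kind, op):
    """Decide one request. kind is 'topic' or 'group'; op is 'PUB' or 'SUB'.
    Order modelled here (an assumption of this example): global whitelist, credentials,
    account whitelist, admin flag, per-resource permission, then the default permission."""
    if any(ip_allowed(r, client_ip) for r in acl.get("globalWhiteRemoteAddresses", [])):
        return True                                  # whitelisted: credentials are not checked
    account = next((a for a in acl["accounts"] if a["accessKey"] == access_key), None)
    # Model simplification: the secret key is compared directly; the real client
    # never sends it but signs each request with it instead.
    if account is None or account["secretKey"] != secret_key:
        return False
    if ip_allowed(account.get("whiteRemoteAddress", ""), client_ip):
        return True                                  # account-level whitelist (assumed pass-through)
    if account.get("admin"):
        return True                                  # admin: every resource, every operation
    perms_key, default_key = (("topicPerms", "defaultTopicPerm") if kind == "topic"
                              else ("groupPerms", "defaultGroupPerm"))
    granted = _perm_table(account.get(perms_key)).get(resource,
                                                      {account.get(default_key, "DENY")})
    return "DENY" not in granted and op in granted


if __name__ == "__main__":
    print(is_permitted(ACL, "mockmock", "123456", "172.16.0.5", "topicB", "topic", "PUB"))   # True
    print(is_permitted(ACL, "mockmock", "123456", "172.16.0.5", "topicZ", "topic", "SUB"))   # False
    print(is_permitted(ACL, "mockmock", "bad", "10.10.103.9", "topicA", "topic", "PUB"))     # True
```

The third call is the one worth noticing: a client inside a globally whitelisted subnet is permitted with a wrong secret key and against a DENY topic, because the whitelist short-circuits everything after it. That is why the post warns against "*" in globalWhiteRemoteAddresses, and why a whitelist entry deserves the same review as an admin account.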

2. Producer

When creating the DefaultMQProducer, pass an RPCHook;

import java.nio.charset.StandardCharsets;

import org.apache.rocketmq.acl.common.AclClientRPCHook;
import org.apache.rocketmq.acl.common.SessionCredentials;
import org.apache.rocketmq.client.producer.DefaultMQProducer;
import org.apache.rocketmq.client.producer.SendResult;
import org.apache.rocketmq.common.message.Message;
import org.apache.rocketmq.remoting.RPCHook;

public class AclProducer {

    public static void main(String[] args) throws Exception {
        // the RPCHook attaches the ACL credentials to every request the client sends
        DefaultMQProducer producer = new DefaultMQProducer("saint-test", getAclRPCHook());
        producer.setNamesrvAddr("127.0.0.1:9876");
        producer.setMaxMessageSize(1024 * 1024 * 10);
        producer.start();

        // topic and body
        Message msg = new Message("test-topic", "study002".getBytes(StandardCharsets.UTF_8));
        SendResult send = producer.send(msg);
        System.out.println(send);

        // shut the producer down
        producer.shutdown();
    }

    static RPCHook getAclRPCHook() {
        // accessKey / secretKey must match an account configured in plain_acl.yml
        return new AclClientRPCHook(new SessionCredentials("username", "password"));
    }
}

3. Consumer

Likewise, pass an RPCHook when creating the DefaultMQPushConsumer;

import java.util.List;

import org.apache.rocketmq.acl.common.AclClientRPCHook;
import org.apache.rocketmq.acl.common.SessionCredentials;
import org.apache.rocketmq.client.consumer.DefaultMQPushConsumer;
import org.apache.rocketmq.client.consumer.listener.ConsumeConcurrentlyContext;
import org.apache.rocketmq.client.consumer.listener.ConsumeConcurrentlyStatus;
import org.apache.rocketmq.client.consumer.listener.MessageListenerConcurrently;
import org.apache.rocketmq.client.consumer.rebalance.AllocateMessageQueueAveragely;
import org.apache.rocketmq.common.consumer.ConsumeFromWhere;
import org.apache.rocketmq.common.message.MessageExt;
import org.apache.rocketmq.common.protocol.heartbeat.MessageModel;
import org.apache.rocketmq.remoting.RPCHook;

public class AclConsumer {

    public static void main(String[] args) throws Exception {
        // the RPCHook attaches the ACL credentials to every request the client sends
        DefaultMQPushConsumer consumer = new DefaultMQPushConsumer("study-consumer", getAclRPCHook(), new AllocateMessageQueueAveragely());
        consumer.setNamesrvAddr("127.0.0.1:9876");

        // the account needs SUB on both the topic and the consumer group
        consumer.subscribe("test-topic", "*");
        consumer.setConsumeFromWhere(ConsumeFromWhere.CONSUME_FROM_LAST_OFFSET);
        consumer.setMessageModel(MessageModel.BROADCASTING);

        consumer.registerMessageListener(new MessageListenerConcurrently() {

            @Override
            public ConsumeConcurrentlyStatus consumeMessage(List<MessageExt> msgs, ConsumeConcurrentlyContext consumeConcurrentlyContext) {
                for (MessageExt msg : msgs) {
                    System.out.println(new String(msg.getBody()));
                }
                return ConsumeConcurrentlyStatus.CONSUME_SUCCESS;
            }
        });

        consumer.start();
        System.out.println("Consumer start......");
    }

    static RPCHook getAclRPCHook() {
        // accessKey / secretKey must match an account configured in plain_acl.yml
        return new AclClientRPCHook(new SessionCredentials("username", "password"));
    }
}

4. RocketMQ-Console

Set the user name and password in the application.properties file (it is recommended to use an admin account):

rocketmq.config.accessKey=administrators
rocketmq.config.secretKey=administrators

Copyright notice
Author [Zidane love fitness]. Please include the original link when reprinting, thank you.
https://en.cdmana.com/2022/328/202211242243375905.html
