1. What is ACL?
ACL is short for access control list. Access control basically involves the concepts of users, resources, permissions, roles, and so on. Which objects do these correspond to in RocketMQ?
- user
The user is the basic element of access control and is not difficult to understand. RocketMQ ACL inevitably introduces the concept of a user, that is, support for a user name and password.
- Resources
Resources are the objects to be protected. In RocketMQ, the topic involved in sending a message and the consumer group involved in consuming it should be protected, so they are abstracted as resources.
- Permissions
What may be done with a resource.
- role
In RocketMQ, only two roles are defined: administrator and non-administrator.
RocketMQ also supports whitelist settings based on client IP.
2. ACL Basic Flowchart
Before explaining how to use ACL, let's take a brief look at the request process for RocketMQ ACL:
The specific implementation of the flow above will be covered in subsequent articles; the purpose of this article is only to give readers a general understanding.
3. How to configure ACL
3.1 ACL configuration file
The ACL configuration file is named plain_acl.yml by default and needs to be placed in the ${ROCKETMQ_HOME}/store/config directory. The configuration items are described below.
3.1.1 globalWhiteRemoteAddresses
Global whitelist, of array type, that is, multiple entries are supported. The following configuration formats are supported:
- empty
Indicates that no whitelist is set; this rule returns false by default.
- "*"
Matches everything. This rule returns true directly, which skips the evaluation of all other rules. Use with caution.
- 192.168.0.{100,101}
Multiple-address mode: the last octet uses {} with several values inside the braces, separated by English commas (,).
- 192.168.1.100,192.168.2.100
Multiple IP addresses configured directly, separated by commas.
- 192.168.*.* or 192.168.100-200.10-20
Each IP segment uses '*' or '-' to represent a range.
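The whitelist formats listed above, as an added example that is not part of the original post and not RocketMQ's own matcher: a small Python implementation written from the rules exactly as this page states them (empty rule, "*", braces in an octet, comma-separated entries, "*" and "lo-hi" per octet), failing closed on malformed input.

```python
# Added example: whitelist matching per the rules on this page, not RocketMQ's code.

def _octet_ok(pattern, value):
    """Match one octet against '*', 'lo-hi', '{a,b,...}' or a literal number."""
    pattern = pattern.strip()
    if pattern == "*":
        return True
    if pattern.startswith("{") and pattern.endswith("}"):
        return any(_octet_ok(p, value) for p in pattern[1:-1].split(","))
    if "-" in pattern:
        lo, hi = (int(x) for x in pattern.split("-", 1))
        return lo <= value <= hi
    return int(pattern) == value

def _split_entries(rule):
    """Split 'a,b,c' on commas, but keep commas inside {...} together."""
    parts, depth, cur = [], 0, ""
    for ch in rule:
        depth += (ch == "{") - (ch == "}")
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return [p.strip() for p in parts if p.strip()]

def ip_matches_rule(rule, ip):
    """One whitelist rule: empty -> False, '*' -> True, otherwise per-octet match."""
    rule = (rule or "").strip()
    if not rule:
        return False   # an empty whitelist never matches
    if rule == "*":
        return True    # matches everything; no other rule is consulted
    try:
        octets = [int(x) for x in ip.split(".")]
        if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
            return False
        return any(len(e.split(".")) == 4 and
                   all(_octet_ok(p, o) for p, o in zip(e.split("."), octets))
                   for e in _split_entries(rule))
    except ValueError:
        return False   # malformed address or rule: fail closed

def ip_in_whitelist(rules, ip):
    """globalWhiteRemoteAddresses is an array: any matching entry admits the client."""
    return any(ip_matches_rule(r, ip) for r in rules)
```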
3.1.2 accounts
Configures user information; array type. Each entry has the child elements accessKey, secretKey, whiteRemoteAddress, admin, defaultTopicPerm, defaultGroupPerm, topicPerms and groupPerms.
3.1.2.1 accessKey
The login user name; its length must be greater than six characters.
3.1.2.2 secretKey
The login password; its length must be greater than six characters.
3.1.2.3 whiteRemoteAddress
A user-level whitelist of IP addresses. Its type is a string, and its configuration rules are the same as for globalWhiteRemoteAddresses, but only one rule can be configured.
3.1.2.4 admin
Boolean type; whether the user is an administrator. The following operations can be executed only if admin=true.
- UPDATE_AND_CREATE_TOPIC
Update or create a topic.
- UPDATE_BROKER_CONFIG
Update Broker configuration.
- DELETE_TOPIC_IN_BROKER
Delete a topic.
- UPDATE_AND_CREATE_SUBSCRIPTIONGROUP
Update or create subscription group information.
- DELETE_SUBSCRIPTIONGROUP
Delete subscription group information.
3.1.2.5 defaultTopicPerm
Default topic permission. This value defaults to DENY.
3.1.2.6 defaultGroupPerm
Default consumer group permission. This value defaults to DENY; the recommended value is SUB.
3.1.2.7 topicPerms
Sets permissions per topic. Its type is an array, and its optional values are described in the next section.
3.1.2.8 groupPerms
Sets permissions per consumer group. Its type is an array, and its optional values are described in the next section. Different permissions can be configured for each consumer group.
3.2 Optional RocketMQ ACL Permissions
- DENY
Deny.
- PUB
Has publish (send) permission.
- SUB
Has subscribe (consume) permission.
3.3 Permission Verification Process
The global whitelist, the user-level whitelist and the user-level permissions are defined above. To configure ACL permission rules correctly, the permission matching logic is given below.
4. Usage examples
4.1 Broker-side setup
First, add the parameter aclEnable=true to the broker.conf file. Then copy the distribution/conf/plain_acl.yml file to the ${ROCKETMQ_HOME}/conf directory.
The configuration file for broker.conf is as follows:
brokerClusterName = DefaultCluster
brokerName = broker-b
brokerId = 0
deleteWhen = 04
fileReservedTime = 48
brokerRole = ASYNC_MASTER
flushDiskType = ASYNC_FLUSH
listenPort=10915
storePathRootDir=E:/SH2019/tmp/rocketmq_home/rocketmq4.5MB/store
storePathCommitLog=E:/SH2019/tmp/rocketmq_home/rocketmq4.5MB/store/commitlog
namesrvAddr=127.0.0.1:9876
autoCreateTopicEnable=false
aclEnable=true
The plain_acl.yml file contains the following:
globalWhiteRemoteAddresses:

accounts:
- accessKey: RocketMQ
  secretKey: 12345678
  whiteRemoteAddress:
  admin: false
  defaultTopicPerm: DENY
  defaultGroupPerm: SUB
  topicPerms:
  - TopicTest=PUB
  groupPerms:
  # the group should convert to retry topic
  - oms_consumer_group=DENY

- accessKey: admin
  secretKey: 12345678
  whiteRemoteAddress:
  # if it is admin, it could access all resources
  admin: true
With the configuration above, the user RocketMQ can only send messages to TopicTest and has no permission to send to other topics; message consumption by the oms_consumer_group consumer group is rejected, and other consumer groups can consume by default.
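The matching logic of section 3.3 applied to the two accounts of the plain_acl.yml above, as an added example that is not part of the original post and not RocketMQ's own implementation: admin accounts pass every check, otherwise the per-resource entry wins and the defaultTopicPerm / defaultGroupPerm value is the fallback (DENY when unset); IP whitelists are evaluated separately and are not modelled here. The ACCOUNTS dictionary is a constructed in-memory copy of the example file with the secret keys left out.

```python
# Added example: permission resolution per the rules on this page, not RocketMQ's code.
ADMIN_ONLY_OPS = {
    "UPDATE_AND_CREATE_TOPIC", "UPDATE_BROKER_CONFIG", "DELETE_TOPIC_IN_BROKER",
    "UPDATE_AND_CREATE_SUBSCRIPTIONGROUP", "DELETE_SUBSCRIPTIONGROUP",
}

# Constructed in-memory form of the example plain_acl.yml accounts (secretKeys omitted).
ACCOUNTS = {
    "RocketMQ": {
        "admin": False,
        "defaultTopicPerm": "DENY",
        "defaultGroupPerm": "SUB",
        "topicPerms": ["TopicTest=PUB"],
        "groupPerms": ["oms_consumer_group=DENY"],
    },
    "admin": {"admin": True},
}

def _perm_map(entries):
    """Turn ['TopicTest=PUB', ...] into {'TopicTest': 'PUB', ...}."""
    return dict(e.split("=", 1) for e in entries or [])

def resource_allowed(account, kind, name, needed):
    """kind is 'topic' or 'group'; needed is 'PUB' or 'SUB' (values per this page:
    DENY, PUB, SUB). Admins may access every resource; otherwise the entry for the
    named resource wins, falling back to the account's default for that kind."""
    if account.get("admin"):
        return True
    if kind == "topic":
        perms = _perm_map(account.get("topicPerms"))
        default = account.get("defaultTopicPerm", "DENY")
    else:
        perms = _perm_map(account.get("groupPerms"))
        default = account.get("defaultGroupPerm", "DENY")
    granted = perms.get(name, default)
    return granted != "DENY" and granted == needed

def admin_op_allowed(account, op):
    """Operations in the admin-only list require admin: true; others are not gated here."""
    return op not in ADMIN_ONLY_OPS or bool(account.get("admin"))
```

Run against the page's own scenario, the RocketMQ user is allowed to publish to TopicTest but not to TopicTest3, and oms_consumer_group is the only group denied consumption.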
4.2 Message Sender Example
import org.apache.rocketmq.acl.common.AclClientRPCHook;
import org.apache.rocketmq.acl.common.SessionCredentials;
import org.apache.rocketmq.client.exception.MQClientException;
import org.apache.rocketmq.client.producer.DefaultMQProducer;
import org.apache.rocketmq.client.producer.SendResult;
import org.apache.rocketmq.common.message.Message;
import org.apache.rocketmq.remoting.RPCHook;
import org.apache.rocketmq.remoting.common.RemotingHelper;

public class AclProducer {
    public static void main(String[] args) throws MQClientException, InterruptedException {
        // The ACL hook signs every request with the accessKey/secretKey pair
        DefaultMQProducer producer = new DefaultMQProducer("please_rename_unique_group_name", getAclRPCHook());
        producer.setNamesrvAddr("127.0.0.1:9876");
        producer.start();
        for (int i = 0; i < 1; i++) {
            try {
                Message msg = new Message("TopicTest3", "TagA",
                        ("Hello RocketMQ " + i).getBytes(RemotingHelper.DEFAULT_CHARSET));
                SendResult sendResult = producer.send(msg);
                System.out.printf("%s%n", sendResult);
            } catch (Exception e) {
                e.printStackTrace();
                Thread.sleep(1000);
            }
        }
        producer.shutdown();
    }

    // Credentials must match an accessKey/secretKey pair in plain_acl.yml
    static RPCHook getAclRPCHook() {
        return new AclClientRPCHook(new SessionCredentials("rocketmq", "12345678"));
    }
}
The result is as shown in the diagram:
4.3 Message Consumer Example
import java.util.List;

import org.apache.rocketmq.acl.common.AclClientRPCHook;
import org.apache.rocketmq.acl.common.SessionCredentials;
import org.apache.rocketmq.client.consumer.DefaultMQPushConsumer;
import org.apache.rocketmq.client.consumer.listener.ConsumeConcurrentlyContext;
import org.apache.rocketmq.client.consumer.listener.ConsumeConcurrentlyStatus;
import org.apache.rocketmq.client.consumer.listener.MessageListenerConcurrently;
import org.apache.rocketmq.client.consumer.rebalance.AllocateMessageQueueAveragely;
import org.apache.rocketmq.client.exception.MQClientException;
import org.apache.rocketmq.common.consumer.ConsumeFromWhere;
import org.apache.rocketmq.common.message.MessageExt;
import org.apache.rocketmq.remoting.RPCHook;

public class AclConsumer {
    public static void main(String[] args) throws InterruptedException, MQClientException {
        // The ACL hook signs every request with the accessKey/secretKey pair
        DefaultMQPushConsumer consumer = new DefaultMQPushConsumer("please_rename_unique_group_name_4",
                getAclRPCHook(), new AllocateMessageQueueAveragely());
        consumer.setConsumeFromWhere(ConsumeFromWhere.CONSUME_FROM_FIRST_OFFSET);
        consumer.subscribe("TopicTest", "*");
        consumer.setNamesrvAddr("127.0.0.1:9876");
        consumer.registerMessageListener(new MessageListenerConcurrently() {
            @Override
            public ConsumeConcurrentlyStatus consumeMessage(List<MessageExt> msgs, ConsumeConcurrentlyContext context) {
                System.out.printf("%s Receive New Messages: %s %n", Thread.currentThread().getName(), msgs);
                return ConsumeConcurrentlyStatus.CONSUME_SUCCESS;
            }
        });
        consumer.start();
        System.out.printf("Consumer Started.%n");
    }

    // Credentials must match an accessKey/secretKey pair in plain_acl.yml
    static RPCHook getAclRPCHook() {
        return new AclClientRPCHook(new SessionCredentials("rocketmq", "12345678"));
    }
}
We found that there were no consumer messages, which met our expectations.
This concludes the description of how to use the RocketMQ ACL; the next section describes how the RocketMQ ACL works.
Recommended reading:
1. RocketMQ in Practice: Why autoCreateTopicEnable cannot be set to true in a production environment
2. Cause analysis and solution for RocketMQ message sending errors "system busy" and "broker busy"
3. RocketMQ HA mechanism (master-slave synchronization)
4. RocketMQ transactional messages in practice
Author's introduction:
Dingwei, author of "Insider of RocketMQ Technology", RocketMQ community evangelist and maintainer of the public account "Middleware Interest Circle", has published a series of source-code analysis columns on Java collections, Java concurrency (JUC), Netty, Mycat, Dubbo, RocketMQ, Mybatis and others.