apache / rocketmq-operator

Apache RocketMQ Operator
https://rocketmq.apache.org/
Apache License 2.0
314 stars 127 forks

How to custom plain_acl.yml content? #184

Open chixianliangGithub opened 12 months ago

chixianliangGithub commented 12 months ago

In broker-config, I add aclEnable=true. I want to customize plain_acl.yml [image]

caigy commented 12 months ago

It seems like the broker CRD does not support mounting the ACL configuration files directly.

caigy commented 12 months ago

@chixianliangGithub Pls try if the following works:

  1. Place your ACL config file in the same directory for broker store, which will be mounted to store folder in the broker pod.
  2. set the system property rocketmq.acl.plain.file as store/${YOUR_ACL_CONF_FILE_NAME}, e.g. store/plain_acl.yml.
chixianliangGithub commented 12 months ago

> @chixianliangGithub Pls try if the following works:
>
>   1. Place your ACL config file in the same directory for broker store, which will be mounted to store folder in the broker pod.
>   2. set the system property rocketmq.acl.plain.file as store/${YOUR_ACL_CONF_FILE_NAME}, e.g. store/plain_acl.yml.

Can you give a complete example? I try it, it seems it does not work.

moweilong commented 12 months ago

This is how I enabled ACL:

  1. Add the plain_acl.yml content to the configmap broker-config, as shown below:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: broker-config
data:
  # BROKER_MEM sets the broker JVM, if set to "" then Xms = Xmx = max(min(1/2 ram, 1024MB), min(1/4 ram, 8GB))
  BROKER_MEM: " -Xms2g -Xmx2g -Xmn1g "
  broker-common.conf: |
    # brokerClusterName, brokerName, brokerId are automatically generated by the operator and do not set it manually!!!
    deleteWhen=04
    fileReservedTime=48
    flushDiskType=ASYNC_FLUSH
    # set brokerRole to ASYNC_MASTER or SYNC_MASTER. DO NOT set to SLAVE because the replica instance will automatically be set!!!
    brokerRole=ASYNC_MASTER
    aclEnable = true
  plain_acl.yml: |-
    globalWhiteRemoteAddresses:
      - 10.10.*.*
      - 10.11.*.*
      - 10.16.13.*

    accounts:
      - accessKey: xxxxxxxxxxxx
        secretKey: xxxxxxxxxxxx
        whiteRemoteAddress:
        admin: false
        defaultTopicPerm: PUB|SUB
        defaultGroupPerm: PUB|SUB
        topicPerms:
          - topicA=DENY
          - topicB=PUB|SUB
          - topicC=SUB
        groupPerms:
          # the group should convert to retry topic
          - groupA=DENY
          - groupB=PUB|SUB
          - groupC=SUB

      - accessKey: xxxxxxxxxxxx
        secretKey: xxxxxxxxxxxx
        whiteRemoteAddress:
        # if it is admin, it could access all resources
        admin: true
```

  2. Mount the configmap in the MQ cluster statefulsets broker-0-master and broker-0-replica-1, as shown below:

```yaml
spec:
  volumes:
  ...
    - name: broker-acl
      configMap:
        name: broker-config
        items:
          - key: plain_acl.yml
            path: plain_acl.yml
        defaultMode: 420
  ...
      volumeMounts:
  ...
        - name: broker-acl
          mountPath: /root/rocketmq/broker/conf/plain_acl.yml
          subPath: plain_acl.yml
```

  3. Delete the pods of statefulsets broker-0-master and broker-0-replica-1.

  4. Open a terminal in the pod and run the command to view the full content of the cluster/broker ACL configuration file; replace the nameserver IP with your own:

```shell
./mqadmin getAccessConfigSubCommand -n 10.210.95.195:9876 -c broker
```

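Before the plain_acl.yml content above goes into the broker-config ConfigMap, it is worth linting it for the mistakes that quietly weaken the ACL: placeholder secrets left in place, the same accessKey declared twice, an admin account with no whiteRemoteAddress restriction, a global whitelist that bypasses authentication for everyone, or a malformed `name=PERM` entry. The lint below is an added example written for this thread, not code from the rocketmq-operator project or from any commenter. It assumes the RocketMQ 4.x plain ACL layout shown above; the names `lint_acl`, `load_acl`, `SAMPLE_ACL`, `HARDENED_ACL`, the minimum secret length and the placeholder pattern are all choices of this example. `SAMPLE_ACL` is a constructed dict mirroring the configmap in the comment above, so running the script reports exactly what would be wrong with shipping it as-is.

```python
"""Lint a RocketMQ plain_acl.yml (RocketMQ 4.x plain ACL layout) before mounting it.

Added example for this thread; not part of rocketmq-operator. The thresholds and
messages are this example's own choices, not the broker's validation rules.
"""
from __future__ import annotations

import re
import sys
from typing import Any

try:
    import yaml  # PyYAML, optional: only needed by load_acl() to read a file from disk
except ImportError:  # pragma: no cover
    yaml = None

# Permission values accepted in defaultTopicPerm/defaultGroupPerm and in name=PERM entries.
VALID_PERMS = {"DENY", "PUB", "SUB", "PUB|SUB", "SUB|PUB"}
# Obvious placeholder secrets such as the xxxxxxxxxxxx used in the thread (pattern is an assumption).
PLACEHOLDER = re.compile(r"^(x+|changeme|password|secret|12345678)$", re.IGNORECASE)
MIN_SECRET_LEN = 12  # this example's threshold, stricter than the broker's own minimum


def _perm_findings(label: str, entries: list[str] | None) -> list[str]:
    """Validate 'name=PERM' entries such as 'topicA=DENY'."""
    out: list[str] = []
    for entry in entries or []:
        name, sep, perm = str(entry).partition("=")
        if not sep or not name or perm not in VALID_PERMS:
            out.append(f"{label}: malformed permission entry {entry!r}")
    return out


def lint_acl(acl: dict[str, Any]) -> list[str]:
    """Return a list of human-readable findings; an empty list means the ACL passed."""
    findings: list[str] = []
    # Sources matching the global whitelist skip authentication entirely.
    for addr in acl.get("globalWhiteRemoteAddresses") or []:
        if str(addr).strip() in {"*", "*.*.*.*"}:
            findings.append(f"globalWhiteRemoteAddresses: {addr!r} disables authentication for every client")
    seen: set[str] = set()
    for acct in acl.get("accounts") or []:
        ak = str(acct.get("accessKey", ""))
        sk = str(acct.get("secretKey", ""))
        if ak in seen:
            findings.append(f"{ak}: duplicate accessKey")
        seen.add(ak)
        if len(sk) < MIN_SECRET_LEN or PLACEHOLDER.match(sk):
            findings.append(f"{ak}: weak or placeholder secretKey")
        # An empty whiteRemoteAddress means the account is not limited by source address.
        if acct.get("admin") is True and not acct.get("whiteRemoteAddress"):
            findings.append(f"{ak}: admin account without whiteRemoteAddress restriction")
        for key in ("defaultTopicPerm", "defaultGroupPerm"):
            val = acct.get(key)
            if val is not None and str(val) not in VALID_PERMS:
                findings.append(f"{ak}: invalid {key} {val!r}")
        findings += _perm_findings(f"{ak} topicPerms", acct.get("topicPerms"))
        findings += _perm_findings(f"{ak} groupPerms", acct.get("groupPerms"))
    return findings


def load_acl(text: str) -> dict[str, Any]:
    """Parse plain_acl.yml text with PyYAML (safe_load, so no object construction)."""
    if yaml is None:
        raise RuntimeError("PyYAML is required to parse YAML text; pass a dict to lint_acl() instead")
    return yaml.safe_load(text) or {}


# Constructed sample mirroring the configmap posted in the thread (placeholders included).
SAMPLE_ACL: dict[str, Any] = {
    "globalWhiteRemoteAddresses": ["10.10.*.*", "10.11.*.*", "10.16.13.*"],
    "accounts": [
        {"accessKey": "xxxxxxxxxxxx", "secretKey": "xxxxxxxxxxxx", "whiteRemoteAddress": None,
         "admin": False, "defaultTopicPerm": "PUB|SUB", "defaultGroupPerm": "PUB|SUB",
         "topicPerms": ["topicA=DENY", "topicB=PUB|SUB", "topicC=SUB"],
         "groupPerms": ["groupA=DENY", "groupB=PUB|SUB", "groupC=SUB"]},
        {"accessKey": "xxxxxxxxxxxx", "secretKey": "xxxxxxxxxxxx", "whiteRemoteAddress": None, "admin": True},
    ],
}

# Constructed hardened variant: distinct keys, non-placeholder secrets, admin bound to a subnet.
HARDENED_ACL: dict[str, Any] = {
    "globalWhiteRemoteAddresses": [],
    "accounts": [
        {"accessKey": "prod-producer", "secretKey": "k7Qm2vXz9LpR4sWn8YtB", "whiteRemoteAddress": "10.16.13.*",
         "admin": False, "defaultTopicPerm": "DENY", "defaultGroupPerm": "DENY",
         "topicPerms": ["topicB=PUB"], "groupPerms": ["groupB=PUB"]},
        {"accessKey": "prod-admin", "secretKey": "Zr3Hb8Nq1Vc5Xs7Wy0Lp", "whiteRemoteAddress": "10.16.13.10",
         "admin": True},
    ],
}

if __name__ == "__main__":
    for name, acl in (("SAMPLE_ACL", SAMPLE_ACL), ("HARDENED_ACL", HARDENED_ACL)):
        print(f"{name}: {len(lint_acl(acl))} finding(s)")
        for line in lint_acl(acl):
            print("  -", line)
    sys.exit(1 if lint_acl(SAMPLE_ACL) else 0)
```

Running it against the thread's configmap reports four findings (placeholder secrets on both accounts, the duplicated accessKey, and the unrestricted admin account) and none for the hardened variant. Because the mounted file is what the broker actually enforces, the check belongs in the pipeline that renders the ConfigMap, before the pods from step 3 are recreated.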
zhengbucuo commented 11 months ago

> volumeMounts:

That is a rather unorthodox route. Shouldn't volumeMounts be defined inside kind: broker?

wolf27w commented 6 months ago

The correct approach should be to replace /home/rocketmq/rocketmq-4.9.7/conf/plain_acl.yml with the plain_acl.yml from the configmap.