Open chixianliangGithub opened 12 months ago
It seems like the broker CRD does not support mounting the ACL configuration files directly.
@chixianliangGithub Pls try if the following works:
- Place your ACL config file in the same directory for broker store, which will be mounted to the `store` folder in the broker pod.
- Set the system property `rocketmq.acl.plain.file` as `store/${YOUR_ACL_CONF_FILE_NAME}`, e.g. `store/plain_acl.yml`.

Can you give a complete example? I tried it, but it seems it does not work.

This is how I enabled ACL:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: broker-config
data:
  # BROKER_MEM sets the broker JVM, if set to "" then Xms = Xmx = max(min(1/2 ram, 1024MB), min(1/4 ram, 8GB))
  BROKER_MEM: " -Xms2g -Xmx2g -Xmn1g "
  broker-common.conf: |
    # brokerClusterName, brokerName, brokerId are automatically generated by the operator and do not set it manually!!!
    deleteWhen=04
    fileReservedTime=48
    flushDiskType=ASYNC_FLUSH
    # set brokerRole to ASYNC_MASTER or SYNC_MASTER. DO NOT set to SLAVE because the replica instance will automatically be set!!!
    brokerRole=ASYNC_MASTER
    aclEnable = true
  plain_acl.yml: |-
    globalWhiteRemoteAddresses:
    - 10.10.*.*
    - 10.11.*.*
    - 10.16.13.*
    accounts:
    - accessKey: xxxxxxxxxxxx
      secretKey: xxxxxxxxxxxx
      whiteRemoteAddress:
      admin: false
      defaultTopicPerm: PUB|SUB
      defaultGroupPerm: PUB|SUB
      topicPerms:
      - topicA=DENY
      - topicB=PUB|SUB
      - topicC=SUB
      groupPerms:
      # the group should convert to retry topic
      - groupA=DENY
      - groupB=PUB|SUB
      - groupC=SUB
    - accessKey: xxxxxxxxxxxx
      secretKey: xxxxxxxxxxxx
      whiteRemoteAddress:
      # if it is admin, it could access all resources
      admin: true
```

Mount the ConfigMap in the MQ cluster StatefulSets broker-0-master and broker-0-replica-1, as shown below:

```yaml
spec:
  volumes:
  ...
  - name: broker-acl
    configMap:
      name: broker-config
      items:
      - key: plain_acl.yml
        path: plain_acl.yml
      defaultMode: 420
  ...
  volumeMounts:
  ...
  - name: broker-acl
    mountPath: /root/rocketmq/broker/conf/plain_acl.yml
    subPath: plain_acl.yml
```

Delete the pods of the StatefulSets broker-0-master and broker-0-replica-1.

Open a terminal in the pod and run the following command to view the full contents of the cluster/broker ACL configuration file. Replace the nameserver IP with your own.

```shell
./mqadmin getAccessConfigSubCommand -n 10.210.95.195:9876 -c broker
```

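An added example, not part of the comment above or of the operator's own manifests: the same `plain_acl.yml` mount with the file held in a Kubernetes Secret instead of a ConfigMap, since it carries `secretKey` values. The Secret name `broker-acl`, the container name `broker`, the placeholder keys and the narrowed permissions are assumptions; the mount path is the one used in the comment above.

```yaml
# Added example. Secret name "broker-acl" is an assumption; replace the placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: broker-acl
type: Opaque
stringData:
  plain_acl.yml: |-
    # Constructed sample: narrow whitelist, non-admin account, restrictive defaults
    globalWhiteRemoteAddresses:
    - 10.16.13.*
    accounts:
    - accessKey: <ACCESS_KEY_PLACEHOLDER>
      secretKey: <SECRET_KEY_PLACEHOLDER>
      whiteRemoteAddress:
      admin: false
      defaultTopicPerm: DENY
      defaultGroupPerm: SUB
      topicPerms:
      - topicB=PUB|SUB
      groupPerms:
      - groupB=PUB|SUB
---
# Pod template fragment, same shape as the StatefulSet edit in the comment above
spec:
  volumes:
  - name: broker-acl
    secret:
      secretName: broker-acl
      items:
      - key: plain_acl.yml
        path: plain_acl.yml
      # Owner read-only; assumes the broker process runs as the file owner.
      # Otherwise set fsGroup on the pod and use 0440.
      defaultMode: 0400
  containers:
  - name: broker   # assumed container name
    volumeMounts:
    - name: broker-acl
      mountPath: /root/rocketmq/broker/conf/plain_acl.yml
      subPath: plain_acl.yml
      readOnly: true
```

Because the file is mounted with `subPath`, later changes to the Secret do not reach a running pod; the pods have to be recreated, as in the steps above.
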
volumeMounts:

That's a rather unorthodox approach. Shouldn't volumeMounts be defined inside kind: broker?

The correct way is to have the plain_acl.yml from the ConfigMap replace /home/rocketmq/rocketmq-4.9.7/conf/plain_acl.yml.

In broker-config, I added aclEnable=true. I want to customize plain_acl.yml.