yx9o
commented
11 hours ago Hello @zergduan , please refer to: https://mp.weixin.qq.com/s/g_CUAXrzQ1TQhIDrhX-zkw
Open zergduan opened 1 day ago
yx9o
commented
11 hours ago Hello @zergduan , please refer to: https://mp.weixin.qq.com/s/g_CUAXrzQ1TQhIDrhX-zkw
Before Creating the Bug Report
[X] I found a bug, not just asking a question, which should be created in GitHub Discussions.
[X] I have searched the GitHub Issues and GitHub Discussions of this repository and believe that this is not a duplicate.
[X] I have confirmed that this bug belongs to the current repository, not other repositories of RocketMQ.
Runtime platform environment
Oracle Linux 9
RocketMQ version
5.3.0
JDK Version
OpenJDK 21
Describe the Bug
无法正常开启 ACL 2.0
Steps to Reproduce
使用传统架构(不启动Proxy,Broker 2主+2从,NameServer * 2 ),使用以下步骤开启 ACL 2.0:
修改 broker 的 conf 文件,添加以下内容: aclEnable=true authenticationEnabled = true authenticationProvider = org.apache.rocketmq.auth.authentication.provider.DefaultAuthenticationProvider initAuthenticationUser = {"username":"rocketmq","password":"admin#123"} innerClientAuthenticationCredentials = {"accessKey":"rocketmq","secretKey":"admin#123"} authenticationMetadataProvider = org.apache.rocketmq.auth.authentication.provider.LocalAuthenticationMetadataProvider authorizationEnabled = true authorizationProvider = org.apache.rocketmq.auth.authorization.provider.DefaultAuthorizationProvider authorizationMetadataProvider = org.apache.rocketmq.auth.authorization.provider.LocalAuthorizationMetadataProvider
重启 broker 进程
修改 mqadmin 客户端配置文件 $ROKETMQ_HOME/conf/tools.yml ......
accessKey: rocketmq2
secretKey: 12345678
accessKey: rocketmq secretKey: admin#123 ......
在 mqadmin 客户端执行命令查询 ACL配置: ./mqadmin listacl \ --namesrvAddr:\
--clusterName
4.1 当 mqadmin 客户端为 NameServer 或 Broker 时, ./mqadmin listacl \ --namesrvAddr:\
--clusterName
可以正常返回结果
4.2 当 mqadmin 客户端不是 NameServer 和 Broker 时(非RocketMQ集群中的节点), ./mqadmin listacl \ --namesrvAddr:\
--clusterName
返回报错:
org.apache.rocketmq.tools.command.SubCommandException: ListAclSubCommand command failed at org.apache.rocketmq.tools.command.auth.ListAclSubCommand.execute(ListAclSubCommand.java:114) at org.apache.rocketmq.tools.command.MQAdminStartup.main0(MQAdminStartup.java:177) at org.apache.rocketmq.tools.command.MQAdminStartup.main(MQAdminStartup.java:127) Caused by: org.apache.rocketmq.client.exception.MQBrokerException: CODE: 1 DESC: org.apache.rocketmq.acl.common.AclException: No acl config for rocketmq, org.apache.rocketmq.acl.plain.PlainPermissionManager.validate(PlainPermissionManager.java:606) For more information, please visit the url, https://rocketmq.apache.org/docs/bestPractice/06FAQ at org.apache.rocketmq.client.impl.MQClientAPIImpl.listAcl(MQClientAPIImpl.java:3492) at org.apache.rocketmq.tools.admin.DefaultMQAdminExtImpl.listAcl(DefaultMQAdminExtImpl.java:1998) at org.apache.rocketmq.tools.admin.DefaultMQAdminExt.listAcl(DefaultMQAdminExt.java:941) at org.apache.rocketmq.tools.command.auth.ListAclSubCommand.execute(ListAclSubCommand.java:104)
What Did You Expect to See?
期望可以正常获得 ACL和用户配置
What Did You See Instead?
返回报错,rocketmq用户没有默认的ACL配置,没有权限运行 mqadmin
Additional Context
不理解 ACL 2.0 的底层逻辑~
按照文档描述开启 ACL 2.0 修改broker参数,将 initAuthenticationUser 和 innerClientAuthenticationCredentials 设置为 rocketmq,并自定义这个用户的 secretKey(不使用默认的 12345678); 在mqadmin客户端修改 tools.yml 的配置,指定设置的 rocketmq 作为认证用户连接NameServer,使用 mqadmin 命令调用 ACL 2.0 API 查看默认 ACL 配置
当 mqadmin 客户端不是 nameserver 时,报错rocketmq没有ACL配置。。。我有以下问题:
但是为什么 innerClientAuthenticationCredentials 需要同时设置 AK 和 SK? 如果initAuthenticationUser 和 innerClientAuthenticationCredentials 的 AK 设置相同,但是SK设置不同会怎么样???,例如:
initAuthenticationUser = {"username":"rocketmq","password":"admin#123"} innerClientAuthenticationCredentials = {"accessKey":"rocketmq","secretKey":"XXXXX"}
如果按照上面的配置会出现什么样的行为? rocketmq 这个用户的 SK到底是哪个??