aonexyz commented on issue #9862: URL: https://github.com/apache/rocketmq/issues/9862#issuecomment-3552355518
Thanks for sharing the detailed reproduction steps this really helps in narrowing down the issue. From the behavior you described, it seems the problem is related to ACL 2.0 authentication logic on the proxy and broker causing the gRPC consumer request to stall. When ACL is enabled on both sides in a storage-compute separation setup, the broker’s POP interface timing out usually indicates that: 1. The gRPC request is reaching the proxy correctly, 2. But the proxy → broker POP request is blocked or rejected because of ACL verification, 3. Leading to the broker returning `pop message is timeout too much`. A few things you may want to check: ### 1. Validate ACL Synchronization Make sure the proxy and broker have consistent ACL configuration (accessKey, secretKey, permission levels). Even small mismatches can cause silent authentication failures. ### 2. Check POP Processing Logs On the broker: - enable `TRACE` or `DEBUG` for ACL and POP modules - check if the POP request is marked as unauthorized or rejected internally ### 3. Confirm Proxy - Broker Authentication In storage-compute separation, POP flows depend heavily on the proxy passing the correct credentials to the broker. If the proxy is not forwarding ACL metadata as expected, the broker will delay until timeout. ### 4. Try Consuming Without ACL If disabling ACL makes the POP flow work normally, it confirms the issue is ACL-related and not a POP scheduling problem. ### 5. Test With Non-gRPC Client Try consuming using a classic Java client (non-gRPC). If that works, then the bug likely exists specifically in gRPC ACL metadata handling. ### 6. This Might Be a Real Bug Given that the issue appears in versions **5.3.2, 5.3.3, and develop**, it’s possible that: - the gRPC consumer does not pass ACL attributes correctly, or - the proxy’s ACL interceptor is not forwarding metadata to the broker. So your report is valid and reproducible. If needed, you can also share: - proxy logs (INFO + DEBUG for ACL) - broker logs around POP timeout - your ACL config snippet (with keys masked) This will help maintainers pinpoint whether it's an authentication forwarding bug or a POP request validation issue. Thanks again for reporting this looks like something that needs investigation. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
