This is an automated email from the ASF dual-hosted git repository.
jinrongtong pushed a commit to branch new-official-website
in repository https://gitbox.apache.org/repos/asf/rocketmq-site.git
The following commit(s) were added to refs/heads/new-official-website by this
push:
new 03a43523ba optimize acl 2.0 title (#750)
03a43523ba is described below
commit 03a43523ba66b401697c9c3a9ed5aa057b2232f8
Author: dingshuangxi888 <[email protected]>
AuthorDate: Mon Nov 24 14:23:16 2025 +0800
optimize acl 2.0 title (#750)
* add rocketmq acl 2.0 document
Change-Id: I014bcea2b798dc4a9f668f6917bc4f23580c65e4
Co-developed-by: Cursor <[email protected]>
* 删除一些多余的文档
Change-Id: I37b66feead00e92817a77b11e63bf81b8f50cba2
Co-developed-by: Cursor <[email protected]>
* 添加提示信息
Change-Id: I4a8c18b764fa8d6eccba729df351a0ffc34b52e5
Co-developed-by: Cursor <[email protected]>
* add warning info
Change-Id: I9a2babdc50d09bfe1f652ada1658f1f92ea5e85f
Co-developed-by: Cursor <[email protected]>
* modify warning info
Change-Id: I79a3e483d785ae8b6e06789db36bbd72f8a06b85
Co-developed-by: Cursor <[email protected]>
* delete architecture comparison
Change-Id: I939cb449511de173db4b163acc3c6878cc144fa8
Co-developed-by: Cursor <[email protected]>
* modify warning info
Change-Id: I6eb1612441e73e85c5aa78fa8f77e02374007612
Co-developed-by: Cursor <[email protected]>
* optimize access.md
Change-Id: I0fab7cf5aae07e0f80361c6d03bd8e606fc46a04
Co-developed-by: Cursor <[email protected]>
* optimize access.md
Change-Id: Iebba9a7a8941e6739a73f7c9333d1107730bb843
Co-developed-by: Cursor <[email protected]>
* optimize access.md
Change-Id: I955555200441df2b262410bb514ec36e16af6907
Co-developed-by: Cursor <[email protected]>
* optimize access.md
Change-Id: I1976a2c7e421fb573704f6767b7f361a9b30c0a1
Co-developed-by: Cursor <[email protected]>
* add english version of access.md
Change-Id: Iba57d73b5d78241eaa66e170bef1d370ab8f47c8
Co-developed-by: Cursor <[email protected]>
* optimize access.md
Change-Id: I402292ca855031bc7cedb7f628e5d0da4262ca54
Co-developed-by: Cursor <[email protected]>
* fix: access-1.0.md
Change-Id: I600ac4a5d0458cae6c7cb0b49c481dacd45360c8
Co-developed-by: Cursor <[email protected]>
* 优化菜单的显示
Change-Id: I83a38d5719ab8439693785a9fa4ebdc5d72c1fb5
Co-developed-by: Cursor <[email protected]>
* 优化访问控制 2.0和1.0的展示逻辑
Change-Id: I9a8145d6c273771d594c0a209bf800393819bd97
Co-developed-by: Cursor <[email protected]>
---------
Co-authored-by: shuangxi.dsx <[email protected]>
---
.../version-5.0/06-bestPractice/03access.md | 79 ++++++----------------
.../version-5.0/06-bestPractice/07access-1.0.md | 3 +-
src/css/custom.css | 4 ++
.../version-5.0/06-bestPractice/03access.md | 10 +--
.../version-5.0/06-bestPractice/07access-1.0.md | 3 +-
5 files changed, 34 insertions(+), 65 deletions(-)
diff --git
a/i18n/en/docusaurus-plugin-content-docs/version-5.0/06-bestPractice/03access.md
b/i18n/en/docusaurus-plugin-content-docs/version-5.0/06-bestPractice/03access.md
index 92e9848c02..e2450210b2 100644
---
a/i18n/en/docusaurus-plugin-content-docs/version-5.0/06-bestPractice/03access.md
+++
b/i18n/en/docusaurus-plugin-content-docs/version-5.0/06-bestPractice/03access.md
@@ -1,10 +1,10 @@
-# RocketMQ ACL 2.0 User Guide
+# Access Control 2.0
:::info Version Notice
-This document describes **RocketMQ ACL 2.0**, applicable to **RocketMQ 5.3.0**
and above.
+This document describes **Access Control 2.0 (ACL 2.0)**, applicable to
**RocketMQ 5.3.0** and above.
-- If you are using **RocketMQ 4.x, 5.0-5.2, or 5.3.0-5.3.2**, please refer to
[ACL 1.0 Documentation](07access-1.0.md)
+- If you are using **RocketMQ 4.x, 5.0-5.2, or 5.3.0-5.3.2**, please refer to
[ACL 1.0 Documentation](./07access-1.0)
- **Starting from RocketMQ 5.3.3, ACL 1.0 is no longer supported**. It is
recommended to upgrade to ACL 2.0
- If you are migrating from ACL 1.0 to 2.0, please refer to the [ACL 1.0
Migration](#migrating-from-acl-10-to-acl-20) section
@@ -23,9 +23,9 @@ For production deployment, please ensure:
## Introduction
-### What is RocketMQ ACL 2.0?
+### What is Access Control 2.0?
-RocketMQ ACL 2.0 is an upgraded version of Apache RocketMQ's Access Control
List, providing comprehensive authentication and authorization mechanisms to
protect the data security of RocketMQ clusters.
+Access Control 2.0 (ACL 2.0) is an upgraded version of Apache RocketMQ's
Access Control List, providing comprehensive authentication and authorization
mechanisms to protect the data security of RocketMQ clusters.
### Core Features
@@ -939,6 +939,15 @@ grep "innerClientAuthenticationCredentials" conf/*.conf
conf/*.json
# Modify to unified credentials
innerClientAuthenticationCredentials =
{"accessKey":"rocketmq","secretKey":"12345678"}
```
+CODE: 17 DESC: No user
+or
+CODE: 16 DESC: Authentication failed
+```
+
+**Possible Causes**:
+- `conf/tools.yml` file not configured
+- Credentials in `tools.yml` are incorrect
+- Configured user is not a super user
### View Audit Logs
@@ -976,7 +985,6 @@ grep "AUTHORIZATION" logs/rocketmqlogs/broker.log
- Create independent users for different applications or services
- Use strong passwords (at least 8 characters, including letters and numbers)
- Super users should only be used for system initialization and emergency
operations
-- Avoid using weak passwords (e.g., 123456)
❌ **Avoid**:
- Multiple applications sharing the same user
@@ -1082,6 +1090,13 @@ innerClientAuthenticationCredentials =
{"accessKey":"rocketmq","secretKey":"1234
"statefulAuthorizationCacheExpiredSecond": 60
}
```
+[AUTHORIZATION] Subject = User:xxx is Deny Action = Pub from sourceIp = xxx on
resource = Topic:xxx
+```
+
+**Possible Causes**:
+- User does not have permission for the resource
+- IP not in whitelist
+- Deny rule exists
**Tuning Recommendations**:
@@ -1181,55 +1196,3 @@ if [ $authz_deny_count -gt 100 ]; then
echo "Alert: Too many authorization denials: $authz_deny_count"
fi
```
-
----
-
-## Appendix
-
-### Complete Configuration Example
-
-#### Broker Production Environment Configuration
-
-```properties
-# broker.conf
-
-# Basic configuration
-brokerClusterName = DefaultCluster
-brokerName = broker-a
-brokerId = 0
-deleteWhen = 04
-fileReservedTime = 48
-brokerRole = ASYNC_MASTER
-flushDiskType = ASYNC_FLUSH
-
-# ACL authentication configuration
-authenticationEnabled = true
-authenticationMetadataProvider =
org.apache.rocketmq.auth.authentication.provider.LocalAuthenticationMetadataProvider
-authenticationStrategy =
org.apache.rocketmq.auth.authentication.strategy.StatefulAuthenticationStrategy
-initAuthenticationUser = {"username":"rocketmq","password":"12345678"}
-innerClientAuthenticationCredentials =
{"accessKey":"rocketmq","secretKey":"12345678"}
-
-# ACL authorization configuration
-authorizationEnabled = true
-authorizationMetadataProvider =
org.apache.rocketmq.auth.authorization.provider.LocalAuthorizationMetadataProvider
-authorizationStrategy =
org.apache.rocketmq.auth.authorization.strategy.StatefulAuthorizationStrategy
-
-# Cache configuration
-userCacheMaxNum = 5000
-userCacheExpiredSecond = 3600
-userCacheRefreshSecond = 300
-aclCacheMaxNum = 5000
-aclCacheExpiredSecond = 3600
-aclCacheRefreshSecond = 300
-statefulAuthenticationCacheMaxNum = 10000
-statefulAuthenticationCacheExpiredSecond = 60
-statefulAuthorizationCacheMaxNum = 10000
-statefulAuthorizationCacheExpiredSecond = 60
-```
-
----
-
-**Document Version**: 1.0
-**Applicable RocketMQ Version**: 5.3.0+
-**Last Updated**: November 2024
-
diff --git
a/i18n/en/docusaurus-plugin-content-docs/version-5.0/06-bestPractice/07access-1.0.md
b/i18n/en/docusaurus-plugin-content-docs/version-5.0/06-bestPractice/07access-1.0.md
index e9ff10d2b6..b28327e883 100644
---
a/i18n/en/docusaurus-plugin-content-docs/version-5.0/06-bestPractice/07access-1.0.md
+++
b/i18n/en/docusaurus-plugin-content-docs/version-5.0/06-bestPractice/07access-1.0.md
@@ -1,5 +1,6 @@
---
-unlisted: true
+sidebar_class_name: hidden-sidebar-item
+custom_edit_url: null
---
# Access Control (ACL 1.0)
diff --git a/src/css/custom.css b/src/css/custom.css
index e535f29e19..b20ae8efbe 100644
--- a/src/css/custom.css
+++ b/src/css/custom.css
@@ -652,3 +652,7 @@ footer .docusaurus-mt-lg{
margin-top: 0rem!important;
}
+/* Hide specific sidebar items */
+.hidden-sidebar-item {
+ display: none !important;
+}
diff --git a/versioned_docs/version-5.0/06-bestPractice/03access.md
b/versioned_docs/version-5.0/06-bestPractice/03access.md
index 3a0c51539f..1ca05cc7d7 100644
--- a/versioned_docs/version-5.0/06-bestPractice/03access.md
+++ b/versioned_docs/version-5.0/06-bestPractice/03access.md
@@ -1,10 +1,10 @@
-# RocketMQ ACL 2.0 使用手册
+# 访问控制 2.0
:::info 版本说明
-本文档介绍的是 **RocketMQ ACL 2.0**,适用于 **RocketMQ 5.3.0** 及以上版本。
+本文档介绍的是 **访问控制 2.0(ACL 2.0)**,适用于 **RocketMQ 5.3.0** 及以上版本。
-- 如果您使用的是 **RocketMQ 4.x、5.0-5.2 或 5.3.0-5.3.2** 版本,请参考 [ACL 1.0
文档](07access-1.0.md)
+- 如果您使用的是 **RocketMQ 4.x、5.0-5.2 或 5.3.0-5.3.2** 版本,请参考 [ACL 1.0
文档](./07access-1.0)
- **从 RocketMQ 5.3.3 开始,ACL 1.0 已不再支持**,建议升级到 ACL 2.0
- 如果您正在从 ACL 1.0 迁移到 2.0,请查看本文档的 [ACL 1.0 迁移](#acl-10迁移到acl-20) 章节
@@ -23,9 +23,9 @@
## 简介
-### 什么是RocketMQ ACL 2.0?
+### 什么是访问控制 2.0?
-RocketMQ ACL 2.0 是Apache RocketMQ的访问控制列表(Access Control
List)升级版本,提供了完善的身份认证(Authentication)和权限授权(Authorization)机制,用于保护RocketMQ集群的数据安全。
+访问控制 2.0(ACL 2.0)是Apache RocketMQ的访问控制列表(Access Control
List)升级版本,提供了完善的身份认证(Authentication)和权限授权(Authorization)机制,用于保护RocketMQ集群的数据安全。
### 核心特性
diff --git a/versioned_docs/version-5.0/06-bestPractice/07access-1.0.md
b/versioned_docs/version-5.0/06-bestPractice/07access-1.0.md
index abfe47a397..2254b5e168 100644
--- a/versioned_docs/version-5.0/06-bestPractice/07access-1.0.md
+++ b/versioned_docs/version-5.0/06-bestPractice/07access-1.0.md
@@ -1,5 +1,6 @@
---
-unlisted: true
+sidebar_class_name: hidden-sidebar-item
+custom_edit_url: null
---
# 权限控制(ACL 1.0)
