This is an automated email from the ASF dual-hosted git repository.
jinrongtong pushed a commit to branch new-official-website
in repository https://gitbox.apache.org/repos/asf/rocketmq-site.git
The following commit(s) were added to refs/heads/new-official-website by this
push:
new 6ed86d5cef Improve security documentation page (#758)
6ed86d5cef is described below
commit 6ed86d5cef8bded0667fd91ffa0bed4ee6f752dd
Author: rongtong <[email protected]>
AuthorDate: Wed Jan 7 10:07:44 2026 +0800
Improve security documentation page (#758)
* Improve security documentation page
* fix
---
.../01security.md} | 29 +++++++++++++++-----
docs/12-security/_category_.json | 4 +++
docs/12-securityModel/_category_.json | 4 ---
docusaurus.config.js | 2 +-
.../en/docusaurus-plugin-content-docs/current.json | 6 ++--
.../01security.md} | 31 +++++++++++++++------
.../version-5.0.json | 6 ++--
.../01security.md} | 31 +++++++++++++++------
i18n/en/docusaurus-theme-classic/footer.json | 2 +-
.../01security.md} | 32 +++++++++++++++++-----
.../version-5.0/14-security/_category_.json | 4 +++
.../version-5.0/14-securityModel/_category_.json | 4 ---
12 files changed, 109 insertions(+), 46 deletions(-)
diff --git a/docs/12-securityModel/01security-model.md
b/docs/12-security/01security.md
similarity index 65%
rename from docs/12-securityModel/01security-model.md
rename to docs/12-security/01security.md
index 1090d5a38c..efa03bb1ef 100644
--- a/docs/12-securityModel/01security-model.md
+++ b/docs/12-security/01security.md
@@ -1,15 +1,17 @@
-# 安全模型
+# 安全
+
+## 安全模型
Apache RocketMQ 项目自身提供了 ACL、TLS 等安全特性,但最终的安全效果仍取决于运维人员对 **网络、主机、账户与数据** 的整体防护。
-## 1. 认证与授权(ACL)
+### 1. 认证与授权(ACL)
- 自 RocketMQ 4.4.0 起支持 ACL 1.0
- 5.3.0 起引入安全性更高的 **ACL 2.0**
- 5.3.3 移除了 ACL 1.0
- 建议所有使用 Apache RocketMQ ACL 的用户迁移到 **ACL 2.0**
-## 2. 控制台 (Dashboard) 与可观测组件暴露
+### 2. 控制台 (Dashboard) 与可观测组件暴露
RocketMQ Dashboard 及部分可观测组件(例如 RocketMQ Prometheus Exporter)默认不启用强认证,任何可访问
HTTP 端口的用户都可读取集群元数据。强烈建议:
@@ -19,21 +21,34 @@ RocketMQ Dashboard 及部分可观测组件(例如 RocketMQ Prometheus Exporte
> 否则可能导致信息泄露风险,该风险属于部署方责任而非 RocketMQ 漏洞。
-## 3. 传输加密与数据加密
+### 3. 传输加密与数据加密
- 客户端与服务端可通过 TLS 加密通信,若数据中包含敏感信息可以开启
- 消息体由业务定义,RocketMQ 不会解析或持久化解密后的内容
- 若消息包含敏感信息,应在业务侧进行字段或整体加密,避免明文落盘
-## 4. 序列化与反序列化风险
+### 4. 序列化与反序列化风险
- RocketMQ 仅传输字节数组,不做对象反序列化
- 消费端若需反序列化,应选用安全格式(如 JSON-Binding、Protobuf 等),并对不可信数据进行校验
-## 5. SDK 与版本管理
+### 5. SDK 与版本管理
- 始终使用官方最新稳定版客户端,以获得最新漏洞修复与改进
-## 6. 日志管理
+### 6. 日志管理
- 请妥善保管 RocketMQ 相关日志(包括 Broker、Namesrver、Proxy、Client等),避免敏感信息泄漏
+
+## 安全策略
+
+Apache RocketMQ 是 Apache Software Foundation(ASF)旗下项目,遵循 ASF 的漏洞处理流程。
+
+### 漏洞报告
+
+如果你发现了新的安全漏洞,请遵循 ASF 官方的漏洞报告流程进行私下披露与提交:
+https://apache.org/security/#reporting-a-vulnerability
+
+为便于评估与修复,建议在报告中包含:受影响的组件/版本、复现步骤、影响说明,以及 PoC(如有)。
+
+> 请勿在修复发布前通过公开 Issue、邮件列表或社交媒体披露可被立即利用的细节。
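Review bot: the unchanged context line `- 请妥善保管 RocketMQ 相关日志(包括 Broker、Namesrver、Proxy、Client等),避免敏感信息泄漏` still carries the typo `Namesrver`; since this section is being restructured anyway, correct it to `NameServer`, which is the spelling the English copy of the same page uses. The new `### 漏洞报告` text correctly asks for private disclosure (`进行私下披露与提交`) and warns against posting exploitable details before a fix ships; that wording should be the reference the English copy is kept aligned with.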
diff --git a/docs/12-security/_category_.json b/docs/12-security/_category_.json
new file mode 100644
index 0000000000..5112b41073
--- /dev/null
+++ b/docs/12-security/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "安全",
+ "position": 13
+}
\ No newline at end of file
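Review bot: the new `_category_.json` is committed without a trailing newline (`\ No newline at end of file`), inheriting the defect from the file it replaces; add one while recreating the file. Also `"position": 13` sits under a directory prefixed `12-`, while the 5.0 copy uses `"position": 14` under `14-security`; pick one convention for the two copies so the explicit position and the directory prefix do not tell different stories.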
diff --git a/docs/12-securityModel/_category_.json
b/docs/12-securityModel/_category_.json
deleted file mode 100644
index fc652b4db4..0000000000
--- a/docs/12-securityModel/_category_.json
+++ /dev/null
@@ -1,4 +0,0 @@
-{
- "label": "安全模型",
- "position": 13
-}
\ No newline at end of file
diff --git a/docusaurus.config.js b/docusaurus.config.js
index 76996778f1..5c41c3ffb4 100644
--- a/docusaurus.config.js
+++ b/docusaurus.config.js
@@ -460,7 +460,7 @@ const darkCodeTheme =
require("prism-react-renderer/themes/dracula");
},
{
label: 'Security',
- href: 'https://www.apache.org/security/',
+ to: '/docs/security/01security',
},
{
label: 'Thanks',
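Review bot: `to: '/docs/security/01security'` hardcodes a route derived from the renamed file `docs/12-security/01security.md`; Docusaurus builds the URL from directory and file names after stripping number prefixes, and the target here assumes the `12-` directory prefix is dropped while `01security` (no separator after the number) is kept, so please confirm the route resolves in a local build rather than relying on that behaviour. Giving the doc an explicit `slug` or `id` in its front matter would make the footer link independent of prefix parsing. Note also that the link always lands on the current docs, even for readers browsing the 5.0 versioned docs whose copy lives under `14-security`.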
diff --git a/i18n/en/docusaurus-plugin-content-docs/current.json
b/i18n/en/docusaurus-plugin-content-docs/current.json
index 8bebb99c71..bde021ad3f 100644
--- a/i18n/en/docusaurus-plugin-content-docs/current.json
+++ b/i18n/en/docusaurus-plugin-content-docs/current.json
@@ -51,8 +51,8 @@
"message": "Contribution Guide",
"description": "The label for category 贡献指南 in sidebar
myAutogeneratedSidebar"
},
- "sidebar.myAutogeneratedSidebar.category.安全模型": {
- "message": "Security Model",
- "description": "The label for category 安全模型 in sidebar
myAutogeneratedSidebar"
+ "sidebar.myAutogeneratedSidebar.category.安全": {
+ "message": "Security",
+ "description": "The label for category 安全 in sidebar
myAutogeneratedSidebar"
}
}
diff --git
a/i18n/en/docusaurus-plugin-content-docs/current/12-securityModel/01security-model.md
b/i18n/en/docusaurus-plugin-content-docs/current/12-security/01security.md
similarity index 68%
rename from
i18n/en/docusaurus-plugin-content-docs/current/12-securityModel/01security-model.md
rename to
i18n/en/docusaurus-plugin-content-docs/current/12-security/01security.md
index e0b3b1a60c..deccd1a976 100644
---
a/i18n/en/docusaurus-plugin-content-docs/current/12-securityModel/01security-model.md
+++ b/i18n/en/docusaurus-plugin-content-docs/current/12-security/01security.md
@@ -1,15 +1,17 @@
-# Security Model
+# Security
+
+## Security Model
The Apache RocketMQ project itself provides security features such as ACL and
TLS, but the final security effectiveness still depends on the operator’s
comprehensive protection of **network, hosts, accounts, and data**.
-## 1. Authentication and Authorization (ACL)
+### 1. Authentication and Authorization (ACL)
- ACL 1.0 has been supported since RocketMQ 4.4.0
- The more secure **ACL 2.0** was introduced in 5.3.0
- ACL 1.0 was removed in 5.3.3
- It is recommended that all users who use Apache RocketMQ ACL migrate to
**ACL 2.0**
-## 2. Dashboard & Observability Exposure
+### 2. Dashboard & Observability Exposure
RocketMQ Dashboard and some observability components (such as RocketMQ
Prometheus Exporter) do **not** enable strong authentication by default; anyone
who can access the HTTP port can read cluster metadata. Strongly recommended:
@@ -19,21 +21,34 @@ RocketMQ Dashboard and some observability components (such
as RocketMQ Prometheu
> Otherwise, information-leakage risks may occur; such risks are the
> responsibility of the deployment side rather than RocketMQ vulnerabilities.
-## 3. Transport Encryption and Data Encryption
+### 3. Transport Encryption and Data Encryption
- Clients and servers can communicate through **TLS** encryption; enable it if
sensitive data is involved
- The message body is defined by the business; RocketMQ will **not** parse or
persist decrypted content
- If messages contain sensitive information, perform field-level or overall
encryption on the business side to avoid storing plaintext
-## 4. Serialization and Deserialization Risks
+### 4. Serialization and Deserialization Risks
- RocketMQ only transmits byte arrays and does **not** perform object
deserialization
- If consumers need to deserialize, they should choose secure formats (such as
**JSON-Binding, Protobuf** etc.) and validate untrusted data
-## 5. SDK and Version Management
+### 5. SDK and Version Management
- Always use the latest official stable client to obtain the latest
vulnerability fixes and improvements
-## 6. Log Management
+### 6. Log Management
+
+- Properly keep RocketMQ-related logs (including **Broker, NameServer, Proxy,
Client**, etc.) to avoid leakage of sensitive information
+
+## Security Policy
+
+Apache RocketMQ is a project of the Apache Software Foundation (ASF) and
follows the ASF vulnerability handling process.
+
+### Reporting a Vulnerability
+
+To report a new vulnerability you have discovered, please follow the ASF
vulnerability reporting process:
+https://apache.org/security/#reporting-a-vulnerability
+
+To help us assess and address the issue, please include the affected
component(s)/version(s), reproduction steps, impact analysis, and a PoC if
available.
-- Properly keep RocketMQ-related logs (including **Broker, NameServer, Proxy,
Client**, etc.) to avoid leakage of sensitive information
\ No newline at end of file
+> Please do not disclose exploitable details via public issues, mailing lists,
or social media before a fix is available.
\ No newline at end of file
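Review bot: the English `### Reporting a Vulnerability` paragraph drops the request for private disclosure that the Chinese copy makes (`进行私下披露与提交`); state it explicitly, e.g. `please report it privately by following the ASF vulnerability reporting process`, so both locales give the same instruction. The closing blockquote is also added without a trailing newline (`\ No newline at end of file` remains), which will surface as a spurious diff on the next edit; add the newline now.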
diff --git a/i18n/en/docusaurus-plugin-content-docs/version-5.0.json
b/i18n/en/docusaurus-plugin-content-docs/version-5.0.json
index 6e6968b447..10aa4a8ee6 100644
--- a/i18n/en/docusaurus-plugin-content-docs/version-5.0.json
+++ b/i18n/en/docusaurus-plugin-content-docs/version-5.0.json
@@ -55,8 +55,8 @@
"message": "Contribution Guide",
"description": "The label for category 贡献指南 in sidebar
myAutogeneratedSidebar"
},
- "sidebar.myAutogeneratedSidebar.category.安全模型": {
- "message": "Security Model",
- "description": "The label for category 安全模型 in sidebar
myAutogeneratedSidebar"
+ "sidebar.myAutogeneratedSidebar.category.安全": {
+ "message": "Security",
+ "description": "The label for category 安全 in sidebar
myAutogeneratedSidebar"
}
}
\ No newline at end of file
diff --git
a/i18n/en/docusaurus-plugin-content-docs/version-5.0/14-securityModel/01security-model.md
b/i18n/en/docusaurus-plugin-content-docs/version-5.0/14-security/01security.md
similarity index 68%
rename from
i18n/en/docusaurus-plugin-content-docs/version-5.0/14-securityModel/01security-model.md
rename to
i18n/en/docusaurus-plugin-content-docs/version-5.0/14-security/01security.md
index e0b3b1a60c..deccd1a976 100644
---
a/i18n/en/docusaurus-plugin-content-docs/version-5.0/14-securityModel/01security-model.md
+++
b/i18n/en/docusaurus-plugin-content-docs/version-5.0/14-security/01security.md
@@ -1,15 +1,17 @@
-# Security Model
+# Security
+
+## Security Model
The Apache RocketMQ project itself provides security features such as ACL and
TLS, but the final security effectiveness still depends on the operator’s
comprehensive protection of **network, hosts, accounts, and data**.
-## 1. Authentication and Authorization (ACL)
+### 1. Authentication and Authorization (ACL)
- ACL 1.0 has been supported since RocketMQ 4.4.0
- The more secure **ACL 2.0** was introduced in 5.3.0
- ACL 1.0 was removed in 5.3.3
- It is recommended that all users who use Apache RocketMQ ACL migrate to
**ACL 2.0**
-## 2. Dashboard & Observability Exposure
+### 2. Dashboard & Observability Exposure
RocketMQ Dashboard and some observability components (such as RocketMQ
Prometheus Exporter) do **not** enable strong authentication by default; anyone
who can access the HTTP port can read cluster metadata. Strongly recommended:
@@ -19,21 +21,34 @@ RocketMQ Dashboard and some observability components (such
as RocketMQ Prometheu
> Otherwise, information-leakage risks may occur; such risks are the
> responsibility of the deployment side rather than RocketMQ vulnerabilities.
-## 3. Transport Encryption and Data Encryption
+### 3. Transport Encryption and Data Encryption
- Clients and servers can communicate through **TLS** encryption; enable it if
sensitive data is involved
- The message body is defined by the business; RocketMQ will **not** parse or
persist decrypted content
- If messages contain sensitive information, perform field-level or overall
encryption on the business side to avoid storing plaintext
-## 4. Serialization and Deserialization Risks
+### 4. Serialization and Deserialization Risks
- RocketMQ only transmits byte arrays and does **not** perform object
deserialization
- If consumers need to deserialize, they should choose secure formats (such as
**JSON-Binding, Protobuf** etc.) and validate untrusted data
-## 5. SDK and Version Management
+### 5. SDK and Version Management
- Always use the latest official stable client to obtain the latest
vulnerability fixes and improvements
-## 6. Log Management
+### 6. Log Management
+
+- Properly keep RocketMQ-related logs (including **Broker, NameServer, Proxy,
Client**, etc.) to avoid leakage of sensitive information
+
+## Security Policy
+
+Apache RocketMQ is a project of the Apache Software Foundation (ASF) and
follows the ASF vulnerability handling process.
+
+### Reporting a Vulnerability
+
+To report a new vulnerability you have discovered, please follow the ASF
vulnerability reporting process:
+https://apache.org/security/#reporting-a-vulnerability
+
+To help us assess and address the issue, please include the affected
component(s)/version(s), reproduction steps, impact analysis, and a PoC if
available.
-- Properly keep RocketMQ-related logs (including **Broker, NameServer, Proxy,
Client**, etc.) to avoid leakage of sensitive information
\ No newline at end of file
+> Please do not disclose exploitable details via public issues, mailing lists,
or social media before a fix is available.
\ No newline at end of file
diff --git a/i18n/en/docusaurus-theme-classic/footer.json
b/i18n/en/docusaurus-theme-classic/footer.json
index 5ae17900f2..ed3e999bdc 100644
--- a/i18n/en/docusaurus-theme-classic/footer.json
+++ b/i18n/en/docusaurus-theme-classic/footer.json
@@ -77,7 +77,7 @@
},
"link.item.label.Security": {
"message": "Security",
- "description": "The label of footer link with label=Security linking to
https://www.apache.org/security/"
+ "description": "The label of footer link with label=Security linking to
/docs/security/01security"
},
"link.item.label.Thanks": {
"message": "Thanks",
diff --git a/versioned_docs/version-5.0/14-securityModel/01security-model.md
b/versioned_docs/version-5.0/14-security/01security.md
similarity index 65%
rename from versioned_docs/version-5.0/14-securityModel/01security-model.md
rename to versioned_docs/version-5.0/14-security/01security.md
index 1090d5a38c..a250e3e0a7 100644
--- a/versioned_docs/version-5.0/14-securityModel/01security-model.md
+++ b/versioned_docs/version-5.0/14-security/01security.md
@@ -1,15 +1,17 @@
-# 安全模型
+# 安全
+
+## 安全模型
Apache RocketMQ 项目自身提供了 ACL、TLS 等安全特性,但最终的安全效果仍取决于运维人员对 **网络、主机、账户与数据** 的整体防护。
-## 1. 认证与授权(ACL)
+### 1. 认证与授权(ACL)
- 自 RocketMQ 4.4.0 起支持 ACL 1.0
- 5.3.0 起引入安全性更高的 **ACL 2.0**
- 5.3.3 移除了 ACL 1.0
- 建议所有使用 Apache RocketMQ ACL 的用户迁移到 **ACL 2.0**
-## 2. 控制台 (Dashboard) 与可观测组件暴露
+### 2. 控制台 (Dashboard) 与可观测组件暴露
RocketMQ Dashboard 及部分可观测组件(例如 RocketMQ Prometheus Exporter)默认不启用强认证,任何可访问
HTTP 端口的用户都可读取集群元数据。强烈建议:
@@ -19,21 +21,37 @@ RocketMQ Dashboard 及部分可观测组件(例如 RocketMQ Prometheus Exporte
> 否则可能导致信息泄露风险,该风险属于部署方责任而非 RocketMQ 漏洞。
-## 3. 传输加密与数据加密
+### 3. 传输加密与数据加密
- 客户端与服务端可通过 TLS 加密通信,若数据中包含敏感信息可以开启
- 消息体由业务定义,RocketMQ 不会解析或持久化解密后的内容
- 若消息包含敏感信息,应在业务侧进行字段或整体加密,避免明文落盘
-## 4. 序列化与反序列化风险
+### 4. 序列化与反序列化风险
- RocketMQ 仅传输字节数组,不做对象反序列化
- 消费端若需反序列化,应选用安全格式(如 JSON-Binding、Protobuf 等),并对不可信数据进行校验
-## 5. SDK 与版本管理
+### 5. SDK 与版本管理
- 始终使用官方最新稳定版客户端,以获得最新漏洞修复与改进
-## 6. 日志管理
+### 6. 日志管理
- 请妥善保管 RocketMQ 相关日志(包括 Broker、Namesrver、Proxy、Client等),避免敏感信息泄漏
+
+
+## 安全策略
+
+Apache RocketMQ 是 Apache Software Foundation(ASF)旗下项目,遵循 ASF 的漏洞处理流程。
+
+### 漏洞报告
+
+如果你发现了新的安全漏洞,请遵循 ASF 官方的漏洞报告流程进行私下披露与提交:
+https://apache.org/security/#reporting-a-vulnerability
+
+为便于评估与修复,建议在报告中包含:受影响的组件/版本、复现步骤、影响说明,以及 PoC(如有)。
+
+> 请勿在修复发布前通过公开 Issue、邮件列表或社交媒体披露可被立即利用的细节。
+
+
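Review bot: this versioned copy is no longer byte-identical to `docs/12-security/01security.md`: its hunk header reads `@@ -19,21 +21,37 @@` against `+21,34` for the current doc, the difference being the doubled blank line after `### 6. 日志管理` and the two trailing blank lines at the end of the file. The English pair ships as one blob (`deccd1a976` for both current and 5.0), so drop the stray blank lines here to keep the Chinese pair in step as well. The `Namesrver` typo in the context line applies to this copy too.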
diff --git a/versioned_docs/version-5.0/14-security/_category_.json
b/versioned_docs/version-5.0/14-security/_category_.json
new file mode 100644
index 0000000000..8b4ef17aca
--- /dev/null
+++ b/versioned_docs/version-5.0/14-security/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "安全",
+ "position": 14
+}
\ No newline at end of file
diff --git a/versioned_docs/version-5.0/14-securityModel/_category_.json
b/versioned_docs/version-5.0/14-securityModel/_category_.json
deleted file mode 100644
index a23a247f9b..0000000000
--- a/versioned_docs/version-5.0/14-securityModel/_category_.json
+++ /dev/null
@@ -1,4 +0,0 @@
-{
- "label": "安全模型",
- "position": 14
-}
\ No newline at end of file