This is an automated email from the ASF dual-hosted git repository.
dinglei pushed a commit to branch new-official-website
in repository https://gitbox.apache.org/repos/asf/rocketmq-site.git
The following commit(s) were added to refs/heads/new-official-website by this
push:
new a470741bcf Update security page (#763)
a470741bcf is described below
commit a470741bcf877c7152dc47f276ed8e5a82a1b4d1
Author: rongtong <[email protected]>
AuthorDate: Wed Mar 11 16:40:54 2026 +0800
Update security page (#763)
* update security page
* Update 01security.md
---------
Co-authored-by: dinglei <[email protected]>
---
docs/12-security/01security.md | 29 ++++++++++++++++------
.../current/12-security/01security.md | 17 +++++++++++--
.../version-5.0/14-security/01security.md | 17 +++++++++++--
.../version-5.0/14-security/01security.md | 13 +++++++++-
4 files changed, 63 insertions(+), 13 deletions(-)
diff --git a/docs/12-security/01security.md b/docs/12-security/01security.md
index efa03bb1ef..4da5cdc933 100644
--- a/docs/12-security/01security.md
+++ b/docs/12-security/01security.md
@@ -2,21 +2,29 @@
## 安全模型
-Apache RocketMQ 项目自身提供了 ACL、TLS 等安全特性,但最终的安全效果仍取决于运维人员对 **网络、主机、账户与数据** 的整体防护。
+Apache RocketMQ 项目自身提供了 ACL、TLS 等安全特性,但最终的安全效果仍取决于运维人员对 **网络、主机、账户与数据**
的整体防护配置。
+
+> **重要提示(安全部署基线)**:RocketMQ 的认证/鉴权能力依赖 ACL 配置。若未启用/未配置 ACL,RocketMQ
将不会在协议层强制校验客户端身份,任何能够访问 RocketMQ 端口的主体都可能发起消息收发或管理类操作。
+> **运维方必须**:要么启用并正确配置 ACL(认证 + 授权),要么将 RocketMQ
组件与端口严格限制在受信任网络内(如内网/VPC/专用网络),而不是将它们暴露到不受信任网络。
### 1. 认证与授权(ACL)
-- 自 RocketMQ 4.4.0 起支持 ACL 1.0
+- 自 RocketMQ 4.4.0 版本起支持 ACL 1.0
- 5.3.0 起引入安全性更高的 **ACL 2.0**
- 5.3.3 移除了 ACL 1.0
- 建议所有使用 Apache RocketMQ ACL 的用户迁移到 **ACL 2.0**
+ACL 用于对 RocketMQ 请求进行**认证**与**授权**控制。生产环境建议:
+
+- 除非 RocketMQ 被严格隔离在受信任网络内,部署的RocketMQ集群应启用 ACL(认证/鉴权),并为使用方配置最小权限账户
+- 避免在业务应用中使用管理员账号;对使用方的访问密钥进行分级、定期轮换并审计变更
+
### 2. 控制台 (Dashboard) 与可观测组件暴露
RocketMQ Dashboard 及部分可观测组件(例如 RocketMQ Prometheus Exporter)默认不启用强认证,任何可访问
HTTP 端口的用户都可读取集群元数据。强烈建议:
-- Dashboard 监听地址 绑定至内网或受信任 VPC
-- 在 网关 / Ingress / 反向代理 上配置 ACL / IP 白名单
+- Dashboard 监听地址绑定至内网或受信任 VPC
+- 在网关 / Ingress / 反向代理上配置 ACL / IP 白名单
- 如需公网运维,务必叠加 VPN、HTTP Basic/OAuth 鉴权或 WAF
> 否则可能导致信息泄露风险,该风险属于部署方责任而非 RocketMQ 漏洞。
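Review bot: the two added quote lines `+> **重要提示(安全部署基线)**:…` and `+> **运维方必须**:…` are consecutive `>` lines with no blank `>` line between them, so Markdown merges them into one run-on blockquote paragraph; insert a bare `>` line between them so the baseline statement and the operator requirement render as separate paragraphs. In the new bullet `除非 RocketMQ 被严格隔离在受信任网络内,部署的RocketMQ集群应启用 ACL` the second clause is missing `否则` and `部署的RocketMQ集群` lacks the spaces between Chinese and Latin text used elsewhere in the file; `除非 RocketMQ 被严格隔离在受信任网络内,否则应启用 ACL(认证/鉴权),并为应用配置最小权限账户` reads better.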
@@ -24,8 +32,8 @@ RocketMQ Dashboard 及部分可观测组件(例如 RocketMQ Prometheus Exporte
### 3. 传输加密与数据加密
- 客户端与服务端可通过 TLS 加密通信,若数据中包含敏感信息可以开启
-- 消息体由业务定义,RocketMQ 不会解析或持久化解密后的内容
-- 若消息包含敏感信息,应在业务侧进行字段或整体加密,避免明文落盘
+- 消息体由业务定义,RocketMQ 不会解密消息体或持久化解密后的内容
+- 若消息包含敏感信息,应在业务侧进行字段或整体加密,避免明文传输至RocketMQ
### 4. 序列化与反序列化风险
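Review bot: replacing `避免明文落盘` with `避免明文传输至RocketMQ` drops the at-rest rationale for business-side encryption: the previous bullet already covers the transport with TLS, and the reason to encrypt fields in the application is that the broker persists the message body exactly as delivered. Suggest `避免明文传输至 RocketMQ 或明文落盘` (with the space before `RocketMQ` that the rest of the file uses).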
@@ -38,7 +46,12 @@ RocketMQ Dashboard 及部分可观测组件(例如 RocketMQ Prometheus Exporte
### 6. 日志管理
-- 请妥善保管 RocketMQ 相关日志(包括 Broker、Namesrver、Proxy、Client等),避免敏感信息泄漏
+- 请妥善保管 RocketMQ 相关日志(包括 Broker、NameServer、Proxy、Client 等),避免敏感信息泄漏
+
+### FAQ:关于“未开启 ACL 时无需认证/可访问”的说明
+
+RocketMQ 的认证与鉴权能力由 ACL 能力提供,是否启用取决于部署时的配置。
+当 ACL 未启用或未配置时,请求可能在不进行身份校验的情况下被处理,这属于部署/配置选择。运维方应根据自身威胁模型评估并启用
ACL,配合网络隔离等手段保证RocketMQ集群安全。
## 安全策略
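Review bot: the FAQ is added as a `###` subsection under `## 安全模型` (after `### 6. 日志管理`), while versioned_docs/version-5.0/14-security/01security.md in this same commit adds it as a top-level `## FAQ` after `## 安全策略`; pick one heading level and position for both files. In `RocketMQ 的认证与鉴权能力由 ACL 能力提供` the repeated `能力` is redundant (`由 ACL 提供`, as the versioned file has it), and `保证RocketMQ集群安全` is missing the spaces around `RocketMQ`.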
@@ -51,4 +64,4 @@ https://apache.org/security/#reporting-a-vulnerability
为便于评估与修复,建议在报告中包含:受影响的组件/版本、复现步骤、影响说明,以及 PoC(如有)。
-> 请勿在修复发布前通过公开 Issue、邮件列表或社交媒体披露可被立即利用的细节。
+> 请勿在已修复安全漏洞的版本发布前通过公开 Issue、邮件列表或社交媒体等披露可被立即利用的漏洞细节。
diff --git
a/i18n/en/docusaurus-plugin-content-docs/current/12-security/01security.md
b/i18n/en/docusaurus-plugin-content-docs/current/12-security/01security.md
index deccd1a976..e81a61e56d 100644
--- a/i18n/en/docusaurus-plugin-content-docs/current/12-security/01security.md
+++ b/i18n/en/docusaurus-plugin-content-docs/current/12-security/01security.md
@@ -2,7 +2,10 @@
## Security Model
-The Apache RocketMQ project itself provides security features such as ACL and
TLS, but the final security effectiveness still depends on the operator’s
comprehensive protection of **network, hosts, accounts, and data**.
+The Apache RocketMQ project itself provides security features such as ACL and
TLS, but the final security effectiveness still depends on the operator's
comprehensive protection of **network, hosts, accounts, and data**.
+
+> **Important Note (Security Deployment Baseline)**: RocketMQ's
authentication/authorization capabilities rely on ACL configuration. If ACL is
not enabled/configured, RocketMQ will not enforce client identity verification
at the protocol layer. Any entity that can access RocketMQ ports may initiate
message sending/receiving or management operations.
+> **Operators must**: Either enable and properly configure ACL (authentication
+ authorization), or strictly restrict RocketMQ components and ports within a
trusted network (intranet/VPC/private network), rather than exposing them to
untrusted networks.
### 1. Authentication and Authorization (ACL)
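Review bot: the rewritten opening paragraph differs from the removed one only in the apostrophe of `operator's` (curly replaced with straight), which is churn that hides the real change in blame output; either leave the paragraph untouched or apply the punctuation change deliberately across the whole file. The two added quote lines (`+> **Important Note (Security Deployment Baseline)**` and `+> **Operators must**`) have no blank `>` line between them and will render as a single blockquote paragraph; separate them.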
@@ -11,6 +14,11 @@ The Apache RocketMQ project itself provides security
features such as ACL and TL
- ACL 1.0 was removed in 5.3.3
- It is recommended that all users who use Apache RocketMQ ACL migrate to
**ACL 2.0**
+ACL is used for **authentication** and **authorization** control of RocketMQ
requests. For production environments, it is recommended to:
+
+- Enable ACL (authentication/authorization) unless RocketMQ is strictly
isolated within a trusted network, and configure accounts with minimum
privileges for applications
+- Avoid using administrator accounts in business applications; implement
tiered access keys, regular rotation, and audit changes
+
### 2. Dashboard & Observability Exposure
RocketMQ Dashboard and some observability components (such as RocketMQ
Prometheus Exporter) do **not** enable strong authentication by default; anyone
who can access the HTTP port can read cluster metadata. Strongly recommended:
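Review bot: in `Enable ACL (authentication/authorization) unless RocketMQ is strictly isolated within a trusted network, and configure accounts with minimum privileges for applications` the trailing `and configure …` clause reads as part of the `unless` exception; reorder to `Unless RocketMQ is strictly isolated within a trusted network, enable ACL (authentication/authorization) and give applications least-privilege accounts` so it is clear the account recommendation goes with enabling ACL, as in the Chinese source.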
@@ -51,4 +59,9 @@ https://apache.org/security/#reporting-a-vulnerability
To help us assess and address the issue, please include the affected
component(s)/version(s), reproduction steps, impact analysis, and a PoC if
available.
-> Please do not disclose exploitable details via public issues, mailing lists,
or social media before a fix is available.
\ No newline at end of file
+> Please do not disclose exploitable details via public issues, mailing lists,
or social media before a fix is available.
+
+### FAQ: Regarding "No Authentication Required/Accessible When ACL is Not
Enabled"
+
+RocketMQ's authentication and authorization capabilities are provided by ACL;
whether to enable it depends on deployment and configuration.
+When ACL is not enabled or not configured, requests may be processed without
identity verification. This is a deployment/configuration choice. Operators
should enable ACL based on their threat model and ensure security through
network isolation and other means.
\ No newline at end of file
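Review bot: the `-`/`+` pair for `> Please do not disclose exploitable details …` is textually identical, yet the Chinese docs/12-security/01security.md in this commit rewords that line (`在已修复安全漏洞的版本发布前 … 漏洞细节`); either update the English to match or leave the line untouched. The FAQ lands after the vulnerability-reporting text under Security Policy, whereas the Chinese docs/ file places it as `###` under the Security Model section; align placement and heading level. The file still ends with `\ No newline at end of file`; add the trailing newline while the file is being touched.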
diff --git
a/i18n/en/docusaurus-plugin-content-docs/version-5.0/14-security/01security.md
b/i18n/en/docusaurus-plugin-content-docs/version-5.0/14-security/01security.md
index deccd1a976..e81a61e56d 100644
---
a/i18n/en/docusaurus-plugin-content-docs/version-5.0/14-security/01security.md
+++
b/i18n/en/docusaurus-plugin-content-docs/version-5.0/14-security/01security.md
@@ -2,7 +2,10 @@
## Security Model
-The Apache RocketMQ project itself provides security features such as ACL and
TLS, but the final security effectiveness still depends on the operator’s
comprehensive protection of **network, hosts, accounts, and data**.
+The Apache RocketMQ project itself provides security features such as ACL and
TLS, but the final security effectiveness still depends on the operator's
comprehensive protection of **network, hosts, accounts, and data**.
+
+> **Important Note (Security Deployment Baseline)**: RocketMQ's
authentication/authorization capabilities rely on ACL configuration. If ACL is
not enabled/configured, RocketMQ will not enforce client identity verification
at the protocol layer. Any entity that can access RocketMQ ports may initiate
message sending/receiving or management operations.
+> **Operators must**: Either enable and properly configure ACL (authentication
+ authorization), or strictly restrict RocketMQ components and ports within a
trusted network (intranet/VPC/private network), rather than exposing them to
untrusted networks.
### 1. Authentication and Authorization (ACL)
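Review bot: this file carries the same blob hashes (`deccd1a976..e81a61e56d`) and identical hunks as `i18n/en/docusaurus-plugin-content-docs/current/12-security/01security.md`, so every remark on that file applies here verbatim (merged blockquote paragraphs, apostrophe-only churn, ambiguous ACL bullet, FAQ placement, missing trailing newline). Note also that the two Chinese files in this commit differ from each other (docs/ vs versioned_docs/), while the two English files are byte copies, so each English file diverges from its Chinese counterpart in a different way; the translations should be rechecked against their respective sources.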
@@ -11,6 +14,11 @@ The Apache RocketMQ project itself provides security
features such as ACL and TL
- ACL 1.0 was removed in 5.3.3
- It is recommended that all users who use Apache RocketMQ ACL migrate to
**ACL 2.0**
+ACL is used for **authentication** and **authorization** control of RocketMQ
requests. For production environments, it is recommended to:
+
+- Enable ACL (authentication/authorization) unless RocketMQ is strictly
isolated within a trusted network, and configure accounts with minimum
privileges for applications
+- Avoid using administrator accounts in business applications; implement
tiered access keys, regular rotation, and audit changes
+
### 2. Dashboard & Observability Exposure
RocketMQ Dashboard and some observability components (such as RocketMQ
Prometheus Exporter) do **not** enable strong authentication by default; anyone
who can access the HTTP port can read cluster metadata. Strongly recommended:
@@ -51,4 +59,9 @@ https://apache.org/security/#reporting-a-vulnerability
To help us assess and address the issue, please include the affected
component(s)/version(s), reproduction steps, impact analysis, and a PoC if
available.
-> Please do not disclose exploitable details via public issues, mailing lists,
or social media before a fix is available.
\ No newline at end of file
+> Please do not disclose exploitable details via public issues, mailing lists,
or social media before a fix is available.
+
+### FAQ: Regarding "No Authentication Required/Accessible When ACL is Not
Enabled"
+
+RocketMQ's authentication and authorization capabilities are provided by ACL;
whether to enable it depends on deployment and configuration.
+When ACL is not enabled or not configured, requests may be processed without
identity verification. This is a deployment/configuration choice. Operators
should enable ACL based on their threat model and ensure security through
network isolation and other means.
\ No newline at end of file
diff --git a/versioned_docs/version-5.0/14-security/01security.md
b/versioned_docs/version-5.0/14-security/01security.md
index a250e3e0a7..6c12ec13b6 100644
--- a/versioned_docs/version-5.0/14-security/01security.md
+++ b/versioned_docs/version-5.0/14-security/01security.md
@@ -4,6 +4,9 @@
Apache RocketMQ 项目自身提供了 ACL、TLS 等安全特性,但最终的安全效果仍取决于运维人员对 **网络、主机、账户与数据** 的整体防护。
+> **重要提示(安全部署基线)**:RocketMQ 的认证/鉴权能力依赖 ACL 配置。若未启用/未配置 ACL,RocketMQ
将不会在协议层强制校验客户端身份,任何能够访问 RocketMQ 端口的主体都可能发起消息收发或管理类操作。
+> **运维方必须**:要么启用并正确配置 ACL(认证 + 授权),要么将 RocketMQ
组件与端口严格限制在受信任网络内(内网/VPC/专用网络),而不是暴露到不受信任网络。
+
### 1. 认证与授权(ACL)
- 自 RocketMQ 4.4.0 起支持 ACL 1.0
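Review bot: same merged-blockquote issue as in docs/: `+> **重要提示(安全部署基线)**:…` and `+> **运维方必须**:…` need a blank `>` line between them to render as two paragraphs. The phrasing here (`(内网/VPC/专用网络)`, `而不是暴露到不受信任网络`) differs from docs/12-security/01security.md in this commit (`(如内网/VPC/专用网络)`, `而不是将它们暴露到不受信任网络`); pick one wording for both files.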
@@ -11,6 +14,11 @@ Apache RocketMQ 项目自身提供了 ACL、TLS 等安全特性,但最终的
- 5.3.3 移除了 ACL 1.0
- 建议所有使用 Apache RocketMQ ACL 的用户迁移到 **ACL 2.0**
+ACL 用于对 RocketMQ 请求进行**认证**与**授权**控制。生产环境建议:
+
+- 除非 RocketMQ 被严格隔离在受信任网络内,否则应启用 ACL(认证/鉴权),并为应用配置最小权限账户
+- 避免在业务应用中使用管理员账号;对访问密钥进行分级、定期轮换并审计变更
+
### 2. 控制台 (Dashboard) 与可观测组件暴露
RocketMQ Dashboard 及部分可观测组件(例如 RocketMQ Prometheus Exporter)默认不启用强认证,任何可访问
HTTP 端口的用户都可读取集群元数据。强烈建议:
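Review bot: the bullet wording here (`否则应启用 ACL(认证/鉴权),并为应用配置最小权限账户`, `对访问密钥进行分级`) is cleaner than the docs/ variant in this commit (`部署的RocketMQ集群应启用 ACL … 为使用方配置最小权限账户`, `对使用方的访问密钥`); propagate this version to docs/ rather than maintaining two wordings of the same advice.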
@@ -38,7 +46,7 @@ RocketMQ Dashboard 及部分可观测组件(例如 RocketMQ Prometheus Exporte
### 6. 日志管理
-- 请妥善保管 RocketMQ 相关日志(包括 Broker、Namesrver、Proxy、Client等),避免敏感信息泄漏
+- 请妥善保管 RocketMQ 相关日志(包括 Broker、NameServer、Proxy、Client 等),避免敏感信息泄漏
## 安全策略
@@ -54,4 +62,7 @@ https://apache.org/security/#reporting-a-vulnerability
> 请勿在修复发布前通过公开 Issue、邮件列表或社交媒体披露可被立即利用的细节。
+## FAQ:关于"未开启 ACL 时无需认证/可访问"的说明
+RocketMQ 的认证与鉴权能力由 ACL 提供,是否启用取决于部署与配置。
+当 ACL 未启用或未配置时,请求可能在不进行身份校验的情况下被处理。这属于部署/配置选择。运维方应根据自身威胁模型启用
ACL,并配合网络隔离等手段保证安全。
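Review bot: the context line `> 请勿在修复发布前通过公开 Issue、邮件列表或社交媒体披露可被立即利用的细节。` is left unchanged here although docs/12-security/01security.md rewords it in this commit; apply the same rewording or note why the versioned page should differ. The added `## FAQ` heading directly follows that blockquote line with no blank line before it, and it is a top-level `##` placed after `## 安全策略` while docs/ adds the FAQ as `###` inside the security-model section; add the blank line and align level and position. The heading also uses straight quotes (`"未开启 ACL 时…"`) where docs/ uses `“”`.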