zergduan commented on issue #3922:
URL: https://github.com/apache/rocketmq/issues/3922#issuecomment-1057631591
另外发现,/conf/plain_acl.yml 和 /conf/acl/plain_acl.yml 共存的情况下:
全局IP白名单保存在 /conf/acl/plain_acl.yml
account保存在 /conf/plain.acl.yml
此时通过 CLI 添加 account 后,虽然可以通过 mqadmin getAccessConfigSubCommand
看到设置的权限,但是使用时却无法通过 ACL 检测
例如:
step1. /conf/plain.acl.yml 不存在,/conf/acl/plain.yml 手动写入全局IP白名单
step2. 使用CLI mqadmin 添加 account 用于生产者,如下:
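# Create the producer account: non-admin, topics and groups denied by default,
# PUB granted only on RMQ_SYS_TRACE_TOPIC and TP-E-APP-YYY.
# A secret key passed as an argument is recorded in shell history and is
# visible in the process list while the command runs.
# The first line now ends with a continuation so that -c and the following
# options belong to the same mqadmin invocation.
sh /opt/paasmq/rocketmq-4.9.3/bin/mqadmin updateAclConfig -n 127.0.0.1:19876 \
  -c AWS-NPRD-Cluster \
  --accessKey PG-E-APP-YYY \
  --secretKey 12345678 \
  --admin false \
  --defaultTopicPerm DENY \
  --defaultGroupPerm DENY \
  --topicPerms RMQ_SYS_TRACE_TOPIC=PUB,TP-E-APP-YYY=PUB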
step3. 使用 CLI mqadmin 查看新添加的account,已经成功
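# List the ACL accounts known to the cluster to confirm the new entry.
# Kept on one line: split after -n, the name-server address would be run as a
# separate command.
sh /opt/paasmq/rocketmq-4.9.3/bin/mqadmin getAccessConfigSubCommand -n 127.0.0.1:19876 -c AWS-NPRD-Cluster;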
step4. 使用以下代码测试生产者功能,可以正常消费
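/**
 * Reproduction client: sends ten messages to topic {@code TP-E-APP-YYY} with the
 * {@code PG-E-APP-YYY} ACL account and prints each send result.
 */
public class AclProducer {

    /**
     * Starts an ACL-enabled producer, attempts ten sends and always shuts the producer down.
     *
     * @param args unused
     * @throws MQClientException if the producer cannot be started
     * @throws InterruptedException if the one-second pause after a failed send is interrupted
     * @throws RemotingException declared for callers; send failures are caught inside the loop
     * @throws MQBrokerException declared for callers; send failures are caught inside the loop
     */
    public static void main(String[] args)
        throws MQClientException, InterruptedException,
        RemotingException, MQBrokerException {
        // Third argument switches message trace on; null leaves the trace topic at its
        // default, which is why the account is also granted PUB on RMQ_SYS_TRACE_TOPIC.
        DefaultMQProducer producer =
            new DefaultMQProducer("My-Producer-YYY", getAclRPCHook(), true, null);
        producer.setNamesrvAddr("10.155.100.8:19876;10.155.101.213:19876");
        producer.start();
        try {
            for (int i = 0; i < 10; i++) {
                try {
                    byte[] body = ("Hello RocketMQ " + i).getBytes(RemotingHelper.DEFAULT_CHARSET);
                    Message msg = new Message("TP-E-APP-YYY", "*", body);
                    SendResult sendResult = producer.send(msg);
                    System.out.printf("%s%n", sendResult);
                    Thread.sleep(10);
                } catch (InterruptedException e) {
                    // Keep the interrupt visible to the caller and stop sending instead of
                    // treating it as a failed send.
                    Thread.currentThread().interrupt();
                    break;
                } catch (Exception e) {
                    // A broker-side ACL rejection surfaces here as a failed send.
                    e.printStackTrace();
                    Thread.sleep(1000);
                }
            }
        } finally {
            // Runs even when the pause above is interrupted, so the client is always released.
            producer.shutdown();
        }
    }

    /**
     * Builds the ACL hook carrying the producer account's access key and secret key.
     *
     * @return hook passed to the producer constructor
     */
    static RPCHook getAclRPCHook() {
        // Keys are inlined so the reproduction matches the account created with
        // mqadmin updateAclConfig; in deployed code they would come from configuration
        // or a secret store, not from source.
        return new AclClientRPCHook(new SessionCredentials("PG-E-APP-YYY", "12345678"));
    }
}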
step4. 使用CLI mqadmin 添加 account 用于消费者,如下:
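# Create the consumer account: non-admin, topics and groups denied by default,
# PUB on RMQ_SYS_TRACE_TOPIC, SUB on TP-E-APP-YYY and on its own consumer group.
# A secret key passed as an argument is recorded in shell history and is
# visible in the process list while the command runs.
# The first line now ends with a continuation so that -c and the following
# options belong to the same mqadmin invocation.
sh /opt/paasmq/rocketmq-4.9.3/bin/mqadmin updateAclConfig -n 127.0.0.1:19876 \
  -c AWS-NPRD-Cluster \
  --accessKey CG-E-APP-YYY-APP-SVC \
  --secretKey 12345678 \
  --admin false \
  --defaultTopicPerm DENY \
  --defaultGroupPerm DENY \
  --topicPerms RMQ_SYS_TRACE_TOPIC=PUB,TP-E-APP-YYY=SUB \
  --groupPerms CG-E-APP-YYY-APP-SVC=SUB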
step5. 使用和step3中相同的代码,再次测试生产,发现无法正常生产消息,报错如下:
```
org.apache.rocketmq.client.exception.MQClientException: Send [3] times,
still failed, cost [17]ms, Topic: TP-E-APP-YYY, BrokersSent:
[AWS-NPRD-Broker-a, AWS-NPRD-Broker-b, AWS-NPRD-Broker-a]
See http://rocketmq.apache.org/docs/faq/ for further details.
at
org.apache.rocketmq.client.impl.producer.DefaultMQProducerImpl.sendDefaultImpl(DefaultMQProducerImpl.java:681)
at
org.apache.rocketmq.client.impl.producer.DefaultMQProducerImpl.send(DefaultMQProducerImpl.java:1391)
at
org.apache.rocketmq.client.impl.producer.DefaultMQProducerImpl.send(DefaultMQProducerImpl.java:1335)
at
org.apache.rocketmq.client.producer.DefaultMQProducer.send(DefaultMQProducer.java:336)
at AclProducer.main(AclProducer.java:22)
Caused by: org.apache.rocketmq.client.exception.MQBrokerException: CODE: 1
DESC: java.lang.NullPointerException,
org.apache.rocketmq.acl.plain.PlainPermissionManager.validate(PlainPermissionManager.java:646)
BROKER: 10.155.100.164:22922
For more information, please visit the url,
http://rocketmq.apache.org/docs/faq/
at
org.apache.rocketmq.client.impl.MQClientAPIImpl.processSendResponse(MQClientAPIImpl.java:668)
at
org.apache.rocketmq.client.impl.MQClientAPIImpl.sendMessageSync(MQClientAPIImpl.java:507)
at
org.apache.rocketmq.client.impl.MQClientAPIImpl.sendMessage(MQClientAPIImpl.java:489)
at
org.apache.rocketmq.client.impl.MQClientAPIImpl.sendMessage(MQClientAPIImpl.java:433)
at
org.apache.rocketmq.client.impl.producer.DefaultMQProducerImpl.sendKernelImpl(DefaultMQProducerImpl.java:870)
at
org.apache.rocketmq.client.impl.producer.DefaultMQProducerImpl.sendDefaultImpl(DefaultMQProducerImpl.java:606)
... 4 more
```
step6. 使用下列代码,测试新加入的消费者 ACL,也无法正常消费
/**
 * Reproduction client: push consumer in group {@code CG-E-APP-YYY-APP-SVC} that subscribes
 * to {@code TP-E-APP-YYY} with the {@code CG-E-APP-YYY-APP-SVC} ACL account and prints
 * every batch it receives.
 */
public class AclConsumer {

    /**
     * Configures the ACL-enabled push consumer, registers a printing listener and starts it.
     *
     * @param args unused
     * @throws MQClientException if subscribing or starting the consumer fails
     */
    public static void main(String[] args) throws MQClientException {
        DefaultMQPushConsumer pushConsumer = new DefaultMQPushConsumer(
            "CG-E-APP-YYY-APP-SVC",
            getAclRPCHook(),
            new AllocateMessageQueueAveragely(),
            true,
            null);
        pushConsumer.setConsumeFromWhere(ConsumeFromWhere.CONSUME_FROM_FIRST_OFFSET);
        pushConsumer.subscribe("TP-E-APP-YYY", "*");
        pushConsumer.setNamesrvAddr("10.155.100.8:19876;10.155.101.213:19876");

        // Listener that only logs the batch and acknowledges it.
        MessageListenerConcurrently printingListener = new MessageListenerConcurrently() {
            @Override
            public ConsumeConcurrentlyStatus consumeMessage(List<MessageExt> batch,
                ConsumeConcurrentlyContext ctx) {
                String threadName = Thread.currentThread().getName();
                System.out.printf("%s Receive New Messages: %s %n", threadName, batch);
                return ConsumeConcurrentlyStatus.CONSUME_SUCCESS;
            }
        };
        pushConsumer.registerMessageListener(printingListener);

        pushConsumer.start();
        System.out.printf("Consumer Started.%n");
    }

    /**
     * Builds the ACL hook carrying the consumer account's access key and secret key.
     *
     * @return hook passed to the consumer constructor
     */
    static RPCHook getAclRPCHook() {
        // Same key pair as the account created with mqadmin updateAclConfig for the consumer.
        SessionCredentials credentials =
            new SessionCredentials("CG-E-APP-YYY-APP-SVC", "12345678");
        return new AclClientRPCHook(credentials);
    }
}