zergduan commented on issue #3922:
URL: https://github.com/apache/rocketmq/issues/3922#issuecomment-1057874664
To summarise the problem I ran into: in the current 4.9.3, the ACL change feature cannot be used. Whether you use mqadmin or edit the plain_acl.yml file by hand, the ACL stops working (at least everything related to accounts stops working).
The test method is as follows (the results are the same for /conf/acl/plain_acl.yml and /conf/plain_acl.yml):
Step 1. Write the following into plain_acl.yml:
```
globalWhiteRemoteAddresses:
- 10.155.100.8
- 10.155.101.213
- 10.155.100.164
- 10.155.101.112
- 10.155.101.59
- 10.155.100.212
- 10.177.96.111

accounts:
- accessKey: PG-E-APP-YYY
  secretKey: 12345678
  whiteRemoteAddress:
  admin: false
  defaultTopicPerm: DENY
  defaultGroupPerm: DENY
  topicPerms:
  - TP-E-APP-YYY=PUB
  - RMQ_SYS_TRACE_TOPIC=SUB
  groupPerms:
- accessKey: CG-E-APP-YYY-APP-SVC
  secretKey: 12345678
  whiteRemoteAddress:
  admin: false
  defaultTopicPerm: DENY
  defaultGroupPerm: DENY
  topicPerms:
  - TP-E-APP-YYY=SUB
  - RMQ_SYS_TRACE_TOPIC=SUB
  groupPerms:
  # the group should convert to retry topic
  - CG-E-APP-YYY-APP-SVC=SUB
```
Step 2. Restart NameSrv and Broker.
Step 3. Use the following code to verify message production and consumption (with ACL); production and consumption work normally.
Producer:
```
import org.apache.rocketmq.acl.common.AclClientRPCHook;
import org.apache.rocketmq.acl.common.SessionCredentials;
import org.apache.rocketmq.client.exception.MQBrokerException;
import org.apache.rocketmq.client.exception.MQClientException;
import org.apache.rocketmq.client.producer.DefaultMQProducer;
import org.apache.rocketmq.client.producer.SendResult;
import org.apache.rocketmq.common.message.Message;
import org.apache.rocketmq.remoting.RPCHook;
import org.apache.rocketmq.remoting.common.RemotingHelper;
import org.apache.rocketmq.remoting.exception.RemotingException;

public class AclProducer {
    public static void main(String[] args)
            throws MQClientException, InterruptedException, RemotingException, MQBrokerException {
        // Producer that signs every request with the PG-E-APP-YYY account; message trace enabled
        DefaultMQProducer producer = new DefaultMQProducer("My-Producer-YYY", getAclRPCHook(), true, null);
        producer.setNamesrvAddr("10.155.100.8:19876;10.155.101.213:19876");
        producer.start();
        for (int i = 0; i < 10; i++) {
            try {
                Message msg = new Message("TP-E-APP-YYY", "*", ("Hello RocketMQ " + i).getBytes(RemotingHelper.DEFAULT_CHARSET));
                //msg.setDelayTimeLevel(6);
                SendResult sendResult = producer.send(msg);
                System.out.printf("%s%n", sendResult);
                Thread.sleep(10);
            } catch (Exception e) {
                e.printStackTrace();
                Thread.sleep(1000);
            }
        }
        producer.shutdown();
    }

    // ACL hook: attaches the account's accessKey and a signature computed with its secretKey
    static RPCHook getAclRPCHook() {
        return new AclClientRPCHook(new SessionCredentials("PG-E-APP-YYY", "12345678"));
    }
}
```
Consumer:
```
import java.util.List;

import org.apache.rocketmq.acl.common.AclClientRPCHook;
import org.apache.rocketmq.acl.common.SessionCredentials;
import org.apache.rocketmq.client.consumer.DefaultMQPushConsumer;
import org.apache.rocketmq.client.consumer.listener.ConsumeConcurrentlyContext;
import org.apache.rocketmq.client.consumer.listener.ConsumeConcurrentlyStatus;
import org.apache.rocketmq.client.consumer.listener.MessageListenerConcurrently;
import org.apache.rocketmq.client.consumer.rebalance.AllocateMessageQueueAveragely;
import org.apache.rocketmq.client.exception.MQClientException;
import org.apache.rocketmq.common.consumer.ConsumeFromWhere;
import org.apache.rocketmq.common.message.MessageExt;
import org.apache.rocketmq.remoting.RPCHook;

public class AclConsumer {
    public static void main(String[] args) throws MQClientException {
        // Push consumer in group CG-E-APP-YYY-APP-SVC, signed with that account; message trace enabled
        DefaultMQPushConsumer consumer = new DefaultMQPushConsumer(
                "CG-E-APP-YYY-APP-SVC", getAclRPCHook(), new AllocateMessageQueueAveragely(), true, null);
        consumer.setConsumeFromWhere(ConsumeFromWhere.CONSUME_FROM_FIRST_OFFSET);
        consumer.subscribe("TP-E-APP-YYY", "*");
        consumer.setNamesrvAddr("10.155.100.8:19876;10.155.101.213:19876");
        consumer.registerMessageListener(new MessageListenerConcurrently() {
            @Override
            public ConsumeConcurrentlyStatus consumeMessage(List<MessageExt> msgs,
                                                            ConsumeConcurrentlyContext context) {
                System.out.printf("%s Receive New Messages: %s %n", Thread.currentThread().getName(), msgs);
                // Returning RECONSUME_LATER sends the batch to the retry topic, which exercises the groupPerms rule
                //return ConsumeConcurrentlyStatus.CONSUME_SUCCESS;
                return ConsumeConcurrentlyStatus.RECONSUME_LATER;
            }
        });
        consumer.start();
        System.out.printf("Consumer Started.%n");
    }

    // ACL hook: attaches the account's accessKey and a signature computed with its secretKey
    static RPCHook getAclRPCHook() {
        return new AclClientRPCHook(new SessionCredentials("CG-E-APP-YYY-APP-SVC", "12345678"));
    }
}
```
Step 4. Open plain_acl.yml in vi, make no changes at all and just :wq to exit (the file content is unchanged; only the file's modification time changes).
Step 5. Use the same code to verify message production and consumption (with ACL); production and consumption no longer work, with the following error:
```
org.apache.rocketmq.client.exception.MQClientException: Send [3] times, still failed, cost [17]ms, Topic: TP-E-APP-YYY, BrokersSent: [AWS-NPRD-Broker-b, AWS-NPRD-Broker-a, AWS-NPRD-Broker-b]
See http://rocketmq.apache.org/docs/faq/ for further details.
    at org.apache.rocketmq.client.impl.producer.DefaultMQProducerImpl.sendDefaultImpl(DefaultMQProducerImpl.java:681)
    at org.apache.rocketmq.client.impl.producer.DefaultMQProducerImpl.send(DefaultMQProducerImpl.java:1391)
    at org.apache.rocketmq.client.impl.producer.DefaultMQProducerImpl.send(DefaultMQProducerImpl.java:1335)
    at org.apache.rocketmq.client.producer.DefaultMQProducer.send(DefaultMQProducer.java:336)
    at AclProducer.main(AclProducer.java:22)
Caused by: org.apache.rocketmq.client.exception.MQBrokerException: CODE: 1  DESC: java.lang.NullPointerException, org.apache.rocketmq.acl.plain.PlainPermissionManager.validate(PlainPermissionManager.java:646) BROKER: 10.155.101.59:22922
For more information, please visit the url, http://rocketmq.apache.org/docs/faq/
    at org.apache.rocketmq.client.impl.MQClientAPIImpl.processSendResponse(MQClientAPIImpl.java:668)
    at org.apache.rocketmq.client.impl.MQClientAPIImpl.sendMessageSync(MQClientAPIImpl.java:507)
    at org.apache.rocketmq.client.impl.MQClientAPIImpl.sendMessage(MQClientAPIImpl.java:489)
    at org.apache.rocketmq.client.impl.MQClientAPIImpl.sendMessage(MQClientAPIImpl.java:433)
    at org.apache.rocketmq.client.impl.producer.DefaultMQProducerImpl.sendKernelImpl(DefaultMQProducerImpl.java:870)
    at org.apache.rocketmq.client.impl.producer.DefaultMQProducerImpl.sendDefaultImpl(DefaultMQProducerImpl.java:606)
    ... 4 more
```
Step 6. Restart NameSrv and Broker and test message production and consumption again with the same code; production and consumption work normally.
Conclusion:
While the Broker is running, any modification of the plain_acl.yml file (even one that does not change the file content and only touches its timestamp) causes the existing account ACL rules to stop working, and the affected producer and consumer clients report:
> org.apache.rocketmq.client.exception.MQBrokerException: CODE: 1 DESC: java.lang.NullPointerException, org.apache.rocketmq.acl.plain.PlainPermissionManager.validate(PlainPermissionManager.java:646)
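Since the report above shows that merely touching the file's timestamp is enough to make the broker re-read plain_acl.yml, it is worth checking an edit before it is saved in place. The following is an added example, not the reporter's code and not part of RocketMQ: a small Python linter for the accounts section in the layout quoted in Step 1. The sample file is constructed, and both the secretKey length threshold and the remark that an unrecognised perm string is treated as DENY are assumptions about the broker's behaviour rather than facts taken from this issue.

```python
# Constructed sample in the layout of the report's plain_acl.yml (not the reporter's file)
SAMPLE_ACL = """\
globalWhiteRemoteAddresses:
- 10.155.100.8
accounts:
- accessKey: PG-E-APP-YYY
  secretKey: 12345678
  whiteRemoteAddress:
  topicPerms:
  - TP-E-APP-YYY=PUB
- accessKey: CG-E-APP-YYY-APP-SVC
  secretKey: 123
  topicPerms:
  - TP-E-APP-YYY=READ
"""
VALID_PERMS = {"DENY", "PUB", "SUB", "PUB|SUB", "SUB|PUB"}

def parse_accounts(text):
    """Minimal parser for the plain_acl.yml subset RocketMQ uses; not general YAML."""
    accounts, cur, key, in_accounts = [], None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw.startswith((" ", "-")):       # top-level key such as 'accounts:'
            in_accounts = line == "accounts:"
        elif not in_accounts:                    # e.g. globalWhiteRemoteAddresses items
            continue
        elif line.startswith("- accessKey:"):    # starts a new account mapping
            cur = {"accessKey": line.split(":", 1)[1].strip()}
            accounts.append(cur)
        elif line.startswith("- "):              # entry of topicPerms / groupPerms
            cur[key] = (cur.get(key) or []) + [line[2:].strip()]
        else:                                    # 'field: value', value may be empty
            key, _, val = (s.strip() for s in line.partition(":"))
            cur[key] = val or None
    return accounts

def lint_acl(text):
    problems = []                                # empty list means the accounts section passes
    for acc in parse_accounts(text):
        ak = acc["accessKey"]
        if len(acc.get("secretKey") or "") <= 6:   # assumed broker rule: length must exceed 6
            problems.append(f"{ak}: secretKey must be longer than 6 characters")
        for field in ("topicPerms", "groupPerms"):
            for entry in acc.get(field) or []:
                _, sep, perm = entry.partition("=")
                if not sep or perm not in VALID_PERMS:   # assumed: a typo here silently means DENY
                    problems.append(f"{ak}: bad {field} entry '{entry}'")
    return problems
```

Run `lint_acl(open("plain_acl.yml").read())` on the edited copy and only move it into /conf/acl once the list comes back empty.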