sunxi92 opened a new issue, #4688:
URL: https://github.com/apache/rocketmq/issues/4688
At present, the ACL module does not support namespace. The way to achieve it is
as follows:
1. "namespace%ak" is globally unique
2. the ACL config is modified as follows:
globalWhiteRemoteAddresses:
  - 10.10.103.*
  - 192.168.0.*
accounts:
  - accessKey: namespace1%RocketMQ
    secretKey: 12345678
    whiteRemoteAddress:
    admin: false
    defaultTopicPerm: DENY
    defaultGroupPerm: SUB
    topicPerms:
      - namespace1%topicA=DENY
      - namespace1%topicB=PUB|SUB
      - namespace1%topicC=SUB
    groupPerms:
      # the group should convert to retry topic
      - namespace1%groupA=DENY
      - namespace1%groupB=PUB|SUB
      - namespace1%groupC=SUB
  - accessKey: rocketmq2
    secretKey: 12345678
    whiteRemoteAddress: 192.168.1.*
    # if it is admin, it could access all resources
    admin: true
Based on the above, the code that needs to be modified is as follows:
1. To use this feature, clients need to use RPCHook to inject
accesskey, secretkey and namespace
2. To support this feature, the code in the acl module needs to be modified as
follows:
(1) SessionCredentials adds an attribute called namespace
(2) Before the client sends a request, the client calls the doBeforeRequest method
first, so in doBeforeRequest we can add an operation which adds the namespace to the
extended attributes of the request
(3) After the broker receives the request, it will parse the
PlainAccessResource object from the request; at this moment we can parse
the namespace, and then set the accesskey
3. ACL mqadmin commands also need to be modified: updateAclConfig and
deleteAccessConfig should add an optional parameter called namespace to support
namespace
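Added example (not part of the original issue and not RocketMQ code): a small Python model of the broker-side check the issue proposes, where the account is looked up as "namespace%ak" and topics are matched as "namespace%topic". Assumptions: the names qualify, sign and authorize are hypothetical, the signature is modelled as HMAC-SHA1 over namespace, access key and topic, and '%' is rejected inside any part so that the composite key stays unique.

```python
import hashlib
import hmac

SEP = "%"  # separator used in the issue: "namespace%ak"

# Constructed accounts mirroring the config in the issue (sample values only).
ACCOUNTS = {
    "namespace1%RocketMQ": {
        "secretKey": b"12345678", "admin": False, "defaultTopicPerm": "DENY",
        "topicPerms": {"namespace1%topicA": "DENY",
                       "namespace1%topicB": "PUB|SUB",
                       "namespace1%topicC": "SUB"}},
    "rocketmq2": {"secretKey": b"12345678", "admin": True,
                  "defaultTopicPerm": "DENY", "topicPerms": {}},
}


def qualify(namespace, name):
    """Build 'namespace%name'; a '%' inside either part would be ambiguous."""
    if SEP in namespace or SEP in name:
        raise ValueError("'%' is reserved as the namespace separator")
    return namespace + SEP + name if namespace else name


def sign(secret, namespace, access_key, topic):
    # Assumption: the namespace is part of the signed content, so it cannot
    # be swapped after the client has signed the request.
    msg = "\n".join([namespace, access_key, topic]).encode()
    return hmac.new(secret, msg, hashlib.sha1).hexdigest()


def authorize(namespace, access_key, topic, action, signature):
    """Broker side: True only if the request is authentic and permitted."""
    try:
        account = ACCOUNTS.get(qualify(namespace, access_key))
        resource = qualify(namespace, topic)
    except ValueError:
        return False
    if account is None:
        return False
    expected = sign(account["secretKey"], namespace, access_key, topic)
    if not hmac.compare_digest(expected, signature):
        return False
    if account["admin"]:
        return True  # admin accounts can access all resources
    perm = account["topicPerms"].get(resource, account["defaultTopicPerm"])
    return action in ("PUB", "SUB") and action in perm.split("|")
```

Because the account lookup key includes the namespace, a request that claims a different namespace resolves to a different (or missing) account and fails before any permission is evaluated.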