caigy commented on issue #4688:
URL: https://github.com/apache/rocketmq/issues/4688#issuecomment-1197600593

This design requires updating rocketmq-client, which might bring costs for users who have to update rocketmq-client. I have some suggestions:

1. `accessKey` should be defined as a globally unique string, so that complexity is reduced and users with older versions of rocketmq-client may adopt this feature. Some uniqueness check of `accessKey` should be added to the ACL mqadmin command to keep `accessKey` globally unique with best effort.

2. One `accessKey` can only be granted permissions to access resources in the same namespace.

3. Separate the presentation from the storage of the namespace in the ACL module. `{namespace}%{resource}` is just a presentation of resources in a namespace. For the definition of the `account` data structure, a new field should be added to store the namespace. When checking permissions, resources defined in the ACL account are converted to `{namespace}%{resource}`.

In that way, the ACL config file would look like this:

```yaml
globalWhiteRemoteAddresses:
  - 10.10.103.*
  - 192.168.0.*
accounts:
  - accessKey: RocketMQ  # accessKey is globally unique
    secretKey: 12345678
    namespace: namespace1  # add namespace field in account
    whiteRemoteAddress:
    admin: false
    defaultTopicPerm: DENY
    defaultGroupPerm: SUB
    # All topics below are in namespace1
    topicPerms:
      - topicA=DENY
      - topicB=PUB|SUB
      - topicC=SUB
    # All groups below are in namespace1
    groupPerms:
      - groupA=DENY
      - groupB=PUB|SUB
      - groupC=SUB
  - accessKey: rocketmq2  # rocketmq2 is in a 'default' namespace
    secretKey: 12345678
    whiteRemoteAddress: 192.168.1.*
    admin: true
```
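The permission model proposed in the comment above, as an added Python example that is not RocketMQ's own code: accounts are indexed by a globally unique `accessKey`, resources are stored bare next to a `namespace` field, and are only joined as `{namespace}%{resource}` at check time, so a request for a resource in another namespace is denied. The name of the implicit namespace (`default`) and the `check`/`load_accounts` functions are assumptions for the example.

```python
# Added example modelling the namespaced ACL design from the comment.
# Not RocketMQ code; the "default" namespace name is an assumption.
DEFAULT_NAMESPACE = "default"


def qualify(namespace, resource):
    """Presentation form of a namespaced resource: {namespace}%{resource}."""
    return f"{namespace}%{resource}"


def load_accounts(accounts):
    """Index accounts by accessKey, enforcing global uniqueness (suggestion 1)."""
    index = {}
    for acc in accounts:
        key = acc["accessKey"]
        if key in index:
            raise ValueError(f"duplicate accessKey: {key}")
        index[key] = acc
    return index


def _perm_map(entries):
    """'topicB=PUB|SUB' -> {'topicB': {'PUB', 'SUB'}}."""
    out = {}
    for entry in entries or []:
        name, _, perm = entry.partition("=")
        out[name] = set(perm.split("|"))
    return out


def check(index, access_key, resource, op, kind="topic"):
    """True if access_key may perform op (PUB/SUB) on a fully qualified
    resource such as 'namespace1%topicB'. Resources outside the account's
    namespace are always denied (suggestion 2)."""
    acc = index.get(access_key)
    if acc is None:
        return False
    if acc.get("admin"):
        return True
    ns = acc.get("namespace", DEFAULT_NAMESPACE)
    # Stored bare names are converted to {namespace}%{resource} only here.
    qualified = {qualify(ns, r): p for r, p in _perm_map(acc.get(f"{kind}Perms")).items()}
    if resource in qualified:
        granted = qualified[resource]
    elif resource.startswith(ns + "%"):
        granted = set(acc.get(f"default{kind.capitalize()}Perm", "DENY").split("|"))
    else:
        return False  # resource lives in a different namespace
    return op in granted


# Constructed from the YAML in the comment above.
ACCOUNTS = [
    {"accessKey": "RocketMQ", "secretKey": "12345678", "namespace": "namespace1",
     "admin": False, "defaultTopicPerm": "DENY", "defaultGroupPerm": "SUB",
     "topicPerms": ["topicA=DENY", "topicB=PUB|SUB", "topicC=SUB"],
     "groupPerms": ["groupA=DENY", "groupB=PUB|SUB", "groupC=SUB"]},
    {"accessKey": "rocketmq2", "secretKey": "12345678", "admin": True},
]
INDEX = load_accounts(ACCOUNTS)
```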

