Status:
Current State: exploit
Authors: laohu
Shepherds: dongeforever
Mailing List Discussion: users@rocketmq.apache.org
Pull Request:
Released: 


Background & Motivation
What do we need to do 

Many users report that RocketMQ cannot effectively manage or protect its resources in complex development, testing and similar environments, and they very much hope RocketMQ will gain an ACL system.

Goals

1. Design and implement a secure, efficient, easy-to-use and friendly ACL system.
2. Permission granularity reaches the topic, IP, user and interface level.
3. Can authenticate the broker.
4. Support data permission verification on the same interface. For example, the send interface can only send normal messages and cannot send transactional messages.
5. The ACL implementation must minimize its impact on the existing code and must not affect the performance of the broker.
6. If ACL is not enabled, compatibility with the original clients must be ensured.
7. Guarantee forward compatibility after the change.

Non-Goals

1. Do not implement an ACL management web client, because there is insufficient time.
2. Do not implement ACL management commands that would deliver ACL management operations accurately and quickly to the corresponding broker and nameserver.
3. Do not implement ACL rights management functionality.


Changes

1. Add an ACL permission management data structure.
2. Add an ACL plugin responsible for broker permission verification, permission data management, and so on. Plain mode is implemented so far.
3. Modify remoting to add the ACL plugin.
4. Add login and other operations to the clients. This affects the Java, Go and C++ clients.


