Access control
1. Introduction to access control features
Access control (ACL) mainly provides RocketMQ with Topic resource level user access control. When using RocketMQ permission control, users can inject AccessKey and SecretKey signatures through RPCHook on the Client client; at the same time, set the corresponding permission control attributes (including Topic access permissions, IP whitelist and AccessKey and SecretKey signatures, etc.) in distribution/conf /plain_acl.yml configuration file. The Broker verifies the permissions owned by the AccessKey , but it throws an exception; the
ACL client can refer to the AclClient code in the org.apache.rocketmq.example.simple package .
2. Definition and attribute value of access control
2.1 Permission definition
The definition of RocketMQ's Topic resource access authority control is mainly shown in the following table, divided into the following four types
| Authority | meaning |
|---|---|
| DENY | Refuse |
| ANY | PUB or SUB permissions |
| PUB | Send permission |
| SUB | Subscription permission |
2.2 Key attributes of permission definition
| Field | Value | meaning |
|---|---|---|
| globalWhiteRemoteAddresses | *;192.168.*.*;192.168.0.1 | Global IP whitelist |
| accessKey | String | Access Key |
| secretKey | String | Secret Key |
| whiteRemoteAddress | *;192.168.*.*;192.168.0.1 | User IP whitelist |
| admin | true;false | Is an administrator account |
| defaultTopicPerm | DENY;PUB;SUB;PUB|SUB | Default topic permissions |
| defaultGroupPerm | DENY;PUB;SUB;PUB|SUB | Default ConsumerGroup permissions |
| topicPerms | topic=Permission | Permission of each topic |
| groupPerms | group=Permission | Permissions of each ConsumerGroup |
For details, please refer to the distribution/conf/plain_acl.yml configuration file
3. Cluster deployment with permission control
After defining the permission attributes in the distribution/conf/plain_acl.yml configuration file as described above, turn on the aclEnable switch variable to enable the ACL feature of the RocketMQ cluster. Here are the contents of the properties configuration file that enables ACL features on the Broker side:
brokerClusterName=DefaultCluster
brokerName=broker-a
brokerId=0
deleteWhen=04
fileReservedTime=48
brokerRole=ASYNC_MASTER
flushDiskType=ASYNC_FLUSH
storePathRootDir=/data/rocketmq/rootdir-a-m
storePathCommitLog=/data/rocketmq/commitlog-a-m
autoCreateSubscriptionGroup=true
## if acl is open,the flag will be true
aclEnable=true
listenPort=10911
brokerIP1=XX.XX.XX.XX1
namesrvAddr=XX.XX.XX.XX:9876
4. The main process of permission control
The main process of ACL is divided into two parts, mainly including permission analysis and permission verification.
4.1 Permission analysis
The Broker side parses the client's RequestCommand request and obtains the attribute fields that require authentication.
Mainly include:
(1) AccessKey: similar to the user name, which refers to the user subject, and the authority data corresponds to it;
(2) Signature: the string obtained by the client based on the SecretKey signature, and the server uses the SecretKey for signature verification;
4.2 Permission verification
Broker's permission verification logic is mainly divided into the following steps:
(1) Check whether it hits the global IP whitelist; if it is, it is deemed to pass; otherwise, go to 2;
(2) Check whether it hits the user IP whitelist; If it is, then the verification is considered to be passed; otherwise, go to 3;
(3) Verify the signature, if the verification fails, and throw an exception; if the verification is passed, go to 4;
(4) Ask the user for the required permissions and user rights The permission you own is verified; if it fails, an exception is thrown; the
user needs to pay attention to the following content:
(1) Special requests such as UPDATE_AND_CREATE_TOPIC, etc., can only be operated by the admin account;
(2) For a certain For each resource, if there is an explicit configuration authority, the configured authority is adopted; if there is no explicit configuration authority, the default authority is adopted;
5. Permission control definition after hot loading modification
The default implementation of RocketMQ's permission control storage is based on the yml configuration file. Users can dynamically modify the attributes defined by access control without restarting the Broker service node.
6. Restrictions on access control
(1) If ACL and high-availability deployment (Master/Slave architecture) are enabled at the same time, you need to
set the global whitelist information in the distribution/conf/plain_acl.yml configuration file of the Broker Master node, which is to set the ip address of the Slave node To the global whitelist in the plain_acl.yml configuration file of the Master node.
(2) If ACL and high-availability deployment (multi-copy Dledger architecture) are enabled at the same time, since the Dledger Group will automatically select the master when a node is down, then it is necessary to
configure the plain_acl.yml of all Broker nodes in the Dledger Group group The whitelist of the file sets the ip addresses of all Broker nodes.
7. ACL mqadmin configuration management commands
7.1 Update the attribute value of "account" in the ACL configuration file
An example of this command is as follows:
sh mqadmin updateAclConfig -n 192.168.1.2:9876 -b 192.168.12.134:10911 -a RocketMQ -s 1234567809123
-t topicA=DENY,topicD=SUB -g groupD=DENY,groupB=SUB
Note: If it does not exist, it will be created in the ACL Config YAML configuration file; if it exists, the attribute value of the corresponding "accounts" will be updated;
if the cluster name is specified, the command will be executed on each broker node in the cluster; Otherwise, the command will be executed on a single broker node.
| parameter | Value | meaning |
|---|---|---|
| n | eg:192.168.1.2:9876 | namesrv address (required) |
| c | eg:DefaultCluster | Specify the cluster name (choose one from the broker address) |
| b | eg:192.168.12.134:10911 | Specify the broker address (choose one from the cluster name) |
| a | eg:RocketMQ | Access Key value (required) |
| s | eg:1234567809123 | Secret Key value (optional) |
| m | eg:true | Whether the administrator account (optional) |
| w | eg:192.168.0.* | whiteRemoteAddress, user IP whitelist (optional) |
| i | eg:DENY;PUB;SUB;PUB|SUB | defaultTopicPerm, default Topic permissions (optional) |
| u | eg:DENY;PUB;SUB;PUB|SUB | defaultGroupPerm, default ConsumerGroup permissions (optional) |
| t | eg:topicA=DENY,topicD=SUB | topicPerms, permissions of each topic (optional) |
| g | eg:groupD=DENY,groupB=SUB | groupPerms, permissions of each ConsumerGroup (optional) |
7.2 Delete the corresponding "account" in the ACL configuration file
An example of this command is as follows:
sh mqadmin deleteAccessConfig -n 192.168.1.2:9876 -c DefaultCluster -a RocketMQ
Note: If the cluster name is specified, the command will be executed on each broker node in the cluster; otherwise, the command will be executed on a single broker node.
Among them, the parameter "a" is the value of Access Key, which is used to identify the unique account id, so the account id can be specified in the parameter of the command.
| parameter | Value | meaning |
|---|---|---|
| n | eg:192.168.1.2:9876 | namesrv address (required) |
| c | eg:DefaultCluster | Specify the cluster name (choose one from the broker address) |
| b | eg:192.168.12.134:10911 | Specify the broker address (choose one from the cluster name) |
| a | eg:RocketMQ | Access Key value (required) |
7.3 Update the global whitelist in the ACL configuration file
An example of this command is as follows:
sh mqadmin updateGlobalWhiteAddr -n 192.168.1.2:9876 -b 192.168.12.134:10911 -g 10.10.154.1,10.10.154.2
Note: If the cluster name is specified, the command will be executed on each broker node in the cluster; otherwise, the command will be executed on a single broker node.
Among them, the parameter "g" is the value of the global IP white name, used to update the attribute value of the "globalWhiteRemoteAddresses" field in the ACL configuration file.
| parameter | Value | meaning |
|---|---|---|
| n | eg:192.168.1.2:9876 | namesrv address (required) |
| c | eg:DefaultCluster | Specify the cluster name (choose one from the broker address) |
| b | eg:192.168.12.134:10911 | Specify the broker address (choose one from the cluster name) |
| g | eg:10.10.154.1,10.10.154.2 | Global IP whitelist (required) |
7.4 Querying the version information of the cluster/Broker ACL configuration file
An example of this command is as follows:
sh mqadmin clusterAclConfigVersion -n 192.168.1.2:9876 -c DefaultCluster
Note: If the cluster name is specified, the command will be executed on each broker node in the cluster; otherwise, the command will be executed on a single broker node.
| parameter | Value | meaning |
|---|---|---|
| n | eg:192.168.1.2:9876 | namesrv address (required) |
| c | eg:DefaultCluster | Specify the cluster name (choose one from the broker address) |
| b | eg:192.168.12.134:10911 | Specify the broker address (choose one from the cluster name) |
7.5 查询集群/Broker的ACL配置文件全部内容
该命令的示例如下:
sh mqadmin getAccessConfigSubCommand -n 192.168.1.2:9876 -c DefaultCluster
说明:如果指定的是集群名称,则会在集群中各个broker节点执行该命令;否则会在单个broker节点执行该命令。
| 参数 | 取值 | 含义 |
|---|---|---|
| n | eg:192.168.1.2:9876 | namesrv地址(必填) |
| c | eg:DefaultCluster | 指定集群名称(与broker地址二选一) |
| b | eg:192.168.12.134:10911 | 指定broker地址(与集群名称二选一) |
特别注意开启Acl鉴权认证后导致Master/Slave和Dledger模式下Broker同步数据异常的问题,
在社区[4.5.1]版本中已经修复,具体的PR链接为:https://github.com/apache/rocketmq/pull/1149;