The principle and use of RocketMQ ACL

2025-02-28 Update From: SLTechnology News&Howtos


This article introduces the principle and use of RocketMQ ACL: what access control means in RocketMQ, how the ACL configuration file is structured, how permission checks are evaluated, and how to enable ACL on the Broker and use it from a producer and a consumer.

1. What is ACL?

ACL is the abbreviation of Access Control List. Access control generally involves the concepts of users, resources, permissions and roles. What do these objects correspond to in RocketMQ?

User: the basic element of access control. RocketMQ ACL therefore introduces the concept of a user, that is, a user name (accessKey) and a password (secretKey).

Resource: the object that needs to be protected. In RocketMQ, the Topic involved in message sending and the consumer group involved in message consumption are the objects to protect, so they are abstracted as resources.

Permission: the actions that may be performed on a resource.

Role: RocketMQ defines only two roles, administrator and non-administrator.

In addition, RocketMQ also supports whitelisting by client IP address.

2. ACL basic flow chart

Before explaining how to use ACL, let's take a brief look at the request flow of RocketMQ ACL, as shown in the flow chart:

The implementation behind this flow will be covered in follow-up articles; the purpose of this article is to give the reader a general understanding.

3. How to configure ACL

3.1 ACL configuration file

The default ACL configuration file name is plain_acl.yml, which needs to be placed in the ${ROCKETMQ_HOME}/store/config directory. The configuration items are described one by one below.

3.1.1 globalWhiteRemoteAddresses

The global whitelist, whose type is an array, supports multiple entries. The supported rule formats are as follows:

Empty: no whitelist is set. This rule returns false by default.

"*": matches everything. This rule returns true directly, which short-circuits the evaluation of all other rules. Use it with caution.

192.168.0.{100,101}: multi-address mode. The last group of the IP address uses {}, with several values inside the curly braces separated by English commas (,).

192.168.1.100,192.168.2.100: several IP addresses separated directly by commas.

192.168.*.* or 192.168.100-200.10-20: each IP segment uses "*" or "-" to indicate a range.

3.1.2 accounts

Configures user information. It is an array type, and each entry has the child elements accessKey, secretKey, whiteRemoteAddress, admin, defaultTopicPerm, defaultGroupPerm, topicPerms and groupPerms.

3.1.2.1 accessKey

Login user name, which must be longer than 6 characters.

3.1.2.2 secretKey

Login password. The length must be greater than 6 characters.

3.1.2.3 whiteRemoteAddress

User-level whitelist of IP addresses. Its type is a string and its configuration rule is the same as globalWhiteRemoteAddresses, but only one rule can be configured.

3.1.2.4 admin

Boolean type, which sets whether the user is an administrator. The following operations can be executed only when admin=true:

UPDATE_AND_CREATE_TOPIC: update or create topics.

UPDATE_BROKER_CONFIG: update the Broker configuration.

DELETE_TOPIC_IN_BROKER: delete a topic.

UPDATE_AND_CREATE_SUBSCRIPTIONGROUP: update or create subscription group information.

DELETE_SUBSCRIPTIONGROUP: delete subscription group information.

3.1.2.5 defaultTopicPerm

Default topic permissions. The default value is DENY (reject).

3.1.2.6 defaultGroupPerm

The default consumption group permission, which defaults to DENY (deny), and the recommended value is SUB.

3.1.2.7 topicPerms

Set permissions for topic. Its type is an array, and its selectable values are described in the next section.

3.1.2.8 groupPerms

Set the permissions for the consumption group. Its type is an array, and its selectable values are described in the next section. You can configure different permissions for each consumer group.

3.2 optional values for RocketMQ ACL permissions

DENY: denied.

PUB: has send permission.

SUB: has subscription permission.

3.3 Permission verification process

The global whitelist, the user-level whitelist and the user-level permissions were defined above. To make it easier to configure ACL rules correctly, the permission matching logic is given below.
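The matching order this section refers to can be traced through in code. The following Python model is an added example, not RocketMQ's own Java implementation: it reproduces the steps described in sections 3.1.1 through 3.3 (global whitelist, account lookup, user-level whitelist, credential check, admin gate, then per-resource permission resolved against topicPerms/groupPerms with the defaultTopicPerm/defaultGroupPerm fallback) and implements the five whitelist rule formats of section 3.1.1. The ACL_CONFIG dict mirrors the article's plain_acl.yml so that no YAML parser is required; the IP addresses, request type labels and request bodies are constructed for the example, and the base64 HMAC-SHA1 signing stands in for the client's request signing rather than reproducing it exactly.

```python
import base64
import hashlib
import hmac

# Constructed mirror of the article's plain_acl.yml as a plain dict (no YAML parser needed).
ACL_CONFIG = {
    "globalWhiteRemoteAddresses": [],
    "accounts": [
        {"accessKey": "RocketMQ", "secretKey": "12345678", "whiteRemoteAddress": "",
         "admin": False, "defaultTopicPerm": "DENY", "defaultGroupPerm": "SUB",
         "topicPerms": ["TopicTest=PUB"], "groupPerms": ["oms_consumer_group=DENY"]},
        {"accessKey": "admin", "secretKey": "12345678", "whiteRemoteAddress": "", "admin": True},
    ],
}

# Request types that section 3.1.2.4 reserves for admin=true accounts.
ADMIN_ONLY = {"UPDATE_AND_CREATE_TOPIC", "UPDATE_BROKER_CONFIG", "DELETE_TOPIC_IN_BROKER",
              "UPDATE_AND_CREATE_SUBSCRIPTIONGROUP", "DELETE_SUBSCRIPTIONGROUP"}

PERM_BITS = {"DENY": 1, "ANY": 2, "PUB": 4, "SUB": 8}


def _octet_matches(pattern, value):
    """One dotted-quad position: '*' matches all, 'lo-hi' a range, otherwise an exact number."""
    if pattern == "*":
        return True
    if "-" in pattern:
        lo, hi = pattern.split("-", 1)
        return int(lo) <= value <= int(hi)
    return int(pattern) == value


def match_ip(rule, ip):
    """Evaluate one whitelist rule in the formats of section 3.1.1 against a client IP."""
    rule = rule.strip()
    if rule == "":                       # empty: no whitelist, the rule returns false
        return False
    if rule == "*":                      # wildcard: matches everything
        return True
    if "{" in rule:                      # 192.168.0.{100,101}: expand the last group
        head, tail = rule.split("{", 1)
        return any(match_ip(head + c.strip(), ip) for c in tail.rstrip("}").split(","))
    if "," in rule:                      # 192.168.1.100,192.168.2.100: a list of rules
        return any(match_ip(r, ip) for r in rule.split(","))
    parts = rule.split(".")              # 192.168.*.* or 192.168.100-200.10-20
    octets = [int(x) for x in ip.split(".")]
    return len(parts) == 4 and all(_octet_matches(p, o) for p, o in zip(parts, octets))


def check_permission(needed, owned):
    """DENY always loses; ANY is satisfied by PUB or SUB; otherwise the needed bit must be owned."""
    n, o = PERM_BITS[needed], PERM_BITS[owned]
    if o & PERM_BITS["DENY"]:
        return False
    if n & PERM_BITS["ANY"]:
        return bool(o & (PERM_BITS["PUB"] | PERM_BITS["SUB"]))
    return bool(n & o)


def _perm_map(entries):
    """['TopicTest=PUB'] -> {'TopicTest': 'PUB'}."""
    return dict(e.split("=", 1) for e in entries or [])


def sign(secret_key, content):
    """Base64(HMAC-SHA1) over the request content; a stand-in for the client's request signing."""
    return base64.b64encode(hmac.new(secret_key.encode(), content.encode(), hashlib.sha1).digest()).decode()


def make_request(access_key, secret_key, remote_addr, request_type, resources, content="constructed-body"):
    """Build a signed request; resources maps (kind, name) -> needed permission, kind in {topic, group}."""
    return {"remoteAddr": remote_addr, "accessKey": access_key, "content": content,
            "signature": sign(secret_key, content), "requestType": request_type, "resources": resources}


def validate(acl, request):
    """Walk the verification order of section 3.3; returns (allowed, reason)."""
    for rule in acl.get("globalWhiteRemoteAddresses") or []:       # 1. global whitelist
        if match_ip(rule, request["remoteAddr"]):
            return True, "global whitelist"
    account = {a["accessKey"]: a for a in acl["accounts"]}.get(request.get("accessKey"))
    if account is None:                                             # 2. account must exist
        return False, "no acl config for accessKey"
    if match_ip(account.get("whiteRemoteAddress") or "", request["remoteAddr"]):
        return True, "user whitelist"                               # 3. user-level whitelist
    if not hmac.compare_digest(sign(account["secretKey"], request["content"]), request["signature"]):
        return False, "signature check failed"                      # 4. credentials
    if request.get("requestType") in ADMIN_ONLY and not account.get("admin"):
        return False, "admin permission required"                   # 5. admin gate
    topic_perms, group_perms = _perm_map(account.get("topicPerms")), _perm_map(account.get("groupPerms"))
    if account.get("admin") and not topic_perms and not group_perms:
        return True, "admin without explicit perms"
    for (kind, name), needed in request.get("resources", {}).items():  # 6. per-resource check
        perms, default = (group_perms, "defaultGroupPerm") if kind == "group" else (topic_perms, "defaultTopicPerm")
        owned = perms.get(name, account.get(default, "DENY"))
        if not check_permission(needed, owned):
            return False, "no %s permission for %s %s" % (needed, kind, name)
    return True, "permission ok"


if __name__ == "__main__":
    # The article's producer sends to TopicTest3 and its consumer subscribes to TopicTest (constructed IP).
    send = make_request("RocketMQ", "12345678", "10.0.0.5", "SEND_MESSAGE", {("topic", "TopicTest3"): "PUB"})
    consume = make_request("RocketMQ", "12345678", "10.0.0.5", "PULL_MESSAGE",
                           {("topic", "TopicTest"): "SUB", ("group", "please_rename_unique_group_name_4"): "SUB"})
    print(validate(ACL_CONFIG, send), validate(ACL_CONFIG, consume))
```

Run against the article's own configuration, the model denies the send to TopicTest3 (defaultTopicPerm is DENY) and denies the subscription to TopicTest (the account owns PUB, not SUB, on that topic), which is exactly the outcome section 4 reports. Note that a whitelist hit returns before the credential and permission checks, which is why the text warns about the "*" rule.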

4. Usage example

4.1 Installation on the Broker side

First, add the parameter aclEnable=true to the broker.conf file, and copy the distribution/conf/plain_acl.yml file to the ${ROCKETMQ_HOME}/conf directory.

The configuration file for broker.conf is as follows:

```properties
brokerClusterName = DefaultCluster
brokerName = broker-b
brokerId = 0
deleteWhen = 04
fileReservedTime = 48
brokerRole = ASYNC_MASTER
flushDiskType = ASYNC_FLUSH
listenPort=10915
storePathRootDir=E:/SH2019/tmp/rocketmq_home/rocketmq4.5MB/store
storePathCommitLog=E:/SH2019/tmp/rocketmq_home/rocketmq4.5MB/store/commitlog
namesrvAddr=127.0.0.1:9876
autoCreateTopicEnable=false
aclEnable=true
```

The plain_acl.yml file is as follows:

```yaml
globalWhiteRemoteAddresses:

accounts:
- accessKey: RocketMQ
  secretKey: 12345678
  whiteRemoteAddress:
  admin: false
  defaultTopicPerm: DENY
  defaultGroupPerm: SUB
  topicPerms:
  - TopicTest=PUB
  groupPerms:
  # the group should convert to retry topic
  - oms_consumer_group=DENY

- accessKey: admin
  secretKey: 12345678
  whiteRemoteAddress:
  # if it is admin, it could access all resources
  admin: true
```

As can be seen from the above configuration, the user RocketMQ can only send messages to TopicTest; it has no permission to send to any other topic. Consumption by the consumer group oms_consumer_group is denied, while all other consumer groups are allowed to consume by default (defaultGroupPerm: SUB).

Message sender example:

```java
import org.apache.rocketmq.acl.common.AclClientRPCHook;
import org.apache.rocketmq.acl.common.SessionCredentials;
import org.apache.rocketmq.client.exception.MQClientException;
import org.apache.rocketmq.client.producer.DefaultMQProducer;
import org.apache.rocketmq.client.producer.SendResult;
import org.apache.rocketmq.common.message.Message;
import org.apache.rocketmq.remoting.RPCHook;
import org.apache.rocketmq.remoting.common.RemotingHelper;

public class AclProducer {
    public static void main(String[] args) throws MQClientException, InterruptedException {
        // the ACL hook attaches the accessKey and a signature to every request sent to the Broker
        DefaultMQProducer producer = new DefaultMQProducer("please_rename_unique_group_name", getAclRPCHook());
        producer.setNamesrvAddr("127.0.0.1:9876");
        producer.start();
        for (int i = 0; i < 1; i++) {
            try {
                Message msg = new Message("TopicTest3", "TagA",
                    ("Hello RocketMQ " + i).getBytes(RemotingHelper.DEFAULT_CHARSET));
                SendResult sendResult = producer.send(msg);
                System.out.printf("%s%n", sendResult);
            } catch (Exception e) {
                e.printStackTrace();
                Thread.sleep(1000);
            }
        }
        producer.shutdown();
    }

    static RPCHook getAclRPCHook() {
        // the accessKey must match the accessKey in plain_acl.yml exactly (the lookup is case-sensitive)
        return new AclClientRPCHook(new SessionCredentials("RocketMQ", "12345678"));
    }
}
```

The running effect is shown in the figure:

Message consumer example:

```java
import java.util.List;

import org.apache.rocketmq.acl.common.AclClientRPCHook;
import org.apache.rocketmq.acl.common.SessionCredentials;
import org.apache.rocketmq.client.consumer.DefaultMQPushConsumer;
import org.apache.rocketmq.client.consumer.listener.ConsumeConcurrentlyContext;
import org.apache.rocketmq.client.consumer.listener.ConsumeConcurrentlyStatus;
import org.apache.rocketmq.client.consumer.listener.MessageListenerConcurrently;
import org.apache.rocketmq.client.consumer.rebalance.AllocateMessageQueueAveragely;
import org.apache.rocketmq.client.exception.MQClientException;
import org.apache.rocketmq.common.consumer.ConsumeFromWhere;
import org.apache.rocketmq.common.message.MessageExt;
import org.apache.rocketmq.remoting.RPCHook;

public class AclConsumer {
    public static void main(String[] args) throws InterruptedException, MQClientException {
        // the ACL hook signs every request with the account's credentials
        DefaultMQPushConsumer consumer = new DefaultMQPushConsumer("please_rename_unique_group_name_4",
            getAclRPCHook(), new AllocateMessageQueueAveragely());
        consumer.setConsumeFromWhere(ConsumeFromWhere.CONSUME_FROM_FIRST_OFFSET);
        consumer.subscribe("TopicTest", "*");
        consumer.setNamesrvAddr("127.0.0.1:9876");
        consumer.registerMessageListener(new MessageListenerConcurrently() {
            @Override
            public ConsumeConcurrentlyStatus consumeMessage(List<MessageExt> msgs, ConsumeConcurrentlyContext context) {
                System.out.printf("%s Receive New Messages: %s %n", Thread.currentThread().getName(), msgs);
                return ConsumeConcurrentlyStatus.CONSUME_SUCCESS;
            }
        });
        consumer.start();
        System.out.printf("Consumer Started.%n");
    }

    static RPCHook getAclRPCHook() {
        // AclClientRPCHook takes a SessionCredentials object, not bare strings;
        // the accessKey must match plain_acl.yml exactly (the lookup is case-sensitive)
        return new AclClientRPCHook(new SessionCredentials("RocketMQ", "12345678"));
    }
}
```

No messages are consumed, which is in line with expectations: the RocketMQ account has only PUB permission on TopicTest and defaultTopicPerm is DENY, so the subscription to TopicTest is rejected.

This concludes the overview of the principle and use of RocketMQ ACL. Combining the theory above with the practical example is the best way to learn it, so go and try it out.
