How to customize plain_acl.yml content? #184

Open
chixianliangGithub opened this issue Oct 5, 2023 · 6 comments
Labels
enhancement New feature or request

Comments

@chixianliangGithub commented Oct 5, 2023

In broker-config, I add aclEnable=true.
I want to customize plain_acl.yml.
[image]

caigy added the enhancement (New feature or request) label Oct 6, 2023

@caigy (Contributor) commented Oct 6, 2023

It seems like the broker CRD does not support mounting the ACL configuration files directly.

@caigy (Contributor) commented Oct 6, 2023

@chixianliangGithub Pls try if the following works:

  1. Place your ACL config file in the same directory for broker store, which will be mounted to store folder in the broker pod.
  2. Set the system property rocketmq.acl.plain.file as store/${YOUR_ACL_CONF_FILE_NAME}, e.g. store/plain_acl.yml.

@chixianliangGithub (Author) commented

> @chixianliangGithub Pls try if the following works:
>
>   1. Place your ACL config file in the same directory for broker store, which will be mounted to store folder in the broker pod.
>   2. Set the system property rocketmq.acl.plain.file as store/${YOUR_ACL_CONF_FILE_NAME}, e.g. store/plain_acl.yml.

Can you give a complete example?
I tried it; it seems it does not work.

@moweilong commented

This is how I enabled ACL:

  1. Add the contents of plain_acl.yml to the broker-config ConfigMap, as shown below:

apiVersion: v1
kind: ConfigMap
metadata:
  name: broker-config
data:
  # BROKER_MEM sets the broker JVM, if set to "" then Xms = Xmx = max(min(1/2 ram, 1024MB), min(1/4 ram, 8GB))
  BROKER_MEM: " -Xms2g -Xmx2g -Xmn1g "
  broker-common.conf: |
    # brokerClusterName, brokerName, brokerId are automatically generated by the operator and do not set it manually!!!
    deleteWhen=04
    fileReservedTime=48
    flushDiskType=ASYNC_FLUSH
    # set brokerRole to ASYNC_MASTER or SYNC_MASTER. DO NOT set to SLAVE because the replica instance will automatically be set!!!
    brokerRole=ASYNC_MASTER
    aclEnable = true
  plain_acl.yml: |-
    globalWhiteRemoteAddresses:
      - 10.10.*.*
      - 10.11.*.*
      - 10.16.13.*

    accounts:
      - accessKey: xxxxxxxxxxxx
        secretKey: xxxxxxxxxxxx
        whiteRemoteAddress:
        admin: false
        defaultTopicPerm: PUB|SUB
        defaultGroupPerm: PUB|SUB
        topicPerms:
          - topicA=DENY
          - topicB=PUB|SUB
          - topicC=SUB
        groupPerms:
          # the group should convert to retry topic
          - groupA=DENY
          - groupB=PUB|SUB
          - groupC=SUB

      - accessKey: xxxxxxxxxxxx
        secretKey: xxxxxxxxxxxx
        whiteRemoteAddress:
        # if it is admin, it could access all resources
        admin: true

  2. Mount the ConfigMap in the MQ cluster's StatefulSets broker-0-master and broker-0-replica-1, as shown below:

    spec:
      volumes:
        # ...
        - name: broker-acl
          configMap:
            name: broker-config
            items:
              - key: plain_acl.yml
                path: plain_acl.yml
            defaultMode: 420
        # ...
          volumeMounts:
            # ...
            - name: broker-acl
              mountPath: /root/rocketmq/broker/conf/plain_acl.yml
              subPath: plain_acl.yml

  3. Delete the pods of StatefulSets broker-0-master and broker-0-replica-1.
  4. Open a shell in the pod and run the following command to print the full ACL configuration of the cluster/broker; replace the nameserver IP with your own:

./mqadmin getAccessConfigSubCommand -n 10.210.95.195:9876 -c broker
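Before mounting a plain_acl.yml like the one above, it helps to see what it actually grants. The following is an added example (not code from rocketmq-operator or from anyone in this thread): a small Python model of the order in which a RocketMQ broker evaluates its plain ACL (global whitelist, account lookup, per-account whitelist, admin flag, explicit topicPerms/groupPerms, then the account defaults), plus an audit() pass that flags the entries in this file that widen access the most. The ACL dict is a constructed copy of the YAML posted above, with a made-up accessKey ("admin-xxxxxxxx") for the second account so the two placeholder keys do not collide. Request signature verification and the range/CIDR address syntaxes are deliberately not modelled; only the "*" octet wildcard is.

```python
"""Simplified model of how a RocketMQ broker evaluates plain_acl.yml.

Added example, not project code. Models the documented check order of the
broker's plain ACL; signature verification is out of scope.
"""

# Permission bits as used by RocketMQ's Permission class.
DENY, ANY, PUB, SUB = 1, 2, 4, 8
PERM_NAMES = {"DENY": DENY, "PUB": PUB, "SUB": SUB}

ACL = {  # constructed: mirrors the plain_acl.yml posted in this issue
    "globalWhiteRemoteAddresses": ["10.10.*.*", "10.11.*.*", "10.16.13.*"],
    "accounts": [
        {
            "accessKey": "xxxxxxxxxxxx",
            "secretKey": "xxxxxxxxxxxx",
            "whiteRemoteAddress": None,
            "admin": False,
            "defaultTopicPerm": "PUB|SUB",
            "defaultGroupPerm": "PUB|SUB",
            "topicPerms": ["topicA=DENY", "topicB=PUB|SUB", "topicC=SUB"],
            "groupPerms": ["groupA=DENY", "groupB=PUB|SUB", "groupC=SUB"],
        },
        {
            "accessKey": "admin-xxxxxxxx",  # hypothetical distinct key
            "secretKey": "xxxxxxxxxxxx",
            "whiteRemoteAddress": None,
            "admin": True,
        },
    ],
}


def parse_perm(spec):
    """'PUB|SUB' -> PUB|SUB bitmask. Any unknown token yields DENY (fail closed)."""
    bits = 0
    for tok in (spec or "DENY").split("|"):
        bits |= PERM_NAMES.get(tok.strip().upper(), DENY)
    return bits


def perm_allows(needed, owned):
    """Broker rule: an explicit DENY always wins; ANY is satisfied by PUB or SUB."""
    if owned & DENY:
        return False
    if needed & ANY:
        return bool(owned & (PUB | SUB))
    return bool(needed & owned)


def ip_matches(pattern, ip):
    """Octet-wise match where '*' is a wildcard; None/empty never matches."""
    if not pattern:
        return False
    pat, octets = pattern.split("."), ip.split(".")
    return len(pat) == len(octets) and all(p in ("*", o) for p, o in zip(pat, octets))


def lookup_perm(account, kind, name):
    """Explicit topicPerms/groupPerms entry, else the account's default perm."""
    perms = account.get("groupPerms" if kind == "group" else "topicPerms", [])
    for entry in perms:
        res, _, spec = entry.partition("=")
        if res.strip() == name:
            return parse_perm(spec)
    # The broker keys consumer groups by their retry topic (%RETRY%<group>);
    # matching on the bare group name is equivalent for this model.
    default = "defaultGroupPerm" if kind == "group" else "defaultTopicPerm"
    return parse_perm(account.get(default, "DENY"))  # modelled fail-closed


def check_access(acl, access_key, remote_ip, kind, name, needed):
    """Return (allowed, reason) for one request against the parsed ACL."""
    for pat in acl.get("globalWhiteRemoteAddresses", []):
        if ip_matches(pat, remote_ip):
            return True, f"global whitelist {pat}: no credential or perm checked"
    account = next((a for a in acl["accounts"] if a["accessKey"] == access_key), None)
    if account is None:
        return False, "no account for this accessKey"
    if ip_matches(account.get("whiteRemoteAddress"), remote_ip):
        return True, "account whitelist: request signature skipped"
    if account.get("admin"):
        return True, "admin account: every resource allowed"
    owned = lookup_perm(account, kind, name)
    return perm_allows(needed, owned), f"{kind} {name}: owned={owned} needed={needed}"


def audit(acl):
    """Flag the settings in this file that widen access the most."""
    findings = []
    for pat in acl.get("globalWhiteRemoteAddresses", []):
        if "*" in pat:
            findings.append(f"global whitelist '{pat}' lets a whole range skip auth")
    for a in acl["accounts"]:
        ak = a["accessKey"]
        if a.get("admin"):
            findings.append(f"account '{ak}' is admin (full access)")
        sk = a.get("secretKey", "")
        if len(sk) < 12 or len(set(sk)) <= 2:  # heuristic for placeholder secrets
            findings.append(f"account '{ak}' has a placeholder or weak secretKey")
    return findings


if __name__ == "__main__":
    print(check_access(ACL, "nobody", "10.10.3.4", "topic", "topicA", PUB))
    print(check_access(ACL, "xxxxxxxxxxxx", "192.168.1.5", "topic", "topicC", PUB))
    for finding in audit(ACL):
        print("-", finding)
```

Two things the model makes visible that the YAML alone does not: a client anywhere in 10.10.0.0/16 reaches topicA with no credentials even though topicA is DENY for the named account (the global whitelist is checked before anything else), and the second account's admin: true makes its topicPerms irrelevant. The audit output is the checklist to work through before the file goes into the ConfigMap.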

@zhengbucuo commented

> volumeMounts:

That's a pretty wild way to do it. Shouldn't volumeMounts be defined inside kind: Broker?

@wolf27w commented Mar 14, 2024

The correct way is to replace /home/rocketmq/rocketmq-4.9.7/conf/plain_acl.yml with the plain_acl.yml from the ConfigMap.
