RocketMQ cluster ACL setup

1. Overview

For security reasons, ACL (access control) needs to be enabled on RocketMQ.

Note: the ACL feature requires a recent RocketMQ version; older versions do not support it. This article uses version 4.9.4.


For setting up the RocketMQ cluster itself, see: https://www.cnblogs.com/xiao987334176/p/16771899.html


2. Configuration

Edit the configuration files broker-a/broker-a.conf and broker-b/broker-b.conf and append the following as the last line:

aclEnable=true

This enables the ACL feature. The brokers read this setting at startup, so they must be restarted for it to take effect.


Edit broker-a/plain_acl.yml and broker-b/plain_acl.yml:

globalWhiteRemoteAddresses:
  - 10.10.103.*
  - 192.168.0.*
  - 172.24.0.*
#  - 101.95.106.218
#  - 192.168.137.138

accounts:
  - accessKey: RocketMQ
    secretKey: 12345678
    whiteRemoteAddress:
    admin: false
    defaultTopicPerm: DENY
    defaultGroupPerm: SUB
    topicPerms:
      - topicA=DENY
      - topicB=PUB|SUB
      - topicC=SUB
    groupPerms:
      # the group should convert to retry topic
      - groupA=DENY
      - groupB=PUB|SUB
      - groupC=SUB

  - accessKey: rocketmq2
    secretKey: 12345678
    whiteRemoteAddress: 192.168.137.138
    # if it is admin, it could access all resources
    admin: true

Notes:
globalWhiteRemoteAddresses: the global whitelist of remote addresses, i.e. client connection addresses. A client connecting from one of these addresses is accepted even if its credentials are wrong, so these ranges effectively bypass authentication and should be kept as narrow as possible.
accessKey and secretKey: the username and password used by a client to connect.
whiteRemoteAddress: the whitelist of addresses for this particular account; here the username and password must be correct.
PUB is publish permission, SUB is subscribe (i.e. consume) permission; configure them as needed. Topics and groups not listed under topicPerms and groupPerms fall back to defaultTopicPerm and defaultGroupPerm respectively, and an account with admin: true may access all resources.
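To make the permission rules above concrete, here is an added example (not from the post or from RocketMQ's own code base) that models how a broker evaluates this plain_acl.yml for a request: the global whitelist is consulted first, then the account's admin flag, then topicPerms/groupPerms with the default permissions as fallback. Signature verification and the per-account whiteRemoteAddress are not modelled, and the address matcher handles only exact addresses and `*` wildcards, a subset of RocketMQ's syntax.

```python
from fnmatch import fnmatchcase

# The post's plain_acl.yml transcribed as a dict (constructed for this example;
# secretKeys are omitted because signature checks are not modelled here).
ACL = {
    "globalWhiteRemoteAddresses": ["10.10.103.*", "192.168.0.*", "172.24.0.*"],
    "accounts": {
        "RocketMQ": {
            "admin": False,
            "defaultTopicPerm": "DENY",
            "defaultGroupPerm": "SUB",
            "topicPerms": {"topicA": "DENY", "topicB": "PUB|SUB", "topicC": "SUB"},
            "groupPerms": {"groupA": "DENY", "groupB": "PUB|SUB", "groupC": "SUB"},
        },
        "rocketmq2": {"admin": True},
    },
}

RETRY_PREFIX = "%RETRY%"  # a consumer group is checked as its retry topic %RETRY%<group>


def ip_matches(patterns, ip):
    """Assumption: only exact addresses and '*' wildcards are supported."""
    return any(fnmatchcase(ip, p) for p in patterns)


def perm_allows(owned, needed):
    """owned is e.g. 'PUB|SUB', 'SUB' or 'DENY'; needed is 'PUB' or 'SUB'."""
    return owned != "DENY" and needed in owned.split("|")


def authorize(client_ip, access_key, resource, needed, acl=ACL):
    """Return True if `needed` ('PUB'/'SUB') on `resource` is permitted.
    `resource` is a topic name, or '%RETRY%<group>' for a consumer group."""
    # 1. Global whitelist: accepted before any credential is looked at.
    if ip_matches(acl["globalWhiteRemoteAddresses"], client_ip):
        return True
    # 2. The accessKey must exist in the accounts list.
    account = acl["accounts"].get(access_key)
    if account is None:
        return False
    # 3. Admin accounts may access every topic and group.
    if account.get("admin"):
        return True
    # 4. Explicit topicPerms/groupPerms, otherwise the default permission (DENY if unset).
    if resource.startswith(RETRY_PREFIX):
        perms, default = account.get("groupPerms", {}), account.get("defaultGroupPerm", "DENY")
        owned = perms.get(resource[len(RETRY_PREFIX):], default)
    else:
        perms, default = account.get("topicPerms", {}), account.get("defaultTopicPerm", "DENY")
        owned = perms.get(resource, default)
    return perm_allows(owned, needed)
```

With the post's configuration, the RocketMQ account can publish to topicB but not to topicC, is denied on any unlisted topic (defaultTopicPerm: DENY) yet may consume from any unlisted group (defaultGroupPerm: SUB), and any client in 10.10.103.* is accepted regardless of its accessKey.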


Edit docker-compose.yml:

version: '3.5'
services:
  rmqnamesrv-a:
    image: apache/rocketmq:4.9.4
    container_name: rmqnamesrv-a
    ports:
      - 9876:9876
    volumes:
      - /opt/rocketmq/logs/nameserver-a:/home/rocketmq/logs
      - /opt/rocketmq/broker-b/broker-b.conf:/home/rocketmq/rocketmq-4.9.4/conf/broker.conf
      - /opt/rocketmq/broker-a/plain_acl.yml:/home/rocketmq/rocketmq-4.9.4/conf/plain_acl.yml
    command: sh mqnamesrv
    networks:
      rmq:
        aliases:
          - rmqnamesrv-a

  rmqnamesrv-b:
    image: apache/rocketmq:4.9.4
    container_name: rmqnamesrv-b
    ports:
      - 9877:9876
    volumes:
      - /opt/rocketmq/logs/nameserver-b:/home/rocketmq/logs
      - /opt/rocketmq/broker-b/broker-b.conf:/home/rocketmq/rocketmq-4.9.4/conf/broker.conf
      - /opt/rocketmq/broker-a/plain_acl.yml:/home/rocketmq/rocketmq-4.9.4/conf/plain_acl.yml
    command: sh mqnamesrv
    networks:
      rmq:
        aliases:
          - rmqnamesrv-b

  rmqbroker-a:
    image: apache/rocketmq:4.9.4
    container_name: rmqbroker-a
    ports:
      - 10911:10911
    volumes:
      - /opt/rocketmq/logs/broker-a/logs:/home/rocketmq/logs
      - /opt/rocketmq/store/broker-a/store:/home/rocketmq/store
      - /opt/rocketmq/broker-a/broker-a.conf:/home/rocketmq/rocketmq-4.9.4/conf/broker.conf
      # broker-a reads its own ACL file
      - /opt/rocketmq/broker-a/plain_acl.yml:/home/rocketmq/rocketmq-4.9.4/conf/plain_acl.yml
    environment:
      TZ: Asia/Shanghai
      NAMESRV_ADDR: "rmqnamesrv-a:9876"
      JAVA_OPTS: " -Duser.home=/opt"
      JAVA_OPT_EXT: "-server -Xms256m -Xmx256m -Xmn256m"
    command: sh mqbroker -c /home/rocketmq/rocketmq-4.9.4/conf/broker.conf
    links:
      - rmqnamesrv-a:rmqnamesrv-a
      - rmqnamesrv-b:rmqnamesrv-b
    networks:
      rmq:
        aliases:
          - rmqbroker-a

  rmqbroker-b:
    image: apache/rocketmq:4.9.4
    container_name: rmqbroker-b
    ports:
      - 10912:10912
    volumes:
      - /opt/rocketmq/logs/broker-b/logs:/home/rocketmq/logs
      - /opt/rocketmq/store/broker-b/store:/home/rocketmq/store
      - /opt/rocketmq/broker-b/broker-b.conf:/home/rocketmq/rocketmq-4.9.4/conf/broker.conf
      # broker-b must mount the broker-b ACL file edited above, not broker-a's
      - /opt/rocketmq/broker-b/plain_acl.yml:/home/rocketmq/rocketmq-4.9.4/conf/plain_acl.yml
    environment:
      TZ: Asia/Shanghai
      # inside the rmq network the name server listens on its container port 9876;
      # 9877 is only the host-side mapping of rmqnamesrv-b
      NAMESRV_ADDR: "rmqnamesrv-b:9876"
      JAVA_OPTS: " -Duser.home=/opt"
      JAVA_OPT_EXT: "-server -Xms256m -Xmx256m -Xmn256m"
    command: sh mqbroker -c /home/rocketmq/rocketmq-4.9.4/conf/broker.conf
    links:
      - rmqnamesrv-a:rmqnamesrv-a
      - rmqnamesrv-b:rmqnamesrv-b
    networks:
      rmq:
        aliases:
          - rmqbroker-b

  rmqconsole:
    image: apacherocketmq/rocketmq-dashboard
    container_name: rmqconsole
    ports:
      - 8087:8080
    environment:
      # both name servers are reached on container port 9876 from within the rmq network;
      # the dashboard authenticates to the brokers with the admin account from plain_acl.yml
      JAVA_OPTS: "-Drocketmq.namesrv.addr=rmqnamesrv-a:9876;rmqnamesrv-b:9876 -Dcom.rocketmq.sendMessageWithVIPChannel=false -Drocketmq.config.accessKey=rocketmq2 -Drocketmq.config.secretKey=12345678"
    volumes:
      - /opt/rocketmq/console-ng/data:/tmp/rocketmq-console/data
    networks:
      rmq:
        aliases:
          - rmqconsole

networks:
  rmq:
    name: rmq
    driver: bridge

If ACL is enabled, the dashboard must be configured with an accessKey and secretKey (the rocketmq.config.accessKey and rocketmq.config.secretKey properties above). It is recommended to give it an admin account; otherwise some dashboard functions will fail for lack of permission.


Open the console and check that the cluster data is displayed correctly.


posted @ 2024-08-18 09:35 肖祥