RocketMQ cluster ACL configuration
1. Overview
For security reasons, access control (ACL) has to be added to the RocketMQ cluster.
Note: ACL is only available in newer releases (it was introduced in RocketMQ 4.4.0); older versions do not support it. The version used in this post is 4.9.4.
For building the RocketMQ cluster itself, see: https://www.cnblogs.com/xiao987334176/p/16771899.html
2. Configuration
Append the following line to broker-a/broker-a.conf and broker-b/broker-b.conf:
aclEnable=true
This switches the ACL check on for that broker. It has to be set on every broker in the cluster; a broker without it accepts unauthenticated requests regardless of what plain_acl.yml says.
Edit broker-a/plain_acl.yml and broker-b/plain_acl.yml (each broker reads its own copy, so keep the two files identical):
globalWhiteRemoteAddresses:
  - 10.10.103.*
  - 192.168.0.*
  - 172.24.0.*
#  - 101.95.106.218
#  - 192.168.137.138

accounts:
  - accessKey: RocketMQ
    secretKey: 12345678
    whiteRemoteAddress:
    admin: false
    defaultTopicPerm: DENY
    defaultGroupPerm: SUB
    topicPerms:
      - topicA=DENY
      - topicB=PUB|SUB
      - topicC=SUB
    groupPerms:
      # the group should convert to retry topic
      - groupA=DENY
      - groupB=PUB|SUB
      - groupC=SUB

  - accessKey: rocketmq2
    secretKey: 12345678
    whiteRemoteAddress: 192.168.137.138
    # if it is admin, it could access all resources
    admin: true
Notes:
globalWhiteRemoteAddresses: the global IP whitelist, matched against the client's remote address. A client connecting from a matching address skips the ACL check altogether, so it gets in even with a wrong or missing secretKey. Keep this list as narrow as possible: the three wildcard entries above admit every host on those subnets.
accessKey and secretKey: the username and password of an account. Both must be longer than 6 characters, otherwise the broker rejects the file. The client never sends the secretKey over the wire; it signs each request with it and the broker verifies the signature. RocketMQ / 12345678 is the sample account shipped in the distribution's plain_acl.yml, so replace it before exposing the cluster.
whiteRemoteAddress: the per-account IP whitelist; empty means the account may be used from any address. Unlike the global list it is only consulted for requests that already present this accessKey. The 4.x broker checks it before verifying the signature, so an entry here is an exemption for that account rather than an extra restriction; leave it empty unless you need it.
admin: an administrative account may run the management operations (creating and deleting topics, updating the ACL configuration, and so on) that ordinary accounts are refused, and with no topicPerms/groupPerms of its own it can access every resource. This is the kind of account the dashboard needs.
defaultTopicPerm and defaultGroupPerm: the permission applied to any topic or consumer group that is not listed explicitly in topicPerms/groupPerms.
Permissions: DENY, PUB (publish), SUB (subscribe, i.e. consume) and PUB|SUB. A consumer needs SUB on the topic and on its consumer group; the group is checked as its retry topic (%RETRY%groupName), which is what the comment in the file refers to. Grant only what each client actually needs.
The broker watches plain_acl.yml and reloads it when it changes, so later edits to accounts and permissions do not require a restart.
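The following producer and consumer show how a client authenticates against the account list above. This is an added example, not code from the original post or from the RocketMQ project; it assumes rocketmq-client and rocketmq-acl 4.9.4 on the classpath, a name server reachable at 127.0.0.1:9876 (the host port published by the compose file), and the plain_acl.yml from this post loaded on the brokers. Topic and group names are the ones from that file; "topicD" is a made-up topic used only to show the defaultTopicPerm fallback.

```java
package acldemo;

import java.nio.charset.StandardCharsets;

import org.apache.rocketmq.acl.common.AclClientRPCHook;
import org.apache.rocketmq.acl.common.SessionCredentials;
import org.apache.rocketmq.client.consumer.DefaultMQPushConsumer;
import org.apache.rocketmq.client.consumer.listener.ConsumeConcurrentlyStatus;
import org.apache.rocketmq.client.consumer.listener.MessageListenerConcurrently;
import org.apache.rocketmq.client.consumer.rebalance.AllocateMessageQueueAveragely;
import org.apache.rocketmq.client.exception.MQBrokerException;
import org.apache.rocketmq.client.producer.DefaultMQProducer;
import org.apache.rocketmq.client.producer.SendResult;
import org.apache.rocketmq.common.message.Message;
import org.apache.rocketmq.common.message.MessageExt;
import org.apache.rocketmq.remoting.RPCHook;

// Added example (not from the original post): a client using the "RocketMQ"
// account from the plain_acl.yml above. Name server address is an assumption.
public class AclClientDemo {
    private static final String NAMESRV = "127.0.0.1:9876";
    // Sample credentials copied from the post's ACL file; 12345678 is the stock
    // sample key shipped with RocketMQ and must be changed in a real deployment.
    private static final String ACCESS_KEY = "RocketMQ";
    private static final String SECRET_KEY = "12345678";

    // The hook attaches the accessKey and an HMAC-SHA1 signature (computed with
    // the secretKey over the request fields) to every request; the broker
    // recomputes the signature and then applies topicPerms/groupPerms.
    static RPCHook aclHook() {
        return new AclClientRPCHook(new SessionCredentials(ACCESS_KEY, SECRET_KEY));
    }

    static void send(String topic) throws Exception {
        DefaultMQProducer producer = new DefaultMQProducer("groupB", aclHook());
        producer.setNamesrvAddr(NAMESRV);
        // The VIP channel is listenPort-2, which the compose file does not publish.
        producer.setVipChannelEnabled(false);
        producer.start();
        try {
            Message msg = new Message(topic, "tag", "hello".getBytes(StandardCharsets.UTF_8));
            SendResult r = producer.send(msg);
            System.out.println(topic + ": " + r.getSendStatus());
        } catch (MQBrokerException e) {
            // topicA=DENY and unlisted topics (defaultTopicPerm=DENY) are refused by
            // the broker with response code NO_PERMISSION (16).
            System.out.println(topic + ": rejected, code=" + e.getResponseCode()
                + " " + e.getErrorMessage());
        } finally {
            producer.shutdown();
        }
    }

    static void consume() throws Exception {
        // groupB=PUB|SUB and topicB=PUB|SUB, so this consumer is permitted; the
        // broker checks SUB on topicB and on the retry topic %RETRY%groupB.
        DefaultMQPushConsumer consumer = new DefaultMQPushConsumer(
            "groupB", aclHook(), new AllocateMessageQueueAveragely());
        consumer.setNamesrvAddr(NAMESRV);
        consumer.subscribe("topicB", "*");
        consumer.registerMessageListener((MessageListenerConcurrently) (msgs, ctx) -> {
            for (MessageExt m : msgs) {
                System.out.println("received: " + new String(m.getBody(), StandardCharsets.UTF_8));
            }
            return ConsumeConcurrentlyStatus.CONSUME_SUCCESS;
        });
        consumer.start();
    }

    public static void main(String[] args) throws Exception {
        send("topicB"); // PUB granted explicitly
        send("topicA"); // listed as DENY
        send("topicD"); // not listed, falls back to defaultTopicPerm=DENY
        consume();      // SUB granted on topicB and groupB
    }
}
```

With a correct secretKey the first send succeeds and the other two are rejected by the broker, which is the quickest way to confirm that aclEnable=true is actually in force on every broker. Changing SECRET_KEY to a wrong value makes even the topicB send fail with a signature error, unless the client's address falls inside globalWhiteRemoteAddresses, in which case all three sends succeed; that is the bypass the global whitelist grants.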
Edit docker-compose.yml:
version: '3.5'
services:
  rmqnamesrv-a:
    image: apache/rocketmq:4.9.4
    container_name: rmqnamesrv-a
    ports:
      - 9876:9876
    volumes:
      - /opt/rocketmq/logs/nameserver-a:/home/rocketmq/logs
      - /opt/rocketmq/broker-b/broker-b.conf:/home/rocketmq/rocketmq-4.9.4/conf/broker.conf
      - /opt/rocketmq/broker-a/plain_acl.yml:/home/rocketmq/rocketmq-4.9.4/conf/plain_acl.yml
    command: sh mqnamesrv
    networks:
      rmq:
        aliases:
          - rmqnamesrv-a
  rmqnamesrv-b:
    image: apache/rocketmq:4.9.4
    container_name: rmqnamesrv-b
    ports:
      # 9877 is the host-side port only; inside the rmq network this name server still listens on 9876
      - 9877:9876
    volumes:
      - /opt/rocketmq/logs/nameserver-b:/home/rocketmq/logs
      - /opt/rocketmq/broker-b/broker-b.conf:/home/rocketmq/rocketmq-4.9.4/conf/broker.conf
      - /opt/rocketmq/broker-a/plain_acl.yml:/home/rocketmq/rocketmq-4.9.4/conf/plain_acl.yml
    command: sh mqnamesrv
    networks:
      rmq:
        aliases:
          - rmqnamesrv-b
  rmqbroker-a:
    image: apache/rocketmq:4.9.4
    container_name: rmqbroker-a
    ports:
      - 10911:10911
    volumes:
      - /opt/rocketmq/logs/broker-a/logs:/home/rocketmq/logs
      - /opt/rocketmq/store/broker-a/store:/home/rocketmq/store
      - /opt/rocketmq/broker-a/broker-a.conf:/home/rocketmq/rocketmq-4.9.4/conf/broker.conf
      # the ACL file must sit next to broker.conf in the broker's conf directory
      - /opt/rocketmq/broker-a/plain_acl.yml:/home/rocketmq/rocketmq-4.9.4/conf/plain_acl.yml
    environment:
      TZ: Asia/Shanghai
      # register with both name servers, using the container-side port 9876 for each
      NAMESRV_ADDR: "rmqnamesrv-a:9876;rmqnamesrv-b:9876"
      JAVA_OPTS: " -Duser.home=/opt"
      JAVA_OPT_EXT: "-server -Xms256m -Xmx256m -Xmn256m"
    command: sh mqbroker -c /home/rocketmq/rocketmq-4.9.4/conf/broker.conf
    links:
      - rmqnamesrv-a:rmqnamesrv-a
      - rmqnamesrv-b:rmqnamesrv-b
    networks:
      rmq:
        aliases:
          - rmqbroker-a
  rmqbroker-b:
    image: apache/rocketmq:4.9.4
    container_name: rmqbroker-b
    ports:
      - 10912:10912
    volumes:
      - /opt/rocketmq/logs/broker-b/logs:/home/rocketmq/logs
      - /opt/rocketmq/store/broker-b/store:/home/rocketmq/store
      - /opt/rocketmq/broker-b/broker-b.conf:/home/rocketmq/rocketmq-4.9.4/conf/broker.conf
      # broker-b mounts its own copy of the ACL file
      - /opt/rocketmq/broker-b/plain_acl.yml:/home/rocketmq/rocketmq-4.9.4/conf/plain_acl.yml
    environment:
      TZ: Asia/Shanghai
      NAMESRV_ADDR: "rmqnamesrv-a:9876;rmqnamesrv-b:9876"
      JAVA_OPTS: " -Duser.home=/opt"
      JAVA_OPT_EXT: "-server -Xms256m -Xmx256m -Xmn256m"
    command: sh mqbroker -c /home/rocketmq/rocketmq-4.9.4/conf/broker.conf
    links:
      - rmqnamesrv-a:rmqnamesrv-a
      - rmqnamesrv-b:rmqnamesrv-b
    networks:
      rmq:
        aliases:
          - rmqbroker-b
  rmqconsole:
    image: apacherocketmq/rocketmq-dashboard
    container_name: rmqconsole
    ports:
      - 8087:8080
    environment:
      # the dashboard authenticates to the brokers with the admin account from plain_acl.yml
      JAVA_OPTS: "-Drocketmq.namesrv.addr=rmqnamesrv-a:9876;rmqnamesrv-b:9876 -Dcom.rocketmq.sendMessageWithVIPChannel=false -Drocketmq.config.accessKey=rocketmq2 -Drocketmq.config.secretKey=12345678"
    volumes:
      - /opt/rocketmq/console-ng/data:/tmp/rocketmq-console/data
    networks:
      rmq:
        aliases:
          - rmqconsole
networks:
  rmq:
    name: rmq
    driver: bridge
With ACL enabled, the dashboard must be given an accessKey and secretKey (rocketmq.config.accessKey / rocketmq.config.secretKey). Use an admin account; with an ordinary account the broker refuses the management calls and parts of the console simply report no permission. -Dcom.rocketmq.sendMessageWithVIPChannel=false is required because the VIP channel is listenPort minus 2, a port the compose file does not publish. Inside the rmq network both name servers listen on 9876; 9877 is only the host-side mapping of rmqnamesrv-b, so it must not appear in NAMESRV_ADDR or rocketmq.namesrv.addr. Note also that anything placed in JAVA_OPTS, the secretKey included, is readable by anyone on the host who can run docker inspect.
Then open the console (port 8087 on the host) and check that the cluster, brokers and topics display correctly.