Before Creating the Bug Report
I found a bug, not just asking a question, which should be created in GitHub Discussions.
I have searched the GitHub Issues and GitHub Discussions of this repository and believe that this is not a duplicate.
I have confirmed that this bug belongs to the current repository, not other repositories of RocketMQ.
Runtime platform environment
Oracle Linux 9
RocketMQ version
5.3.0
JDK Version
OpenJDK 21
Describe the Bug
ACL 2.0 cannot be enabled properly.
Steps to Reproduce
Using the traditional architecture (no Proxy started; 2 master + 2 slave Brokers, 2 NameServers), enable ACL 2.0 with the following steps:
1. Edit the broker conf file and add the following:
aclEnable=true
authenticationEnabled = true
authenticationProvider = org.apache.rocketmq.auth.authentication.provider.DefaultAuthenticationProvider
initAuthenticationUser = {"username":"rocketmq","password":"admin#123"}
innerClientAuthenticationCredentials = {"accessKey":"rocketmq","secretKey":"admin#123"}
authenticationMetadataProvider = org.apache.rocketmq.auth.authentication.provider.LocalAuthenticationMetadataProvider
authorizationEnabled = true
authorizationProvider = org.apache.rocketmq.auth.authorization.provider.DefaultAuthorizationProvider
authorizationMetadataProvider = org.apache.rocketmq.auth.authorization.provider.LocalAuthorizationMetadataProvider
2. Restart the broker process.
3. Edit the mqadmin client configuration file $ROCKETMQ_HOME/conf/tools.yml:
......
#accessKey: rocketmq2
#secretKey: 12345678
accessKey: rocketmq
secretKey: admin#123
......
4. Run the following command on the mqadmin client to query the ACL configuration:
./mqadmin listacl
--namesrvAddr <NameServer_IP>:<NameServer_Port>
--clusterName
4.1 When the mqadmin client runs on a NameServer or Broker host,
./mqadmin listacl
--namesrvAddr <NameServer_IP>:<NameServer_Port>
--clusterName
the result is returned normally.
4.2 When the mqadmin client is not a NameServer or Broker (i.e. a host outside the RocketMQ cluster),
./mqadmin listacl
--namesrvAddr <NameServer_IP>:<NameServer_Port>
--clusterName
the following error is returned:
org.apache.rocketmq.tools.command.SubCommandException: ListAclSubCommand command failed
at org.apache.rocketmq.tools.command.auth.ListAclSubCommand.execute(ListAclSubCommand.java:114)
at org.apache.rocketmq.tools.command.MQAdminStartup.main0(MQAdminStartup.java:177)
at org.apache.rocketmq.tools.command.MQAdminStartup.main(MQAdminStartup.java:127)
Caused by: org.apache.rocketmq.client.exception.MQBrokerException: CODE: 1 DESC: org.apache.rocketmq.acl.common.AclException: No acl config for rocketmq, org.apache.rocketmq.acl.plain.PlainPermissionManager.validate(PlainPermissionManager.java:606)
For more information, please visit the url, https://rocketmq.apache.org/docs/bestPractice/06FAQ
at org.apache.rocketmq.client.impl.MQClientAPIImpl.listAcl(MQClientAPIImpl.java:3492)
at org.apache.rocketmq.tools.admin.DefaultMQAdminExtImpl.listAcl(DefaultMQAdminExtImpl.java:1998)
at org.apache.rocketmq.tools.admin.DefaultMQAdminExt.listAcl(DefaultMQAdminExt.java:941)
at org.apache.rocketmq.tools.command.auth.ListAclSubCommand.execute(ListAclSubCommand.java:104)
What Did You Expect to See?
I expected to retrieve the ACL and user configuration normally.
What Did You See Instead?
An error is returned: the rocketmq user has no default ACL configuration and has no permission to run mqadmin.
Additional Context
I don't understand the underlying logic of ACL 2.0.
I enabled ACL 2.0 as described in the documentation:
- Modified the broker parameters, setting initAuthenticationUser and innerClientAuthenticationCredentials to rocketmq, with a custom secretKey for this user (not the default 12345678);
- Modified tools.yml on the mqadmin client to use the configured rocketmq user as the authentication identity when connecting to the NameServer, then ran mqadmin to call the ACL 2.0 API and view the default ACL configuration.
When the mqadmin client is not a NameServer, the error says rocketmq has no ACL configuration... I have the following questions:
As I understand it:
a. initAuthenticationUser specifies a user/password (AK/SK) that is created automatically when the cluster starts.
b. innerClientAuthenticationCredentials sets the administrator account that nodes use among themselves to manage authentication/authorization.
That is, when I set initAuthenticationUser = rocketmq / admin#123, it should be enough to set innerClientAuthenticationCredentials to rocketmq, which would guarantee the following policy:
Between cluster nodes (NameServer - Broker, Proxy - Broker), the rocketmq user can be used to configure and read accounts and permissions.
But why does innerClientAuthenticationCredentials need both AK and SK? What happens if initAuthenticationUser and innerClientAuthenticationCredentials have the same AK but different SKs? For example:
initAuthenticationUser = {"username":"rocketmq","password":"admin#123"}
innerClientAuthenticationCredentials = {"accessKey":"rocketmq","secretKey":"XXXXX"}
What behaviour results from the configuration above? Which SK does the rocketmq user actually have?
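The report above juggles the same credential in three places (the broker's initAuthenticationUser, its innerClientAuthenticationCredentials, and the mqadmin tools.yml) and asks what happens when they drift apart. The following is an added example, not RocketMQ's own code and not part of the issue: a small consistency check that parses a broker.conf and a tools.yml, reports any AK/SK divergence between the three sources, and flags the case where the legacy aclEnable switch is on alongside the ACL 2.0 switches, since the stack trace in the report comes from the plain-ACL validator (org.apache.rocketmq.acl.plain.PlainPermissionManager). The sample inputs are constructed from the values quoted in the report; the check does not answer which SK the broker ends up using, it only surfaces the divergence so it can be reviewed before rollout.

```python
"""Cross-check ACL 2.0 credential settings between a RocketMQ broker.conf
and the mqadmin tools.yml. Added example; not RocketMQ project code."""
import json
import re

# Constructed sample input mirroring the settings quoted in the report.
BROKER_CONF = """
aclEnable=true
authenticationEnabled = true
authenticationProvider = org.apache.rocketmq.auth.authentication.provider.DefaultAuthenticationProvider
initAuthenticationUser = {"username":"rocketmq","password":"admin#123"}
innerClientAuthenticationCredentials = {"accessKey":"rocketmq","secretKey":"admin#123"}
authorizationEnabled = true
"""

# Constructed tools.yml; the commented-out rocketmq2 lines must be ignored.
TOOLS_YML = """
#accessKey: rocketmq2
#secretKey: 12345678
accessKey: rocketmq
secretKey: admin#123
"""


def parse_properties(text):
    """Parse key=value lines (broker.conf style); '#' lines and blanks are skipped.
    Only the first '=' splits, so JSON values containing '=' would survive."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def parse_flat_yaml(text):
    """Parse the flat 'key: value' lines used in tools.yml without a YAML
    library. Lines beginning with '#' are comments and are not read."""
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*:\s*(.*)$", line)
        if m:
            result[m.group(1)] = m.group(2).strip().strip("'\"")
    return result


def check_acl2_config(broker_conf, tools_yml):
    """Return a list of findings; an empty list means all three credential
    sources agree and the legacy ACL switch is off."""
    props = parse_properties(broker_conf)
    tools = parse_flat_yaml(tools_yml)
    findings = []

    init_user = json.loads(props.get("initAuthenticationUser", "{}"))
    inner = json.loads(props.get("innerClientAuthenticationCredentials", "{}"))

    # 1. Broker-internal client credentials vs. the bootstrap user.
    if inner.get("accessKey") != init_user.get("username"):
        findings.append("innerClientAuthenticationCredentials.accessKey differs "
                        "from initAuthenticationUser.username")
    if inner.get("secretKey") != init_user.get("password"):
        findings.append("innerClientAuthenticationCredentials.secretKey differs "
                        "from initAuthenticationUser.password")

    # 2. mqadmin credentials vs. the bootstrap user.
    if tools.get("accessKey") != init_user.get("username"):
        findings.append("tools.yml accessKey does not match initAuthenticationUser.username")
    if tools.get("secretKey") != init_user.get("password"):
        findings.append("tools.yml secretKey does not match initAuthenticationUser.password")

    # 3. Legacy plain-ACL switch left on next to the ACL 2.0 switches.
    acl1 = props.get("aclEnable", "false").lower() == "true"
    acl2 = props.get("authenticationEnabled", "false").lower() == "true"
    if acl1 and acl2:
        findings.append("aclEnable=true and authenticationEnabled=true are both set; "
                        "requests may also be validated by the plain ACL "
                        "(org.apache.rocketmq.acl.plain) path")
    return findings


if __name__ == "__main__":
    for finding in check_acl2_config(BROKER_CONF, TOOLS_YML):
        print("WARN:", finding)
    # The hypothetical from the report: same AK, different SK.
    mismatched = BROKER_CONF.replace('"secretKey":"admin#123"', '"secretKey":"XXXXX"')
    for finding in check_acl2_config(mismatched, TOOLS_YML):
        print("WARN (mismatched SK):", finding)
```

Run against the report's own values the check emits only the aclEnable/authenticationEnabled finding; substituting the XXXXX secretKey from the hypothetical adds the SK-divergence finding, which is the situation the report asks about.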