未验证 提交 1dca088a 编写于 作者: H Heng Du 提交者: GitHub

Merge pull request #628 from zongtanghu/feature_acl

[ISSUE#403] Fix some bugs and optimize code for RocketMQ's ACL feature.
...@@ -30,7 +30,7 @@ public class SessionCredentials { ...@@ -30,7 +30,7 @@ public class SessionCredentials {
public static final String SECURITY_TOKEN = "SecurityToken"; public static final String SECURITY_TOKEN = "SecurityToken";
public static final String KEY_FILE = System.getProperty("rocketmq.client.keyFile", public static final String KEY_FILE = System.getProperty("rocketmq.client.keyFile",
System.getProperty("user.home") + File.separator + "onskey"); System.getProperty("user.home") + File.separator + "key");
private String accessKey; private String accessKey;
private String secretKey; private String secretKey;
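Review bot: The KEY_FILE default moves from `user.home/onskey` to `user.home/key`, so a client that relied on the old default location stops finding its credentials after upgrading, with no diagnostic pointing at the rename. If the rename is deliberate it should be called out in the commit description or changelog, or the loader could fall back to the old name when the new file is absent. The rest of SessionCredentials is outside the hunk.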
......
...@@ -81,8 +81,8 @@ public class PlainPermissionLoader { ...@@ -81,8 +81,8 @@ public class PlainPermissionLoader {
} }
JSONArray accounts = accessControlTransport.getJSONArray("accounts"); JSONArray accounts = accessControlTransport.getJSONArray("accounts");
List<PlainAccessConfig> plainAccessList = accounts.toJavaList(PlainAccessConfig.class); if (accounts != null && !accounts.isEmpty()) {
if (plainAccessList != null && !plainAccessList.isEmpty()) { List<PlainAccessConfig> plainAccessList = accounts.toJavaList(PlainAccessConfig.class);
for (PlainAccessConfig plainAccess : plainAccessList) { for (PlainAccessConfig plainAccess : plainAccessList) {
this.addPlainAccessResource(getPlainAccessResource(plainAccess)); this.addPlainAccessResource(getPlainAccessResource(plainAccess));
} }
...@@ -168,6 +168,11 @@ public class PlainPermissionLoader { ...@@ -168,6 +168,11 @@ public class PlainPermissionLoader {
Map<String, Byte> needCheckedPermMap = needCheckedAccess.getResourcePermMap(); Map<String, Byte> needCheckedPermMap = needCheckedAccess.getResourcePermMap();
Map<String, Byte> ownedPermMap = ownedAccess.getResourcePermMap(); Map<String, Byte> ownedPermMap = ownedAccess.getResourcePermMap();
if (needCheckedPermMap == null) {
//if the needCheckedPermMap is null,then return
return;
}
for (Map.Entry<String, Byte> needCheckedEntry : needCheckedPermMap.entrySet()) { for (Map.Entry<String, Byte> needCheckedEntry : needCheckedPermMap.entrySet()) {
String resource = needCheckedEntry.getKey(); String resource = needCheckedEntry.getKey();
Byte neededPerm = needCheckedEntry.getValue(); Byte neededPerm = needCheckedEntry.getValue();
...@@ -223,16 +228,14 @@ public class PlainPermissionLoader { ...@@ -223,16 +228,14 @@ public class PlainPermissionLoader {
public void validate(PlainAccessResource plainAccessResource) { public void validate(PlainAccessResource plainAccessResource) {
//Step 1, check the global white remote addr //Step 1, check the global white remote addr
if (plainAccessResource.getAccessKey() == null) { for (RemoteAddressStrategy remoteAddressStrategy : globalWhiteRemoteAddressStrategy) {
if (globalWhiteRemoteAddressStrategy.isEmpty()) { if (remoteAddressStrategy.match(plainAccessResource)) {
throw new AclException(String.format("No accessKey is configured and no global white remote addr is configured")); return;
} }
for (RemoteAddressStrategy remoteAddressStrategy : globalWhiteRemoteAddressStrategy) { }
if (remoteAddressStrategy.match(plainAccessResource)) {
return; if (plainAccessResource.getAccessKey() == null) {
} throw new AclException(String.format("No accessKey is configured"));
}
throw new AclException(String.format("No accessKey is configured and no global white remote addr is matched"));
} }
if (!plainAccessResourceMap.containsKey(plainAccessResource.getAccessKey())) { if (!plainAccessResourceMap.containsKey(plainAccessResource.getAccessKey())) {
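Review bot: The reordered validate() lets a global white-list match return before the accessKey is looked at (the loop at the top of the hunk), so a request from a whitelisted address is accepted even when it carries an accessKey, whereas the removed branch consulted the whitelist only when no accessKey was present. If that widening is intended, the comment should say so: `//Step 1, a global white remote addr match grants access regardless of any accessKey`. `String.format("No accessKey is configured")` has no format arguments and can be the plain literal `throw new AclException("No accessKey is configured");`. In the hunk at -168 the new null guard covers needCheckedPermMap but not ownedPermMap, which comes from the same kind of getter; if the loop body dereferences it, a resource with needed perms but null owned perms would still NPE. The method enclosing that hunk, and validate() itself, continue outside the hunks.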
......
...@@ -21,19 +21,26 @@ import java.util.Set; ...@@ -21,19 +21,26 @@ import java.util.Set;
import org.apache.commons.lang3.StringUtils; import org.apache.commons.lang3.StringUtils;
import org.apache.rocketmq.acl.common.AclException; import org.apache.rocketmq.acl.common.AclException;
import org.apache.rocketmq.acl.common.AclUtils; import org.apache.rocketmq.acl.common.AclUtils;
import org.apache.rocketmq.common.constant.LoggerName;
import org.apache.rocketmq.logging.InternalLogger;
import org.apache.rocketmq.logging.InternalLoggerFactory;
public class RemoteAddressStrategyFactory { public class RemoteAddressStrategyFactory {
private static final InternalLogger log = InternalLoggerFactory.getLogger(LoggerName.ACL_PLUG_LOGGER_NAME);
public static final NullRemoteAddressStrategy NULL_NET_ADDRESS_STRATEGY = new NullRemoteAddressStrategy(); public static final NullRemoteAddressStrategy NULL_NET_ADDRESS_STRATEGY = new NullRemoteAddressStrategy();
public static final BlankRemoteAddressStrategy BLANK_NET_ADDRESS_STRATEGY = new BlankRemoteAddressStrategy();
public RemoteAddressStrategy getRemoteAddressStrategy(PlainAccessResource plainAccessResource) { public RemoteAddressStrategy getRemoteAddressStrategy(PlainAccessResource plainAccessResource) {
return getRemoteAddressStrategy(plainAccessResource.getWhiteRemoteAddress()); return getRemoteAddressStrategy(plainAccessResource.getWhiteRemoteAddress());
} }
public RemoteAddressStrategy getRemoteAddressStrategy(String remoteAddr) { public RemoteAddressStrategy getRemoteAddressStrategy(String remoteAddr) {
if (StringUtils.isBlank(remoteAddr)) { if (StringUtils.isBlank(remoteAddr)) {
throw new AclException("Must fill in the white list address"); log.warn("white list address is null");
return BLANK_NET_ADDRESS_STRATEGY;
} }
if ("*".equals(remoteAddr)) { if ("*".equals(remoteAddr)) {
return NULL_NET_ADDRESS_STRATEGY; return NULL_NET_ADDRESS_STRATEGY;
...@@ -62,6 +69,14 @@ public class RemoteAddressStrategyFactory { ...@@ -62,6 +69,14 @@ public class RemoteAddressStrategyFactory {
} }
public static class BlankRemoteAddressStrategy implements RemoteAddressStrategy {
@Override
public boolean match(PlainAccessResource plainAccessResource) {
return false;
}
}
public static class MultipleRemoteAddressStrategy implements RemoteAddressStrategy { public static class MultipleRemoteAddressStrategy implements RemoteAddressStrategy {
private final Set<String> multipleSet = new HashSet<>(); private final Set<String> multipleSet = new HashSet<>();
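Review bot: The warning `log.warn("white list address is null")` fires for any blank value, since the guard is `StringUtils.isBlank(remoteAddr)`, and it does not say what the factory does instead, so an operator reading the log cannot tell that the entry became a deny-all strategy; `log.warn("white list address is blank, using BlankRemoteAddressStrategy which matches no remote address");` would make the degradation visible. The new BlankRemoteAddressStrategy in the second hunk has no Javadoc; a one-liner such as `/** Strategy for a missing white-list address: match() always returns false, so no remote address is accepted. */` would document the fail-closed choice. The body of getRemoteAddressStrategy(String) continues outside the first hunk.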
......
...@@ -227,6 +227,7 @@ public class PlainPermissionLoaderTest { ...@@ -227,6 +227,7 @@ public class PlainPermissionLoaderTest {
File file = new File("src/test/resources/watch/conf"); File file = new File("src/test/resources/watch/conf");
file.mkdirs(); file.mkdirs();
File transport = new File("src/test/resources/watch/conf/plain_acl.yml"); File transport = new File("src/test/resources/watch/conf/plain_acl.yml");
transport.delete();
transport.createNewFile(); transport.createNewFile();
FileWriter writer = new FileWriter(transport); FileWriter writer = new FileWriter(transport);
...@@ -258,11 +259,6 @@ public class PlainPermissionLoaderTest { ...@@ -258,11 +259,6 @@ public class PlainPermissionLoaderTest {
plainAccessResourceMap = (Map<String, List<PlainAccessResource>>) FieldUtils.readDeclaredField(plainPermissionLoader, "plainAccessResourceMap", true); plainAccessResourceMap = (Map<String, List<PlainAccessResource>>) FieldUtils.readDeclaredField(plainPermissionLoader, "plainAccessResourceMap", true);
Assert.assertNotNull(plainAccessResourceMap.get("rokcet1")); Assert.assertNotNull(plainAccessResourceMap.get("rokcet1"));
transport.delete();
file.delete();
file = new File("src/test/resources/watch");
file.delete();
} }
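Review bot: Dropping the four cleanup lines at the end of the test means `src/test/resources/watch/conf/plain_acl.yml` and its directories now survive each run, which is presumably why `transport.delete();` had to be added before `createNewFile()`; state that leaks between tests is better removed in an `@After` method or kept in a JUnit `TemporaryFolder` rule than left on disk. The `FileWriter` opened at the last line of the first hunk is not visibly closed here; if it is not closed in the part of the method outside the hunk, it should be opened in try-with-resources. The method continues outside both hunks.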
@Test(expected = AclException.class) @Test(expected = AclException.class)
......
...@@ -24,10 +24,12 @@ public class RemoteAddressStrategyTest { ...@@ -24,10 +24,12 @@ public class RemoteAddressStrategyTest {
RemoteAddressStrategyFactory remoteAddressStrategyFactory = new RemoteAddressStrategyFactory(); RemoteAddressStrategyFactory remoteAddressStrategyFactory = new RemoteAddressStrategyFactory();
@Test(expected = AclException.class) @Test
public void netaddressStrategyFactoryExceptionTest() { public void netaddressStrategyFactoryExceptionTest() {
PlainAccessResource plainAccessResource = new PlainAccessResource(); PlainAccessResource plainAccessResource = new PlainAccessResource();
remoteAddressStrategyFactory.getRemoteAddressStrategy(plainAccessResource); remoteAddressStrategyFactory.getRemoteAddressStrategy(plainAccessResource);
Assert.assertEquals(remoteAddressStrategyFactory.getRemoteAddressStrategy(plainAccessResource).getClass(),
RemoteAddressStrategyFactory.BlankRemoteAddressStrategy.class);
} }
@Test @Test
...@@ -61,6 +63,10 @@ public class RemoteAddressStrategyTest { ...@@ -61,6 +63,10 @@ public class RemoteAddressStrategyTest {
plainAccessResource.setWhiteRemoteAddress("127.0.1-20.*"); plainAccessResource.setWhiteRemoteAddress("127.0.1-20.*");
remoteAddressStrategy = remoteAddressStrategyFactory.getRemoteAddressStrategy(plainAccessResource); remoteAddressStrategy = remoteAddressStrategyFactory.getRemoteAddressStrategy(plainAccessResource);
Assert.assertEquals(remoteAddressStrategy.getClass(), RemoteAddressStrategyFactory.RangeRemoteAddressStrategy.class); Assert.assertEquals(remoteAddressStrategy.getClass(), RemoteAddressStrategyFactory.RangeRemoteAddressStrategy.class);
plainAccessResource.setWhiteRemoteAddress("");
remoteAddressStrategy = remoteAddressStrategyFactory.getRemoteAddressStrategy(plainAccessResource);
Assert.assertEquals(remoteAddressStrategy.getClass(), RemoteAddressStrategyFactory.BlankRemoteAddressStrategy.class);
} }
@Test(expected = AclException.class) @Test(expected = AclException.class)
...@@ -78,6 +84,12 @@ public class RemoteAddressStrategyTest { ...@@ -78,6 +84,12 @@ public class RemoteAddressStrategyTest {
Assert.assertTrue(isMatch); Assert.assertTrue(isMatch);
} }
@Test
public void blankNetaddressStrategyTest() {
boolean isMatch = RemoteAddressStrategyFactory.BLANK_NET_ADDRESS_STRATEGY.match(new PlainAccessResource());
Assert.assertFalse(isMatch);
}
public void oneNetaddressStrategyTest() { public void oneNetaddressStrategyTest() {
PlainAccessResource plainAccessResource = new PlainAccessResource(); PlainAccessResource plainAccessResource = new PlainAccessResource();
plainAccessResource.setWhiteRemoteAddress("127.0.0.1"); plainAccessResource.setWhiteRemoteAddress("127.0.0.1");
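Review bot: In netaddressStrategyFactoryExceptionTest the call on the line after the constructor discards its result and the next line calls the factory again, so the first call is dead; keep a single call, `RemoteAddressStrategy strategy = remoteAddressStrategyFactory.getRemoteAddressStrategy(plainAccessResource);` and assert on `strategy.getClass()`. Since the method no longer expects an exception its name is misleading; `netaddressStrategyFactoryBlankTest` or similar would match what it checks. In the last hunk, `oneNetaddressStrategyTest` appears to carry no `@Test` annotation on either side of the diff, so it may not run at all — worth confirming against the full file.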
......
...@@ -499,6 +499,7 @@ public class BrokerController { ...@@ -499,6 +499,7 @@ public class BrokerController {
List<AccessValidator> accessValidators = ServiceProvider.load(ServiceProvider.ACL_VALIDATOR_ID, AccessValidator.class); List<AccessValidator> accessValidators = ServiceProvider.load(ServiceProvider.ACL_VALIDATOR_ID, AccessValidator.class);
if (accessValidators == null || accessValidators.isEmpty()) { if (accessValidators == null || accessValidators.isEmpty()) {
log.info("The broker dose not load the AccessValidator");
return; return;
} }
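Review bot: The new log message has a typo ("dose"), and it is emitted at info level on the path where the broker continues without any AccessValidator; if this code is reached with ACL switched on, that is exactly the situation where access checks are silently absent. `log.warn("The broker does not load any AccessValidator, ACL checks are not active");` at warn would make the gap visible in operations, or keep info only if this path is also taken when ACL is disabled. The enclosing method continues outside the hunk.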
......
org.apache.rocketmq.acl.plain.PlainAccessValidator
\ No newline at end of file
...@@ -42,6 +42,21 @@ public class BrokerControllerTest { ...@@ -42,6 +42,21 @@ public class BrokerControllerTest {
brokerController.shutdown(); brokerController.shutdown();
} }
@Test
public void testBrokerStartAclEnabled() throws Exception {
BrokerConfig brokerConfigAclEnabled = new BrokerConfig();
brokerConfigAclEnabled.setEnableAcl(true);
BrokerController brokerController = new BrokerController(
brokerConfigAclEnabled,
new NettyServerConfig(),
new NettyClientConfig(),
new MessageStoreConfig());
assertThat(brokerController.initialize());
brokerController.start();
brokerController.shutdown();
}
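Review bot: `assertThat(brokerController.initialize());` on its own asserts nothing — the value is only wrapped and no check runs, so an initialize() that returns false still passes this test; use `assertThat(brokerController.initialize()).isTrue();`. Because start() is called before shutdown() without try/finally, a failure inside start() leaves the broker running for the rest of the JVM and can affect later tests; `try { brokerController.start(); } finally { brokerController.shutdown(); }` keeps the cleanup deterministic.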
@After @After
public void destroy() { public void destroy() {
UtilAll.deleteFile(new File(new MessageStoreConfig().getStorePathRootDir())); UtilAll.deleteFile(new File(new MessageStoreConfig().getStorePathRootDir()));
......
org.apache.rocketmq.acl.DefaultAclRemotingServiceImpl org.apache.rocketmq.acl.plain.PlainAccessValidator
\ No newline at end of file \ No newline at end of file
...@@ -171,7 +171,11 @@ public class BrokerConfig { ...@@ -171,7 +171,11 @@ public class BrokerConfig {
@ImportantField @ImportantField
private long transactionCheckInterval = 60 * 1000; private long transactionCheckInterval = 60 * 1000;
private boolean enableAcl; /**
* Acl feature switch
*/
@ImportantField
private boolean enableAcl = false;
public static String localHostName() { public static String localHostName() {
......