From 459b246d28f2c865e2ef89e25f41103904416a55 Mon Sep 17 00:00:00 2001 From: wangshaojie4039 Date: Wed, 26 Dec 2018 18:51:23 +0800 Subject: [PATCH] [ISSUE#403] fix some bugs and Optimization code for rocketmq's acl feature. (#632) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * [ISSUE#403] fix some bugs and Optimization code for rocketmq's acl feature.  * [ISSUE#403] fix some bugs and Optimization code for rocketmq's acl feature.  * Update MQAdminStartup.java * Update MQAdminStartup.java --- .../rocketmq/acl/common/Permission.java | 6 +- .../acl/plain/PlainAccessValidator.java | 6 +- .../rocketmq/acl/common/PermissionTest.java | 21 ++--- .../acl/plain/PlainPermissionLoaderTest.java | 12 +-- distribution/conf/tools.yml | 19 +++++ tools/pom.xml | 4 + .../tools/command/MQAdminStartup.java | 76 +++++-------------- 7 files changed, 61 insertions(+), 83 deletions(-) create mode 100644 distribution/conf/tools.yml diff --git a/acl/src/main/java/org/apache/rocketmq/acl/common/Permission.java b/acl/src/main/java/org/apache/rocketmq/acl/common/Permission.java index c608f05d..7a95ee05 100644 --- a/acl/src/main/java/org/apache/rocketmq/acl/common/Permission.java +++ b/acl/src/main/java/org/apache/rocketmq/acl/common/Permission.java @@ -64,12 +64,10 @@ public class Permission { return Permission.PUB; case "SUB": return Permission.SUB; - case "ANY": - return Permission.ANY; case "PUB|SUB": - return Permission.ANY; + return Permission.PUB | Permission.SUB; case "SUB|PUB": - return Permission.ANY; + return Permission.PUB | Permission.SUB; case "DENY": return Permission.DENY; default: diff --git a/acl/src/main/java/org/apache/rocketmq/acl/plain/PlainAccessValidator.java b/acl/src/main/java/org/apache/rocketmq/acl/plain/PlainAccessValidator.java index d7150984..bb1c0a11 100644 --- a/acl/src/main/java/org/apache/rocketmq/acl/plain/PlainAccessValidator.java +++ b/acl/src/main/java/org/apache/rocketmq/acl/plain/PlainAccessValidator.java @@ -47,7 +47,11 @@ public class PlainAccessValidator implements AccessValidator { @Override public AccessResource parse(RemotingCommand request, String remoteAddr) { PlainAccessResource accessResource = new PlainAccessResource(); - accessResource.setWhiteRemoteAddress(remoteAddr); + if (remoteAddr != null && remoteAddr.contains(":")) { + accessResource.setWhiteRemoteAddress(remoteAddr.split(":")[0]); + } else { + accessResource.setWhiteRemoteAddress(remoteAddr); + } accessResource.setRequestCode(request.getCode()); accessResource.setAccessKey(request.getExtFields().get(SessionCredentials.ACCESS_KEY)); accessResource.setSignature(request.getExtFields().get(SessionCredentials.SIGNATURE)); diff --git a/acl/src/test/java/org/apache/rocketmq/acl/common/PermissionTest.java b/acl/src/test/java/org/apache/rocketmq/acl/common/PermissionTest.java index 2d998cc4..31820ad7 100644 --- a/acl/src/test/java/org/apache/rocketmq/acl/common/PermissionTest.java +++ b/acl/src/test/java/org/apache/rocketmq/acl/common/PermissionTest.java @@ -35,14 +35,11 @@ public class PermissionTest { perm = Permission.parsePermFromString("SUB"); Assert.assertEquals(perm, Permission.SUB); - perm = Permission.parsePermFromString("ANY"); - Assert.assertEquals(perm, Permission.ANY); - perm = Permission.parsePermFromString("PUB|SUB"); - Assert.assertEquals(perm, Permission.ANY); + Assert.assertEquals(perm, Permission.PUB|Permission.SUB); perm = Permission.parsePermFromString("SUB|PUB"); - Assert.assertEquals(perm, Permission.ANY); + Assert.assertEquals(perm, Permission.PUB|Permission.SUB); perm = Permission.parsePermFromString("DENY"); Assert.assertEquals(perm, Permission.DENY); @@ -66,8 +63,14 @@ public class PermissionTest { boo = Permission.checkPermission(Permission.SUB, Permission.SUB); Assert.assertTrue(boo); - boo = Permission.checkPermission(Permission.ANY, Permission.ANY); - Assert.assertFalse(boo); + boo = Permission.checkPermission(Permission.PUB, (byte) (Permission.PUB|Permission.SUB)); + Assert.assertTrue(boo); + + boo = Permission.checkPermission(Permission.SUB, (byte) (Permission.PUB|Permission.SUB)); + Assert.assertTrue(boo); + + boo = Permission.checkPermission(Permission.ANY, (byte) (Permission.PUB|Permission.SUB)); + Assert.assertTrue(boo); boo = Permission.checkPermission(Permission.ANY, Permission.SUB); Assert.assertTrue(boo); @@ -108,7 +111,7 @@ public class PermissionTest { Assert.assertEquals(perm, Permission.DENY); perm = resourcePermMap.get(PlainAccessResource.getRetryTopic("groupB")); - Assert.assertEquals(perm, Permission.ANY); + Assert.assertEquals(perm,Permission.PUB|Permission.SUB); perm = resourcePermMap.get(PlainAccessResource.getRetryTopic("groupC")); Assert.assertEquals(perm, Permission.PUB); @@ -124,7 +127,7 @@ public class PermissionTest { Assert.assertEquals(perm, Permission.DENY); perm = resourcePermMap.get("topicB"); - Assert.assertEquals(perm, Permission.ANY); + Assert.assertEquals(perm, Permission.PUB|Permission.SUB); perm = resourcePermMap.get("topicC"); Assert.assertEquals(perm, Permission.PUB); diff --git a/acl/src/test/java/org/apache/rocketmq/acl/plain/PlainPermissionLoaderTest.java b/acl/src/test/java/org/apache/rocketmq/acl/plain/PlainPermissionLoaderTest.java index 2bd5b8ce..68f6e119 100644 --- a/acl/src/test/java/org/apache/rocketmq/acl/plain/PlainPermissionLoaderTest.java +++ b/acl/src/test/java/org/apache/rocketmq/acl/plain/PlainPermissionLoaderTest.java @@ -108,14 +108,6 @@ public class PlainPermissionLoaderTest { plainAccessResource = plainPermissionLoader.getPlainAccessResource(plainAccess); Assert.assertEquals(plainAccessResource.isAdmin(), true); - plainAccess.setDefaultGroupPerm("ANY"); - plainAccessResource = plainPermissionLoader.getPlainAccessResource(plainAccess); - Assert.assertEquals(plainAccessResource.getDefaultGroupPerm(), Permission.ANY); - - plainAccess.setDefaultTopicPerm("ANY"); - plainAccessResource = plainPermissionLoader.getPlainAccessResource(plainAccess); - Assert.assertEquals(plainAccessResource.getDefaultTopicPerm(), Permission.ANY); - List groups = new ArrayList(); groups.add("groupA=DENY"); groups.add("groupB=PUB|SUB"); @@ -126,7 +118,7 @@ public class PlainPermissionLoaderTest { Assert.assertEquals(resourcePermMap.size(), 3); Assert.assertEquals(resourcePermMap.get(PlainAccessResource.getRetryTopic("groupA")).byteValue(), Permission.DENY); - Assert.assertEquals(resourcePermMap.get(PlainAccessResource.getRetryTopic("groupB")).byteValue(), Permission.ANY); + Assert.assertEquals(resourcePermMap.get(PlainAccessResource.getRetryTopic("groupB")).byteValue(), Permission.PUB|Permission.SUB); Assert.assertEquals(resourcePermMap.get(PlainAccessResource.getRetryTopic("groupC")).byteValue(), Permission.PUB); List topics = new ArrayList(); @@ -139,7 +131,7 @@ public class PlainPermissionLoaderTest { Assert.assertEquals(resourcePermMap.size(), 6); Assert.assertEquals(resourcePermMap.get("topicA").byteValue(), Permission.DENY); - Assert.assertEquals(resourcePermMap.get("topicB").byteValue(), Permission.ANY); + Assert.assertEquals(resourcePermMap.get("topicB").byteValue(), Permission.PUB|Permission.SUB); Assert.assertEquals(resourcePermMap.get("topicC").byteValue(), Permission.PUB); } diff --git a/distribution/conf/tools.yml b/distribution/conf/tools.yml new file mode 100644 index 00000000..b9096967 --- /dev/null +++ b/distribution/conf/tools.yml @@ -0,0 +1,19 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + + +accessKey: aliyun.com +secretKey: 12345678 + diff --git a/tools/pom.xml b/tools/pom.xml index 086c3e64..a4a8630b 100644 --- a/tools/pom.xml +++ b/tools/pom.xml @@ -37,6 +37,10 @@ ${project.groupId} rocketmq-client + + ${project.groupId} + rocketmq-acl + ${project.groupId} rocketmq-store diff --git a/tools/src/main/java/org/apache/rocketmq/tools/command/MQAdminStartup.java b/tools/src/main/java/org/apache/rocketmq/tools/command/MQAdminStartup.java index 34e9f451..065e4175 100644 --- a/tools/src/main/java/org/apache/rocketmq/tools/command/MQAdminStartup.java +++ b/tools/src/main/java/org/apache/rocketmq/tools/command/MQAdminStartup.java @@ -19,17 +19,16 @@ package org.apache.rocketmq.tools.command; import ch.qos.logback.classic.LoggerContext; import ch.qos.logback.classic.joran.JoranConfigurator; import ch.qos.logback.core.joran.spi.JoranException; -import java.io.File; -import java.io.FileInputStream; -import java.io.IOException; import java.util.ArrayList; -import java.util.HashMap; import java.util.List; -import java.util.Map; +import com.alibaba.fastjson.JSONObject; import org.apache.commons.cli.CommandLine; import org.apache.commons.cli.Options; import org.apache.commons.cli.PosixParser; import org.apache.commons.lang3.StringUtils; +import org.apache.rocketmq.acl.common.AclClientRPCHook; +import org.apache.rocketmq.acl.common.AclUtils; +import org.apache.rocketmq.acl.common.SessionCredentials; import org.apache.rocketmq.common.MQVersion; import org.apache.rocketmq.common.MixAll; import org.apache.rocketmq.remoting.RPCHook; @@ -79,7 +78,6 @@ import org.apache.rocketmq.tools.command.topic.UpdateOrderConfCommand; import org.apache.rocketmq.tools.command.topic.UpdateTopicPermSubCommand; import org.apache.rocketmq.tools.command.topic.UpdateTopicSubCommand; import org.slf4j.LoggerFactory; -import org.yaml.snakeyaml.Yaml; public class MQAdminStartup { protected static List subCommandList = new ArrayList(); @@ -250,62 +248,22 @@ public class MQAdminStartup { public static RPCHook getAclRPCHook(CommandLine commandLine) { String fileHome = System.getProperty(MixAll.ROCKETMQ_HOME_PROPERTY, System.getenv(MixAll.ROCKETMQ_HOME_ENV)); - File file = new File(fileHome + "/conf/tools.yml"); - if (!file.exists()) { - System.out.printf("file %s is not exist \n", file.getPath()); + String fileName = "/conf/tools.yml"; + JSONObject yamlDataObject = AclUtils.getYamlDataObject(fileHome + fileName , + JSONObject.class); + + if (yamlDataObject == null || yamlDataObject.isEmpty()) { + System.out.printf(" Cannot find conf file %s, acl is not be enabled.%n" ,fileHome + fileName); return null; } - Yaml ymal = new Yaml(); - FileInputStream fis = null; - Map> map = null; - try { - fis = new FileInputStream(file); - map = ymal.loadAs(fis, Map.class); - } catch (Exception e) { - e.printStackTrace(); - } finally { - if (fis != null) { - try { - fis.close(); - } catch (IOException e) { - e.printStackTrace(); - } - } - } - if (map == null || map.isEmpty()) { - System.out.printf("file %s is no data", file.getPath()); + // admin ak sk + String accessKey = yamlDataObject.getString("accessKey"); + String secretKey = yamlDataObject.getString("secretKey"); + + if (StringUtils.isBlank(accessKey) || StringUtils.isBlank(secretKey)) { + System.out.printf("AccessKey or secretKey is blank, the acl is not enabled.%n"); return null; } - - final Map> newMap = map; - return new RPCHook() { - - @Override - public void doBeforeRequest(String remoteAddr, RemotingCommand request) { - System.out.printf("remoteAddr is %s code %d \n", remoteAddr, request.getCode()); - String fastRemoteAddr = null; - if (remoteAddr != null) { - String[] ipAndPost = StringUtils.split(remoteAddr, ":"); - Integer fastPost = Integer.valueOf(ipAndPost[1]) + 2; - fastRemoteAddr = ipAndPost[0] + ":" + fastPost.toString(); - } - Map map; - if ((map = newMap.get(remoteAddr)) != null || (map = newMap.get(fastRemoteAddr)) != null || (map = newMap.get("all")) != null) { - HashMap ext = request.getExtFields(); - if (ext == null) { - ext = new HashMap<>(); - request.setExtFields(ext); - } - ext.put("account", map.get("account").toString()); - ext.put("password", map.get("password").toString()); - } - - } - - @Override - public void doAfterResponse(String remoteAddr, RemotingCommand request, RemotingCommand response) { - } - }; - + return new AclClientRPCHook(new SessionCredentials(accessKey,secretKey)); } } -- GitLab