提交 459b246d 编写于 作者: W wangshaojie4039 提交者: Zhendong Liu

[ISSUE#403] fix some bugs and Optimization code for rocketmq's acl feature. (#632)

* [ISSUE#403] fix some bugs and Optimization code for rocketmq's acl feature. 

* [ISSUE#403] fix some bugs and Optimization code for rocketmq's acl feature. 

* Update MQAdminStartup.java

* Update MQAdminStartup.java
上级 04726187
...@@ -64,12 +64,10 @@ public class Permission { ...@@ -64,12 +64,10 @@ public class Permission {
return Permission.PUB; return Permission.PUB;
case "SUB": case "SUB":
return Permission.SUB; return Permission.SUB;
case "ANY":
return Permission.ANY;
case "PUB|SUB": case "PUB|SUB":
return Permission.ANY; return Permission.PUB | Permission.SUB;
case "SUB|PUB": case "SUB|PUB":
return Permission.ANY; return Permission.PUB | Permission.SUB;
case "DENY": case "DENY":
return Permission.DENY; return Permission.DENY;
default: default:
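Review bot: With `case "ANY"` dropped from this switch, an ACL entry written as `ANY` now falls through to the `default:` branch, whose result is outside the hunk, so the effective permission of existing configuration that uses that string changes with no signal to the operator. `Permission.ANY` is still referenced by the tests on this page, so the constant remains but apparently can no longer be expressed in configuration. If the removal is intended, the default branch should make it visible, for example by logging the unrecognised value before returning, and a test should pin the result of `Permission.parsePermFromString("ANY")`. The PermissionTest and PlainPermissionLoaderTest sections drop the old `ANY` assertions without adding such a test. The switch and its enclosing method begin and end outside this hunk.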
......
...@@ -47,7 +47,11 @@ public class PlainAccessValidator implements AccessValidator { ...@@ -47,7 +47,11 @@ public class PlainAccessValidator implements AccessValidator {
@Override @Override
public AccessResource parse(RemotingCommand request, String remoteAddr) { public AccessResource parse(RemotingCommand request, String remoteAddr) {
PlainAccessResource accessResource = new PlainAccessResource(); PlainAccessResource accessResource = new PlainAccessResource();
accessResource.setWhiteRemoteAddress(remoteAddr); if (remoteAddr != null && remoteAddr.contains(":")) {
accessResource.setWhiteRemoteAddress(remoteAddr.split(":")[0]);
} else {
accessResource.setWhiteRemoteAddress(remoteAddr);
}
accessResource.setRequestCode(request.getCode()); accessResource.setRequestCode(request.getCode());
accessResource.setAccessKey(request.getExtFields().get(SessionCredentials.ACCESS_KEY)); accessResource.setAccessKey(request.getExtFields().get(SessionCredentials.ACCESS_KEY));
accessResource.setSignature(request.getExtFields().get(SessionCredentials.SIGNATURE)); accessResource.setSignature(request.getExtFields().get(SessionCredentials.SIGNATURE));
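Review bot: `remoteAddr.split(":")[0]` in the added branch assumes an IPv4 `host:port` string. For an IPv6 peer the first `:` lies inside the address, so `setWhiteRemoteAddress` would receive a fragment (an empty string when the address begins with `::`), and an input consisting only of `:` produces an empty array and an `ArrayIndexOutOfBoundsException`. This value appears to feed the address whitelist check, so a truncated address could match or miss entries unexpectedly. Cutting at the last separator is safer: `int idx = remoteAddr.lastIndexOf(':');` followed by `accessResource.setWhiteRemoteAddress(idx > 0 ? remoteAddr.substring(0, idx) : remoteAddr);`. `parse` continues past the end of this hunk.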
......
...@@ -35,14 +35,11 @@ public class PermissionTest { ...@@ -35,14 +35,11 @@ public class PermissionTest {
perm = Permission.parsePermFromString("SUB"); perm = Permission.parsePermFromString("SUB");
Assert.assertEquals(perm, Permission.SUB); Assert.assertEquals(perm, Permission.SUB);
perm = Permission.parsePermFromString("ANY");
Assert.assertEquals(perm, Permission.ANY);
perm = Permission.parsePermFromString("PUB|SUB"); perm = Permission.parsePermFromString("PUB|SUB");
Assert.assertEquals(perm, Permission.ANY); Assert.assertEquals(perm, Permission.PUB|Permission.SUB);
perm = Permission.parsePermFromString("SUB|PUB"); perm = Permission.parsePermFromString("SUB|PUB");
Assert.assertEquals(perm, Permission.ANY); Assert.assertEquals(perm, Permission.PUB|Permission.SUB);
perm = Permission.parsePermFromString("DENY"); perm = Permission.parsePermFromString("DENY");
Assert.assertEquals(perm, Permission.DENY); Assert.assertEquals(perm, Permission.DENY);
...@@ -66,8 +63,14 @@ public class PermissionTest { ...@@ -66,8 +63,14 @@ public class PermissionTest {
boo = Permission.checkPermission(Permission.SUB, Permission.SUB); boo = Permission.checkPermission(Permission.SUB, Permission.SUB);
Assert.assertTrue(boo); Assert.assertTrue(boo);
boo = Permission.checkPermission(Permission.ANY, Permission.ANY); boo = Permission.checkPermission(Permission.PUB, (byte) (Permission.PUB|Permission.SUB));
Assert.assertFalse(boo); Assert.assertTrue(boo);
boo = Permission.checkPermission(Permission.SUB, (byte) (Permission.PUB|Permission.SUB));
Assert.assertTrue(boo);
boo = Permission.checkPermission(Permission.ANY, (byte) (Permission.PUB|Permission.SUB));
Assert.assertTrue(boo);
boo = Permission.checkPermission(Permission.ANY, Permission.SUB); boo = Permission.checkPermission(Permission.ANY, Permission.SUB);
Assert.assertTrue(boo); Assert.assertTrue(boo);
...@@ -108,7 +111,7 @@ public class PermissionTest { ...@@ -108,7 +111,7 @@ public class PermissionTest {
Assert.assertEquals(perm, Permission.DENY); Assert.assertEquals(perm, Permission.DENY);
perm = resourcePermMap.get(PlainAccessResource.getRetryTopic("groupB")); perm = resourcePermMap.get(PlainAccessResource.getRetryTopic("groupB"));
Assert.assertEquals(perm, Permission.ANY); Assert.assertEquals(perm,Permission.PUB|Permission.SUB);
perm = resourcePermMap.get(PlainAccessResource.getRetryTopic("groupC")); perm = resourcePermMap.get(PlainAccessResource.getRetryTopic("groupC"));
Assert.assertEquals(perm, Permission.PUB); Assert.assertEquals(perm, Permission.PUB);
...@@ -124,7 +127,7 @@ public class PermissionTest { ...@@ -124,7 +127,7 @@ public class PermissionTest {
Assert.assertEquals(perm, Permission.DENY); Assert.assertEquals(perm, Permission.DENY);
perm = resourcePermMap.get("topicB"); perm = resourcePermMap.get("topicB");
Assert.assertEquals(perm, Permission.ANY); Assert.assertEquals(perm, Permission.PUB|Permission.SUB);
perm = resourcePermMap.get("topicC"); perm = resourcePermMap.get("topicC");
Assert.assertEquals(perm, Permission.PUB); Assert.assertEquals(perm, Permission.PUB);
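Review bot: The assertions added in the `@@ -66,8 +63,14` hunk only exercise the grant path for an owner holding `PUB|SUB`, and the one `Assert.assertFalse` at that position becomes `Assert.assertTrue`, so nothing visible here checks that a request is ever refused. For access-control code the denial case is the more important one to pin. Unless it is already covered outside the hunk, add something like `boo = Permission.checkPermission(Permission.PUB, Permission.SUB);` followed by `Assert.assertFalse(boo);`. The repeated `(byte) (Permission.PUB|Permission.SUB)` cast would also read better as one local constant. The test method starts and ends outside the hunk.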
......
...@@ -108,14 +108,6 @@ public class PlainPermissionLoaderTest { ...@@ -108,14 +108,6 @@ public class PlainPermissionLoaderTest {
plainAccessResource = plainPermissionLoader.getPlainAccessResource(plainAccess); plainAccessResource = plainPermissionLoader.getPlainAccessResource(plainAccess);
Assert.assertEquals(plainAccessResource.isAdmin(), true); Assert.assertEquals(plainAccessResource.isAdmin(), true);
plainAccess.setDefaultGroupPerm("ANY");
plainAccessResource = plainPermissionLoader.getPlainAccessResource(plainAccess);
Assert.assertEquals(plainAccessResource.getDefaultGroupPerm(), Permission.ANY);
plainAccess.setDefaultTopicPerm("ANY");
plainAccessResource = plainPermissionLoader.getPlainAccessResource(plainAccess);
Assert.assertEquals(plainAccessResource.getDefaultTopicPerm(), Permission.ANY);
List<String> groups = new ArrayList<String>(); List<String> groups = new ArrayList<String>();
groups.add("groupA=DENY"); groups.add("groupA=DENY");
groups.add("groupB=PUB|SUB"); groups.add("groupB=PUB|SUB");
...@@ -126,7 +118,7 @@ public class PlainPermissionLoaderTest { ...@@ -126,7 +118,7 @@ public class PlainPermissionLoaderTest {
Assert.assertEquals(resourcePermMap.size(), 3); Assert.assertEquals(resourcePermMap.size(), 3);
Assert.assertEquals(resourcePermMap.get(PlainAccessResource.getRetryTopic("groupA")).byteValue(), Permission.DENY); Assert.assertEquals(resourcePermMap.get(PlainAccessResource.getRetryTopic("groupA")).byteValue(), Permission.DENY);
Assert.assertEquals(resourcePermMap.get(PlainAccessResource.getRetryTopic("groupB")).byteValue(), Permission.ANY); Assert.assertEquals(resourcePermMap.get(PlainAccessResource.getRetryTopic("groupB")).byteValue(), Permission.PUB|Permission.SUB);
Assert.assertEquals(resourcePermMap.get(PlainAccessResource.getRetryTopic("groupC")).byteValue(), Permission.PUB); Assert.assertEquals(resourcePermMap.get(PlainAccessResource.getRetryTopic("groupC")).byteValue(), Permission.PUB);
List<String> topics = new ArrayList<String>(); List<String> topics = new ArrayList<String>();
...@@ -139,7 +131,7 @@ public class PlainPermissionLoaderTest { ...@@ -139,7 +131,7 @@ public class PlainPermissionLoaderTest {
Assert.assertEquals(resourcePermMap.size(), 6); Assert.assertEquals(resourcePermMap.size(), 6);
Assert.assertEquals(resourcePermMap.get("topicA").byteValue(), Permission.DENY); Assert.assertEquals(resourcePermMap.get("topicA").byteValue(), Permission.DENY);
Assert.assertEquals(resourcePermMap.get("topicB").byteValue(), Permission.ANY); Assert.assertEquals(resourcePermMap.get("topicB").byteValue(), Permission.PUB|Permission.SUB);
Assert.assertEquals(resourcePermMap.get("topicC").byteValue(), Permission.PUB); Assert.assertEquals(resourcePermMap.get("topicC").byteValue(), Permission.PUB);
} }
......
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
accessKey: aliyun.com
secretKey: 12345678
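Review bot: This file commits a working-looking `accessKey`/`secretKey` pair, and `12345678` is a trivially guessable secret. If the broker-side ACL sample (not shown on this page) carries the same admin account, a deployment that enables ACL without editing both files runs with publicly known admin credentials. Use an obviously non-functional placeholder and say so in the file, e.g. add `# Sample values only: replace with the admin credentials configured on the broker before enabling ACL.` above `accessKey`. It is also worth documenting that the file holds a plaintext secret and should be readable only by the account that runs the admin tool.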
...@@ -37,6 +37,10 @@ ...@@ -37,6 +37,10 @@
<groupId>${project.groupId}</groupId> <groupId>${project.groupId}</groupId>
<artifactId>rocketmq-client</artifactId> <artifactId>rocketmq-client</artifactId>
</dependency> </dependency>
<dependency>
<groupId>${project.groupId}</groupId>
<artifactId>rocketmq-acl</artifactId>
</dependency>
<dependency> <dependency>
<groupId>${project.groupId}</groupId> <groupId>${project.groupId}</groupId>
<artifactId>rocketmq-store</artifactId> <artifactId>rocketmq-store</artifactId>
......
...@@ -19,17 +19,16 @@ package org.apache.rocketmq.tools.command; ...@@ -19,17 +19,16 @@ package org.apache.rocketmq.tools.command;
import ch.qos.logback.classic.LoggerContext; import ch.qos.logback.classic.LoggerContext;
import ch.qos.logback.classic.joran.JoranConfigurator; import ch.qos.logback.classic.joran.JoranConfigurator;
import ch.qos.logback.core.joran.spi.JoranException; import ch.qos.logback.core.joran.spi.JoranException;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.HashMap;
import java.util.List; import java.util.List;
import java.util.Map; import com.alibaba.fastjson.JSONObject;
import org.apache.commons.cli.CommandLine; import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.Options; import org.apache.commons.cli.Options;
import org.apache.commons.cli.PosixParser; import org.apache.commons.cli.PosixParser;
import org.apache.commons.lang3.StringUtils; import org.apache.commons.lang3.StringUtils;
import org.apache.rocketmq.acl.common.AclClientRPCHook;
import org.apache.rocketmq.acl.common.AclUtils;
import org.apache.rocketmq.acl.common.SessionCredentials;
import org.apache.rocketmq.common.MQVersion; import org.apache.rocketmq.common.MQVersion;
import org.apache.rocketmq.common.MixAll; import org.apache.rocketmq.common.MixAll;
import org.apache.rocketmq.remoting.RPCHook; import org.apache.rocketmq.remoting.RPCHook;
...@@ -79,7 +78,6 @@ import org.apache.rocketmq.tools.command.topic.UpdateOrderConfCommand; ...@@ -79,7 +78,6 @@ import org.apache.rocketmq.tools.command.topic.UpdateOrderConfCommand;
import org.apache.rocketmq.tools.command.topic.UpdateTopicPermSubCommand; import org.apache.rocketmq.tools.command.topic.UpdateTopicPermSubCommand;
import org.apache.rocketmq.tools.command.topic.UpdateTopicSubCommand; import org.apache.rocketmq.tools.command.topic.UpdateTopicSubCommand;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
import org.yaml.snakeyaml.Yaml;
public class MQAdminStartup { public class MQAdminStartup {
protected static List<SubCommand> subCommandList = new ArrayList<SubCommand>(); protected static List<SubCommand> subCommandList = new ArrayList<SubCommand>();
...@@ -250,62 +248,22 @@ public class MQAdminStartup { ...@@ -250,62 +248,22 @@ public class MQAdminStartup {
public static RPCHook getAclRPCHook(CommandLine commandLine) { public static RPCHook getAclRPCHook(CommandLine commandLine) {
String fileHome = System.getProperty(MixAll.ROCKETMQ_HOME_PROPERTY, System.getenv(MixAll.ROCKETMQ_HOME_ENV)); String fileHome = System.getProperty(MixAll.ROCKETMQ_HOME_PROPERTY, System.getenv(MixAll.ROCKETMQ_HOME_ENV));
File file = new File(fileHome + "/conf/tools.yml"); String fileName = "/conf/tools.yml";
if (!file.exists()) { JSONObject yamlDataObject = AclUtils.getYamlDataObject(fileHome + fileName ,
System.out.printf("file %s is not exist \n", file.getPath()); JSONObject.class);
if (yamlDataObject == null || yamlDataObject.isEmpty()) {
System.out.printf(" Cannot find conf file %s, acl is not be enabled.%n" ,fileHome + fileName);
return null; return null;
} }
Yaml ymal = new Yaml(); // admin ak sk
FileInputStream fis = null; String accessKey = yamlDataObject.getString("accessKey");
Map<String, Map<String, Object>> map = null; String secretKey = yamlDataObject.getString("secretKey");
try {
fis = new FileInputStream(file); if (StringUtils.isBlank(accessKey) || StringUtils.isBlank(secretKey)) {
map = ymal.loadAs(fis, Map.class); System.out.printf("AccessKey or secretKey is blank, the acl is not enabled.%n");
} catch (Exception e) {
e.printStackTrace();
} finally {
if (fis != null) {
try {
fis.close();
} catch (IOException e) {
e.printStackTrace();
}
}
}
if (map == null || map.isEmpty()) {
System.out.printf("file %s is no data", file.getPath());
return null; return null;
} }
return new AclClientRPCHook(new SessionCredentials(accessKey,secretKey));
final Map<String, Map<String, Object>> newMap = map;
return new RPCHook() {
@Override
public void doBeforeRequest(String remoteAddr, RemotingCommand request) {
System.out.printf("remoteAddr is %s code %d \n", remoteAddr, request.getCode());
String fastRemoteAddr = null;
if (remoteAddr != null) {
String[] ipAndPost = StringUtils.split(remoteAddr, ":");
Integer fastPost = Integer.valueOf(ipAndPost[1]) + 2;
fastRemoteAddr = ipAndPost[0] + ":" + fastPost.toString();
}
Map<String, Object> map;
if ((map = newMap.get(remoteAddr)) != null || (map = newMap.get(fastRemoteAddr)) != null || (map = newMap.get("all")) != null) {
HashMap<String, String> ext = request.getExtFields();
if (ext == null) {
ext = new HashMap<>();
request.setExtFields(ext);
}
ext.put("account", map.get("account").toString());
ext.put("password", map.get("password").toString());
}
}
@Override
public void doAfterResponse(String remoteAddr, RemotingCommand request, RemotingCommand response) {
}
};
} }
} }
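Review bot: `fileHome` can be null in `getAclRPCHook` when neither the system property nor the environment variable is set, so the path handed to `AclUtils.getYamlDataObject` becomes the literal `null/conf/tools.yml` and the printed message blames a missing file. A guard before the lookup, `if (StringUtils.isBlank(fileHome)) { System.out.printf("%s is not set, acl is not enabled.%n", MixAll.ROCKETMQ_HOME_ENV); return null; }`, would report the real cause. How `getYamlDataObject` signals an unreadable or malformed file is not visible here; if it throws rather than returning null, the `yamlDataObject == null` branch never runs. The method would also benefit from a Javadoc stating that it returns null when the file or either key is missing, which presumably means admin requests are sent unsigned. The wording `acl is not be enabled` should read `acl is not enabled`.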