bugsmo commented on issue #184:
URL: https://github.com/apache/rocketmq-operator/issues/184#issuecomment-1751967857

This is how I enabled ACL:

1. Add the contents of plain_acl.yml to the ConfigMap broker-config, as shown below
   
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: broker-config
data:
  # BROKER_MEM sets the broker JVM, if set to "" then Xms = Xmx = max(min(1/2 ram, 1024MB), min(1/4 ram, 8GB))
  BROKER_MEM: " -Xms2g -Xmx2g -Xmn1g "
  broker-common.conf: |
    # brokerClusterName, brokerName, brokerId are automatically generated by the operator and do not set it manually!!!
    deleteWhen=04
    fileReservedTime=48
    flushDiskType=ASYNC_FLUSH
    # set brokerRole to ASYNC_MASTER or SYNC_MASTER. DO NOT set to SLAVE because the replica instance will automatically be set!!!
    brokerRole=ASYNC_MASTER
    aclEnable = true
  plain_acl.yml: |-
    globalWhiteRemoteAddresses:
      - 10.10.*.*
      - 10.11.*.*
      - 10.16.13.*

    accounts:
      - accessKey: xxxxxxxxxxxx
        secretKey: xxxxxxxxxxxx
        whiteRemoteAddress:
        admin: false
        defaultTopicPerm: PUB|SUB
        defaultGroupPerm: PUB|SUB
        topicPerms:
          - topicA=DENY
          - topicB=PUB|SUB
          - topicC=SUB
        groupPerms:
          # the group should convert to retry topic
          - groupA=DENY
          - groupB=PUB|SUB
          - groupC=SUB

      - accessKey: xxxxxxxxxxxx
        secretKey: xxxxxxxxxxxx
        whiteRemoteAddress:
        # if it is admin, it could access all resources
        admin: true
```
   
2. Mount the ConfigMap in the MQ cluster's StatefulSets broker-0-master and broker-0-replica-1, as shown below
```yaml
spec:
  volumes:
  ...
    - name: broker-acl
      configMap:
        name: broker-config
        items:
          - key: plain_acl.yml
            path: plain_acl.yml
        defaultMode: 420
  ...
      volumeMounts:
      ...
        - name: broker-acl
          mountPath: /root/rocketmq/broker/conf/plain_acl.yml
          subPath: plain_acl.yml
```
   
3. Delete the pods of StatefulSets broker-0-master and broker-0-replica-1
4. Open a terminal in the pod and run the following command to view the full ACL configuration of the cluster/broker; replace the nameserver IP with your own
```shell
./mqadmin getAccessConfigSubCommand -n 10.210.95.195:9876 -c broker
```
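An added check (example code, not from the comment above or from the rocketmq-operator project): once the plain_acl.yml in the ConfigMap is loaded into a dict, for instance with PyYAML's yaml.safe_load, audit_acl flags the settings a reviewer would question before applying it: global whitelist ranges that skip authentication entirely, admin accounts, placeholder secrets, and keys with no source-address restriction. SAMPLE_ACL is constructed to mirror the file in the comment.

```python
# Added example (not code from the issue or the rocketmq-operator project):
# audit a RocketMQ plain_acl.yml once it is loaded into a dict, e.g. with
# yaml.safe_load(open("plain_acl.yml")).  SAMPLE_ACL is constructed to
# mirror the ConfigMap in the comment, including its redacted keys.
SAMPLE_ACL = {
    "globalWhiteRemoteAddresses": ["10.10.*.*", "10.11.*.*", "10.16.13.*"],
    "accounts": [
        {"accessKey": "xxxxxxxxxxxx", "secretKey": "xxxxxxxxxxxx",
         "whiteRemoteAddress": None, "admin": False,
         "defaultTopicPerm": "PUB|SUB", "defaultGroupPerm": "PUB|SUB",
         "topicPerms": ["topicA=DENY", "topicB=PUB|SUB", "topicC=SUB"],
         "groupPerms": ["groupA=DENY", "groupB=PUB|SUB", "groupC=SUB"]},
        {"accessKey": "xxxxxxxxxxxx", "secretKey": "xxxxxxxxxxxx",
         "whiteRemoteAddress": None, "admin": True},
    ],
}

# "12345678" is the secret in RocketMQ's shipped sample plain_acl.yml;
# "xxxxxxxxxxxx" is the redaction used in the comment above.
PLACEHOLDER_SECRETS = {"12345678", "xxxxxxxxxxxx"}


def audit_acl(acl):
    """Return (severity, message) findings for a parsed plain_acl.yml dict."""
    findings = []
    # Addresses on the global white list are admitted without credentials,
    # so a pattern with more than one wildcard octet opens a large range.
    for addr in acl.get("globalWhiteRemoteAddresses") or []:
        if addr == "*" or addr.count("*") > 1:
            findings.append(("high", f"global whitelist {addr} skips auth for a broad range"))
    for acct in acl.get("accounts") or []:
        ak = acct.get("accessKey", "?")
        sk = acct.get("secretKey") or ""
        if sk in PLACEHOLDER_SECRETS or sk == ak:
            findings.append(("high", f"{ak}: placeholder or trivial secretKey"))
        if acct.get("admin"):
            findings.append(("medium", f"{ak}: admin account, can access all resources"))
        if not acct.get("whiteRemoteAddress"):  # empty means no IP restriction
            findings.append(("low", f"{ak}: no whiteRemoteAddress, any source IP may use this key"))
        for key in ("defaultTopicPerm", "defaultGroupPerm"):
            if "PUB" in (acct.get(key) or ""):
                findings.append(("low", f"{ak}: {key}={acct[key]} applies to every unlisted resource"))
    return findings


def count_by_severity(findings):
    """Tally findings per severity, handy for a pass/fail gate in CI."""
    out = {}
    for sev, _ in findings:
        out[sev] = out.get(sev, 0) + 1
    return out
```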

