hongshenggit opened a new issue, #7561: URL: https://github.com/apache/rocketmq/issues/7561
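### Before Creating the Bug Report

- [X] I found a bug, not just asking a question, which should be created in [GitHub Discussions](https://github.com/apache/rocketmq/discussions).
- [X] I have searched the [GitHub Issues](https://github.com/apache/rocketmq/issues) and [GitHub Discussions](https://github.com/apache/rocketmq/discussions) of this repository and believe that this is not a duplicate.
- [X] I have confirmed that this bug belongs to the current repository, not other repositories of RocketMQ.

### Runtime platform environment

centos7

### RocketMQ version

5.1.1

### JDK Version

openjdk version "1.8.0_352"

### Describe the Bug

k8s version: 1.23.7

I deployed a 3-node DLedger high-availability cluster with ACL configured. After my PC host sent requests to the nameserver address, I checked broker.log on the slave node:

Problem 1: the server cannot discover the client's IP.

Problem 2: master-slave synchronization is abnormal, for example as in the screenshot below.

- `L:/10.244.212.176:5002`: IP address of the server pod
- `R:/10.79.126.3:36352`: address of the worker node
- `clientId=10.108.129.92@12664`: IP address of my PC host
- `10.79.126.188:5014`: master address, exposed through MetalLB

```
ERROR BrokerControllerScheduledThread1 - SyncTopicConfig Exception, 10.79.126.188:5014
```

brokerIP1: 10.79.126.188
brokerIP2: pod_ip

Guess for problem 1: because the Service is set to `externalTrafficPolicy: Cluster`, the traffic is SNATed, so the server cannot obtain the client's real IP. Because of how we use it, it can only be set to Cluster.

Guess for problem 2: ACL is enabled and the global whitelist is set to `10.244.*.*` and `10.79.126.188`, but communication between the servers goes through the worker node's IP, so the configured whitelist has no effect.

Question about problem 1: if I set the global whitelist to `10.79.126.*`, master-slave synchronization is normal, but the ACL rules stop working, because what finally establishes the connection with the server is the worker node's address (a Service policy issue), and the global whitelist already contains the worker node's address.

### Steps to Reproduce

As in the bug description above.

### What Did You Expect to See?

The server can obtain the client's real IP, that is, the connection to the server is established from the real client IP.

### What Did You See Instead?
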
As in the bug description above.

### Additional Context

slave log

```
	at java.lang.Thread.run(Thread.java:750)
2023-11-15 16:27:17 INFO HeartbeatThread_1 - new consumer connected, group: DEFAULT_CONSUMER CONSUME_PASSIVELY CLUSTERING channel: ClientChannelInfo [channel=[id: 0x42f15f08, L:/10.244.212.176:5002 - R:/10.79.126.3:47089], clientId=10.108.129.92@18872, language=GO, version=317, lastUpdateTimestamp=1700036837358]
2023-11-15 16:27:17 INFO HeartbeatThread_1 - subscription changed, add new topic, group: DEFAULT_CONSUMER SubscriptionData [classFilterMode=false, topic=%RETRY%DEFAULT_CONSUMER, subString=*, tagsSet=[], codeSet=[], subVersion=1700036845629427700, expressionType=TAG]
2023-11-15 16:27:17 INFO HeartbeatThread_1 - subscription changed, add new topic, group: DEFAULT_CONSUMER SubscriptionData [classFilterMode=false, topic=123123s, subString=*, tagsSet=[], codeSet=[], subVersion=1700036845628911200, expressionType=TAG]
2023-11-15 16:27:17 INFO HeartbeatThread_1 - ClientManageProcessor: registerConsumer info changed, SDK address=10.79.126.3:47089, consumerData=ConsumerData [groupName=DEFAULT_CONSUMER, consumeType=CONSUME_PASSIVELY, messageModel=CLUSTERING, consumeFromWhere=CONSUME_FROM_LAST_OFFSET, unitMode=false, subscriptionDataSet=[SubscriptionData [classFilterMode=false, topic=%RETRY%DEFAULT_CONSUMER, subString=*, tagsSet=[], codeSet=[], subVersion=1700036845629427700, expressionType=TAG], SubscriptionData [classFilterMode=false, topic=123123s, subString=*, tagsSet=[], codeSet=[], subVersion=1700036845628911200, expressionType=TAG]]]
2023-11-15 16:27:17 INFO HeartbeatThread_1 - new producer connected, group: DEFAULT_PRODUCER channel: ClientChannelInfo [channel=[id: 0x42f15f08, L:/10.244.212.176:5002 - R:/10.79.126.3:47089], clientId=10.108.129.92@18872, language=GO, version=317, lastUpdateTimestamp=1700036837358]
2023-11-15 16:27:17 INFO HeartbeatThread_1 - subscription changed, group: DEFAULT_CONSUMER OLD: SubscriptionData [classFilterMode=false, topic=123123s, subString=*, tagsSet=[], codeSet=[], subVersion=1700036845628911200, expressionType=TAG] NEW: SubscriptionData [classFilterMode=false, topic=123123s, subString=*, tagsSet=[], codeSet=[], subVersion=1700036845645388900, expressionType=TAG]
2023-11-15 16:27:20 ERROR BrokerControllerScheduledThread1 - syncTimerCheckPoint Exception, 10.79.126.188:5014
org.apache.rocketmq.client.exception.MQBrokerException: CODE: 1 DESC: org.apache.rocketmq.acl.common.AclException: No accessKey is configured, org.apache.rocketmq.acl.plain.PlainPermissionManager.validate(PlainPermissionManager.java:607) BROKER: 10.79.126.188:5014
For more information, please visit the url, https://rocketmq.apache.org/docs/bestPractice/06FAQ
	at org.apache.rocketmq.broker.out.BrokerOuterAPI.getTimerCheckPoint(BrokerOuterAPI.java:716)
	at org.apache.rocketmq.broker.slave.SlaveSynchronize.syncTimerCheckPoint(SlaveSynchronize.java:219)
	at org.apache.rocketmq.broker.controller.ReplicasManager.lambda$handleSlaveSynchronize$2(ReplicasManager.java:362)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
	at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:750)
```

broker configuration

```
deleteWhen = 04
fileReservedTime = 48
flushDiskType = ASYNC_FLUSH
waitTimeMillsInSendQueue = 1000
# generated config
brokerName = broker-a
enableControllerMode = true
controllerAddr = rocketmq-nameserver-0:5001;rocketmq-nameserver-1:5005;rocketmq-nameserver-2:5009
aclEnable = true
brokerIP1 = 10.79.126.188
listenPort = 5002"
```

-----------------------------------------------------------------------

```
deleteWhen = 04
fileReservedTime = 48
flushDiskType = ASYNC_FLUSH
waitTimeMillsInSendQueue = 1000
# generated config
brokerName = broker-a
enableControllerMode = true
controllerAddr = rocketmq-nameserver-0:5001;rocketmq-nameserver-1:5005;rocketmq-nameserver-2:5009
aclEnable = true
brokerIP1 = 10.79.126.188
listenPort = 5014"
```

-----------------------------------------------------------------------

ACL configuration

```
globalWhiteRemoteAddresses:
- 10.244.*.*
- 10.79.126.188
accounts:
- accessKey: rocketmq
  secretKey: Csair@2023
  # whiteRemoteAddress: 10.79.126.188
  # if it is admin, it could access all resources
  admin: true
  defaultTopicPerm: PUB|SUB
  defaultGroupPerm: PUB
```
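
The check below is an added example, not part of the original issue and not RocketMQ code: it parses the channel details from the slave log line quoted in the issue and evaluates both whitelists against the socket peer address. It shows that the original whitelist does not cover the SNATed worker-node address, while `10.79.126.*` exempts every client arriving through that node from the account check. Assumptions: the whitelist is modelled as a per-octet `*` match (only the pattern forms shown in the issue), and the function names are hypothetical.

```python
import re

# Log line taken from the slave broker.log quoted in the issue (trailing timestamp field trimmed).
LOG_LINE = (
    "new consumer connected, group: DEFAULT_CONSUMER CONSUME_PASSIVELY CLUSTERING "
    "channel: ClientChannelInfo [channel=[id: 0x42f15f08, "
    "L:/10.244.212.176:5002 - R:/10.79.126.3:47089], "
    "clientId=10.108.129.92@18872, language=GO, version=317]"
)
CHANNEL_RE = re.compile(r"R:/(\d+\.\d+\.\d+\.\d+):\d+\], clientId=(\d+\.\d+\.\d+\.\d+)@")


def parse_channel(line):
    """Return (socket_peer_ip, client_reported_ip), or None if the line has no channel info."""
    m = CHANNEL_RE.search(line)
    return (m.group(1), m.group(2)) if m else None


def matches(pattern, ip):
    """Simplified model (assumption): exact octets, '*' matches any single octet."""
    p, a = pattern.split("."), ip.split(".")
    return len(p) == len(a) == 4 and all(x == "*" or x == y for x, y in zip(p, a))


def whitelisted(whitelist, ip):
    return any(matches(p, ip) for p in whitelist)


def audit(line, whitelist):
    """Report what an address whitelist decides for the connection logged in `line`."""
    remote, reported = parse_channel(line)
    return {
        "remote": remote,            # address the broker sees on the socket (post-SNAT)
        "reported": reported,        # IP embedded in clientId; self-reported, not authoritative
        "snat_suspected": remote != reported,
        # A whitelist hit on the socket peer means no accessKey check for this connection.
        "skips_account_check": whitelisted(whitelist, remote),
    }


ORIGINAL = ["10.244.*.*", "10.79.126.188"]  # globalWhiteRemoteAddresses from the issue
WIDENED = ["10.79.126.*"]                   # the wider whitelist the reporter tried

if __name__ == "__main__":
    for name, wl in (("original", ORIGINAL), ("widened", WIDENED)):
        print(name, audit(LOG_LINE, wl))
```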