This is an automated email from the ASF dual-hosted git repository.
dinglei pushed a commit to branch 4.9.x
in repository https://gitbox.apache.org/repos/asf/rocketmq.git
The following commit(s) were added to refs/heads/4.9.x by this push:
new 20b838838d Add validation in broker/namesrv configure updating command
(#7649)
20b838838d is described below
commit 20b838838d064a0726b2f6f650fed7f21be0825f
Author: rongtong <jinrongto...@163.com>
AuthorDate: Fri Dec 15 10:08:48 2023 +0800
Add validation in broker/namesrv configure updating command (#7649)
---
.../broker/processor/AdminBrokerProcessor.java | 27 +++++++++++++++++++
.../org/apache/rocketmq/common/BrokerConfig.java | 16 ++++++++++++
.../rocketmq/common/namesrv/NamesrvConfig.java | 15 +++++++++++
.../namesrv/processor/DefaultRequestProcessor.java | 30 ++++++++++++++++++++--
.../processor/DefaultRequestProcessorTest.java | 15 +++++++++--
5 files changed, 99 insertions(+), 4 deletions(-)
diff --git
a/broker/src/main/java/org/apache/rocketmq/broker/processor/AdminBrokerProcessor.java
b/broker/src/main/java/org/apache/rocketmq/broker/processor/AdminBrokerProcessor.java
index 95594ac4e1..c9d2cacf60 100644
---
a/broker/src/main/java/org/apache/rocketmq/broker/processor/AdminBrokerProcessor.java
+++
b/broker/src/main/java/org/apache/rocketmq/broker/processor/AdminBrokerProcessor.java
@@ -19,6 +19,7 @@ package org.apache.rocketmq.broker.processor;
import com.alibaba.fastjson.JSON;
import io.netty.channel.Channel;
import io.netty.channel.ChannelHandlerContext;
+import java.util.Arrays;
import org.apache.rocketmq.acl.AccessValidator;
import org.apache.rocketmq.acl.plain.PlainAccessValidator;
import org.apache.rocketmq.broker.BrokerController;
@@ -143,8 +144,19 @@ public class AdminBrokerProcessor extends
AsyncNettyRequestProcessor {
private static final InternalLogger log =
InternalLoggerFactory.getLogger(LoggerName.BROKER_LOGGER_NAME);
private final BrokerController brokerController;
+ protected Set<String> configBlackList = new HashSet<>();
+
public AdminBrokerProcessor(final BrokerController brokerController) {
this.brokerController = brokerController;
+ initConfigBlackList();
+ }
+
+ private void initConfigBlackList() {
+ configBlackList.add("brokerConfigPath");
+ configBlackList.add("rocketmqHome");
+ configBlackList.add("configBlackList");
+ String[] configArray =
brokerController.getBrokerConfig().getConfigBlackList().split(";");
+ configBlackList.addAll(Arrays.asList(configArray));
}
@Override
@@ -522,6 +534,11 @@ public class AdminBrokerProcessor extends
AsyncNettyRequestProcessor {
String bodyStr = new String(body, MixAll.DEFAULT_CHARSET);
Properties properties = MixAll.string2Properties(bodyStr);
if (properties != null) {
+ if (validateBlackListConfigExist(properties)) {
+ response.setCode(ResponseCode.NO_PERMISSION);
+ response.setRemark("Can not update config in black
list.");
+ }
+
log.info("updateBrokerConfig, new config: [{}] client: {}
", properties, ctx.channel().remoteAddress());
this.brokerController.getConfiguration().update(properties);
if (properties.containsKey("brokerPermission")) {
@@ -547,6 +564,16 @@ public class AdminBrokerProcessor extends
AsyncNettyRequestProcessor {
return response;
}
+
+ private boolean validateBlackListConfigExist(Properties properties) {
+ for (String blackConfig:configBlackList) {
+ if (properties.containsKey(blackConfig)) {
+ return true;
+ }
+ }
+ return false;
+ }
+
private RemotingCommand getBrokerConfig(ChannelHandlerContext ctx,
RemotingCommand request) {
final RemotingCommand response =
RemotingCommand.createResponseCommand(GetBrokerConfigResponseHeader.class);
diff --git a/common/src/main/java/org/apache/rocketmq/common/BrokerConfig.java
b/common/src/main/java/org/apache/rocketmq/common/BrokerConfig.java
index 401b457881..6c995fe05a 100644
--- a/common/src/main/java/org/apache/rocketmq/common/BrokerConfig.java
+++ b/common/src/main/java/org/apache/rocketmq/common/BrokerConfig.java
@@ -196,6 +196,14 @@ public class BrokerConfig {
*/
private boolean isolateLogEnable = false;
+
+ /**
+ * Config in this black list will be not allowed to update by command.
+ * Try to update this config black list by restart process.
+ * Try to update configures in black list by restart process.
+ */
+ private String configBlackList = "configBlackList;brokerConfigPath";
+
public static String localHostName() {
try {
return InetAddress.getLocalHost().getHostName();
@@ -845,4 +853,12 @@ public class BrokerConfig {
public void setIsolateLogEnable(boolean isolateLogEnable) {
this.isolateLogEnable = isolateLogEnable;
}
+
+ public String getConfigBlackList() {
+ return configBlackList;
+ }
+
+ public void setConfigBlackList(String configBlackList) {
+ this.configBlackList = configBlackList;
+ }
}
diff --git
a/common/src/main/java/org/apache/rocketmq/common/namesrv/NamesrvConfig.java
b/common/src/main/java/org/apache/rocketmq/common/namesrv/NamesrvConfig.java
index f687d2c243..955fe4ba4d 100644
--- a/common/src/main/java/org/apache/rocketmq/common/namesrv/NamesrvConfig.java
+++ b/common/src/main/java/org/apache/rocketmq/common/namesrv/NamesrvConfig.java
@@ -36,6 +36,13 @@ public class NamesrvConfig {
private boolean clusterTest = false;
private boolean orderMessageEnable = false;
+ /**
+ * Config in this black list will be not allowed to update by command.
+ * Try to update this config black list by restart process.
+ * Try to update configures in black list by restart process.
+ */
+ private String configBlackList =
"configBlackList;configStorePath;kvConfigPath";
+
public boolean isOrderMessageEnable() {
return orderMessageEnable;
}
@@ -83,4 +90,12 @@ public class NamesrvConfig {
public void setConfigStorePath(final String configStorePath) {
this.configStorePath = configStorePath;
}
+
+ public String getConfigBlackList() {
+ return configBlackList;
+ }
+
+ public void setConfigBlackList(String configBlackList) {
+ this.configBlackList = configBlackList;
+ }
}
diff --git
a/namesrv/src/main/java/org/apache/rocketmq/namesrv/processor/DefaultRequestProcessor.java
b/namesrv/src/main/java/org/apache/rocketmq/namesrv/processor/DefaultRequestProcessor.java
index e679dcafbc..1cf2fa8e2f 100644
---
a/namesrv/src/main/java/org/apache/rocketmq/namesrv/processor/DefaultRequestProcessor.java
+++
b/namesrv/src/main/java/org/apache/rocketmq/namesrv/processor/DefaultRequestProcessor.java
@@ -19,6 +19,9 @@ package org.apache.rocketmq.namesrv.processor;
import com.alibaba.fastjson.serializer.SerializerFeature;
import io.netty.channel.ChannelHandlerContext;
import java.io.UnsupportedEncodingException;
+import java.util.Arrays;
+import java.util.Set;
+import java.util.HashSet;
import java.util.Properties;
import java.util.concurrent.atomic.AtomicLong;
import org.apache.rocketmq.common.DataVersion;
@@ -69,8 +72,20 @@ public class DefaultRequestProcessor extends
AsyncNettyRequestProcessor implemen
protected final NamesrvController namesrvController;
+ protected Set<String> configBlackList = new HashSet<>();
+
public DefaultRequestProcessor(NamesrvController namesrvController) {
this.namesrvController = namesrvController;
+ initConfigBlackList();
+ }
+
+ private void initConfigBlackList() {
+ configBlackList.add("configBlackList");
+ configBlackList.add("configStorePath");
+ configBlackList.add("kvConfigPath");
+ configBlackList.add("rocketmqHome");
+ String[] configArray =
namesrvController.getNamesrvConfig().getConfigBlackList().split(";");
+ configBlackList.addAll(Arrays.asList(configArray));
}
@Override
@@ -581,9 +596,9 @@ public class DefaultRequestProcessor extends
AsyncNettyRequestProcessor implemen
return response;
}
- if (properties.containsKey("kvConfigPath") ||
properties.containsKey("configStorePath")) {
+ if (validateBlackListConfigExist(properties)) {
response.setCode(ResponseCode.NO_PERMISSION);
- response.setRemark("Can not update config path");
+ response.setRemark("Can not update config in black list.");
return response;
}
@@ -595,6 +610,17 @@ public class DefaultRequestProcessor extends
AsyncNettyRequestProcessor implemen
return response;
}
+ private boolean validateBlackListConfigExist(Properties properties) {
+ for (String blackConfig : configBlackList) {
+ if (properties.containsKey(blackConfig)) {
+ return true;
+ }
+ }
+ return false;
+ }
+
+
+
private RemotingCommand getConfig(ChannelHandlerContext ctx,
RemotingCommand request) {
final RemotingCommand response =
RemotingCommand.createResponseCommand(null);
diff --git
a/namesrv/src/test/java/org/apache/rocketmq/namesrv/processor/DefaultRequestProcessorTest.java
b/namesrv/src/test/java/org/apache/rocketmq/namesrv/processor/DefaultRequestProcessorTest.java
index f22031ea6e..beb9ec4992 100644
---
a/namesrv/src/test/java/org/apache/rocketmq/namesrv/processor/DefaultRequestProcessorTest.java
+++
b/namesrv/src/test/java/org/apache/rocketmq/namesrv/processor/DefaultRequestProcessorTest.java
@@ -185,7 +185,7 @@ public class DefaultRequestProcessorTest {
assertThat(response).isNotNull();
assertThat(response.getCode()).isEqualTo(ResponseCode.NO_PERMISSION);
- assertThat(response.getRemark()).contains("Can not update config
path");
+ assertThat(response.getRemark()).contains("Can not update config in
black list.");
//update disallowed values
properties.clear();
@@ -196,7 +196,18 @@ public class DefaultRequestProcessorTest {
assertThat(response).isNotNull();
assertThat(response.getCode()).isEqualTo(ResponseCode.NO_PERMISSION);
- assertThat(response.getRemark()).contains("Can not update config
path");
+ assertThat(response.getRemark()).contains("Can not update config in
black list");
+
+ //update disallowed values
+ properties.clear();
+ properties.setProperty("configBlackList", "test;path");
+
updateConfigRequest.setBody(MixAll.properties2String(properties).getBytes(StandardCharsets.UTF_8));
+
+ response = defaultRequestProcessor.processRequest(null,
updateConfigRequest);
+
+ assertThat(response).isNotNull();
+ assertThat(response.getCode()).isEqualTo(ResponseCode.NO_PERMISSION);
+ assertThat(response.getRemark()).contains("Can not update config in
black list");
}
@Test
