一、概述
因安全需求,需要对RocketMQ添加ACL设置
注意:ACL功能需要高版本支持,低版本不行,本文使用的版本为4.9.4
关于搭建RocketMQ集群,请参考链接:https://www.cnblogs.com/xiao987334176/p/16771899.html
二、配置
修改配置文件broker-a/broker-a.conf,broker-b/broker-b.conf最后一行增加
aclEnable=true
表示开启ACL功能
修改broker-a/plain_acl.yml,broker-b/plain_acl.yml
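# Broker ACL rules (plain_acl.yml). Read by mqbroker when broker.conf sets aclEnable=true.
#
# Requests whose source IP matches an entry here skip the ACL check entirely:
# no accessKey/secretKey is verified and no topic/group permission is applied,
# so every address listed has full access. Keep this list as narrow as possible;
# a "x.y.z.*" wildcard grants the whole /24. NOTE(review): 172.24.0.* looks like a
# Docker bridge range -- if it is the one used by the "rmq" network, every
# container on it (dashboard included) bypasses ACL regardless of credentials.
globalWhiteRemoteAddresses:
  - 10.10.103.*
  - 192.168.0.*
  - 172.24.0.*
  # - 101.95.106.218
  # - 192.168.137.138

accounts:
  # Least-privilege client account: everything not granted below is denied.
  - accessKey: RocketMQ
    # Demo value only -- replace with a long random secret before deployment.
    # Quoted so YAML keeps it a string instead of parsing an integer.
    secretKey: "12345678"
    # Empty: this account may be used from any source IP (credentials still required).
    whiteRemoteAddress:
    admin: false
    # Defaults for topics/groups not listed explicitly below.
    defaultTopicPerm: DENY
    defaultGroupPerm: SUB
    topicPerms:
      - topicA=DENY
      - topicB=PUB|SUB
      - topicC=SUB
    groupPerms:
      # the group should convert to retry topic
      - groupA=DENY
      - groupB=PUB|SUB
      - groupC=SUB

  # Admin account used by the dashboard (see docker-compose.yml): admin=true means
  # access to all resources, so the secret must be strong and the file readable
  # only by the broker process.
  - accessKey: rocketmq2
    secretKey: "12345678"
    # Account-level whitelist. This is a bypass, not a restriction: in the 4.x
    # PlainPermissionManager a request from a matching IP is accepted without a
    # signature check -- confirm against the source of the version in use.
    whiteRemoteAddress: 192.168.137.138
    # if it is admin, it could access all resources
    admin: true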
说明:
globalWhiteRemoteAddresses:表示全局白名单远程地址,即客户端的来源 IP。来自这些地址的请求会直接跳过 ACL 校验——不检查 accessKey/secretKey,也不检查 topic/group 权限,等同于拥有全部权限。因此白名单应尽量精确到主机,慎用 `10.10.103.*` 这类覆盖整个网段的通配;如果 172.24.0.* 正是 Docker 网桥所在网段,那么同一网络中的所有容器(包括控制台)都会绕过 ACL。
accessKey 和 secretKey:相当于连接的用户名和密码。secretKey 以明文保存在 plain_acl.yml 中,客户端用它对请求做签名,所以要用文件权限限制该文件的可读范围。示例中的 12345678 仅为演示,生产环境请使用足够长的随机值;在 YAML 中建议写成带引号的字符串(如 "12345678"),避免被解析成数字。
whiteRemoteAddress:账户级别的 IP 白名单,留空表示该账户可以从任意地址连接。注意它和全局白名单一样是"放行"而不是"限制":按 4.x 版本 PlainPermissionManager 的实现,来源 IP 匹配到账户白名单后会跳过签名校验和权限校验(accessKey 仍须存在),请以所用版本的源码为准;不在白名单中的来源则必须 accessKey/secretKey 签名正确,并受 topicPerms/groupPerms 约束。
PUB 是发布(生产)权限,SUB 是订阅(消费)权限,DENY 表示拒绝,`PUB|SUB` 表示两者都有。未在 topicPerms/groupPerms 中显式列出的资源分别使用 defaultTopicPerm/defaultGroupPerm;示例中 defaultTopicPerm=DENY 是推荐的最小权限默认值,按需逐项放开,而不是默认放开。
修改docker-compose.yml
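# Two-nameserver / two-broker RocketMQ 4.9.4 cluster with ACL enabled, plus the
# dashboard. All services share the user-defined bridge network "rmq" and reach
# each other by service alias and *container* port; the host-side port numbers
# (9877, 8087, ...) only matter for clients outside Docker.
version: '3.5'

services:
  rmqnamesrv-a:
    image: apache/rocketmq:4.9.4
    container_name: rmqnamesrv-a
    ports:
      # Published to the host. The nameserver itself is not covered by the broker
      # ACL, so restrict who can reach 9876 at the network/firewall level.
      - "9876:9876"
    volumes:
      - /opt/rocketmq/logs/nameserver-a:/home/rocketmq/logs
      # broker.conf and plain_acl.yml are read by mqbroker, not mqnamesrv, so they
      # are not mounted here (the original mounted broker-b.conf into the nameserver).
    command: sh mqnamesrv
    networks:
      rmq:
        aliases:
          - rmqnamesrv-a

  rmqnamesrv-b:
    image: apache/rocketmq:4.9.4
    container_name: rmqnamesrv-b
    ports:
      # Host 9877 -> container 9876. Inside the rmq network this nameserver is
      # still reached as rmqnamesrv-b:9876.
      - "9877:9876"
    volumes:
      - /opt/rocketmq/logs/nameserver-b:/home/rocketmq/logs
    command: sh mqnamesrv
    networks:
      rmq:
        aliases:
          - rmqnamesrv-b

  rmqbroker-a:
    image: apache/rocketmq:4.9.4
    container_name: rmqbroker-a
    ports:
      - "10911:10911"
    volumes:
      - /opt/rocketmq/logs/broker-a/logs:/home/rocketmq/logs
      - /opt/rocketmq/store/broker-a/store:/home/rocketmq/store
      # broker-a.conf must contain aclEnable=true for plain_acl.yml to be enforced.
      - /opt/rocketmq/broker-a/broker-a.conf:/home/rocketmq/rocketmq-4.9.4/conf/broker.conf
      - /opt/rocketmq/broker-a/plain_acl.yml:/home/rocketmq/rocketmq-4.9.4/conf/plain_acl.yml
    environment:
      TZ: Asia/Shanghai
      # Register with BOTH nameservers (container port 9876 for each) so a client
      # sees the whole cluster whichever nameserver it happens to query.
      NAMESRV_ADDR: "rmqnamesrv-a:9876;rmqnamesrv-b:9876"
      JAVA_OPTS: " -Duser.home=/opt"
      JAVA_OPT_EXT: "-server -Xms256m -Xmx256m -Xmn256m"
    command: sh mqbroker -c /home/rocketmq/rocketmq-4.9.4/conf/broker.conf
    # depends_on replaces the legacy "links:"; name resolution already comes from
    # the shared network aliases.
    depends_on:
      - rmqnamesrv-a
      - rmqnamesrv-b
    networks:
      rmq:
        aliases:
          - rmqbroker-a

  rmqbroker-b:
    image: apache/rocketmq:4.9.4
    container_name: rmqbroker-b
    ports:
      # Must match listenPort in broker-b.conf (not shown here).
      - "10912:10912"
    volumes:
      - /opt/rocketmq/logs/broker-b/logs:/home/rocketmq/logs
      - /opt/rocketmq/store/broker-b/store:/home/rocketmq/store
      - /opt/rocketmq/broker-b/broker-b.conf:/home/rocketmq/rocketmq-4.9.4/conf/broker.conf
      # Mount broker-b's own ACL file. The original mounted broker-a/plain_acl.yml,
      # which silently ignored any edits made to broker-b/plain_acl.yml.
      - /opt/rocketmq/broker-b/plain_acl.yml:/home/rocketmq/rocketmq-4.9.4/conf/plain_acl.yml
    environment:
      TZ: Asia/Shanghai
      # 9877 is only the host mapping; within the network rmqnamesrv-b listens on 9876.
      NAMESRV_ADDR: "rmqnamesrv-a:9876;rmqnamesrv-b:9876"
      JAVA_OPTS: " -Duser.home=/opt"
      JAVA_OPT_EXT: "-server -Xms256m -Xmx256m -Xmn256m"
    command: sh mqbroker -c /home/rocketmq/rocketmq-4.9.4/conf/broker.conf
    depends_on:
      - rmqnamesrv-a
      - rmqnamesrv-b
    networks:
      rmq:
        aliases:
          - rmqbroker-b

  rmqconsole:
    # Untagged image = "latest": pin a specific tag so upgrades are deliberate.
    image: apacherocketmq/rocketmq-dashboard
    container_name: rmqconsole
    ports:
      # The dashboard talks to the brokers with the admin ACL account below, so
      # anyone who can reach this port can administer the cluster. Bind it to a
      # trusted interface (e.g. "127.0.0.1:8087:8080") or front it with auth;
      # the dashboard's own login gate (rocketmq.config.loginRequired) is off by
      # default -- confirm for the image version used.
      - "8087:8080"
    environment:
      # accessKey/secretKey must match an account in plain_acl.yml. Everything in
      # JAVA_OPTS is visible via `docker inspect` and in the process list; prefer
      # an env_file or Docker secret for the real secretKey.
      JAVA_OPTS: >-
        -Drocketmq.namesrv.addr=rmqnamesrv-a:9876;rmqnamesrv-b:9876
        -Dcom.rocketmq.sendMessageWithVIPChannel=false
        -Drocketmq.config.accessKey=rocketmq2
        -Drocketmq.config.secretKey=12345678
    volumes:
      - /opt/rocketmq/console-ng/data:/tmp/rocketmq-console/data
    networks:
      rmq:
        aliases:
          - rmqconsole

networks:
  rmq:
    name: rmq
    driver: bridge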
如果开启了 ACL,控制台必须通过 -Drocketmq.config.accessKey/secretKey 配置一个 plain_acl.yml 中存在的账户;部分管理功能需要 admin 账户,否则会提示没有权限。注意:这意味着控制台持有集群的管理员凭据,而它默认不要求登录(可通过 rocketmq.config.loginRequired 开启,请以所用镜像版本为准),所以 8087 端口不要直接暴露到不可信网络,至少绑定到 127.0.0.1 或放在带认证的反向代理之后;凭据也不要明文写在 JAVA_OPTS 里,改用 env_file 或 secret。
访问控制台,查看数据是否显示正常。