Until now RocketMQ was only ever used from inside the cluster, so access control was never a concern. A few days ago a requirement came in to let services outside the cluster call RocketMQ, but with mandatory access control. I searched a lot of material: everything covered Docker, nothing covered a Kubernetes cluster, so I first worked it out myself in Docker. I use the public image rather than building my own, because a custom image makes later upgrades painful.

First, what I found with Docker: to turn on ACL you must add an option to the broker configuration file that enables it, `aclEnable=true`. In RocketMQ the permissions themselves are configured in `plain_acl.yml`; once that file is edited, no restart is needed and the permissions take effect.

In Kubernetes, what I need to do is make `plain_acl.yml` persistent, that is, mount `plain_acl.yml` into the pod so that a pod restart does not affect the file's contents. Here is what my normal pod looks like.
# cat rocketmq-cm.yaml
kind: ConfigMap
apiVersion: v1
metadata:
  name: rocketmq-broker-config
data:
  BROKER_MEM: ' -Xms2g -Xmx2g -Xmn1g '
  broker-common.conf: |-
    brokerClusterName = DefaultCluster
    brokerName = broker-0
    brokerId = 0
    deleteWhen = 04
    fileReservedTime = 48
    brokerRole = ASYNC_MASTER
    flushDiskType = ASYNC_FLUSH
  plain_acl.yml: |-
    globalWhiteRemoteAddresses:
    - 10.10.103.*
    - 10.244.*.*
    - 10.108.*.*
    - 192.168.*.*
    accounts:
    - accessKey: RocketMQ
      secretKey: 12345678
      whiteRemoteAddress:
      admin: false
      defaultTopicPerm: DENY
      defaultGroupPerm: SUB
      topicPerms:
      - topicA=DENY
      - topicB=PUB|SUB
      - topicC=SUB
      groupPerms:
      # the group should convert to retry topic
      - groupA=DENY
      - groupB=PUB|SUB
      - groupC=SUB
    - accessKey: rocketmq2
      secretKey: 12345678
      whiteRemoteAddress: 192.168.1.*
      # if it is admin, it could access all resources
      admin: true
    - accessKey: rocketmq-admin
      secretKey: rocketmq-admin
      whiteRemoteAddress: 192.168.6.*
      # if it is admin, it could access all resources
      admin: true

# cat rocketmq-broker-sts.yaml
kind: StatefulSet
apiVersion: apps/v1
metadata:
  name: rocketmq-broker-0-master
spec:
  replicas: 1
  selector:
    matchLabels:
      app: rocketmq-broker
      broker_cr: rocketmq-broker
  template:
    metadata:
      labels:
        app: rocketmq-broker
        broker_cr: rocketmq-broker
    spec:
      volumes:
        - name: rocketmq-broker-config
          configMap:
            name: rocketmq-broker-config
            items:
              - key: broker-common.conf
                path: broker-common.conf
            defaultMode: 420
        - name: rocketmq-broker-acl
          configMap:
            name: rocketmq-broker-config
            items:
              - key: plain_acl.yml
                path: plain_acl.yml
            defaultMode: 420
        - name: host-time
          hostPath:
            path: /etc/localtime
            type: ''
      containers:
        - name: rocketmq-broker
          image: 'apache/rocketmq:4.9.7'
          command:
            - /bin/sh
          args:
            - mqbroker
            - "-c"
            - /home/rocketmq/conf/broker-common.conf
          ports:
            - name: tcp-vip-10909
              containerPort: 10909
              protocol: TCP
            - name: tcp-main-10911
              containerPort: 10911
              protocol: TCP
            - name: tcp-ha-10912
              containerPort: 10912
              protocol: TCP
          env:
            - name: NAMESRV_ADDR
              value: 'rocketmq-name-server-service:9876'
            - name: BROKER_MEM
              valueFrom:
                configMapKeyRef:
                  name: rocketmq-broker-config
                  key: BROKER_MEM
          resources:
            limits:
              cpu: 500m
              memory: 12Gi
            requests:
              cpu: 250m
              memory: 2Gi
          volumeMounts:
            - name: host-time
              readOnly: true
              mountPath: /etc/localtime
            - name: rocketmq-broker-storage
              mountPath: /home/rocketmq/logs
              subPath: logs/broker-0-master
            - name: rocketmq-broker-storage
              mountPath: /home/rocketmq/store
              subPath: store/broker-0-master
            - name: rocketmq-broker-config
              mountPath: /home/rocketmq/conf/broker-common.conf
              subPath: broker-common.conf
            - name: rocketmq-broker-acl
              mountPath: /home/rocketmq/rocketmq-4.9.7/conf/plain_acl.yml
              subPath: plain_acl.yml
          imagePullPolicy: Always
  volumeClaimTemplates:
    - kind: PersistentVolumeClaim
      apiVersion: v1
      metadata:
        name: rocketmq-broker-storage
      spec:
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: 8Gi
        storageClassName: nfs-storage
        volumeMode: Filesystem
  serviceName: ''

# cat rocketmq-name-service-sts.yaml
kind: StatefulSet
apiVersion: apps/v1
metadata:
  name: rocketmq-name-service
spec:
  replicas: 1
  selector:
    matchLabels:
      app: rocketmq-name-service
      name_service_cr: rocketmq-name-service
  template:
    metadata:
      labels:
        app: rocketmq-name-service
        name_service_cr: rocketmq-name-service
    spec:
      volumes:
        - name: host-time
          hostPath:
            path: /etc/localtime
            type: ''
      containers:
        - name: rocketmq-name-service
          image: 'apache/rocketmq:4.9.7'
          command:
            - /bin/sh
          args:
            - mqnamesrv
          ports:
            - name: tcp-9876
              containerPort: 9876
              protocol: TCP
          resources:
            limits:
              cpu: 500m
              memory: 1Gi
            requests:
              cpu: 250m
              memory: 512Mi
          volumeMounts:
            - name: rocketmq-namesrv-storage
              mountPath: /home/rocketmq/logs
              subPath: logs
            - name: host-time
              readOnly: true
              mountPath: /etc/localtime
          imagePullPolicy: Always
  volumeClaimTemplates:
    - kind: PersistentVolumeClaim
      apiVersion: v1
      metadata:
        name: rocketmq-namesrv-storage
      spec:
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: 1Gi
        storageClassName: nfs-storage
        volumeMode: Filesystem
  serviceName: ''
---
kind: Service
apiVersion: v1
metadata:
  name: rocketmq-name-server-service
spec:
  ports:
    - name: tcp-9876
      protocol: TCP
      port: 9876
      targetPort: 9876
  selector:
    name_service_cr: rocketmq-name-service
  type: ClusterIP
That is the RocketMQ service itself; we also need a rocketmq-dashboard to manage RocketMQ.
# cat rocketmq-dashboard.yaml
kind: Deployment
apiVersion: apps/v1
metadata:
  name: rocketmq-dashboard
spec:
  replicas: 1
  selector:
    matchLabels:
      app: rocketmq-dashboard
  template:
    metadata:
      labels:
        app: rocketmq-dashboard
    spec:
      containers:
        - name: rocketmq-dashboard
          image: 'apacherocketmq/rocketmq-dashboard:1.0.0'
          ports:
            - name: http-8080
              containerPort: 8080
              protocol: TCP
          env:
            - name: JAVA_OPTS
              value: >-
                -Drocketmq.namesrv.addr=rocketmq-name-server-service:9876
                -Dcom.rocketmq.sendMessageWithVIPChannel=false
          resources:
            limits:
              cpu: 500m
              memory: 2Gi
            requests:
              cpu: 50m
              memory: 512Mi
          imagePullPolicy: Always
---
kind: Service
apiVersion: v1
metadata:
  name: rocketmq-dashboard-service
spec:
  ports:
    - name: http-8080
      protocol: TCP
      port: 8080
      targetPort: 8080
  selector:
    app: rocketmq-dashboard
  type: ClusterIP
After deployment, inside rocketmq-broker-0-master we can see the mounted `broker-common.conf` file; all we need to do is add `aclEnable=true` to it. In the `/home/rocketmq/rocketmq-4.9.7/conf` directory there is a `plain_acl.yml` file, and that is where the permissions are configured. In the manifests above we already mounted `plain_acl.yml` into the container, which is what guarantees that the contents of `plain_acl.yml` are not lost when the container restarts.
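Before the ACL file goes into the ConfigMap it is worth checking it for the settings that weaken RocketMQ's ACL the most: a global whitelist entry that matches clients lets them skip authentication altogether, an admin account with an empty `whiteRemoteAddress` can be used from anywhere, and a placeholder `secretKey` (the sample file ships with `12345678`) is no secret. The script below is an added example, not code from this post or from the RocketMQ project; it parses the `plain_acl.yml` shown above with a small parser for the subset of YAML that file uses (so it runs without PyYAML) and reports such findings. The `WEAK_SECRETS` list and the "broad whitelist" rule are my own thresholds, constructed for illustration.

```python
"""Audit a RocketMQ plain_acl.yml for risky settings before it goes into the ConfigMap."""
import re

# The plain_acl.yml from the ConfigMap above, embedded so the script runs offline.
PLAIN_ACL = """\
globalWhiteRemoteAddresses:
- 10.10.103.*
- 10.244.*.*
- 10.108.*.*
- 192.168.*.*
accounts:
- accessKey: RocketMQ
  secretKey: 12345678
  whiteRemoteAddress:
  admin: false
  defaultTopicPerm: DENY
  defaultGroupPerm: SUB
  topicPerms:
  - topicA=DENY
  - topicB=PUB|SUB
  - topicC=SUB
  groupPerms:
  # the group should convert to retry topic
  - groupA=DENY
  - groupB=PUB|SUB
  - groupC=SUB
- accessKey: rocketmq2
  secretKey: 12345678
  whiteRemoteAddress: 192.168.1.*
  admin: true
- accessKey: rocketmq-admin
  secretKey: rocketmq-admin
  whiteRemoteAddress: 192.168.6.*
  admin: true
"""

# Constructed deny-list of placeholder secrets (illustrative, not exhaustive).
WEAK_SECRETS = {"12345678", "123456", "password", "rocketmq"}
_KEY_RE = re.compile(r"^[\w-]+:(\s|$)")  # "key:" or "key: value" opens a mapping entry


def _scalar(text):
    """Unquote a scalar; only true/false are converted, everything else stays a string."""
    text = text.strip().strip("'\"")
    return text == "true" if text in ("true", "false") else (text or None)


def _lines(text):
    """Drop comments and blank lines; return (indent, content) pairs."""
    out = []
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()
        if line.strip() and not line.lstrip().startswith("#"):
            out.append((len(line) - len(line.lstrip(" ")), line.strip()))
    return out


def _parse_map(lines, i, indent):
    result = {}
    while i < len(lines) and lines[i][0] == indent and not lines[i][1].startswith("- "):
        key, _, rest = lines[i][1].partition(":")
        i += 1
        nxt = lines[i] if i < len(lines) else None
        if rest.strip():
            result[key] = _scalar(rest)
        elif nxt and (nxt[0] > indent or (nxt[0] == indent and nxt[1].startswith("- "))):
            result[key], i = _parse_block(lines, i, nxt[0])  # nested map or list
        else:
            result[key] = None  # e.g. an empty "whiteRemoteAddress:"
    return result, i


def _parse_list(lines, i, indent):
    result = []
    while i < len(lines) and lines[i][0] == indent and lines[i][1].startswith("- "):
        item = lines[i][1][2:].strip()
        if _KEY_RE.match(item):
            # "- key: value" starts a mapping whose remaining keys sit two columns deeper
            lines[i] = (indent + 2, item)
            value, i = _parse_map(lines, i, indent + 2)
        else:
            value, i = _scalar(item), i + 1
        result.append(value)
    return result, i


def _parse_block(lines, i, indent):
    return (_parse_list if lines[i][1].startswith("- ") else _parse_map)(lines, i, indent)


def parse_plain_acl(text):
    """Parse the YAML subset plain_acl.yml uses (maps, lists, scalars, comments)."""
    return _parse_block(_lines(text), 0, 0)[0]


def _is_broad_whitelist(entry):
    """A bare '*' or a wildcard in the first two octets whitelists far more than one subnet."""
    return entry == "*" or any(o == "*" for o in entry.split(".")[:2])


def audit_plain_acl(cfg):
    """Return human-readable findings; an empty list means no check fired."""
    findings = []
    # Clients matching the global whitelist skip authentication entirely, so keep it tight.
    for entry in cfg.get("globalWhiteRemoteAddresses") or []:
        if _is_broad_whitelist(entry):
            findings.append(f"globalWhiteRemoteAddresses entry '{entry}' is too broad; it bypasses ACL")
    for acct in cfg.get("accounts") or []:
        ak, sk = acct.get("accessKey"), acct.get("secretKey") or ""
        if len(sk) < 12 or sk.lower() in WEAK_SECRETS or sk == ak:
            findings.append(f"account '{ak}': weak, placeholder or accessKey-equal secretKey")
        if acct.get("admin") is True and not acct.get("whiteRemoteAddress"):
            findings.append(f"account '{ak}': admin account without a whiteRemoteAddress restriction")
    return findings


if __name__ == "__main__":
    for finding in audit_plain_acl(parse_plain_acl(PLAIN_ACL)):
        print(finding)
```

Run against the file above, all three accounts are reported for their `secretKey` (two use the sample `12345678`, one reuses its own `accessKey`); the global whitelist and the admin accounts pass because each admin is pinned to a subnet. Two operational caveats that follow from the manifests rather than from this script: a ConfigMap mounted with `subPath`, as `plain_acl.yml` is here, does not receive ConfigMap updates, so RocketMQ's hot reload of the ACL file only helps if the file is edited in place or the pod is restarted after `kubectl apply`; and because `plain_acl.yml` carries credentials, a Kubernetes Secret (mounted the same way) is the better home for it than a ConfigMap.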