[ISSUE #70] The rocketmq-dashboard supports ACL configuration (#71)

* Add Acl menu, support config acl.

* Optimize one line code.

* Add some unit tests for acl.

* Add permission control by role and optimize some code.

* The secret keys are hidden by asterisks.

* Search acl data will exclude secretKey info if the login role is not admin in the background.

* Optimize some code again.

* recover default application.yml config
This commit is contained in:
Xiaodong Xu
2022-03-05 10:34:39 +08:00
committed by GitHub
parent 0fc7ca904d
commit 4269879d93
17 changed files with 2065 additions and 13 deletions

View File

@@ -0,0 +1,368 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.rocketmq.dashboard.controller;
import com.alibaba.fastjson.JSON;
import com.google.common.collect.Lists;
import java.util.List;
import org.apache.rocketmq.common.AclConfig;
import org.apache.rocketmq.common.PlainAccessConfig;
import org.apache.rocketmq.common.protocol.body.ClusterInfo;
import org.apache.rocketmq.dashboard.model.request.AclRequest;
import org.apache.rocketmq.dashboard.service.impl.AclServiceImpl;
import org.apache.rocketmq.dashboard.util.MockObjectUtil;
import org.junit.Before;
import org.junit.Test;
import org.mockito.InjectMocks;
import org.mockito.Spy;
import org.springframework.http.MediaType;
import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.anyString;
import static org.mockito.Mockito.doNothing;
import static org.mockito.Mockito.when;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
public class AclControllerTest extends BaseControllerTest {
@InjectMocks
private AclController aclController;
@Spy
private AclServiceImpl aclService;
@Before
public void init() throws Exception {
AclConfig aclConfig = MockObjectUtil.createAclConfig();
when(mqAdminExt.examineBrokerClusterAclConfig(anyString())).thenReturn(aclConfig);
ClusterInfo clusterInfo = MockObjectUtil.createClusterInfo();
when(mqAdminExt.examineBrokerClusterInfo()).thenReturn(clusterInfo);
doNothing().when(mqAdminExt).createAndUpdatePlainAccessConfig(anyString(), any(PlainAccessConfig.class));
doNothing().when(mqAdminExt).deletePlainAccessConfig(anyString(), anyString());
doNothing().when(mqAdminExt).updateGlobalWhiteAddrConfig(anyString(), anyString());
}
@Test
public void testIsEnableAcl() throws Exception {
final String url = "/acl/enable.query";
// 1. disable acl.
requestBuilder = MockMvcRequestBuilders.get(url);
perform = mockMvc.perform(requestBuilder);
perform.andExpect(status().isOk())
.andExpect(jsonPath("$.data").value(false));
// 2.enable acl.
super.mockRmqConfigure();
perform = mockMvc.perform(requestBuilder);
perform.andExpect(status().isOk())
.andExpect(jsonPath("$.data").value(true));
}
@Test
public void testGetAclConfig() throws Exception {
final String url = "/acl/config.query";
// 1. broker addr table is not empty.
ClusterInfo clusterInfo = MockObjectUtil.createClusterInfo();
when(mqAdminExt.examineBrokerClusterInfo()).thenReturn(clusterInfo);
requestBuilder = MockMvcRequestBuilders.get(url);
perform = mockMvc.perform(requestBuilder);
perform.andExpect(status().isOk())
.andExpect(jsonPath("$.data").isMap())
.andExpect(jsonPath("$.data.globalWhiteAddrs").isNotEmpty())
.andExpect(jsonPath("$.data.plainAccessConfigs").isNotEmpty())
.andExpect(jsonPath("$.data.plainAccessConfigs[0].secretKey").isNotEmpty());
// 2. broker addr table is empty.
clusterInfo.getBrokerAddrTable().clear();
perform = mockMvc.perform(requestBuilder);
perform.andExpect(status().isOk())
.andExpect(jsonPath("$.data").isMap())
.andExpect(jsonPath("$.data.globalWhiteAddrs").isEmpty())
.andExpect(jsonPath("$.data.plainAccessConfigs").isEmpty());
// 3. login required and user info is null.
when(configure.isLoginRequired()).thenReturn(true);
when(mqAdminExt.examineBrokerClusterInfo()).thenReturn(MockObjectUtil.createClusterInfo());
perform = mockMvc.perform(requestBuilder);
perform.andExpect(status().isOk())
.andExpect(jsonPath("$.data").isMap())
.andExpect(jsonPath("$.data.globalWhiteAddrs").isNotEmpty())
.andExpect(jsonPath("$.data.plainAccessConfigs").isNotEmpty())
.andExpect(jsonPath("$.data.plainAccessConfigs[0].secretKey").isEmpty());
// 4. login required, but user is not admin. emmmm, Mockito may can not mock static method.
}
@Test
public void testAddAclConfig() throws Exception {
final String url = "/acl/add.do";
PlainAccessConfig accessConfig = new PlainAccessConfig();
requestBuilder = MockMvcRequestBuilders.post(url);
requestBuilder.contentType(MediaType.APPLICATION_JSON_UTF8);
// 1. access key is null.
requestBuilder.content(JSON.toJSONString(accessConfig));
perform = mockMvc.perform(requestBuilder);
perform.andExpect(status().isOk())
.andExpect(jsonPath("$.status").value(-1))
.andExpect(jsonPath("$.errMsg").exists());
// 2. secret key is null.
accessConfig.setAccessKey("test-access-key");
requestBuilder.content(JSON.toJSONString(accessConfig));
perform = mockMvc.perform(requestBuilder);
perform.andExpect(status().isOk())
.andExpect(jsonPath("$.status").value(-1))
.andExpect(jsonPath("$.errMsg").exists());
ClusterInfo clusterInfo = MockObjectUtil.createClusterInfo();
when(mqAdminExt.examineBrokerClusterInfo()).thenReturn(clusterInfo);
// 3. add if the access key not exist.
accessConfig.setSecretKey("12345678");
requestBuilder.content(JSON.toJSONString(accessConfig));
perform = mockMvc.perform(requestBuilder);
perform.andExpect(status().isOk())
.andExpect(jsonPath("$.status").value(0));
// 4. add failed if the access key is existed.
accessConfig.setAccessKey("rocketmq2");
requestBuilder.content(JSON.toJSONString(accessConfig));
perform = mockMvc.perform(requestBuilder);
perform.andExpect(status().isOk())
.andExpect(jsonPath("$.status").value(-1))
.andExpect(jsonPath("$.errMsg").exists());
// 5. add failed if there is no alive broker.
clusterInfo.getBrokerAddrTable().clear();
accessConfig.setAccessKey("test-access-key");
requestBuilder.content(JSON.toJSONString(accessConfig));
perform = mockMvc.perform(requestBuilder);
perform.andExpect(status().isOk())
.andExpect(jsonPath("$.status").value(-1))
.andExpect(jsonPath("$.errMsg").exists());
}
@Test
public void testDeleteAclConfig() throws Exception {
final String url = "/acl/delete.do";
PlainAccessConfig accessConfig = new PlainAccessConfig();
requestBuilder = MockMvcRequestBuilders.post(url);
requestBuilder.contentType(MediaType.APPLICATION_JSON_UTF8);
// 1. access key is null.
requestBuilder.content(JSON.toJSONString(accessConfig));
perform = mockMvc.perform(requestBuilder);
perform.andExpect(status().isOk())
.andExpect(jsonPath("$.status").value(-1))
.andExpect(jsonPath("$.errMsg").exists());
// 2. access key is not null.
accessConfig.setAccessKey("rocketmq");
requestBuilder.content(JSON.toJSONString(accessConfig));
perform = mockMvc.perform(requestBuilder);
perform.andExpect(status().isOk())
.andExpect(jsonPath("$.status").value(0));
}
@Test
public void testUpdateAclConfig() throws Exception {
final String url = "/acl/update.do";
PlainAccessConfig accessConfig = new PlainAccessConfig();
requestBuilder = MockMvcRequestBuilders.post(url);
requestBuilder.contentType(MediaType.APPLICATION_JSON_UTF8);
// 1. secret key is null.
accessConfig.setAccessKey("rocketmq");
requestBuilder.content(JSON.toJSONString(accessConfig));
perform = mockMvc.perform(requestBuilder);
perform.andExpect(status().isOk())
.andExpect(jsonPath("$.status").value(-1))
.andExpect(jsonPath("$.errMsg").exists());
// 2. update.
accessConfig.setSecretKey("abcdefghjkl");
requestBuilder.content(JSON.toJSONString(accessConfig));
perform = mockMvc.perform(requestBuilder);
perform.andExpect(status().isOk())
.andExpect(jsonPath("$.status").value(0));
}
@Test
public void testAddAclTopicConfig() throws Exception {
final String url = "/acl/topic/add.do";
AclRequest request = new AclRequest();
request.setConfig(createDefaultPlainAccessConfig());
// 1. if not exist.
request.setTopicPerm("test_topic=PUB");
requestBuilder = MockMvcRequestBuilders.post(url);
requestBuilder.contentType(MediaType.APPLICATION_JSON_UTF8);
requestBuilder.content(JSON.toJSONString(request));
perform = mockMvc.perform(requestBuilder);
perform.andExpect(status().isOk())
.andExpect(jsonPath("$.status").value(0));
// 2. if exist.
request.setTopicPerm("topicA=PUB");
requestBuilder.content(JSON.toJSONString(request));
perform = mockMvc.perform(requestBuilder);
perform.andExpect(status().isOk())
.andExpect(jsonPath("$.status").value(0));
// 3. if access key not exist.
request.getConfig().setAccessKey("test_access_key123");
requestBuilder.content(JSON.toJSONString(request));
perform = mockMvc.perform(requestBuilder);
perform.andExpect(status().isOk())
.andExpect(jsonPath("$.status").value(0));
}
@Test
public void testAddAclGroupConfig() throws Exception {
final String url = "/acl/group/add.do";
AclRequest request = new AclRequest();
request.setConfig(createDefaultPlainAccessConfig());
// 1. if not exist.
request.setGroupPerm("test_consumer=PUB|SUB");
requestBuilder = MockMvcRequestBuilders.post(url);
requestBuilder.contentType(MediaType.APPLICATION_JSON_UTF8);
requestBuilder.content(JSON.toJSONString(request));
perform = mockMvc.perform(requestBuilder);
perform.andExpect(status().isOk())
.andExpect(jsonPath("$.status").value(0));
// 2. if exist.
request.setGroupPerm("groupA=PUB|SUB");
requestBuilder.content(JSON.toJSONString(request));
perform = mockMvc.perform(requestBuilder);
perform.andExpect(status().isOk())
.andExpect(jsonPath("$.status").value(0));
// 3. if access key not exist.
request.getConfig().setAccessKey("test_access_key123");
requestBuilder.content(JSON.toJSONString(request));
perform = mockMvc.perform(requestBuilder);
perform.andExpect(status().isOk())
.andExpect(jsonPath("$.status").value(0));
}
@Test
public void testDeletePermConfig() throws Exception {
final String url = "/acl/perm/delete.do";
AclRequest request = new AclRequest();
request.setConfig(createDefaultPlainAccessConfig());
requestBuilder = MockMvcRequestBuilders.post(url);
requestBuilder.contentType(MediaType.APPLICATION_JSON_UTF8);
requestBuilder.content(JSON.toJSONString(request));
perform = mockMvc.perform(requestBuilder);
perform.andExpect(status().isOk())
.andExpect(jsonPath("$.status").value(0));
// if access key not exist.
request.getConfig().setAccessKey("test_access_key123");
requestBuilder.content(JSON.toJSONString(request));
perform = mockMvc.perform(requestBuilder);
perform.andExpect(status().isOk())
.andExpect(jsonPath("$.status").value(0));
}
@Test
public void testSyncConfig() throws Exception {
final String url = "/acl/sync.do";
requestBuilder = MockMvcRequestBuilders.post(url);
requestBuilder.contentType(MediaType.APPLICATION_JSON_UTF8);
requestBuilder.content(JSON.toJSONString(createDefaultPlainAccessConfig()));
perform = mockMvc.perform(requestBuilder);
perform.andExpect(status().isOk())
.andExpect(jsonPath("$.status").value(0));
}
@Test
public void testAddWhiteList() throws Exception {
final String url = "/acl/white/list/add.do";
List<String> whiteList = Lists.newArrayList("192.168.0.1");
// 1. if global white list is not null.
requestBuilder = MockMvcRequestBuilders.post(url);
requestBuilder.contentType(MediaType.APPLICATION_JSON_UTF8);
requestBuilder.content(JSON.toJSONString(whiteList));
perform = mockMvc.perform(requestBuilder);
perform.andExpect(status().isOk())
.andExpect(jsonPath("$.status").value(0));
// 2. if global white list is null.
AclConfig aclConfig = MockObjectUtil.createAclConfig();
aclConfig.setGlobalWhiteAddrs(null);
when(mqAdminExt.examineBrokerClusterAclConfig(anyString())).thenReturn(aclConfig);
perform = mockMvc.perform(requestBuilder);
perform.andExpect(status().isOk())
.andExpect(jsonPath("$.status").value(0));
}
@Test
public void testDeleteWhiteAddr() throws Exception {
final String url = "/acl/white/list/delete.do";
requestBuilder = MockMvcRequestBuilders.delete(url);
requestBuilder.param("request", "localhost");
perform = mockMvc.perform(requestBuilder);
perform.andExpect(status().isOk())
.andExpect(jsonPath("$.status").value(0));
}
@Test
public void testSynchronizeWhiteList() throws Exception {
final String url = "/acl/white/list/sync.do";
List<String> whiteList = Lists.newArrayList();
// 1. if white list for syncing is empty.
requestBuilder = MockMvcRequestBuilders.post(url);
requestBuilder.contentType(MediaType.APPLICATION_JSON_UTF8);
requestBuilder.content(JSON.toJSONString(whiteList));
perform = mockMvc.perform(requestBuilder);
perform.andExpect(status().isOk())
.andExpect(jsonPath("$.status").value(-1))
.andExpect(jsonPath("$.errMsg").exists());
// 2. if white list for syncing is not empty.
whiteList.add("localhost");
requestBuilder.content(JSON.toJSONString(whiteList));
perform = mockMvc.perform(requestBuilder);
perform.andExpect(status().isOk())
.andExpect(jsonPath("$.status").value(0));
}
@Override protected Object getTestController() {
return aclController;
}
private PlainAccessConfig createDefaultPlainAccessConfig() {
PlainAccessConfig config = new PlainAccessConfig();
config.setAdmin(false);
config.setAccessKey("rocketmq");
config.setSecretKey("123456789");
config.setDefaultGroupPerm("SUB");
config.setDefaultTopicPerm("DENY");
config.setTopicPerms(Lists.newArrayList("topicA=DENY", "topicB=PUB|SUB"));
config.setGroupPerms(Lists.newArrayList("groupA=DENY", "groupB=PUB|SUB"));
return config;
}
}

View File

@@ -16,8 +16,10 @@
*/
package org.apache.rocketmq.dashboard.util;
import com.google.common.collect.Lists;
import java.net.InetSocketAddress;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
@@ -30,8 +32,10 @@ import java.util.concurrent.ConcurrentMap;
import org.apache.rocketmq.client.producer.LocalTransactionState;
import org.apache.rocketmq.client.trace.TraceConstants;
import org.apache.rocketmq.client.trace.TraceType;
import org.apache.rocketmq.common.AclConfig;
import org.apache.rocketmq.common.DataVersion;
import org.apache.rocketmq.common.MixAll;
import org.apache.rocketmq.common.PlainAccessConfig;
import org.apache.rocketmq.common.TopicConfig;
import org.apache.rocketmq.common.admin.ConsumeStats;
import org.apache.rocketmq.common.admin.OffsetWrapper;
@@ -59,6 +63,7 @@ import org.apache.rocketmq.common.protocol.route.TopicRouteData;
import org.apache.rocketmq.common.subscription.SubscriptionGroupConfig;
import org.apache.rocketmq.dashboard.model.DlqMessageRequest;
import org.apache.rocketmq.remoting.protocol.LanguageCode;
import org.checkerframework.checker.units.qual.A;
import static org.apache.rocketmq.common.protocol.heartbeat.ConsumeType.CONSUME_ACTIVELY;
@@ -311,4 +316,26 @@ public class MockObjectUtil {
}
return dlqMessages;
}
public static AclConfig createAclConfig() {
PlainAccessConfig adminConfig = new PlainAccessConfig();
adminConfig.setAdmin(true);
adminConfig.setAccessKey("rocketmq2");
adminConfig.setSecretKey("12345678");
PlainAccessConfig normalConfig = new PlainAccessConfig();
normalConfig.setAdmin(false);
normalConfig.setAccessKey("rocketmq");
normalConfig.setSecretKey("123456789");
normalConfig.setDefaultGroupPerm("SUB");
normalConfig.setDefaultTopicPerm("DENY");
normalConfig.setTopicPerms(Lists.newArrayList("topicA=DENY", "topicB=PUB|SUB"));
normalConfig.setGroupPerms(Lists.newArrayList("groupA=DENY", "groupB=PUB|SUB"));
AclConfig aclConfig = new AclConfig();
aclConfig.setPlainAccessConfigs(Lists.newArrayList(adminConfig, normalConfig));
aclConfig.setGlobalWhiteAddrs(Lists.newArrayList("localhost"));
return aclConfig;
}
}