Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[4.9.x] Add validation in broker/namesrv configure updating command #7649

Merged
merged 1 commit into from
Dec 15, 2023
Merged

[4.9.x] Add validation in broker/namesrv configure updating command #7649

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 27 additions & 0 deletions broker/src/main/java/org/apache/rocketmq/broker/processor/AdminBrokerProcessor.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@
import com.alibaba.fastjson.JSON;
import io.netty.channel.Channel;
import io.netty.channel.ChannelHandlerContext;
import java.util.Arrays;
import org.apache.rocketmq.acl.AccessValidator;
import org.apache.rocketmq.acl.plain.PlainAccessValidator;
import org.apache.rocketmq.broker.BrokerController;
Expand Down Expand Up @@ -143,8 +144,19 @@ public class AdminBrokerProcessor extends AsyncNettyRequestProcessor {
private static final InternalLogger log = InternalLoggerFactory.getLogger(LoggerName.BROKER_LOGGER_NAME);
private final BrokerController brokerController;

protected Set<String> configBlackList = new HashSet<>();

public AdminBrokerProcessor(final BrokerController brokerController) {
this.brokerController = brokerController;
initConfigBlackList();
}

private void initConfigBlackList() {
configBlackList.add("brokerConfigPath");
configBlackList.add("rocketmqHome");
configBlackList.add("configBlackList");
String[] configArray = brokerController.getBrokerConfig().getConfigBlackList().split(";");
configBlackList.addAll(Arrays.asList(configArray));
}

@Override
Expand Down Expand Up @@ -522,6 +534,11 @@ private synchronized RemotingCommand updateBrokerConfig(ChannelHandlerContext ct
String bodyStr = new String(body, MixAll.DEFAULT_CHARSET);
Properties properties = MixAll.string2Properties(bodyStr);
if (properties != null) {
if (validateBlackListConfigExist(properties)) {
response.setCode(ResponseCode.NO_PERMISSION);
response.setRemark("Can not update config in black list.");
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should return response here!

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Got it

}

log.info("updateBrokerConfig, new config: [{}] client: {} ", properties, ctx.channel().remoteAddress());
this.brokerController.getConfiguration().update(properties);
if (properties.containsKey("brokerPermission")) {
Expand All @@ -547,6 +564,16 @@ private synchronized RemotingCommand updateBrokerConfig(ChannelHandlerContext ct
return response;
}


private boolean validateBlackListConfigExist(Properties properties) {
for (String blackConfig:configBlackList) {
if (properties.containsKey(blackConfig)) {
return true;
}
}
return false;
}

private RemotingCommand getBrokerConfig(ChannelHandlerContext ctx, RemotingCommand request) {

final RemotingCommand response = RemotingCommand.createResponseCommand(GetBrokerConfigResponseHeader.class);
Expand Down
16 changes: 16 additions & 0 deletions common/src/main/java/org/apache/rocketmq/common/BrokerConfig.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -196,6 +196,14 @@ public class BrokerConfig {
*/
private boolean isolateLogEnable = false;


/**
* Config in this black list will be not allowed to update by command.
* Try to update this config black list by restart process.
* Try to update configures in black list by restart process.
*/
private String configBlackList = "configBlackList;brokerConfigPath";

public static String localHostName() {
try {
return InetAddress.getLocalHost().getHostName();
Expand Down Expand Up @@ -845,4 +853,12 @@ public boolean isIsolateLogEnable() {
public void setIsolateLogEnable(boolean isolateLogEnable) {
this.isolateLogEnable = isolateLogEnable;
}

public String getConfigBlackList() {
return configBlackList;
}

public void setConfigBlackList(String configBlackList) {
this.configBlackList = configBlackList;
}
}
15 changes: 15 additions & 0 deletions common/src/main/java/org/apache/rocketmq/common/namesrv/NamesrvConfig.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,13 @@ public class NamesrvConfig {
private boolean clusterTest = false;
private boolean orderMessageEnable = false;

/**
* Config in this black list will be not allowed to update by command.
* Try to update this config black list by restart process.
* Try to update configures in black list by restart process.
*/
private String configBlackList = "configBlackList;configStorePath;kvConfigPath";

public boolean isOrderMessageEnable() {
return orderMessageEnable;
}
Expand Down Expand Up @@ -83,4 +90,12 @@ public String getConfigStorePath() {
public void setConfigStorePath(final String configStorePath) {
this.configStorePath = configStorePath;
}

public String getConfigBlackList() {
return configBlackList;
}

public void setConfigBlackList(String configBlackList) {
this.configBlackList = configBlackList;
}
}
30 changes: 28 additions & 2 deletions namesrv/src/main/java/org/apache/rocketmq/namesrv/processor/DefaultRequestProcessor.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,9 @@
import com.alibaba.fastjson.serializer.SerializerFeature;
import io.netty.channel.ChannelHandlerContext;
import java.io.UnsupportedEncodingException;
import java.util.Arrays;
import java.util.Set;
import java.util.HashSet;
import java.util.Properties;
import java.util.concurrent.atomic.AtomicLong;
import org.apache.rocketmq.common.DataVersion;
Expand Down Expand Up @@ -69,8 +72,20 @@ public class DefaultRequestProcessor extends AsyncNettyRequestProcessor implemen

protected final NamesrvController namesrvController;

protected Set<String> configBlackList = new HashSet<>();

public DefaultRequestProcessor(NamesrvController namesrvController) {
this.namesrvController = namesrvController;
initConfigBlackList();
}

private void initConfigBlackList() {
configBlackList.add("configBlackList");
configBlackList.add("configStorePath");
configBlackList.add("kvConfigPath");
configBlackList.add("rocketmqHome");
String[] configArray = namesrvController.getNamesrvConfig().getConfigBlackList().split(";");
configBlackList.addAll(Arrays.asList(configArray));
}

@Override
Expand Down Expand Up @@ -581,9 +596,9 @@ private RemotingCommand updateConfig(ChannelHandlerContext ctx, RemotingCommand
return response;
}

if (properties.containsKey("kvConfigPath") || properties.containsKey("configStorePath")) {
if (validateBlackListConfigExist(properties)) {
response.setCode(ResponseCode.NO_PERMISSION);
response.setRemark("Can not update config path");
response.setRemark("Can not update config in black list.");
return response;
}

Expand All @@ -595,6 +610,17 @@ private RemotingCommand updateConfig(ChannelHandlerContext ctx, RemotingCommand
return response;
}

private boolean validateBlackListConfigExist(Properties properties) {
for (String blackConfig : configBlackList) {
if (properties.containsKey(blackConfig)) {
return true;
}
}
return false;
}



private RemotingCommand getConfig(ChannelHandlerContext ctx, RemotingCommand request) {
final RemotingCommand response = RemotingCommand.createResponseCommand(null);

Expand Down
15 changes: 13 additions & 2 deletions namesrv/src/test/java/org/apache/rocketmq/namesrv/processor/DefaultRequestProcessorTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -185,7 +185,7 @@ public void testProcessRequest_UpdateConfigPath() throws RemotingCommandExceptio

assertThat(response).isNotNull();
assertThat(response.getCode()).isEqualTo(ResponseCode.NO_PERMISSION);
assertThat(response.getRemark()).contains("Can not update config path");
assertThat(response.getRemark()).contains("Can not update config in black list.");

//update disallowed values
properties.clear();
Expand All @@ -196,7 +196,18 @@ public void testProcessRequest_UpdateConfigPath() throws RemotingCommandExceptio

assertThat(response).isNotNull();
assertThat(response.getCode()).isEqualTo(ResponseCode.NO_PERMISSION);
assertThat(response.getRemark()).contains("Can not update config path");
assertThat(response.getRemark()).contains("Can not update config in black list");

//update disallowed values
properties.clear();
properties.setProperty("configBlackList", "test;path");
updateConfigRequest.setBody(MixAll.properties2String(properties).getBytes(StandardCharsets.UTF_8));

response = defaultRequestProcessor.processRequest(null, updateConfigRequest);

assertThat(response).isNotNull();
assertThat(response.getCode()).isEqualTo(ResponseCode.NO_PERMISSION);
assertThat(response.getRemark()).contains("Can not update config in black list");
}

@Test
Expand Down