清晨的一缕阳光

RocketMQ Security Hardening and Access Control in Practice

Security is a core requirement for RocketMQ in enterprise deployments. This article walks through a complete hardening plan: ACL authorization, IP whitelists, encrypted transport, audit logging, monitoring and troubleshooting.

1. Security Architecture

1.1 Security layers

graph TB
    subgraph net[Network security]
        WL[IP whitelist]
        SSL[SSL encryption]
    end

    subgraph authn[Authentication]
        ACL[ACL authentication]
        TOKEN[Token authentication]
    end

    subgraph authz[Authorization]
        TOPIC[Topic permissions]
        GROUP[Group permissions]
    end

    subgraph audit[Auditing]
        AUDIT[Audit log]
        MONITOR[Monitoring and alerting]
    end

    WL --> ACL
    ACL --> TOPIC
    TOPIC --> AUDIT

1.2 Security feature comparison

Feature               | 4.x | 5.0 | Description
ACL                   |     |     | Access control list
Whitelist             |     |     | IP whitelist
SSL                   |     |     | Encrypted transport
Authentication plugin |     |     | Pluggable authentication
Audit log             |     |     | Operation auditing

2. ACL Configuration

2.1 Enabling ACL

Broker configuration

# broker.conf

# Enable ACL
aclEnable=true

# ACL policy file: the broker loads ${ROCKETMQ_HOME}/conf/plain_acl.yml by default.
# There is no broker.conf key for the path; to use another location, set the JVM property
#   -Drocketmq.acl.plain.file=/etc/rocketmq/plain_acl.yml
# in the broker's JAVA_OPT (bin/runbroker.sh or the service unit).

# The accounts the broker accepts (accessKey/secretKey pairs) are defined in plain_acl.yml,
# see the next section. Secrets must be longer than 6 characters; keep them out of broker.conf.

2.2 ACL configuration file

plain_acl.yml

# ACL policy. The broker watches this file and reloads it when it changes, so edits take effect without a restart.

# Global whitelist: clients connecting from these addresses are admitted WITHOUT any
# credential or permission check, so keep this list as small as possible.
globalWhiteRemoteAddresses:
  - 192.168.1.1
  - 192.168.1.2
  - 192.168.1.*

accounts:
  # Administrator account
  - accessKey: admin
    secretKey: admin123
    # An account-level whiteRemoteAddress also bypasses the secret and permission checks for
    # matching clients: "*" here would make the admin account usable from anywhere without its
    # secret. Leave it empty (or limit it to the admin host) for privileged accounts.
    whiteRemoteAddress:
    admin: true
    defaultTopicPerm: DENY
    defaultGroupPerm: DENY
    topicPerms:
      - topicA=PUB|SUB
      - topicB=PUB|SUB
      - topicC=PUB|SUB
    groupPerms:
      - groupA=SUB
      - groupB=SUB

  # Producer account
  - accessKey: producer
    secretKey: producer123
    whiteRemoteAddress:
    admin: false
    defaultTopicPerm: DENY
    defaultGroupPerm: DENY
    topicPerms:
      - order-topic=PUB
      - pay-topic=PUB
    groupPerms: []

  # Consumer account
  - accessKey: consumer
    secretKey: consumer123
    whiteRemoteAddress:
    admin: false
    defaultTopicPerm: DENY
    defaultGroupPerm: DENY
    topicPerms:
      - order-topic=SUB
      - pay-topic=SUB
    groupPerms:
      - order-consumer-group=SUB
      - pay-consumer-group=SUB

2.3 Client configuration

The client presents its accessKey/secretKey through an RPC hook that signs every request; there is no request header to fill in by hand. The credentials must match an account in plain_acl.yml and should come from a secret store rather than a literal in the code.

Producer configuration

import java.nio.charset.StandardCharsets;
import org.apache.rocketmq.acl.common.AclClientRPCHook;
import org.apache.rocketmq.acl.common.SessionCredentials;
import org.apache.rocketmq.client.producer.DefaultMQProducer;
import org.apache.rocketmq.common.message.Message;
import org.apache.rocketmq.remoting.RPCHook;

// ACL credentials: the hook signs each request with the secret
RPCHook aclHook = new AclClientRPCHook(new SessionCredentials("producer", "producer123"));

DefaultMQProducer producer = new DefaultMQProducer("producer-group", aclHook);
producer.setNamesrvAddr("ns1:9876");

// The VIP ("fast") channel uses a second broker port (listenPort - 2);
// disabling it leaves one port to whitelist and secure
producer.setVipChannelEnabled(false);
producer.setInstanceName("producer-instance");

producer.start();
// order-topic is granted PUB to this account in plain_acl.yml
producer.send(new Message("order-topic", "order payload".getBytes(StandardCharsets.UTF_8)));

Consumer configuration

import org.apache.rocketmq.acl.common.AclClientRPCHook;
import org.apache.rocketmq.acl.common.SessionCredentials;
import org.apache.rocketmq.client.consumer.DefaultMQPushConsumer;
import org.apache.rocketmq.client.consumer.listener.ConsumeConcurrentlyStatus;
import org.apache.rocketmq.client.consumer.listener.MessageListenerConcurrently;
import org.apache.rocketmq.client.consumer.rebalance.AllocateMessageQueueAveragely;
import org.apache.rocketmq.remoting.RPCHook;

RPCHook aclHook = new AclClientRPCHook(new SessionCredentials("consumer", "consumer123"));

// The group name must be one the account holds SUB on (groupPerms in plain_acl.yml)
DefaultMQPushConsumer consumer = new DefaultMQPushConsumer(
    "order-consumer-group", aclHook, new AllocateMessageQueueAveragely());
consumer.setNamesrvAddr("ns1:9876");
consumer.subscribe("order-topic", "*");

consumer.setVipChannelEnabled(false);
consumer.setInstanceName("consumer-instance");

// A push consumer refuses to start without a listener
consumer.registerMessageListener((MessageListenerConcurrently) (msgs, context) -> {
    // process msgs ...
    return ConsumeConcurrentlyStatus.CONSUME_SUCCESS;
});

consumer.start();

3. IP Whitelist

3.1 Broker whitelist

The global whitelist belongs to the ACL policy file, not to broker.conf:

# plain_acl.yml
globalWhiteRemoteAddresses:
  - 192.168.1.1
  - 192.168.1.2
  - 192.168.1.*

# broker.conf
# namesrvAddr is the list of NameServers the broker registers with; it is not a whitelist
namesrvAddr=192.168.1.10:9876;192.168.1.11:9876

3.2 Dynamic whitelist

import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class WhiteListManager {

    private static final Logger log = LoggerFactory.getLogger(WhiteListManager.class);

    private final Set<String> whiteList = ConcurrentHashMap.newKeySet();

    /**
     * Add an entry: an exact IPv4 address or a prefix pattern such as 192.168.1.*
     */
    public void addWhiteList(String ip) {
        whiteList.add(ip);
        log.info("whitelist entry added: {}", ip);
    }

    /**
     * Remove an entry
     */
    public void removeWhiteList(String ip) {
        whiteList.remove(ip);
        log.info("whitelist entry removed: {}", ip);
    }

    /**
     * Check a client address. Accepts "host:port" as reported by the channel (IPv4 only).
     */
    public boolean isAllowed(String remoteAddr) {
        String ip = remoteAddr.contains(":") ? remoteAddr.substring(0, remoteAddr.indexOf(':')) : remoteAddr;

        // exact match
        if (whiteList.contains(ip)) {
            return true;
        }

        // wildcard match: the prefix must end at an octet boundary, otherwise a
        // pattern like "192.168.1*" would also admit 192.168.10.0/24
        for (String pattern : whiteList) {
            if (pattern.endsWith(".*")) {
                String prefix = pattern.substring(0, pattern.length() - 1); // keeps the trailing dot
                if (ip.startsWith(prefix)) {
                    return true;
                }
            }
        }

        return false;
    }
}
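To make the interaction between whitelists (sections 3.1 and 3.2) and the account permissions of section 2.2 concrete, here is an added example in Python. It is illustrative code written for this article, not RocketMQ's PlainPermissionManager. The policy dict is a constructed copy of the plain_acl.yml above; the whitelist patterns support the shapes the RocketMQ ACL documentation lists (`*`, per-octet `a-b` ranges and `{a,b,c}` sets); and the evaluation order (global whitelist, account lookup, account whitelist, secret, resource permissions) is my reading of the plain ACL implementation, so verify it against the version you run.

```python
"""Evaluate a plain_acl.yml-style policy for one request (illustrative, not RocketMQ code)."""

ACL_POLICY = {  # constructed sample mirroring section 2.2
    "globalWhiteRemoteAddresses": ["192.168.1.1", "192.168.1.2", "192.168.1.*"],
    "accounts": [
        {"accessKey": "admin", "secretKey": "admin123", "whiteRemoteAddress": "*",
         "admin": True, "defaultTopicPerm": "DENY", "defaultGroupPerm": "DENY",
         "topicPerms": ["topicA=PUB|SUB"], "groupPerms": ["groupA=SUB"]},
        {"accessKey": "producer", "secretKey": "producer123", "whiteRemoteAddress": "",
         "admin": False, "defaultTopicPerm": "DENY", "defaultGroupPerm": "DENY",
         "topicPerms": ["order-topic=PUB", "pay-topic=PUB"], "groupPerms": []},
        {"accessKey": "consumer", "secretKey": "consumer123", "whiteRemoteAddress": "",
         "admin": False, "defaultTopicPerm": "DENY", "defaultGroupPerm": "DENY",
         "topicPerms": ["order-topic=SUB", "pay-topic=SUB"],
         "groupPerms": ["order-consumer-group=SUB", "pay-consumer-group=SUB"]},
    ],
}


def _octet_matches(part, value):
    """One dotted field of a pattern: literal number, '*', 'a-b' range or '{a,b,c}' set."""
    if part == "*":
        return True
    if part.startswith("{") and part.endswith("}"):
        return value in {int(v) for v in part[1:-1].split(",") if v.strip()}
    if "-" in part:
        lo, hi = (int(x) for x in part.split("-", 1))
        return lo <= value <= hi
    return int(part) == value


def ip_matches(pattern, ip):
    """Octet-aware match: '192.168.1.*' covers 192.168.1.0/24 only, not 192.168.10.x
    (a naive startswith('192.168.1') check would admit both)."""
    pattern = pattern.strip()
    if pattern == "*":
        return True
    parts, octets = pattern.split("."), ip.split(".")
    if len(parts) != 4 or len(octets) != 4:
        return False
    try:
        return all(_octet_matches(p, int(o)) for p, o in zip(parts, octets))
    except ValueError:  # malformed pattern or address: never matches
        return False


def ip_in_whitelist(entries, ip):
    """entries: a YAML list, or one ';'-separated string as in section 3.1."""
    if not entries:
        return False
    if isinstance(entries, str):
        entries = entries.split(";")
    return any(ip_matches(e, ip) for e in entries if e.strip())


def _perm(spec):
    """'PUB|SUB' -> {'PUB', 'SUB'}; 'DENY' (or anything else) -> empty set."""
    return frozenset(p for p in (spec or "").upper().split("|") if p in ("PUB", "SUB"))


def _perm_table(entries):
    """['order-topic=PUB', ...] -> {'order-topic': {'PUB'}}"""
    table = {}
    for entry in entries or []:
        name, _, spec = entry.partition("=")
        table[name.strip()] = _perm(spec)
    return table


def authorize(policy, access_key, secret_key, client_ip, topic=None, group=None,
              need="PUB", admin_op=False):
    """Decide one request. Returns (allowed, reason)."""
    # 1. Global whitelist: matching clients skip credentials and permissions entirely.
    if ip_in_whitelist(policy.get("globalWhiteRemoteAddresses"), client_ip):
        return True, "global whitelist"
    account = next((a for a in policy["accounts"] if a["accessKey"] == access_key), None)
    if account is None:
        return False, "unknown accessKey"
    # 2. Account whitelist: a match ALSO skips the secret and permission checks, which is
    #    why whiteRemoteAddress: "*" on an admin account is dangerous.
    if ip_in_whitelist(account.get("whiteRemoteAddress"), client_ip):
        return True, "account whitelist"
    # 3. Credentials. A real client signs each request with its secret; comparing the
    #    secret directly stands in for verifying that signature here.
    if secret_key != account["secretKey"]:
        return False, "signature mismatch"
    if admin_op and not account.get("admin", False):
        return False, "admin permission required"
    # 4. Resource permissions; unlisted resources fall back to the account defaults.
    needed = _perm(need)
    if topic is not None:
        owned = _perm_table(account.get("topicPerms")).get(topic, _perm(account.get("defaultTopicPerm")))
        if not needed <= owned:
            return False, "topic %s: need %s, have %s" % (topic, need, "|".join(sorted(owned)) or "DENY")
    if group is not None:  # a consumer also needs SUB on its group (the retry topic)
        owned = _perm_table(account.get("groupPerms")).get(group, _perm(account.get("defaultGroupPerm")))
        if "SUB" not in owned:
            return False, "group %s: need SUB, have %s" % (group, "|".join(sorted(owned)) or "DENY")
    return True, "permitted"


if __name__ == "__main__":
    print(authorize(ACL_POLICY, "producer", "producer123", "10.0.0.5", topic="order-topic"))
    print(authorize(ACL_POLICY, "producer", "producer123", "10.0.0.5", topic="order-topic", need="SUB"))
    print(authorize(ACL_POLICY, "admin", "wrong-secret", "10.0.0.9", topic="topicA"))  # whitelist bypass
```

The last call in the `__main__` block is the case to take away: with `whiteRemoteAddress: "*"` on the admin account, a client from any address that merely names the accessKey `admin` is admitted with the wrong secret. Running the same check with the whitelist left empty turns the answer into `signature mismatch`, which is the behaviour the corrected plain_acl.yml above is meant to give.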

4. SSL Encryption

4.1 Certificate generation

RocketMQ's TLS layer reads PEM files (a PKCS#8 private key, a certificate chain and a CA file), not Java keystores, so openssl alone is enough:

#!/bin/bash
# Generate a private CA and a broker certificate as PEM files
set -euo pipefail

TLS_DIR=/etc/rocketmq/tls
mkdir -p "$TLS_DIR" && chmod 700 "$TLS_DIR"
cd "$TLS_DIR"

# CA key and self-signed CA certificate
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out ca.key
openssl req -new -x509 -key ca.key -out ca.pem -days 365 \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=MyCompany/CN=my-ca"

# Broker key (genpkey writes PKCS#8 PEM, which the broker's TLS loader expects) and CSR
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out server.key
openssl req -new -key server.key -out server.csr \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=MyCompany/CN=rocketmq-broker-1"

# Sign the CSR with the CA; a SAN with the broker hostname lets clients verify the name
printf 'subjectAltName=DNS:rocketmq-broker-1\n' > server.ext
openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out server.pem -days 365 -extfile server.ext

# Private keys stay readable only by the broker user; ca.pem is the trust anchor handed to clients
chmod 600 ca.key server.key

4.2 Broker SSL configuration

# broker.conf

# TLS is negotiated on the normal listenPort; RocketMQ has no separate TLS port
listenPort=10911

# The TLS mode and the properties file are JVM system properties read by the remoting layer,
# so they go into JAVA_OPT in bin/runbroker.sh (and bin/runserver.sh for the NameServer):
#   -Dtls.server.mode=enforcing -Dtls.config.file=/etc/rocketmq/tls.properties
# tls.server.mode: disabled | permissive (plain and TLS both accepted) | enforcing (TLS only)

tls.properties

# Test mode would use a throwaway self-signed certificate; keep it off outside development
tls.test.mode.enable=false
# none | optional | require: whether clients must present a certificate (mutual TLS)
tls.server.need.client.auth=none
# PEM files from 4.1; keyPassword stays empty because the key above is unencrypted
tls.server.keyPath=/etc/rocketmq/tls/server.key
tls.server.keyPassword=
tls.server.certPath=/etc/rocketmq/tls/server.pem
# For mutual TLS set need.client.auth=require, authClient=true and point trustCertPath at the CA
tls.server.authClient=false
tls.server.trustCertPath=/etc/rocketmq/tls/ca.pem

4.3 Client SSL configuration

Enable TLS in the client JVM before any producer or consumer starts (ClientConfig.setUseTLS(true) is the per-client equivalent of tls.enable):

// Enable TLS
System.setProperty("tls.enable", "true");
System.setProperty("tls.config.file", "/etc/rocketmq/client-tls.properties");

DefaultMQProducer producer = new DefaultMQProducer("producer-group");
// Same NameServer port as before: there is no separate TLS port. With tls.enable the client
// speaks TLS to the NameServer and to the Broker, so both must run with
// tls.server.mode=permissive or enforcing.
producer.setNamesrvAddr("192.168.1.10:9876");
producer.start();

client-tls.properties

tls.test.mode.enable=false
# Verify the server certificate against our CA. The default (false) accepts any certificate.
tls.client.authServer=true
tls.client.trustCertPath=/etc/rocketmq/tls/ca.pem
# Only needed when the server requires client certificates (tls.server.need.client.auth=require)
# tls.client.keyPath=/etc/rocketmq/tls/client.key
# tls.client.certPath=/etc/rocketmq/tls/client.pem
# tls.client.keyPassword=
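The TLS settings above have a few failure modes that are easy to ship by accident: test mode left on, keystore paths where PEM files are expected, and a client that never verifies the broker because `tls.client.authServer` defaults to false. The following added example (written for this article, not part of RocketMQ) is a small linter for tls.properties files that checks for exactly those. The property names are the documented `tls.*` keys; the sample files are constructed for the demo, the weak one mirroring a client file with JKS paths and no `authServer`.

```python
"""Lint RocketMQ tls.properties files for the weak settings discussed in section 4."""

# Constructed samples: a weak client file (keystores, server not verified) and hardened replacements
WEAK_CLIENT = """
tls.test.mode.enable=false
tls.client.keyPath=/var/ssl/private/rocketmq.client.keystore.jks
tls.client.keyPassword=keystore-password
tls.client.certPath=/var/ssl/private/rocketmq.client.keystore.jks
tls.client.trustCertPath=/var/ssl/private/rocketmq.client.truststore.jks
"""

HARDENED_CLIENT = """
tls.test.mode.enable=false
tls.client.authServer=true
tls.client.trustCertPath=/etc/rocketmq/tls/ca.pem
"""

HARDENED_SERVER = """
tls.test.mode.enable=false
tls.server.need.client.auth=none
tls.server.keyPath=/etc/rocketmq/tls/server.key
tls.server.certPath=/etc/rocketmq/tls/server.pem
tls.server.authClient=false
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value per line; '#'/'!' comments and blanks skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def lint_tls_properties(text, side):
    """side is 'server' (broker / NameServer) or 'client'. Returns [(severity, key, message)]."""
    p = parse_properties(text)
    findings = []

    def on(key):
        return p.get(key, "false").lower() == "true"

    if on("tls.test.mode.enable"):
        findings.append(("HIGH", "tls.test.mode.enable",
                         "test mode uses a throwaway self-signed certificate and skips verification"))
    # RocketMQ loads PEM for every *Path key; a keystore there fails at startup or, worse, in test mode
    for key, value in p.items():
        if key.endswith(("keyPath", "certPath", "trustCertPath")) and value.lower().endswith((".jks", ".p12", ".pfx")):
            findings.append(("ERROR", key, "RocketMQ loads PEM here, not a Java keystore; export to PEM (PKCS#8 key)"))
    if side == "server":
        for key in ("tls.server.keyPath", "tls.server.certPath"):
            if not p.get(key):
                findings.append(("ERROR", key, "required so the server can present a certificate"))
        if p.get("tls.server.need.client.auth", "none") == "none":
            findings.append(("INFO", "tls.server.need.client.auth",
                             "no client certificates (no mTLS); ACL is the only client authentication"))
        elif not on("tls.server.authClient"):
            findings.append(("HIGH", "tls.server.authClient", "client certificates are requested but never verified"))
        elif not p.get("tls.server.trustCertPath"):
            findings.append(("ERROR", "tls.server.trustCertPath", "authClient=true but no CA file to verify clients against"))
    else:
        if not on("tls.client.authServer"):
            findings.append(("HIGH", "tls.client.authServer",
                             "server certificate is not verified (default false); set true and configure tls.client.trustCertPath"))
        elif not p.get("tls.client.trustCertPath"):
            findings.append(("ERROR", "tls.client.trustCertPath", "authServer=true but no CA file configured"))
    return findings


def worst(findings):
    """0 = clean, 1 = INFO, 2 = HIGH, 3 = ERROR; usable as a CI gate on the config repo."""
    rank = {"INFO": 1, "HIGH": 2, "ERROR": 3}
    return max((rank[s] for s, _, _ in findings), default=0)


if __name__ == "__main__":
    for name, text, side in (("weak client", WEAK_CLIENT, "client"),
                             ("hardened client", HARDENED_CLIENT, "client"),
                             ("server", HARDENED_SERVER, "server")):
        print(name, "->", lint_tls_properties(text, side) or "clean")
```

Run it against the real files before a rollout (`lint_tls_properties(open(path).read(), "client")`); the weak sample yields three ERROR findings for the keystore paths plus a HIGH for the unverified server, while the hardened client file comes back clean and the server file only notes that mutual TLS is off.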

5. Audit Log

5.1 Audit configuration

# broker.conf

# Enable the audit log
enableAuditLog=true

# Audit log path
auditLogPath=/var/log/rocketmq/audit.log

# Audit log level
auditLogLevel=INFO

5.2 Audit log format

Each record is one line: timestamp, level, the [AuditLog] tag and comma-separated key=value fields. Producer records name the principal as producer=..., consumer records as consumer=...; a denied request is logged at WARN with result=denied.

2026-08-15 10:00:00,123 INFO [AuditLog] action=send, topic=order-topic, producer=producer-group, ip=192.168.1.100, result=success
2026-08-15 10:00:01,456 INFO [AuditLog] action=receive, topic=order-topic, consumer=consumer-group, ip=192.168.1.101, result=success
2026-08-15 10:00:02,789 WARN [AuditLog] action=send, topic=order-topic, producer=producer-group, ip=192.168.1.102, result=denied

5.3 Audit analysis script

#!/bin/bash
# Audit log analysis script
set -u

AUDIT_LOG="${1:-/var/log/rocketmq/audit.log}"

echo "=== Operations by action ==="
grep -o 'action=[^,]*' "$AUDIT_LOG" | cut -d= -f2 | sort | uniq -c | sort -rn

# Denied records name the principal as producer= or consumer=; match both, not just producer=
echo -e "\n=== Denials by principal ==="
grep 'result=denied' "$AUDIT_LOG" | grep -oE '(producer|consumer)=[^,]*' | cut -d= -f2 | sort | uniq -c | sort -rn

echo -e "\n=== Most recent denials ==="
grep 'result=denied' "$AUDIT_LOG" | tail -20

echo -e "\n=== Denials by IP ==="
grep 'result=denied' "$AUDIT_LOG" | grep -o 'ip=[^,]*' | cut -d= -f2 | sort | uniq -c | sort -rn
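Counting denials is the start; what the on-call engineer wants is the same counts plus a time-windowed check against the per-minute thresholds of section 7.1. The following added example (illustrative code for this article, not a RocketMQ component) parses the audit format shown in 5.2, reproduces the four statistics of the shell script, and flags any source IP whose denials exceed a limit inside a sliding one-minute window. The log lines are constructed: the three from 5.2 followed by a burst from 192.168.1.102.

```python
"""Parse RocketMQ-style audit lines and detect denial bursts per source IP."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: the three lines from section 5.2 plus a burst of denials from one IP
SAMPLE_LOG = """\
2026-08-15 10:00:00,123 INFO [AuditLog] action=send, topic=order-topic, producer=producer-group, ip=192.168.1.100, result=success
2026-08-15 10:00:01,456 INFO [AuditLog] action=receive, topic=order-topic, consumer=consumer-group, ip=192.168.1.101, result=success
2026-08-15 10:00:02,789 WARN [AuditLog] action=send, topic=order-topic, producer=producer-group, ip=192.168.1.102, result=denied
2026-08-15 10:00:05,001 WARN [AuditLog] action=receive, topic=pay-topic, consumer=other-group, ip=192.168.2.50, result=denied
2026-08-15 10:00:12,002 WARN [AuditLog] action=send, topic=pay-topic, producer=producer-group, ip=192.168.1.102, result=denied
2026-08-15 10:00:20,003 WARN [AuditLog] action=send, topic=order-topic, producer=producer-group, ip=192.168.1.102, result=denied
2026-08-15 10:00:31,004 WARN [AuditLog] action=send, topic=order-topic, producer=producer-group, ip=192.168.1.102, result=denied
2026-08-15 10:03:00,005 WARN [AuditLog] action=send, topic=order-topic, producer=producer-group, ip=192.168.1.102, result=denied
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ (?P<level>\w+) \[AuditLog\] (?P<fields>.*)$")


def parse_line(line):
    """One audit record as a dict, or None for lines that are not audit records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), "level": m["level"]}
    for kv in m["fields"].split(","):
        key, sep, value = kv.strip().partition("=")
        if sep:
            rec[key] = value
    # producer and consumer records name the principal under different keys
    rec["principal"] = rec.get("producer") or rec.get("consumer") or "?"
    return rec


def parse_log(text):
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def summarize(records):
    """The four statistics of the shell script in 5.3."""
    denied = [r for r in records if r.get("result") == "denied"]
    return {
        "actions": Counter(r.get("action") for r in records),
        "denied_by_principal": Counter(r["principal"] for r in denied),
        "denied_by_ip": Counter(r.get("ip") for r in denied),
        "recent_denied": denied[-20:],
    }


def denial_bursts(records, limit, window=timedelta(minutes=1)):
    """Sliding window: (ip, first_ts) for every IP with more than `limit` denials inside
    `window`, i.e. the 'per minute' thresholds of section 7.1 applied per source."""
    recent = defaultdict(deque)
    alerts, flagged = [], set()
    for r in sorted(records, key=lambda r: r["ts"]):
        if r.get("result") != "denied":
            continue
        q = recent[r["ip"]]
        q.append(r["ts"])
        while q and r["ts"] - q[0] > window:  # drop denials that fell out of the window
            q.popleft()
        if len(q) > limit and r["ip"] not in flagged:
            flagged.add(r["ip"])
            alerts.append((r["ip"], q[0]))
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    stats = summarize(recs)
    print("actions:", dict(stats["actions"]))
    print("denied by principal:", dict(stats["denied_by_principal"]))
    print("denied by IP:", dict(stats["denied_by_ip"]))
    print("bursts (>3 denials/min):", denial_bursts(recs, limit=3))
```

Point it at a real file with `parse_log(open(path).read())`. On the sample, four denials from 192.168.1.102 land inside 29 seconds, so `denial_bursts(recs, limit=3)` reports that IP once, with the timestamp of the first denial in the window; the later denial at 10:03:00 is outside the window and does not re-trigger.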

6. Security Best Practices

6.1 Configuration recommendations

Environment | ACL | Whitelist | SSL | Audit
Development |     |           |     |
Test        |     |           |     |
Production  |     |           |     |
Finance     |     |           |     |

6.2 Key management

#!/bin/bash
# Rotate the secretKey of one ACL account
set -euo pipefail

ACCESS_KEY="producer"
# Take the new secret from the environment rather than a literal in the script;
# RocketMQ rejects secrets of 6 characters or fewer.
NEW_SECRET="${NEW_SECRET:?set NEW_SECRET in the environment}"
ACL_FILE="/etc/rocketmq/plain_acl.yml"

# accessKey and secretKey sit on separate lines, so a one-line "accessKey:secretKey"
# substitution never matches. Rewrite the secretKey line that follows the matching account.
cp "$ACL_FILE" "$ACL_FILE.bak.$(date +%s)"
awk -v ak="$ACCESS_KEY" -v ns="$NEW_SECRET" '
  /accessKey:/ { in_account = ($NF == ak) }
  in_account && /secretKey:/ { sub(/secretKey:.*/, "secretKey: " ns); in_account = 0 }
  { print }' "$ACL_FILE" > "$ACL_FILE.tmp"
cat "$ACL_FILE.tmp" > "$ACL_FILE" && rm "$ACL_FILE.tmp"   # keeps the file's owner and mode

# No broker restart: the broker watches plain_acl.yml and reloads it when it changes.
# Alternatively push the change through the admin API and let the broker rewrite the file:
#   mqadmin updateAclConfig -n 192.168.1.10:9876 -c DefaultCluster -a "$ACCESS_KEY" -s "$NEW_SECRET"

# Then roll the new secret out to the clients: the old one stops working as soon as the
# broker reloads, so rotate in a maintenance window or stage it through a second account.
echo "secretKey for $ACCESS_KEY updated"

6.3 Security checklist

Security checks:
- [ ] Enable ACL authorization
- [ ] Configure the IP whitelist
- [ ] Enable SSL encryption
- [ ] Enable the audit log
- [ ] Rotate secrets regularly
- [ ] Monitor for abnormal access
- [ ] Carry out periodic security audits
- [ ] Restrict administrative privileges

7. Monitoring and Alerting

7.1 Security metrics

Metric               | Description                     | Alert threshold
acl_denied_count     | ACL denials                     | > 20/minute
white_list_denied    | Whitelist denials               | > 10/minute
ssl_handshake_failed | SSL handshake failures          | > 5/minute
audit_log_denied     | Denied records in the audit log | > 50/hour

7.2 Prometheus alerts

# alerting_rules.yml
# Metric names follow the table in 7.1; map them to the counters your exporter exposes.
# rate() is per second, so multiply by 60 to compare against the per-minute thresholds.
groups:
  - name: rocketmq-security
    rules:
      - alert: RocketMQAclDenied
        expr: rate(rocketmq_acl_denied_count[5m]) * 60 > 20
        for: 5m
        labels:
          severity: warning
        annotations:
          summary: "ACL denial rate too high"

      - alert: RocketMQWhiteListDenied
        expr: rate(rocketmq_white_list_denied[5m]) * 60 > 10
        for: 5m
        labels:
          severity: warning
        annotations:
          summary: "Whitelist denial rate too high"

      - alert: RocketMQSSLHandshakeFailed
        expr: rate(rocketmq_ssl_handshake_failed[5m]) * 60 > 5
        for: 5m
        labels:
          severity: warning
        annotations:
          summary: "SSL handshake failure rate too high"

8. Troubleshooting

8.1 ACL denied

Troubleshooting steps

# 1. Check the ACL policy the broker has loaded
cat /etc/rocketmq/plain_acl.yml

# 2. Check the client credentials
# Confirm that accessKey and secretKey match an account in plain_acl.yml
# (a wrong secret is reported as a signature error, a missing grant as a permission error)

# 3. Check topic/group permissions
# A producer needs PUB on the topic; a consumer needs SUB on the topic and on its consumer group.
# Resources not listed under topicPerms/groupPerms fall back to defaultTopicPerm/defaultGroupPerm.

# 4. Watch the audit log
tail -f /var/log/rocketmq/audit.log | grep "denied"

8.2 SSL connection failure

Troubleshooting steps

# 1. Inspect the broker certificate (PEM) and check that it chains to the CA the clients trust
openssl x509 -in /etc/rocketmq/tls/server.pem -noout -text
openssl verify -CAfile /etc/rocketmq/tls/ca.pem /etc/rocketmq/tls/server.pem

# 2. Check the TLS properties
cat /etc/rocketmq/tls.properties

# 3. Test a TLS handshake against the broker's listenPort
openssl s_client -connect broker-1:10911 -CAfile /etc/rocketmq/tls/ca.pem </dev/null

# 4. Check the broker log
tail -f /var/log/rocketmq/broker.log | grep -i -e ssl -e tls

Summary

Key points of RocketMQ security hardening:

  1. ACL authorization: account management, topic permissions, group permissions
  2. IP whitelist: global whitelist, dynamic whitelist
  3. SSL encryption: certificate management, encryption configuration
  4. Audit log: operation records, analysis scripts
  5. Best practices: configuration recommendations, key management, security checks
