Fix ACL hook routing for internal proxy system resources #10372

Open
somiljain2006 wants to merge 2 commits into apache:develop from somiljain2006:Proxy-acl-cluster-mode

@somiljain2006
Which Issue(s) This PR Fixes

Brief Description

This PR fixes ACL authentication issues for internal proxy system-resource requests in cluster mode when enableAclRpcHookForClusterMode=true is enabled. Introduced SystemResourceAwareRpcHook and InternalContextHolder to ensure that only trusted internal proxy operations targeting RocketMQ system resources use proxy admin ACL credentials, while normal client requests continue using user credentials.

How Did You Test This Change?

Added comprehensive unit tests covering:

  • internal vs external request routing
  • system resource detection
  • fallback extFields handling
  • unregister client validation
  • response hook routing
  • ThreadLocal context propagation and cleanup

Manual verification was also performed successfully using NameServer + Broker + Proxy with ACL enabled.
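
The routing rule described above, as an added sketch that is not code from this PR or from RocketMQ: admin credentials are selected only when a thread-local "internal" marker is set and the target is a system resource, and the marker is cleared in `finally` so a pooled thread cannot carry it into a later client request. The class, method and enum names are hypothetical, and the system-resource set holds only the two names from the linked issue.

```java
import java.util.Set;
import java.util.function.Supplier;

// Hypothetical sketch; names are assumptions, not the PR's classes.
public class CredentialRoutingSketch {
    enum Credential { PROXY_ADMIN, USER }

    // The two system resources named in the linked issue (assumed set).
    static final Set<String> SYSTEM_RESOURCES = Set.of("TBW102", "CLIENT_INNER_PRODUCER");

    // Per-thread marker set only by proxy-internal code paths,
    // never derived from anything the client sends.
    private static final ThreadLocal<Boolean> INTERNAL = ThreadLocal.withInitial(() -> false);

    // Run an internal operation with the marker set. The finally block
    // restores the previous state, so an exception in op cannot leave
    // the marker behind on a reused worker thread.
    static <T> T runInternal(Supplier<T> op) {
        boolean previous = INTERNAL.get();
        INTERNAL.set(true);
        try {
            return op.get();
        } finally {
            if (!previous) {
                INTERNAL.remove();
            }
        }
    }

    // Admin credentials require BOTH conditions: trusted internal context
    // and a system resource. Everything else is signed as the user.
    static Credential select(String resource) {
        boolean system = resource != null && SYSTEM_RESOURCES.contains(resource);
        return INTERNAL.get() && system ? Credential.PROXY_ADMIN : Credential.USER;
    }

    public static void main(String[] args) {
        // External request that names a system resource: no marker set.
        System.out.println(select("TBW102"));
        // Internal operation on a system resource.
        System.out.println(runInternal(() -> select("TBW102")));
        // Internal operation on an ordinary topic (constructed name).
        System.out.println(runInternal(() -> select("orders-topic")));
        // Same thread after the internal call: marker has been cleared.
        System.out.println(select("CLIENT_INNER_PRODUCER"));
    }
}
```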

@codecov-commenter
Codecov Report

❌ Patch coverage is 56.79012% with 35 lines in your changes missing coverage. Please review.
✅ Project coverage is 48.90%. Comparing base (54708be) to head (f84f5f1).
⚠️ Report is 5 commits behind head on develop.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| ...ketmq/proxy/common/SystemResourceAwareRpcHook.java | 63.15% | 11 Missing and 10 partials ⚠️ |
| .../rocketmq/proxy/service/ClusterServiceManager.java | 0.00% | 9 Missing ⚠️ |
| ...etmq/proxy/service/sysmessage/HeartbeatSyncer.java | 50.00% | 4 Missing ⚠️ |
| ...e/rocketmq/proxy/common/InternalContextHolder.java | 85.71% | 1 Missing ⚠️ |

Additional details and impacted files
@@              Coverage Diff              @@
##             develop   #10372      +/-   ##
=============================================
- Coverage      48.96%   48.90%   -0.07%     
- Complexity     13473    13476       +3     
=============================================
  Files           1376     1378       +2     
  Lines         100546   100620      +74     
  Branches       12984    13000      +16     
=============================================
- Hits           49236    49211      -25     
- Misses         45310    45378      +68     
- Partials        6000     6031      +31     

Development

Successfully merging this pull request may close these issues.

[Bug] acl 2.0 system topic TBW102 and group CLIENT_INNER_PRODUCER need manual authorization when i use cluster proxy mode