You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
For the 7091 port of Seata Server, there is an authentication mechanism that requires users to log in with the account of seata and the password of seata.
But for the 8091 port of Seata Server, it seems that there is no authentication mechanism. Any Seata Client can directly connect to the 8091 port of Seata Server. This does not seem to change anything because Seata Server switches to Nacos's configuration center or registration center. After Seata Client connects to Nacos Server, it still needs to directly access port 8091 of Seata Server.
I know that Seata Server should be deployed in an intranet environment, but in this case, the authentication of Seata Server's port 7091 seems redundant. Docker Images like keycloak, zitadel, and nginx can quickly add authentication functions to Seata Server's port 7091.
A potential understanding is that the docker imager of the seata server should allow the passing of environment variables like SEATA_SERVER_SECRET_TOKEN="yourStrongPassword123!", and the configuration file registry.conf of the seata client allows the setting of content like seata.server.secret_token="yourStrongPassword123!". To ensure communication security, Seata Server may also support the generation of self-signed TLS certificates or custom TLS certificates.
According to multiple CVEs in the history of ElasticSearch, an authentication that does not support the configuration of TLS certificates does not seem to be secure enough.
Other related information
Add any other context or screenshots about the feature request here.
Null.
The text was updated successfully, but these errors were encountered:
#6317
It should be the above PR, but the community already has new authorization topics related to OSPP, which are expected to be included in future versions.
Why you need it?
Is your feature request related to a problem? Please describe in details
7091
port of Seata Server, there is an authentication mechanism that requires users to log in with the account ofseata
and the password ofseata
.8091
port of Seata Server, it seems that there is no authentication mechanism. Any Seata Client can directly connect to the8091
port of Seata Server. This does not seem to change anything because Seata Server switches to Nacos's configuration center or registration center. After Seata Client connects to Nacos Server, it still needs to directly access port 8091 of Seata Server.7091
seems redundant. Docker Images like keycloak, zitadel, and nginx can quickly add authentication functions to Seata Server's port7091
.SEATA_SERVER_SECRET_TOKEN="yourStrongPassword123!"
, and the configuration fileregistry.conf
of the seata client allows the setting of content likeseata.server.secret_token="yourStrongPassword123!"
. To ensure communication security, Seata Server may also support the generation of self-signed TLS certificates or custom TLS certificates.java.security.auth.login.config
. Like https://shardingsphere.apache.org/elasticjob/current/cn/user-manual/configuration/external-integration/sasl/ does.How it could be?
A clear and concise description of what you want to happen. You can explain more about input of the feature, and output of it.
https://github.com/apache/incubator-seata/wiki/20240427/57e39735794787dd5d6a6975ce80421ecde7e6c6 seems to mention this requirement, but I can't find the corresponding PR.
According to multiple CVEs in the history of ElasticSearch, an authentication that does not support the configuration of TLS certificates does not seem to be secure enough.
Other related information
Add any other context or screenshots about the feature request here.
The text was updated successfully, but these errors were encountered: