Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add potential authentication mechanism for port 8091 of Seata Server #6961

Closed
linghengqian opened this issue Oct 30, 2024 · 3 comments
Closed

Comments

@linghengqian
Copy link
Member

Why you need it?

Is your feature request related to a problem? Please describe in details

  • I noticed something strange when trying to improve the unit test execution time of https://github.com/apache/shardingsphere/blob/5.5.1/test/native/src/test/java/org/apache/shardingsphere/test/natived/jdbc/transactions/base/SeataTest.java .
  • For the 7091 port of Seata Server, there is an authentication mechanism that requires users to log in with the account of seata and the password of seata.
  • But for the 8091 port of Seata Server, it seems that there is no authentication mechanism. Any Seata Client can directly connect to the 8091 port of Seata Server. This does not seem to change anything because Seata Server switches to Nacos's configuration center or registration center. After Seata Client connects to Nacos Server, it still needs to directly access port 8091 of Seata Server.
  • I know that Seata Server should be deployed in an intranet environment, but in this case, the authentication of Seata Server's port 7091 seems redundant. Docker Images like keycloak, zitadel, and nginx can quickly add authentication functions to Seata Server's port 7091.
  • A potential understanding is that the docker imager of the seata server should allow the passing of environment variables like SEATA_SERVER_SECRET_TOKEN="yourStrongPassword123!", and the configuration file registry.conf of the seata client allows the setting of content like seata.server.secret_token="yourStrongPassword123!". To ensure communication security, Seata Server may also support the generation of self-signed TLS certificates or custom TLS certificates.
  • Or another possibility is to support JVM arguments like Zookeeper Server does which reads JAAS java.security.auth.login.config. Like https://shardingsphere.apache.org/elasticjob/current/cn/user-manual/configuration/external-integration/sasl/ does.
services:
  zookeeper-test:
    image: zookeeper:3.9.2
    volumes:
      - ./jaas-server-test.conf:/jaas-test.conf
    environment:
      JVMFLAGS: "-Djava.security.auth.login.config=/jaas-test.conf"
      ZOO_CFG_EXTRA: "authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider sessionRequireClientSASLAuth=true"
    ports:
      - "2181:2181"
Server {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    user_bob="bobsecret";
};

How it could be?

A clear and concise description of what you want to happen. You can explain more about input of the feature, and output of it.

Other related information

Add any other context or screenshots about the feature request here.

  • Null.
@funky-eyes
Copy link
Contributor

#6317
It should be the above PR, but the community already has new authorization topics related to OSPP, which are expected to be included in future versions.

@linghengqian
Copy link
Member Author

@funky-eyes Given that PR already exists, should I close the current issue to avoid misunderstandings?

@funky-eyes
Copy link
Contributor

Yes, we can close this issue because I found the latest progress in the PR: #6913. We can discuss it there

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants