optimize: support Nacos ram role authentication (apache#6148)

changes/en-us/2.x.md

@@ -24,6 +24,7 @@ Add changes here for all PR submitted to the 2.x branch.
 - [[#6098](https://github.com/seata/seata/pull/6098)] optimize the retry logic in the acquireMetadata method
 - [[#6034](https://github.com/seata/seata/pull/6034)] using namespace from command line when deployment with helm charts
 - [[#6116](https://github.com/seata/seata/pull/6034)] remove lgtm.com stuff
+- [[#6148](https://github.com/seata/seata/pull/6148)] support Nacos ram role authentication
 - [[#6145](https://github.com/seata/seata/pull/6145)] upgrade jettison to 1.5.4
 - [[#6164](https://github.com/seata/seata/pull/6164)] redis registry push empty protection optimize
 - [[#6174](https://github.com/seata/seata/pull/6174)] add ASF basic config
@@ -34,6 +35,7 @@ Add changes here for all PR submitted to the 2.x branch.
 
 ### security:
 - [[#6069](https://github.com/seata/seata/pull/6069)] Upgrade Guava dependencies to fix security vulnerabilities
+- [[#6145](https://github.com/seata/seata/pull/6145)] upgrade jettison to 1.5.4
 - [[#6144](https://github.com/seata/seata/pull/6144)] upgrade nacos client to 1.4.6
 - [[#6147](https://github.com/seata/seata/pull/6147)] upgrade kafka-clients to 3.6.1
 

changes/zh-cn/2.x.md

@@ -26,6 +26,7 @@
 - [[#6116](https://github.com/seata/seata/pull/6034)] 移除 lgtm.com 
 - [[#6164](https://github.com/seata/seata/pull/6164)] redis 注册中心推空保护优化
 - [[#6174](https://github.com/seata/seata/pull/6174)] 增加 ASF 基础配置
+- [[#6148](https://github.com/seata/seata/pull/6148)] 支持 Nacos ram role 鉴权方式
 - [[#6181](https://github.com/seata/seata/pull/6181)] 更新贡献指引文档
 - [[#6179](https://github.com/seata/seata/pull/6179)] 移除 @author 信息
 - [[#6176](https://github.com/seata/seata/pull/6176)] 更新源文件header信息

config/seata-config-nacos/src/main/java/io/seata/config/nacos/NacosConfiguration.java

@@ -28,6 +28,7 @@
 import com.alibaba.nacos.api.config.ConfigService;
 import com.alibaba.nacos.api.config.listener.AbstractSharedListener;
 import com.alibaba.nacos.api.exception.NacosException;
+
 import io.seata.common.exception.NotSupportYetException;
 import io.seata.common.util.CollectionUtils;
 import io.seata.common.util.StringUtils;
@@ -62,6 +63,7 @@ public class NacosConfiguration extends AbstractConfiguration {
     private static final String PASSWORD = "password";
     private static final String ACCESS_KEY = "accessKey";
     private static final String SECRET_KEY = "secretKey";
+    private static final String RAM_ROLE_NAME_KEY = "ramRoleName";
     private static final String USE_PARSE_RULE = "false";
     private static final String CONTEXT_PATH = "contextPath";
     private static final Configuration FILE_CONFIG = ConfigurationFactory.CURRENT_FILE_INSTANCE;
@@ -223,32 +225,51 @@ private static Properties getConfigProperties() {
             }
             properties.setProperty(PRO_NAMESPACE_KEY, namespace);
         }
+        if (!initNacosAuthProperties(properties)) {
+            LOGGER.info("Nacos config auth properties empty.");
+        }
+        String contextPath = StringUtils.isNotBlank(System.getProperty(CONTEXT_PATH)) ? System.getProperty(CONTEXT_PATH) : FILE_CONFIG.getConfig(getNacosContextPathKey());
+        if (StringUtils.isNotBlank(contextPath)) {
+            properties.setProperty(CONTEXT_PATH, contextPath);
+        }
+        return properties;
+    }
+
+    /**
+     * init nacos auth properties
+     *
+     * username/password > ak/sk > ramRoleName
+     * @param sourceProperties the source properties
+     * @return auth properties
+     */
+    private static boolean initNacosAuthProperties(Properties sourceProperties) {
         String userName = StringUtils.isNotBlank(System.getProperty(USER_NAME)) ? System.getProperty(USER_NAME) : FILE_CONFIG.getConfig(getNacosUserName());
         if (StringUtils.isNotBlank(userName)) {
             String password = StringUtils.isNotBlank(System.getProperty(PASSWORD)) ? System.getProperty(PASSWORD) : FILE_CONFIG.getConfig(getNacosPassword());
             if (StringUtils.isNotBlank(password)) {
-                properties.setProperty(USER_NAME, userName);
-                properties.setProperty(PASSWORD, password);
+                sourceProperties.setProperty(USER_NAME, userName);
+                sourceProperties.setProperty(PASSWORD, password);
                 LOGGER.info("Nacos check auth with userName/password.");
+                return true;
             }
         } else {
-            String accessKey = StringUtils.isNotBlank(System.getProperty(ACCESS_KEY)) ?
-                System.getProperty(ACCESS_KEY) : FILE_CONFIG.getConfig(getNacosAccessKey());
+            String accessKey = StringUtils.isNotBlank(System.getProperty(ACCESS_KEY)) ? System.getProperty(ACCESS_KEY) : FILE_CONFIG.getConfig(getNacosAccessKey());
+            String ramRoleName = StringUtils.isNotBlank(System.getProperty(RAM_ROLE_NAME_KEY)) ? System.getProperty(RAM_ROLE_NAME_KEY) : FILE_CONFIG.getConfig(getNacosRamRoleNameKey());
             if (StringUtils.isNotBlank(accessKey)) {
-                String secretKey = StringUtils.isNotBlank(System.getProperty(SECRET_KEY)) ?
-                    System.getProperty(SECRET_KEY) : FILE_CONFIG.getConfig(getNacosSecretKey());
+                String secretKey = StringUtils.isNotBlank(System.getProperty(SECRET_KEY)) ? System.getProperty(SECRET_KEY) : FILE_CONFIG.getConfig(getNacosSecretKey());
                 if (StringUtils.isNotBlank(secretKey)) {
-                    properties.put(ACCESS_KEY, accessKey);
-                    properties.put(SECRET_KEY, secretKey);
+                    sourceProperties.put(ACCESS_KEY, accessKey);
+                    sourceProperties.put(SECRET_KEY, secretKey);
                     LOGGER.info("Nacos check auth with ak/sk.");
+                    return true;
                 }
+            } else if (StringUtils.isNotBlank(ramRoleName)) {
+                sourceProperties.put(RAM_ROLE_NAME_KEY, ramRoleName);
+                LOGGER.info("Nacos check auth with ram role.");
+                return true;
             }
         }
-        String contextPath = StringUtils.isNotBlank(System.getProperty(CONTEXT_PATH)) ? System.getProperty(CONTEXT_PATH) : FILE_CONFIG.getConfig(getNacosContextPathKey());
-        if (StringUtils.isNotBlank(contextPath)) {
-            properties.setProperty(CONTEXT_PATH, contextPath);
-        }
-        return properties;
+        return false;
     }
 
     public static String getNacosNameSpaceFileKey() {
@@ -285,6 +306,10 @@ public static String getNacosSecretKey() {
         return String.join(ConfigurationKeys.FILE_CONFIG_SPLIT_CHAR, ConfigurationKeys.FILE_ROOT_CONFIG, CONFIG_TYPE, SECRET_KEY);
     }
 
+    public static String getNacosRamRoleNameKey() {
+        return String.join(ConfigurationKeys.FILE_CONFIG_SPLIT_CHAR, ConfigurationKeys.FILE_ROOT_CONFIG, CONFIG_TYPE, RAM_ROLE_NAME_KEY);
+    }
+
     private static String getNacosGroup() {
         return FILE_CONFIG.getConfig(getNacosGroupKey(), DEFAULT_GROUP);
     }

discovery/seata-discovery-nacos/src/main/java/io/seata/discovery/registry/nacos/NacosRegistryServiceImpl.java

@@ -67,6 +67,7 @@ public class NacosRegistryServiceImpl implements RegistryService<EventListener>
     private static final String PASSWORD = "password";
     private static final String ACCESS_KEY = "accessKey";
     private static final String SECRET_KEY = "secretKey";
+    private static final String RAM_ROLE_NAME_KEY = "ramRoleName";
     private static final String SLB_PATTERN = "slbPattern";
     private static final String CONTEXT_PATH = "contextPath";
     private static final String USE_PARSE_RULE = "false";
@@ -253,29 +254,51 @@ private static Properties getNamingProperties() {
             }
             properties.setProperty(PRO_NAMESPACE_KEY, namespace);
         }
+        if (!initNacosAuthProperties(properties)) {
+            LOGGER.info("Nacos naming auth properties empty.");
+        }
+        String contextPath = StringUtils.isNotBlank(System.getProperty(CONTEXT_PATH)) ? System.getProperty(CONTEXT_PATH) : FILE_CONFIG.getConfig(getNacosContextPathKey());
+        if (StringUtils.isNotBlank(contextPath)) {
+            properties.setProperty(CONTEXT_PATH, contextPath);
+        }
+        return properties;
+    }
+
+    /**
+     * init nacos auth properties
+     *
+     * username/password > ak/sk > ramRoleName
+     * @param sourceProperties the source properties
+     * @return auth properties
+     */
+    private static boolean initNacosAuthProperties(Properties sourceProperties) {
         String userName = StringUtils.isNotBlank(System.getProperty(USER_NAME)) ? System.getProperty(USER_NAME) : FILE_CONFIG.getConfig(getNacosUserName());
         if (StringUtils.isNotBlank(userName)) {
             String password = StringUtils.isNotBlank(System.getProperty(PASSWORD)) ? System.getProperty(PASSWORD) : FILE_CONFIG.getConfig(getNacosPassword());
             if (StringUtils.isNotBlank(password)) {
-                properties.setProperty(USER_NAME, userName);
-                properties.setProperty(PASSWORD, password);
+                sourceProperties.setProperty(USER_NAME, userName);
+                sourceProperties.setProperty(PASSWORD, password);
+                LOGGER.info("Nacos check auth with userName/password.");
+                return true;
             }
         } else {
             String accessKey = StringUtils.isNotBlank(System.getProperty(ACCESS_KEY)) ? System.getProperty(ACCESS_KEY) : FILE_CONFIG.getConfig(getNacosAccessKey());
+            String ramRoleName = StringUtils.isNotBlank(System.getProperty(RAM_ROLE_NAME_KEY)) ? System.getProperty(RAM_ROLE_NAME_KEY) : FILE_CONFIG.getConfig(getNacosRamRoleNameKey());
             if (StringUtils.isNotBlank(accessKey)) {
                 String secretKey = StringUtils.isNotBlank(System.getProperty(SECRET_KEY)) ? System.getProperty(SECRET_KEY) : FILE_CONFIG.getConfig(getNacosSecretKey());
                 if (StringUtils.isNotBlank(secretKey)) {
-                    properties.put(ACCESS_KEY, accessKey);
-                    properties.put(SECRET_KEY, secretKey);
+                    sourceProperties.put(ACCESS_KEY, accessKey);
+                    sourceProperties.put(SECRET_KEY, secretKey);
                     LOGGER.info("Nacos check auth with ak/sk.");
+                    return true;
                 }
+            } else if (StringUtils.isNotBlank(ramRoleName)) {
+                sourceProperties.put(RAM_ROLE_NAME_KEY, ramRoleName);
+                LOGGER.info("Nacos check auth with ram role.");
+                return true;
             }
         }
-        String contextPath = StringUtils.isNotBlank(System.getProperty(CONTEXT_PATH)) ? System.getProperty(CONTEXT_PATH) : FILE_CONFIG.getConfig(getNacosContextPathKey());
-        if (StringUtils.isNotBlank(contextPath)) {
-            properties.setProperty(CONTEXT_PATH, contextPath);
-        }
-        return properties;
+        return false;
     }
 
     private static String getClusterName() {
@@ -326,6 +349,10 @@ public static String getNacosSecretKey() {
         return String.join(ConfigurationKeys.FILE_CONFIG_SPLIT_CHAR, ConfigurationKeys.FILE_ROOT_REGISTRY, REGISTRY_TYPE, SECRET_KEY);
     }
 
+    public static String getNacosRamRoleNameKey() {
+        return String.join(ConfigurationKeys.FILE_CONFIG_SPLIT_CHAR, ConfigurationKeys.FILE_ROOT_CONFIG, REGISTRY_TYPE, RAM_ROLE_NAME_KEY);
+    }
+
     public static String getClientApplication() {
         return String.join(ConfigurationKeys.FILE_CONFIG_SPLIT_CHAR, ConfigurationKeys.FILE_ROOT_REGISTRY, REGISTRY_TYPE, PRO_CLIENT_APPLICATION);
     }

script/client/conf/registry.conf

@@ -32,12 +32,15 @@ registry {
     serverAddr = "127.0.0.1:8848"
     group = "SEATA_GROUP"
     namespace = ""
+    contextPath = ""
+    ##1.The following configuration is for the open source version of Nacos
     username = ""
     password = ""
-    contextPath = ""
-    ##if use MSE Nacos with auth, mutex with username/password attribute
+    ##2.The following configuration is for the MSE Nacos on aliyun
     #accessKey = ""
     #secretKey = ""
+    ##3.The following configuration is used to deploy on Aliyun ECS or ACK without authentication
+    #ramRoleName = ""
     ##if use Nacos naming meta-data for SLB service registry, specify nacos address pattern rules here
     #slbPattern = ""
   }
@@ -91,13 +94,16 @@ config {
     serverAddr = "127.0.0.1:8848"
     namespace = ""
     group = "SEATA_GROUP"
+    contextPath = ""
+    dataId = "seata.properties"
+    ##1.The following configuration is for the open source version of Nacos
     username = ""
     password = ""
-    contextPath = ""
-    ##if use MSE Nacos with auth, mutex with username/password attribute
+    ##2.The following configuration is for the MSE Nacos on aliyun
     #accessKey = ""
     #secretKey = ""
-    dataId = "seata.properties"
+    ##3.The following configuration is used to deploy on Aliyun ECS or ACK without authentication
+    #ramRoleName = ""
   }
   consul {
     serverAddr = "127.0.0.1:8500"

script/client/spring/application.properties

@@ -100,13 +100,16 @@ seata.config.etcd3.server-addr=http://localhost:2379
 seata.config.nacos.namespace=
 seata.config.nacos.server-addr=127.0.0.1:8848
 seata.config.nacos.group=SEATA_GROUP
+seata.config.nacos.contextPath=
+seata.config.nacos.data-id=seata.properties
+##1.The following configuration is for the open source version of Nacos
 seata.config.nacos.username=
 seata.config.nacos.password=
-seata.config.nacos.contextPath=
-##if use MSE Nacos with auth, mutex with username/password attribute
+##2.The following configuration is for the MSE Nacos on aliyun
 #seata.config.nacos.access-key=
 #seata.config.nacos.secret-key=
-seata.config.nacos.data-id=seata.properties
+##3.The following configuration is used to deploy on Aliyun ECS or ACK without authentication
+#seata.config.nacos.ram-role-name=
 
 seata.config.zk.server-addr=127.0.0.1:2181
 seata.config.zk.session-timeout=6000
@@ -135,13 +138,16 @@ seata.registry.nacos.application=seata-server
 seata.registry.nacos.server-addr=127.0.0.1:8848
 seata.registry.nacos.group=SEATA_GROUP
 seata.registry.nacos.namespace=
-seata.registry.nacos.username=
-seata.registry.nacos.password=
 seata.registry.nacos.contextPath=
 seata.registry.nacos.clientApplication=${spring.application.name}
-##if use MSE Nacos with auth, mutex with username/password attribute
+##1.The following configuration is for the open source version of Nacos
+seata.registry.nacos.username=
+seata.registry.nacos.password=
+##2.The following configuration is for the MSE Nacos on aliyun
 #seata.registry.nacos.access-key=
 #seata.registry.nacos.secret-key=
+##3.The following configuration is used to deploy on Aliyun ECS or ACK without authentication
+#seata.registry.nacos.ram-role-name=
 ##if use Nacos naming meta-data for SLB  service registry, specify nacos address pattern rules here
 #seata.registry.nacos.slb-pattern=
 

script/client/spring/application.yml

@@ -110,13 +110,16 @@ seata:
       namespace:
       server-addr: 127.0.0.1:8848
       group: SEATA_GROUP
+      context-path:
+      data-id: seata.properties
+      ##1.The following configuration is for the open source version of Nacos
       username:
       password:
-      context-path:
-      ##if use MSE Nacos with auth, mutex with username/password attribute
+      ##2.The following configuration is for the MSE Nacos on aliyun
       #access-key:
       #secret-key:
-      data-id: seata.properties
+      ##3.The following configuration is used to deploy on Aliyun ECS or ACK without authentication
+      #ram-role-name:
     zk:
       server-addr: 127.0.0.1:2181
       session-timeout: 6000
@@ -149,13 +152,16 @@ seata:
       server-addr: 127.0.0.1:8848
       group : "SEATA_GROUP"
       namespace:
-      username:
-      password:
       context-path:
       client-application: ${spring.application.name}
-      ##if use MSE Nacos with auth, mutex with username/password attribute
+      ##1.The following configuration is for the open source version of Nacos
+      username:
+      password:
+      ##2.The following configuration is for the MSE Nacos on aliyun
       #access-key:
       #secret-key:
+      ##3.The following configuration is used to deploy on Aliyun ECS or ACK without authentication
+      #ram-role-name:
       ##if use Nacos naming meta-data for SLB service registry, specify nacos address pattern rules here
       #slbPattern =
     redis:

seata-spring-autoconfigure/seata-spring-autoconfigure-core/src/main/java/io/seata/spring/boot/autoconfigure/properties/config/ConfigNacosProperties.java

@@ -33,6 +33,7 @@ public class ConfigNacosProperties {
     private String password;
     private String accessKey;
     private String secretKey;
+    private String ramRoleName;
     private String dataId = "seata.properties";
     private String contextPath;
 
@@ -116,4 +117,13 @@ public ConfigNacosProperties setContextPath(String contextPath) {
         this.contextPath = contextPath;
         return this;
     }
+
+    public String getRamRoleName() {
+        return ramRoleName;
+    }
+
+    public ConfigNacosProperties setRamRoleName(String ramRoleName) {
+        this.ramRoleName = ramRoleName;
+        return this;
+    }
 }

seata-spring-autoconfigure/seata-spring-autoconfigure-core/src/main/java/io/seata/spring/boot/autoconfigure/properties/registry/RegistryNacosProperties.java

@@ -34,6 +34,7 @@ public class RegistryNacosProperties {
     private String password;
     private String accessKey;
     private String secretKey;
+    private String ramRoleName;
     private String application = "seata-server";
     private String slbPattern;
     private String contextPath;
@@ -140,7 +141,17 @@ public String getClientApplication() {
         return clientApplication;
     }
 
-    public void setClientApplication(String clientApplication) {
+    public RegistryNacosProperties setClientApplication(String clientApplication) {
         this.clientApplication = clientApplication;
+        return this;
+    }
+
+    public String getRamRoleName() {
+        return ramRoleName;
+    }
+
+    public RegistryNacosProperties setRamRoleName(String ramRoleName) {
+        this.ramRoleName = ramRoleName;
+        return this;
     }
 }

server/src/main/resources/application.example.yml

@@ -41,12 +41,15 @@ seata:
       server-addr: 127.0.0.1:8848
       namespace:
       group: SEATA_GROUP
+      context-path:
+      ##1.The following configuration is for the open source version of Nacos
       username:
       password:
-      context-path:
-      ##if use MSE Nacos with auth, mutex with username/password attribute
+      ##2.The following configuration is for the MSE Nacos on aliyun
       #access-key:
       #secret-key:
+      ##3.The following configuration is used to deploy on Aliyun ECS or ACK without authentication
+      #ram-role-name:
       data-id: seataServer.properties
     consul:
       server-addr: 127.0.0.1:8500
@@ -79,12 +82,15 @@ seata:
       group: SEATA_GROUP
       namespace:
       cluster: default
+      context-path:
+      ##1.The following configuration is for the open source version of Nacos
       username:
       password:
-      context-path:
-      ##if use MSE Nacos with auth, mutex with username/password attribute
+      ##2.The following configuration is for the MSE Nacos on aliyun
       #access-key:
       #secret-key:
+      ##3.The following configuration is used to deploy on Aliyun ECS or ACK without authentication
+      #ram-role-name:
     eureka:
       service-url: http://localhost:8761/eureka
       application: default