[ISSUE #12017] Split console authentication

auth/src/main/java/com/alibaba/nacos/auth/annotation/Secured.java

@@ -16,6 +16,7 @@
 
 package com.alibaba.nacos.auth.annotation;
 
+import com.alibaba.nacos.auth.enums.ApiType;
 import com.alibaba.nacos.auth.parser.DefaultResourceParser;
 import com.alibaba.nacos.auth.parser.ResourceParser;
 import com.alibaba.nacos.common.utils.StringUtils;
@@ -70,4 +71,12 @@
      * @return tags
      */
     String[] tags() default {};
+
+    /**
+     * The type of API. Distinguishing between ADMIN_API and OPEN_API.
+     *
+     * @return the type of the API
+     */
+    ApiType apiType() default ApiType.OPEN_API;
+
 }

auth/src/main/java/com/alibaba/nacos/auth/config/AuthConfigs.java

@@ -58,11 +58,17 @@ public class AuthConfigs extends Subscriber<ServerConfigChangeEvent> {
     private static Boolean cachingEnabled = null;
 
     /**
-     * Whether auth enabled.
+     * Whether server auth enabled.
      */
     @Value("${" + Constants.Auth.NACOS_CORE_AUTH_ENABLED + ":false}")
     private boolean authEnabled;
 
+    /**
+     * Whether console auth enabled.
+     */
+    @Value("${" + Constants.Auth.NACOS_CORE_AUTH_CONSOLE_ENABLED + ":true}")
+    private boolean consoleAuthEnabled;
+
     /**
      * Which auth system is in use.
      */
@@ -94,7 +100,7 @@ public AuthConfigs() {
      */
     @PostConstruct
     public void validate() throws NacosException {
-        if (!authEnabled) {
+        if (!authEnabled && !consoleAuthEnabled) {
             return;
         }
         if (StringUtils.isEmpty(nacosAuthSystemType)) {
@@ -152,14 +158,23 @@ public boolean isEnableUserAgentAuthWhite() {
     }
 
     /**
-     * auth function is open.
+     * console auth function is open.
+     *
+     * @return console auth function is open
+     */
+    public boolean isConsoleAuthEnabled() {
+        return consoleAuthEnabled;
+    }
+
+    /**
+     * server auth function is open.
      *
-     * @return auth function is open
+     * @return server auth function is open
      */
     public boolean isAuthEnabled() {
         return authEnabled;
     }
-    
+
     /**
      * Whether permission information can be cached.
      *
@@ -189,6 +204,7 @@ public static void setCachingEnabled(boolean cachingEnabled) {
     public void onEvent(ServerConfigChangeEvent event) {
         try {
             authEnabled = EnvUtil.getProperty(Constants.Auth.NACOS_CORE_AUTH_ENABLED, Boolean.class, false);
+            consoleAuthEnabled = EnvUtil.getProperty(Constants.Auth.NACOS_CORE_AUTH_CONSOLE_ENABLED, Boolean.class, true);
             cachingEnabled = EnvUtil.getProperty(Constants.Auth.NACOS_CORE_AUTH_CACHING_ENABLED, Boolean.class, true);
             serverIdentityKey = EnvUtil.getProperty(Constants.Auth.NACOS_CORE_AUTH_SERVER_IDENTITY_KEY, "");
             serverIdentityValue = EnvUtil.getProperty(Constants.Auth.NACOS_CORE_AUTH_SERVER_IDENTITY_VALUE, "");

auth/src/main/java/com/alibaba/nacos/auth/config/AuthModuleStateBuilder.java

@@ -47,7 +47,7 @@ public class AuthModuleStateBuilder implements ModuleStateBuilder {
     public ModuleState build() {
         ModuleState result = new ModuleState(AUTH_MODULE);
         AuthConfigs authConfigs = ApplicationUtils.getBean(AuthConfigs.class);
-        result.newState(AUTH_ENABLED, authConfigs.isAuthEnabled());
+        result.newState(AUTH_ENABLED, authConfigs.isConsoleAuthEnabled());
         result.newState(LOGIN_PAGE_ENABLED, isLoginPageEnabled(authConfigs));
         result.newState(AUTH_SYSTEM_TYPE, authConfigs.getNacosAuthSystemType());
         result.newState(AUTH_ADMIN_REQUEST, isAdminRequest(authConfigs));

auth/src/main/java/com/alibaba/nacos/auth/enums/ApiType.java

@@ -0,0 +1,45 @@
+/*
+ * Copyright 1999-2024 Alibaba Group Holding Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package com.alibaba.nacos.auth.enums;
+
+/**
+ * The type of API.
+ *
+ * @author zhangyukun
+ */
+public enum ApiType {
+    /**
+     * console API.
+     */
+    CONSOLE_API("CONSOLE_API"),
+    /**
+     * server API.
+     */
+    OPEN_API("OPEN_API");
+
+    private final String description;
+
+    ApiType(String description) {
+        this.description = description;
+    }
+
+    @Override
+    public String toString() {
+        return description;
+    }
+}

console/src/main/resources/application.properties

@@ -112,8 +112,9 @@ nacos.security.ignore.urls=/,/error,/**/*.css,/**/*.js,/**/*.html,/**/*.map,/**/
 ### The auth system to use, currently only 'nacos' and 'ldap' is supported:
 nacos.core.auth.system.type=nacos
 
-### If turn on auth system:
+### If turn on auth system v3:
 nacos.core.auth.enabled=false
+nacos.core.auth.console.enabled=true
 
 ### Turn on/off caching of auth information. By turning on this switch, the update of auth information would have a 15 seconds delay.
 nacos.core.auth.caching.enabled=true
@@ -219,3 +220,7 @@ nacos.istio.mcp.server.enabled=false
 # nacos.core.protocol.raft.data.rpc_request_timeout_ms=5000
 ### enable to support prometheus service discovery
 #nacos.prometheus.metrics.enabled=true
+
+#*************** Deployment Type Configuration ***************#
+### Sets the deployment type: 'merged' for joint deployment, 'separate' for separate deployment
+nacos.deployment.type=merged

core/src/main/java/com/alibaba/nacos/core/auth/AuthFilter.java

@@ -19,6 +19,7 @@
 import com.alibaba.nacos.auth.HttpProtocolAuthService;
 import com.alibaba.nacos.auth.annotation.Secured;
 import com.alibaba.nacos.auth.config.AuthConfigs;
+import com.alibaba.nacos.auth.enums.ApiType;
 import com.alibaba.nacos.common.utils.ExceptionUtil;
 import com.alibaba.nacos.common.utils.StringUtils;
 import com.alibaba.nacos.core.code.ControllerMethodsCache;
@@ -67,7 +68,7 @@ public AuthFilter(AuthConfigs authConfigs, ControllerMethodsCache methodsCache)
     public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
             throws IOException, ServletException {
 
-        if (!authConfigs.isAuthEnabled()) {
+        if (!authConfigs.isConsoleAuthEnabled() && !authConfigs.isAuthEnabled()) {
             chain.doFilter(request, response);
             return;
         }
@@ -108,13 +109,22 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
                 return;
             }
 
-            if (method.isAnnotationPresent(Secured.class) && authConfigs.isAuthEnabled()) {
+            if (method.isAnnotationPresent(Secured.class) && (authConfigs.isConsoleAuthEnabled() || authConfigs.isAuthEnabled())) {
 
                 if (Loggers.AUTH.isDebugEnabled()) {
                     Loggers.AUTH.debug("auth start, request: {} {}", req.getMethod(), req.getRequestURI());
                 }
 
                 Secured secured = method.getAnnotation(Secured.class);
+                ApiType apiType = secured.apiType();
+                if (apiType == ApiType.CONSOLE_API && !authConfigs.isConsoleAuthEnabled()) {
+                    chain.doFilter(request, response);
+                    return;
+                }
+                if (apiType == ApiType.OPEN_API && !authConfigs.isAuthEnabled()) {
+                    chain.doFilter(request, response);
+                    return;
+                }
                 if (!protocolAuthService.enableAuth(secured)) {
                     chain.doFilter(request, response);
                     return;

core/src/main/java/com/alibaba/nacos/core/auth/RemoteRequestAuthFilter.java

@@ -23,6 +23,7 @@
 import com.alibaba.nacos.auth.GrpcProtocolAuthService;
 import com.alibaba.nacos.auth.annotation.Secured;
 import com.alibaba.nacos.auth.config.AuthConfigs;
+import com.alibaba.nacos.auth.enums.ApiType;
 import com.alibaba.nacos.common.utils.ExceptionUtil;
 import com.alibaba.nacos.core.context.RequestContext;
 import com.alibaba.nacos.core.context.RequestContextHolder;
@@ -62,13 +63,20 @@ public Response filter(Request request, RequestMeta meta, Class handlerClazz) th
         try {
 
             Method method = getHandleMethod(handlerClazz);
-            if (method.isAnnotationPresent(Secured.class) && authConfigs.isAuthEnabled()) {
+            if (method.isAnnotationPresent(Secured.class) && (authConfigs.isConsoleAuthEnabled() || authConfigs.isAuthEnabled())) {
 
                 if (Loggers.AUTH.isDebugEnabled()) {
                     Loggers.AUTH.debug("auth start, request: {}", request.getClass().getSimpleName());
                 }
 
                 Secured secured = method.getAnnotation(Secured.class);
+                ApiType apiType = secured.apiType();
+                if (apiType == ApiType.CONSOLE_API && !authConfigs.isConsoleAuthEnabled()) {
+                    return null;
+                }
+                if (apiType == ApiType.OPEN_API && !authConfigs.isAuthEnabled()) {
+                    return null;
+                }
                 if (!protocolAuthService.enableAuth(secured)) {
                     return null;
                 }

plugin-default-impl/nacos-default-auth-plugin/src/main/java/com/alibaba/nacos/plugin/auth/impl/NacosAuthPluginService.java

@@ -110,7 +110,7 @@ public String getAuthServiceName() {
 
     @Override
     public boolean isLoginEnabled() {
-        return ApplicationUtils.getBean(AuthConfigs.class).isAuthEnabled();
+        return ApplicationUtils.getBean(AuthConfigs.class).isConsoleAuthEnabled();
     }
 
     /**

plugin/auth/src/main/java/com/alibaba/nacos/plugin/auth/constant/Constants.java

@@ -26,6 +26,8 @@ public class Constants {
     public static class Auth {
 
         public static final String NACOS_CORE_AUTH_ENABLED = "nacos.core.auth.enabled";
+
+        public static final String NACOS_CORE_AUTH_CONSOLE_ENABLED = "nacos.core.auth.console.enabled";
 
         public static final String NACOS_CORE_AUTH_SYSTEM_TYPE = "nacos.core.auth.system.type";