feat(encryption): add kms key management

src/replica/kms_key_provider.h

@@ -30,7 +30,7 @@ class replica_kms_info;
 } // namespace replication
 
 namespace security {
-// This class is to generating EEK IV KV from KMS (a.k.a Key Manager Service) and get DEK from KMS.
+// This class generates EEK IV KV from KMS (a.k.a Key Management Service) and retrieves DEK from KMS.
 class KMSKeyProvider
 {
 public:
@@ -41,12 +41,11 @@ class KMSKeyProvider
     {
     }
 
-    // Use KMS client which decrypted the encryption key from KMS and decrypted key is a hex string
-    // which could be used derectly.
+    // Decrypt the encryption key in 'kms_info' via KMS. The 'decrypted_key' will be a hex string.
     dsn::error_s DecryptEncryptionKey(const dsn::replication::replica_kms_info &kms_info,
                                       std::string *decrypted_key);
 
-    // Use KMS client which generated an encryption key from KMS (the generated key is encrypted).
+    // Generate an encryption key from KMS.
     dsn::error_s GenerateEncryptionKey(dsn::replication::replica_kms_info *kms_info);
 
 private:

src/replica/replica_stub.cpp

@@ -303,14 +303,14 @@ DSN_DEFINE_int32(
 DSN_DEFINE_string(pegasus.server,
                   encryption_cluster_key_name,
                   "pegasus",
-                  "The cluster name of encrypted server which use to get server key from kms.");
+                  "The cluster name of the server is used to retrieve its encryption key from KMS.");
 
 DSN_DEFINE_string(
     pegasus.server,
     hadoop_kms_url,
     "",
-    "Where the server key of file system can get from. "
-    "Url should be comma-separated list, such as 'hostname1:1234/kms,hostname2:1234/kms'");
+    "Provide the comma-separated list of URLs from which to retrieve the "
+    "file system's server key. Example format: 'hostname1:1234/kms,hostname2:1234/kms'.");
 
 DSN_DECLARE_bool(duplication_enabled);
 DSN_DECLARE_int32(fd_beacon_interval_seconds);
@@ -337,14 +337,14 @@ DSN_DEFINE_group_validator(encrypt_data_not_support_close, [](std::string &messa
     } else {
         return true;
     }
-    utils::split_args(data_dirs.c_str(), dirs, ',');
-    std::string kms_path = utils::filesystem::path_combine(dirs[0], ".kms_info");
+    ::absl::StrSplit(data_dirs.c_str(), dirs, ',');
+    std::string kms_path = utils::filesystem::path_combine(dirs[0], replica_kms_info::kKmsInfo);
     if (!FLAGS_encrypt_data_at_rest && utils::filesystem::path_exists(kms_path)) {
         message = fmt::format(
-            "[pegasus.server] encrypt_data_at_rest = ({}), but kms_info file path = ({}) is exist."
-            "Pegasus dont support close encrypte after enable encrypte.",
-            FLAGS_encrypt_data_at_rest,
-            kms_path);
+            "The kms_info file exists at ({}), but [pegasus.server] encrypt_data_at_rest is set to ({})."
+            "Encryption in Pegasus is irreversible after its initial activation.",
+            kms_path,
+            FLAGS_encrypt_data_at_rest);
         return false;
     }
     return true;
@@ -446,29 +446,27 @@ void replica_stub::initialize(const replication_options &opts, bool clear /* = f
         key_provider.reset(new dsn::security::KMSKeyProvider(
             ::absl::StrSplit(FLAGS_hadoop_kms_url, ",", ::absl::SkipEmpty()),
             FLAGS_encryption_cluster_key_name));
-        auto err = kms_info.load(_options.data_dirs[0]);
-        if (err != dsn::ERR_OK) {
-            LOG_WARNING("Can't open kms-info file to read, this is normal when first launch "
-                        "process. err = {}",
-                        err);
+        auto error_code = kms_info.load(_options.data_dirs[0]);
+        if (error_code != dsn::ERR_OK) {
+            LOG_WARNING("It's normal to encounter a temporary inability to open the kms-info file during the first process launch. error_code = {}",
+                        error_code);
         }
-        // The encryption key should empty when process upon the first launch. And the process will
-        // get EEK, IV, KV from KMS.
-        // After first launch, the encryption key should not empty and get from kms-info file. The
-        // process get DEK from KMS.
-        if (kms_info.eek.empty()) {
+        // Upon the first launch, the encryption key should be empty. The process will then retrieve EEK, IV, and KV from KMS.
+        // After the first launch, the encryption key, obtained from the kms-info file, should not be empty. The process will then acquire the DEK from KMS.
+        std::string kms_path = utils::filesystem::path_combine(_options.data_dirs[0], replica_kms_info::kKmsInfo);
+        if (!utils::filesystem::path_exists(kms_path)) {
             auto err = key_provider->GenerateEncryptionKey(&kms_info);
             CHECK(err, "get encryption key failed, err = {}", err);
         }
-        CHECK(key_provider->DecryptEncryptionKey(kms_info, &server_key),
-              "get decryption key failed");
+        auto err = key_provider->DecryptEncryptionKey(kms_info, &server_key);
+        CHECK(err, "get decryption key failed, err = {}", err);
         FLAGS_server_key = server_key.c_str();
     }
 
     // Initialize the file system manager.
     _fs_manager.initialize(_options.data_dirs, _options.data_dir_tags);
 
-    if (FLAGS_encrypt_data_at_rest && !utils::is_empty(FLAGS_hadoop_kms_url)) {
+    if (key_provider) {
         auto err = kms_info.store(_options.data_dirs[0]);
         CHECK(err == dsn::ERR_OK, "Can't store kms key to kms-info file, err = {}", err);
     }

src/replica/storage/simple_kv/test/case-000.ini

@@ -151,6 +151,11 @@ server_list = localhost:34601
 [pegasus.server]
 encrypt_data_at_rest = false
 
+[security]
+enable_acl = false
+super_users = Pegasus
+meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_FD_FAILURE_DETECTOR_PING,RPC_PREPARE,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_GROUP_CHECK,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_LEARN_COMPLETION_NOTIFY,RPC_CONFIG_PROPOSAL,RPC_CM_DUPLICATION_SYNC,RPC_LEARN_ADD_LEARNER
+
 [replication.app]
 app_name = simple_kv.instance0
 app_type = simple_kv

src/replica/storage/simple_kv/test/case-001.ini

@@ -151,6 +151,11 @@ server_list = localhost:34601
 [pegasus.server]
 encrypt_data_at_rest = false
 
+[security]
+enable_acl = false
+super_users = Pegasus
+meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_CONFIG_PROPOSAL,RPC_FD_FAILURE_DETECTOR_PING,RPC_GROUP_CHECK,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_PREPARE
+
 [replication.app]
 app_name = simple_kv.instance0
 app_type = simple_kv

src/replica/storage/simple_kv/test/case-002.ini

@@ -151,6 +151,11 @@ server_list = localhost:34601
 [pegasus.server]
 encrypt_data_at_rest = false
 
+[security]
+enable_acl = false
+super_users = Pegasus
+meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_CONFIG_PROPOSAL,RPC_FD_FAILURE_DETECTOR_PING,RPC_GROUP_CHECK,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_PREPARE
+
 [replication.app]
 app_name = simple_kv.instance0
 app_type = simple_kv

src/replica/storage/simple_kv/test/case-003.ini

@@ -151,6 +151,11 @@ server_list = localhost:34601
 [pegasus.server]
 encrypt_data_at_rest = false
 
+[security]
+enable_acl = false
+super_users = Pegasus
+meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL
+
 [replication.app]
 app_name = simple_kv.instance0
 app_type = simple_kv

src/replica/storage/simple_kv/test/case-004.ini

@@ -151,6 +151,11 @@ server_list = localhost:34601
 [pegasus.server]
 encrypt_data_at_rest = false
 
+[security]
+enable_acl = false
+super_users = Pegasus
+meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL
+
 [replication.app]
 app_name = simple_kv.instance0
 app_type = simple_kv

src/replica/storage/simple_kv/test/case-005.ini

@@ -151,6 +151,11 @@ server_list = localhost:34601
 [pegasus.server]
 encrypt_data_at_rest = false
 
+[security]
+enable_acl = false
+super_users = Pegasus
+meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL
+
 [replication.app]
 app_name = simple_kv.instance0
 app_type = simple_kv

src/replica/storage/simple_kv/test/case-006.ini

@@ -152,6 +152,11 @@ server_list = localhost:34601
 [pegasus.server]
 encrypt_data_at_rest = false
 
+[security]
+enable_acl = false
+super_users = Pegasus
+meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL
+
 [replication.app]
 app_name = simple_kv.instance0
 app_type = simple_kv

src/replica/storage/simple_kv/test/case-100.ini

@@ -152,6 +152,11 @@ server_list = localhost:34601
 [pegasus.server]
 encrypt_data_at_rest = false
 
+[security]
+enable_acl = false
+super_users = Pegasus
+meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL
+
 [replication.app]
 app_name = simple_kv.instance0
 app_type = simple_kv

src/replica/storage/simple_kv/test/case-101.ini

@@ -152,6 +152,11 @@ server_list = localhost:34601
 [pegasus.server]
 encrypt_data_at_rest = false
 
+[security]
+enable_acl = false
+super_users = Pegasus
+meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL
+
 [replication.app]
 app_name = simple_kv.instance0
 app_type = simple_kv

src/replica/storage/simple_kv/test/case-102.ini

@@ -152,6 +152,11 @@ server_list = localhost:34601
 [pegasus.server]
 encrypt_data_at_rest = false
 
+[security]
+enable_acl = false
+super_users = Pegasus
+meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL
+
 [replication.app]
 app_name = simple_kv.instance0
 app_type = simple_kv

src/replica/storage/simple_kv/test/case-103.ini

@@ -152,6 +152,11 @@ server_list = localhost:34601
 [pegasus.server]
 encrypt_data_at_rest = false
 
+[security]
+enable_acl = false
+super_users = Pegasus
+meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL
+
 [replication.app]
 app_name = simple_kv.instance0
 app_type = simple_kv

src/replica/storage/simple_kv/test/case-104.ini

@@ -152,6 +152,11 @@ server_list = localhost:34601
 [pegasus.server]
 encrypt_data_at_rest = false
 
+[security]
+enable_acl = false
+super_users = Pegasus
+meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL
+
 [replication.app]
 app_name = simple_kv.instance0
 app_type = simple_kv

src/replica/storage/simple_kv/test/case-105.ini

@@ -152,6 +152,11 @@ server_list = localhost:34601
 [pegasus.server]
 encrypt_data_at_rest = false
 
+[security]
+enable_acl = false
+super_users = Pegasus
+meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL
+
 [replication.app]
 app_name = simple_kv.instance0
 app_type = simple_kv

src/replica/storage/simple_kv/test/case-106.ini

@@ -152,6 +152,11 @@ server_list = localhost:34601
 [pegasus.server]
 encrypt_data_at_rest = false
 
+[security]
+enable_acl = false
+super_users = Pegasus
+meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL
+
 [replication.app]
 app_name = simple_kv.instance0
 app_type = simple_kv

src/replica/storage/simple_kv/test/case-107.ini

@@ -152,6 +152,11 @@ server_list = localhost:34601
 [pegasus.server]
 encrypt_data_at_rest = false
 
+[security]
+enable_acl = false
+super_users = Pegasus
+meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL
+
 [replication.app]
 app_name = simple_kv.instance0
 app_type = simple_kv

src/replica/storage/simple_kv/test/case-108.ini

@@ -152,6 +152,11 @@ server_list = localhost:34601
 [pegasus.server]
 encrypt_data_at_rest = false
 
+[security]
+enable_acl = false
+super_users = Pegasus
+meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL
+
 [replication.app]
 app_name = simple_kv.instance0
 app_type = simple_kv

src/replica/storage/simple_kv/test/case-109.ini

@@ -152,6 +152,11 @@ server_list = localhost:34601
 [pegasus.server]
 encrypt_data_at_rest = false
 
+[security]
+enable_acl = false
+super_users = Pegasus
+meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_PROPOSE_BALANCER,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL
+
 [replication.app]
 app_name = simple_kv.instance0
 app_type = simple_kv

src/replica/storage/simple_kv/test/case-200.ini

@@ -152,6 +152,11 @@ server_list = localhost:34601
 [pegasus.server]
 encrypt_data_at_rest = false
 
+[security]
+enable_acl = false
+super_users = Pegasus
+meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL
+
 [replication.app]
 app_name = simple_kv.instance0
 app_type = simple_kv

src/replica/storage/simple_kv/test/case-201.ini

@@ -152,6 +152,11 @@ server_list = localhost:34601
 [pegasus.server]
 encrypt_data_at_rest = false
 
+[security]
+enable_acl = false
+super_users = Pegasus
+meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL
+
 [replication.app]
 app_name = simple_kv.instance0
 app_type = simple_kv

src/replica/storage/simple_kv/test/case-202-0.ini

@@ -152,6 +152,11 @@ server_list = localhost:34601
 [pegasus.server]
 encrypt_data_at_rest = false
 
+[security]
+enable_acl = false
+super_users = Pegasus
+meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL
+
 [replication.app]
 app_name = simple_kv.instance0
 app_type = simple_kv

src/replica/storage/simple_kv/test/case-202-1.ini

@@ -152,6 +152,11 @@ server_list = localhost:34601
 [pegasus.server]
 encrypt_data_at_rest = false
 
+[security]
+enable_acl = false
+super_users = Pegasus
+meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL
+
 [replication.app]
 app_name = simple_kv.instance0
 app_type = simple_kv

src/replica/storage/simple_kv/test/case-203-0.ini

@@ -152,6 +152,11 @@ server_list = localhost:34601
 [pegasus.server]
 encrypt_data_at_rest = false
 
+[security]
+enable_acl = false
+super_users = Pegasus
+meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL
+
 [replication.app]
 app_name = simple_kv.instance0
 app_type = simple_kv

src/replica/storage/simple_kv/test/case-204.ini

@@ -152,6 +152,11 @@ server_list = localhost:34601
 [pegasus.server]
 encrypt_data_at_rest = false
 
+[security]
+enable_acl = false
+super_users = Pegasus
+meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_PROPOSE_BALANCER,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL
+
 [replication.app]
 app_name = simple_kv.instance0
 app_type = simple_kv

src/replica/storage/simple_kv/test/case-205.ini

@@ -152,6 +152,11 @@ server_list = localhost:34601
 [pegasus.server]
 encrypt_data_at_rest = false
 
+[security]
+enable_acl = false
+super_users = Pegasus
+meta_acl_rpc_allow_list = RPC_CM_CONFIG_SYNC,RPC_CM_DUPLICATION_SYNC,RPC_CM_PROPOSE_BALANCER,RPC_CM_QUERY_PARTITION_CONFIG_BY_INDEX,RPC_CM_UPDATE_PARTITION_CONFIGURATION,RPC_PREPARE,RPC_LEARN_ADD_LEARNER,RPC_LEARN_COMPLETION_NOTIFY,RPC_GROUP_CHECK,RPC_FD_FAILURE_DETECTOR_PING,RPC_CONFIG_PROPOSAL
+
 [replication.app]
 app_name = simple_kv.instance0
 app_type = simple_kv