Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feature: support double token for seata authentication and support raft ssl communication #6878

Open
wants to merge 3 commits into
base: 2.x
Choose a base branch
from
Open

feature: support double token for seata authentication and support raft ssl communication #6878

wants to merge 3 commits into from

Conversation

Muluo-cyan
Copy link

  • I have registered the PR changes.

Ⅰ. Describe what this PR did

  1. Client注册RM与TM的同步请求与异步请求现在支持jwt authentication, 采用双token(accessToken和refreshToken)方案。
  2. Console后端的鉴权方案现在改为双token方案(前端还暂不支持,现在实际效果与之前保持一致。
  3. Client请求raft集群信息的鉴权方案现在采用双token方案。
  4. Raft集群节点之间的通信现在支持开启ssl
  5. 分离Console和Client请求raft集群信息使用的鉴权配置

Ⅱ. Does this pull request fix one issue?

Ⅲ. Why don't you add test cases (unit test/integration test)?

Ⅳ. Describe how to verify it

  1. 配置raft集群信息,启动seata server的raft集群
  2. 下载seata-samples/at-samples,配置对应的raft集群,配置便于测试的token有效时间
  3. 启动客户端
  • 验证Client注册RM与TM:查看RM和TM在客户端启动时的注册情况,可以修改seata-samples的代码,添加一个create RM的代码,根据配置的token有效期,在不同时间查看注册RM的鉴权流程。(首次注册使用用户名密码,登录成功获取access token和refresh token,在access token有效期内注册使用access token,access token即将过期或者已经过期时,使用refresh token刷新获取新的access token,refresh token过期后重新登录获取新的access token和refresh token)
  • 打开console控制台,登录后,浏览器查看登录请求,从响应中获取access token和refresh token。使用postman模拟上述流程进行测试。
  • Client启动后,会定期与TC进行交互,观察交互时Client向TC发起的http请求的鉴权流程即可
  • server的application.yml中添加如下配置开启ssl支持。
    server:
    raft:
    ssl:
    enabled: true //是否开启ssl支持
    server:
    keystore: bolt.pfx //raft节点rpc服务端keystore文件路径
    keystore.password: sfbolt //keystore密码
    keystore.type: pkcs12 //keystore类型
    kmf.algorithm: SunX509 //kmf算法
    client:
    keystore: cbolt.pfx //raft节点rpc客户端keystore文件路径
    keystore.password: sfbolt //keystore密码
    keystore.type: pkcs12 //keystore类型
    kmf.algorithm: SunX509 //kmf算法

其中服务端 SSL keystore 文件 bolt.pfx 和客户端 SSL keystore 文件 cbolt.pfx 按照以下步骤生成:

  1. 首先生成 keystore 并且导出其认证文件。
    keytool -genkey -alias securebolt -keysize 2048 -validity 365 -keyalg RSA -dname "CN=localhost" -keypass sfbolt -storepass sfbolt -keystore bolt.pfx -deststoretype pkcs12

keytool -export -alias securebolt -keystore bolt.pfx -storepass sfbolt -file bolt.cer

  1. 接着生成客户端 keystore并且导出其认证文件。
    keytool -genkey -alias smcc -keysize 2048 -validity 365 -keyalg RSA -dname "CN=localhost" -keypass sfbolt -storepass sfbolt -keystore cbolt.pfx -deststoretype pkcs12

keytool -export -alias smcc -keystore cbolt.pfx -storepass sfbolt -file cbolt.cer

3.最后导入服务端认证文件到客户端 keystore, 导入客户端认证文件到服务端 keystore。
keytool -import -trustcacerts -alias securebolt -file bolt.cer -storepass sfbolt -keystore cbolt.pfx

keytool -import -trustcacerts -alias smcc -file cbolt.cer -storepass sfbolt -keystore bolt.pfx

将生成的证书copy到每个节点用keytool导入到keystore。
然后启动seata集群,可以看到raft集群已经开启ssl支持,没有证书的节点无法与其他节点进行通信。

Ⅴ. Special notes for reviews

所有双token方案逻辑一致。

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@Muluo-cyan