feature: support double token for seata authentication and support raft ssl communication #6878
Ⅰ. Describe what this PR did
Ⅱ. Does this pull request fix one issue?
Ⅲ. Why don't you add test cases (unit test/integration test)?
Ⅳ. Describe how to verify it
```yaml
server:
  raft:
    ssl:
      enabled: true                 # whether to enable SSL support
      server:
        keystore: bolt.pfx          # keystore path for the raft node RPC server
        keystore.password: sfbolt   # keystore password
        keystore.type: pkcs12       # keystore type
        kmf.algorithm: SunX509      # KeyManagerFactory (kmf) algorithm
      client:
        keystore: cbolt.pfx         # keystore path for the raft node RPC client
        keystore.password: sfbolt   # keystore password
        keystore.type: pkcs12       # keystore type
        kmf.algorithm: SunX509      # KeyManagerFactory (kmf) algorithm
```
The server SSL keystore file bolt.pfx and the client SSL keystore file cbolt.pfx are generated with the following steps:

1. Generate the server keystore and export its certificate:

```shell
keytool -genkey -alias securebolt -keysize 2048 -validity 365 -keyalg RSA -dname "CN=localhost" -keypass sfbolt -storepass sfbolt -keystore bolt.pfx -deststoretype pkcs12
keytool -export -alias securebolt -keystore bolt.pfx -storepass sfbolt -file bolt.cer
```

2. Generate the client keystore and export its certificate:

```shell
keytool -genkey -alias smcc -keysize 2048 -validity 365 -keyalg RSA -dname "CN=localhost" -keypass sfbolt -storepass sfbolt -keystore cbolt.pfx -deststoretype pkcs12
keytool -export -alias smcc -keystore cbolt.pfx -storepass sfbolt -file cbolt.cer
```

3. Finally, import the server certificate into the client keystore and the client certificate into the server keystore:

```shell
keytool -import -trustcacerts -alias securebolt -file bolt.cer -storepass sfbolt -keystore cbolt.pfx
keytool -import -trustcacerts -alias smcc -file cbolt.cer -storepass sfbolt -keystore bolt.pfx
```

Copy the generated certificates to every node and import them into that node's keystore with keytool.
Then start the Seata cluster: the raft cluster now has SSL enabled, and a node without the certificate cannot communicate with the other nodes.
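The keystore procedure above wrapped in a script, as an added example that is not part of the PR: it reads the store password from the environment (the assumed variable SEATA_RAFT_KEYSTORE_PASS, defaulting to the write-up's value) and then checks that each keystore ends up holding its own PrivateKeyEntry plus the peer's trustedCertEntry, which is what makes the two sides authenticate each other. It assumes a JDK keytool on PATH.

```shell
#!/usr/bin/env bash
# Added example (not part of the PR): build the two PKCS12 keystores that the
# raft.ssl config expects, cross-import the certificates, and verify the result.
# The alias names and file names are the ones used in the PR description.
set -euo pipefail

STORE_PASS="${SEATA_RAFT_KEYSTORE_PASS:-sfbolt}"   # assumed env var; override in real deployments
SERVER_ALIAS=securebolt
CLIENT_ALIAS=smcc

# gen_keystore DIR NAME ALIAS CN: self-signed RSA-2048 key pair in a PKCS12 store, cert exported beside it
gen_keystore() {
  local dir="$1" name="$2" alias="$3" cn="$4"
  keytool -genkeypair -alias "$alias" -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$cn" -keypass "$STORE_PASS" -storepass "$STORE_PASS" \
    -keystore "$dir/$name.pfx" -storetype pkcs12 >/dev/null 2>&1
  keytool -exportcert -alias "$alias" -keystore "$dir/$name.pfx" \
    -storepass "$STORE_PASS" -file "$dir/$name.cer" >/dev/null 2>&1
}

# cross_trust DIR: each side trusts exactly the other side's certificate (trust is pinned
# to the imported cert, not derived from the CN, which is why CN=localhost works on every node)
cross_trust() {
  local dir="$1"
  keytool -importcert -noprompt -alias "$SERVER_ALIAS" -file "$dir/bolt.cer" \
    -storepass "$STORE_PASS" -keystore "$dir/cbolt.pfx" >/dev/null 2>&1
  keytool -importcert -noprompt -alias "$CLIENT_ALIAS" -file "$dir/cbolt.cer" \
    -storepass "$STORE_PASS" -keystore "$dir/bolt.pfx" >/dev/null 2>&1
}

# has_entry STORE ALIAS KIND: KIND is PrivateKeyEntry or trustedCertEntry in keytool -list output
has_entry() {
  keytool -list -keystore "$1" -storepass "$STORE_PASS" -storetype pkcs12 2>/dev/null \
    | grep "^$2,.*$3" >/dev/null
}

# build_raft_keystores DIR: full procedure; succeeds only if both stores hold their own key and the peer's cert
build_raft_keystores() {
  local dir="$1"
  gen_keystore "$dir" bolt  "$SERVER_ALIAS" localhost
  gen_keystore "$dir" cbolt "$CLIENT_ALIAS" localhost
  cross_trust "$dir"
  has_entry "$dir/bolt.pfx"  "$SERVER_ALIAS" PrivateKeyEntry &&
  has_entry "$dir/bolt.pfx"  "$CLIENT_ALIAS" trustedCertEntry &&
  has_entry "$dir/cbolt.pfx" "$CLIENT_ALIAS" PrivateKeyEntry &&
  has_entry "$dir/cbolt.pfx" "$SERVER_ALIAS" trustedCertEntry
}
```

Run `build_raft_keystores /path/to/conf` on a build host, then distribute bolt.pfx and cbolt.pfx to the nodes; a non-zero exit means one of the cross-imports is missing and the nodes will not be able to talk to each other.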
Ⅴ. Special notes for reviews
The logic of the double-token scheme is consistent everywhere it is applied.