optimize: support Nacos ram role authentication

changes/en-us/2.x.md

@@ -24,6 +24,7 @@ Add changes here for all PR submitted to the 2.x branch.
 - [[#6098](https://github.com/seata/seata/pull/6098)] optimize the retry logic in the acquireMetadata method
 - [[#6034](https://github.com/seata/seata/pull/6034)] using namespace from command line when deployment with helm charts
 - [[#6116](https://github.com/seata/seata/pull/6034)] remove lgtm.com stuff
+- [[#6148](https://github.com/seata/seata/pull/6148)] support Nacos ram role authentication
 
 
 ### security:

changes/zh-cn/2.x.md

@@ -24,6 +24,7 @@
 - [[#6098](https://github.com/seata/seata/pull/6098)] 优化acquireMetadata方法的重试逻辑
 - [[#6034](https://github.com/seata/seata/pull/6034)] 使用helm图表进行部署时使用命令行中的命名空间
 - [[#6116](https://github.com/seata/seata/pull/6034)] 移除 lgtm.com 
+- [[#6148](https://github.com/seata/seata/pull/6148)] 支持 Nacos ram role 鉴权方式
 
 ### security:
 - [[#6069](https://github.com/seata/seata/pull/6069)] 升级Guava依赖版本，修复安全漏洞

config/seata-config-nacos/src/main/java/io/seata/config/nacos/NacosConfiguration.java

@@ -27,6 +27,7 @@
 import com.alibaba.nacos.api.config.ConfigService;
 import com.alibaba.nacos.api.config.listener.AbstractSharedListener;
 import com.alibaba.nacos.api.exception.NacosException;
+
 import io.seata.common.exception.NotSupportYetException;
 import io.seata.common.util.CollectionUtils;
 import io.seata.common.util.StringUtils;
@@ -63,6 +64,7 @@ public class NacosConfiguration extends AbstractConfiguration {
     private static final String PASSWORD = "password";
     private static final String ACCESS_KEY = "accessKey";
     private static final String SECRET_KEY = "secretKey";
+    private static final String RAM_ROLE_NAME_KEY = "ramRoleName";
     private static final String USE_PARSE_RULE = "false";
     private static final String CONTEXT_PATH = "contextPath";
     private static final Configuration FILE_CONFIG = ConfigurationFactory.CURRENT_FILE_INSTANCE;
@@ -224,32 +226,51 @@ private static Properties getConfigProperties() {
             }
             properties.setProperty(PRO_NAMESPACE_KEY, namespace);
         }
+        if (!initNacosAuthProperties(properties)) {
+            LOGGER.info("Nacos config auth properties empty.");
+        }
+        String contextPath = StringUtils.isNotBlank(System.getProperty(CONTEXT_PATH)) ? System.getProperty(CONTEXT_PATH) : FILE_CONFIG.getConfig(getNacosContextPathKey());
+        if (StringUtils.isNotBlank(contextPath)) {
+            properties.setProperty(CONTEXT_PATH, contextPath);
+        }
+        return properties;
+    }
+
+    /**
+     * init nacos auth properties
+     *
+     * username/password > ak/sk > ramRoleName
+     * @param sourceProperties the source properties
+     * @return auth properties
+     */
+    private static boolean initNacosAuthProperties(Properties sourceProperties) {
         String userName = StringUtils.isNotBlank(System.getProperty(USER_NAME)) ? System.getProperty(USER_NAME) : FILE_CONFIG.getConfig(getNacosUserName());
         if (StringUtils.isNotBlank(userName)) {
             String password = StringUtils.isNotBlank(System.getProperty(PASSWORD)) ? System.getProperty(PASSWORD) : FILE_CONFIG.getConfig(getNacosPassword());
             if (StringUtils.isNotBlank(password)) {
-                properties.setProperty(USER_NAME, userName);
-                properties.setProperty(PASSWORD, password);
+                sourceProperties.setProperty(USER_NAME, userName);
+                sourceProperties.setProperty(PASSWORD, password);
                 LOGGER.info("Nacos check auth with userName/password.");
+                return true;
             }
         } else {
-            String accessKey = StringUtils.isNotBlank(System.getProperty(ACCESS_KEY)) ?
-                System.getProperty(ACCESS_KEY) : FILE_CONFIG.getConfig(getNacosAccessKey());
+            String accessKey = StringUtils.isNotBlank(System.getProperty(ACCESS_KEY)) ? System.getProperty(ACCESS_KEY) : FILE_CONFIG.getConfig(getNacosAccessKey());
+            String ramRoleName = StringUtils.isNotBlank(System.getProperty(RAM_ROLE_NAME_KEY)) ? System.getProperty(RAM_ROLE_NAME_KEY) : FILE_CONFIG.getConfig(getNacosRamRoleNameKey());
             if (StringUtils.isNotBlank(accessKey)) {
-                String secretKey = StringUtils.isNotBlank(System.getProperty(SECRET_KEY)) ?
-                    System.getProperty(SECRET_KEY) : FILE_CONFIG.getConfig(getNacosSecretKey());
+                String secretKey = StringUtils.isNotBlank(System.getProperty(SECRET_KEY)) ? System.getProperty(SECRET_KEY) : FILE_CONFIG.getConfig(getNacosSecretKey());
                 if (StringUtils.isNotBlank(secretKey)) {
-                    properties.put(ACCESS_KEY, accessKey);
-                    properties.put(SECRET_KEY, secretKey);
+                    sourceProperties.put(ACCESS_KEY, accessKey);
+                    sourceProperties.put(SECRET_KEY, secretKey);
                     LOGGER.info("Nacos check auth with ak/sk.");
+                    return true;
                 }
+            } else if (StringUtils.isNotBlank(ramRoleName)) {
+                sourceProperties.put(RAM_ROLE_NAME_KEY, ramRoleName);
+                LOGGER.info("Nacos check auth with ram role.");
+                return true;
             }
         }
-        String contextPath = StringUtils.isNotBlank(System.getProperty(CONTEXT_PATH)) ? System.getProperty(CONTEXT_PATH) : FILE_CONFIG.getConfig(getNacosContextPathKey());
-        if (StringUtils.isNotBlank(contextPath)) {
-            properties.setProperty(CONTEXT_PATH, contextPath);
-        }
-        return properties;
+        return false;
     }
 
     public static String getNacosNameSpaceFileKey() {
@@ -286,6 +307,10 @@ public static String getNacosSecretKey() {
         return String.join(ConfigurationKeys.FILE_CONFIG_SPLIT_CHAR, ConfigurationKeys.FILE_ROOT_CONFIG, CONFIG_TYPE, SECRET_KEY);
     }
 
+    public static String getNacosRamRoleNameKey() {
+        return String.join(ConfigurationKeys.FILE_CONFIG_SPLIT_CHAR, ConfigurationKeys.FILE_ROOT_CONFIG, CONFIG_TYPE, RAM_ROLE_NAME_KEY);
+    }
+
     private static String getNacosGroup() {
         return FILE_CONFIG.getConfig(getNacosGroupKey(), DEFAULT_GROUP);
     }

discovery/seata-discovery-nacos/src/main/java/io/seata/discovery/registry/nacos/NacosRegistryServiceImpl.java

@@ -68,6 +68,7 @@ public class NacosRegistryServiceImpl implements RegistryService<EventListener>
     private static final String PASSWORD = "password";
     private static final String ACCESS_KEY = "accessKey";
     private static final String SECRET_KEY = "secretKey";
+    private static final String RAM_ROLE_NAME_KEY = "ramRoleName";
     private static final String SLB_PATTERN = "slbPattern";
     private static final String CONTEXT_PATH = "contextPath";
     private static final String USE_PARSE_RULE = "false";
@@ -254,29 +255,51 @@ private static Properties getNamingProperties() {
             }
             properties.setProperty(PRO_NAMESPACE_KEY, namespace);
         }
+        if (!initNacosAuthProperties(properties)) {
+            LOGGER.info("Nacos naming auth properties empty.");
+        }
+        String contextPath = StringUtils.isNotBlank(System.getProperty(CONTEXT_PATH)) ? System.getProperty(CONTEXT_PATH) : FILE_CONFIG.getConfig(getNacosContextPathKey());
+        if (StringUtils.isNotBlank(contextPath)) {
+            properties.setProperty(CONTEXT_PATH, contextPath);
+        }
+        return properties;
+    }
+
+    /**
+     * init nacos auth properties
+     *
+     * username/password > ak/sk > ramRoleName
+     * @param sourceProperties the source properties
+     * @return auth properties
+     */
+    private static boolean initNacosAuthProperties(Properties sourceProperties) {
         String userName = StringUtils.isNotBlank(System.getProperty(USER_NAME)) ? System.getProperty(USER_NAME) : FILE_CONFIG.getConfig(getNacosUserName());
         if (StringUtils.isNotBlank(userName)) {
             String password = StringUtils.isNotBlank(System.getProperty(PASSWORD)) ? System.getProperty(PASSWORD) : FILE_CONFIG.getConfig(getNacosPassword());
             if (StringUtils.isNotBlank(password)) {
-                properties.setProperty(USER_NAME, userName);
-                properties.setProperty(PASSWORD, password);
+                sourceProperties.setProperty(USER_NAME, userName);
+                sourceProperties.setProperty(PASSWORD, password);
+                LOGGER.info("Nacos check auth with userName/password.");
+                return true;
             }
         } else {
             String accessKey = StringUtils.isNotBlank(System.getProperty(ACCESS_KEY)) ? System.getProperty(ACCESS_KEY) : FILE_CONFIG.getConfig(getNacosAccessKey());
+            String ramRoleName = StringUtils.isNotBlank(System.getProperty(RAM_ROLE_NAME_KEY)) ? System.getProperty(RAM_ROLE_NAME_KEY) : FILE_CONFIG.getConfig(getNacosRamRoleNameKey());
             if (StringUtils.isNotBlank(accessKey)) {
                 String secretKey = StringUtils.isNotBlank(System.getProperty(SECRET_KEY)) ? System.getProperty(SECRET_KEY) : FILE_CONFIG.getConfig(getNacosSecretKey());
                 if (StringUtils.isNotBlank(secretKey)) {
-                    properties.put(ACCESS_KEY, accessKey);
-                    properties.put(SECRET_KEY, secretKey);
+                    sourceProperties.put(ACCESS_KEY, accessKey);
+                    sourceProperties.put(SECRET_KEY, secretKey);
                     LOGGER.info("Nacos check auth with ak/sk.");
+                    return true;
                 }
+            } else if (StringUtils.isNotBlank(ramRoleName)) {
+                sourceProperties.put(RAM_ROLE_NAME_KEY, ramRoleName);
+                LOGGER.info("Nacos check auth with ram role.");
+                return true;
             }
         }
-        String contextPath = StringUtils.isNotBlank(System.getProperty(CONTEXT_PATH)) ? System.getProperty(CONTEXT_PATH) : FILE_CONFIG.getConfig(getNacosContextPathKey());
-        if (StringUtils.isNotBlank(contextPath)) {
-            properties.setProperty(CONTEXT_PATH, contextPath);
-        }
-        return properties;
+        return false;
     }
 
     private static String getClusterName() {
@@ -327,6 +350,10 @@ public static String getNacosSecretKey() {
         return String.join(ConfigurationKeys.FILE_CONFIG_SPLIT_CHAR, ConfigurationKeys.FILE_ROOT_REGISTRY, REGISTRY_TYPE, SECRET_KEY);
     }
 
+    public static String getNacosRamRoleNameKey() {
+        return String.join(ConfigurationKeys.FILE_CONFIG_SPLIT_CHAR, ConfigurationKeys.FILE_ROOT_CONFIG, REGISTRY_TYPE, RAM_ROLE_NAME_KEY);
+    }
+
     public static String getClientApplication() {
         return String.join(ConfigurationKeys.FILE_CONFIG_SPLIT_CHAR, ConfigurationKeys.FILE_ROOT_REGISTRY, REGISTRY_TYPE, PRO_CLIENT_APPLICATION);
     }

script/client/conf/registry.conf

@@ -29,12 +29,15 @@ registry {
     serverAddr = "127.0.0.1:8848"
     group = "SEATA_GROUP"
     namespace = ""
+    contextPath = ""
+    ##1.The following configuration is for the open source version of Nacos
     username = ""
     password = ""
-    contextPath = ""
-    ##if use MSE Nacos with auth, mutex with username/password attribute
+    ##2.The following configuration is for the MSE Nacos on aliyun
     #accessKey = ""
     #secretKey = ""
+    ##3.The following configuration is used to deploy on Aliyun ECS or ACK without authentication
+    #ramRoleName = ""
     ##if use Nacos naming meta-data for SLB service registry, specify nacos address pattern rules here
     #slbPattern = ""
   }
@@ -88,12 +91,15 @@ config {
     serverAddr = "127.0.0.1:8848"
     namespace = ""
     group = "SEATA_GROUP"
+    contextPath = ""
+    ##1.The following configuration is for the open source version of Nacos
     username = ""
     password = ""
-    contextPath = ""
-    ##if use MSE Nacos with auth, mutex with username/password attribute
+    ##2.The following configuration is for the MSE Nacos on aliyun
     #accessKey = ""
     #secretKey = ""
+    ##3.The following configuration is used to deploy on Aliyun ECS or ACK without authentication
+    #ramRoleName = ""
     dataId = "seata.properties"
   }
   consul {

seata-spring-autoconfigure/seata-spring-autoconfigure-core/src/main/java/io/seata/spring/boot/autoconfigure/properties/config/ConfigNacosProperties.java

@@ -15,6 +15,7 @@
  */
 package io.seata.spring.boot.autoconfigure.properties.config;
 
+import io.seata.spring.boot.autoconfigure.properties.registry.RegistryNacosProperties;
 import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.stereotype.Component;
 
@@ -33,6 +34,7 @@ public class ConfigNacosProperties {
     private String password;
     private String accessKey;
     private String secretKey;
+    private String ramRoleName;
     private String dataId = "seata.properties";
     private String contextPath;
 
@@ -116,4 +118,13 @@ public ConfigNacosProperties setContextPath(String contextPath) {
         this.contextPath = contextPath;
         return this;
     }
+
+    public String getRamRoleName() {
+        return ramRoleName;
+    }
+
+    public ConfigNacosProperties setRamRoleName(String ramRoleName) {
+        this.ramRoleName = ramRoleName;
+        return this;
+    }
 }

seata-spring-autoconfigure/seata-spring-autoconfigure-core/src/main/java/io/seata/spring/boot/autoconfigure/properties/registry/RegistryNacosProperties.java

@@ -34,6 +34,7 @@ public class RegistryNacosProperties {
     private String password;
     private String accessKey;
     private String secretKey;
+    private String ramRoleName;
     private String application = "seata-server";
     private String slbPattern;
     private String contextPath;
@@ -140,7 +141,17 @@ public String getClientApplication() {
         return clientApplication;
     }
 
-    public void setClientApplication(String clientApplication) {
+    public RegistryNacosProperties setClientApplication(String clientApplication) {
         this.clientApplication = clientApplication;
+        return this;
+    }
+
+    public String getRamRoleName() {
+        return ramRoleName;
+    }
+
+    public RegistryNacosProperties setRamRoleName(String ramRoleName) {
+        this.ramRoleName = ramRoleName;
+        return this;
     }
 }

server/src/main/resources/application.example.yml

@@ -38,12 +38,15 @@ seata:
       server-addr: 127.0.0.1:8848
       namespace:
       group: SEATA_GROUP
+      context-path:
+      ##1.The following configuration is for the open source version of Nacos
       username:
       password:
-      context-path:
-      ##if use MSE Nacos with auth, mutex with username/password attribute
+      ##2.The following configuration is for the MSE Nacos on aliyun
       #access-key:
       #secret-key:
+      ##3.The following configuration is used to deploy on Aliyun ECS or ACK without authentication
+      #ram-role-name:
       data-id: seataServer.properties
     consul:
       server-addr: 127.0.0.1:8500
@@ -76,12 +79,15 @@ seata:
       group: SEATA_GROUP
       namespace:
       cluster: default
+      context-path:
+      ##1.The following configuration is for the open source version of Nacos
       username:
       password:
-      context-path:
-      ##if use MSE Nacos with auth, mutex with username/password attribute
+      ##2.The following configuration is for the MSE Nacos on aliyun
       #access-key:
       #secret-key:
+      ##3.The following configuration is used to deploy on Aliyun ECS or ACK without authentication
+      #ram-role-name:
     eureka:
       service-url: http://localhost:8761/eureka
       application: default