Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feature: support ssl communication for raft nodes #6926

Open
wants to merge 5 commits into
base: 2.x
Choose a base branch
from

Conversation

Muluo-cyan
Copy link

  • I have registered the PR changes.

Ⅰ. Describe what this PR did

Raft集群节点之间的通信现在支持开启ssl
The communication between nodes in the Raft cluster now supports SSL.

Ⅱ. Does this pull request fix one issue?

Ⅲ. Why don't you add test cases (unit test/integration test)?

Ⅳ. Describe how to verify it

server的application.yml中添加如下配置开启ssl支持。
Add the following configuration to the application.yml file on the server to enable SSL support.
server:
raft:
ssl:
enabled: true //是否开启ssl支持
keystore.type: pkcs12 //keystore类型
kmf.algorithm: SunX509 //kmf算法
server:
keystore: bolt.pfx //raft节点rpc服务端keystore文件路径
keystore.password: sfbolt //keystore密码
client:
keystore: cbolt.pfx //raft节点rpc客户端keystore文件路径
keystore.password: sfbolt //keystore密码
其中服务端 SSL keystore 文件 bolt.pfx 和客户端 SSL keystore 文件 cbolt.pfx 按照以下步骤生成:
The server-side SSL keystore file bolt.pfx and the client-side SSL keystore file cbolt.pfx can be generated using the following steps:

1.首先生成 keystore 并且导出其认证文件。
First, generate the keystore and export its certificate.

keytool -genkey -alias securebolt -keysize 2048 -validity 365 -keyalg RSA -dname "CN=localhost" -keypass sfbolt -storepass sfbolt -keystore bolt.pfx -deststoretype pkcs12
keytool -export -alias securebolt -keystore bolt.pfx -storepass sfbolt -file bolt.cer

2.接着生成客户端 keystore并且导出其认证文件。
Next, generate the client keystore and export its certificate.

keytool -genkey -alias smcc -keysize 2048 -validity 365 -keyalg RSA -dname "CN=localhost" -keypass sfbolt -storepass sfbolt -keystore cbolt.pfx -deststoretype pkcs12
keytool -export -alias smcc -keystore cbolt.pfx -storepass sfbolt -file cbolt.cer

3.最后导入服务端认证文件到客户端 keystore, 导入客户端认证文件到服务端 keystore。
Finally, import the server certificate into the client keystore and the client certificate into the server keystore.

keytool -import -trustcacerts -alias securebolt -file bolt.cer -storepass sfbolt -keystore cbolt.pfx
keytool -import -trustcacerts -alias smcc -file cbolt.cer -storepass sfbolt -keystore bolt.pfx

将生成的证书copy到每个节点。
然后启动seata集群,可以看到raft集群已经开启ssl支持,没有证书的节点与其他节点的通信会被拒绝
Copy the generated certificates to each node.
Then, start the Seata cluster. You should see that the Raft cluster has SSL support enabled, and any node without the certificate will have its communication with other nodes rejected.

Ⅴ. Special notes for reviews

@xingfudeshi xingfudeshi added the first-time contributor first-time contributor label Oct 24, 2024
Copy link

codecov bot commented Oct 24, 2024

Codecov Report

Attention: Patch coverage is 5.88235% with 16 lines in your changes missing coverage. Please review.

Project coverage is 52.60%. Comparing base (dbe095a) to head (9c2aa14).

Files with missing lines Patch % Lines
...g/apache/seata/server/cluster/raft/RaftServer.java 5.88% 15 Missing and 1 partial ⚠️
Additional details and impacted files

Impacted file tree graph

@@             Coverage Diff              @@
##                2.x    #6926      +/-   ##
============================================
- Coverage     52.61%   52.60%   -0.01%     
- Complexity     6579     6580       +1     
============================================
  Files          1126     1126              
  Lines         39928    39945      +17     
  Branches       4680     4683       +3     
============================================
+ Hits          21010    21015       +5     
- Misses        16916    16929      +13     
+ Partials       2002     2001       -1     
Files with missing lines Coverage Δ
...ava/org/apache/seata/common/ConfigurationKeys.java 0.00% <ø> (ø)
...g/apache/seata/server/cluster/raft/RaftServer.java 58.18% <5.88%> (-23.40%) ⬇️

... and 6 files with indirect coverage changes

Copy link
Contributor

@funky-eyes funky-eyes left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@xingfudeshi
Copy link
Member

@Muluo-cyan Please register this PR in change logs[1].

[1]https://github.com/apache/incubator-seata/tree/2.x/changes

Copy link
Member

@slievrly slievrly left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Muluo-cyan can you add some configuration docs on seata website?

@funky-eyes funky-eyes added this to the 2.3.0 milestone Nov 17, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
first-time contributor first-time contributor module/server server module store: raft
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants