
Microservices Engine:Access authentication by the Nacos client

Last Updated:Mar 06, 2023

You can enable the authentication feature for Nacos instances on Microservices Engine (MSE). The authentication feature helps prevent malicious users from obtaining or modifying information about a specific instance. This topic describes how to configure access authentication for Nacos instances in the MSE console and how to use the Nacos client to perform authorized access to Nacos instances.

Prerequisites

Usage notes

After you configure a Nacos client with the credentials of a RAM user, the client accesses the MSE Nacos instance as that RAM user, so the client has exactly the permissions that are granted to the RAM user.

Note

For more information about how to grant RAM users the permissions to access MSE in Console Access mode or OpenAPI Access mode, see Grant permissions to access Microservices Registry.

Enable authentication

Important

After you enable the authentication feature for a Nacos instance, you cannot access the Nacos instance in the open source Nacos console. You must access the instance in the MSE console. The MSE console supports finer-grained access control based on the Alibaba Cloud Resource Access Management (RAM) user system. For more information, see Grant permissions to access Microservices Registry.

  1. Log on to the MSE console and select a region in the top navigation bar.
  2. In the left-side navigation pane, choose Microservices Registry > Instances.
  3. On the Instances page, click the name of the instance.
  4. In the left-side navigation pane of the Basic Information page, click Parameter Settings. On the page that appears, click Edit.

  5. Set the ConfigAuthEnabled or NamingAuthEnabled parameter to Yes, and click Save and restart the instance.

    • ConfigAuthEnabled specifies whether to enable the authentication feature for a configuration center. This parameter is supported by MSE Nacos instances in version 1.2.1 or later of the Basic Edition and all versions of the Professional Edition and Developer Edition.

    • NamingAuthEnabled specifies whether to enable the authentication feature for a registry. This parameter is supported by MSE Nacos instances in version 2.0.4 or later of the Professional Edition and Developer Edition.

    The two parameters are independent of each other.

Important

After you enable the authentication feature for a configuration center or a registry, a Nacos client that has no AccessKey pair configured can no longer access the configurations or services of that configuration center or registry. Proceed with caution.

Configure authentication for a RAM user

Step 1: Create a RAM user

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, click Create User.
  4. In the User Account Information section of the Create User page, configure the following parameters:
    • Logon Name: The logon name can be up to 64 characters in length, and can contain letters, digits, periods (.), hyphens (-), and underscores (_).
    • Display Name: The display name can be up to 128 characters in length.
    • Tag (optional): You can click the edit icon. In the dialog box that appears, specify the Tag Key and Tag Value parameters. You can add one or more tags to the RAM user. This way, you can manage the RAM user based on the tags.
    Note: You can click Add User to create multiple RAM users at a time.
  5. In the Access Mode section, select OpenAPI Access.

    • Console Access: If you select Console Access, configure the console logon password, password reset policies, and multi-factor authentication (MFA) policies.

      Note

      If you select Reset Custom Password in the Console Password section, specify a password. The password must meet the complexity requirements. For more information about the password complexity requirements, see Configure a password policy for RAM users.

    • OpenAPI Access: If you select OpenAPI Access, the system automatically generates an AccessKey pair for the RAM user. The RAM user can then call API operations or use other development tools to access Alibaba Cloud resources.

    Note

    To ensure account security, we recommend that you select only one access mode for the RAM user. This way, after the person who uses the RAM user leaves your organization, no AccessKey pair remains that can still be used to access Alibaba Cloud resources.

  6. Click OK.

Step 2: Grant permissions to the RAM user

Note

In this step, a coarse-grained authorization operation is performed: the RAM user is granted either read and write permissions or read-only permissions on the configurations and services of all Nacos instances in the Alibaba Cloud account. For more information about fine-grained authorization management, see Fine-grained authorization in registries and Fine-grained authorization in configuration centers.

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, choose Identities > Users.
  3. On the Users page, find the RAM user to which you want to attach the custom policy, and click Add Permissions in the Actions column.
  4. In the Add Permissions panel, grant permissions to the RAM user.

    1. Specify Authorized Scope.

      • Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.

      • Specific Resource Group: The authorization takes effect in a specific resource group.

        Note

        If you select Specific Resource Group for Authorized Scope, you must make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.

    2. Specify the principal.

      The principal is a RAM user to which you want to grant permissions. By default, the current RAM user is specified as the principal. You can also specify a different RAM user.

    3. Attach policies to the RAM user.

      Policy: AliyunMSEFullAccess
      Description: The permissions that are required to manage MSE. You can use a RAM user to which this policy is attached to manage all features the same way you use an Alibaba Cloud account to manage MSE.

      Policy: AliyunMSEReadOnlyAccess
      Description: The read-only permissions on the resources of MSE. A RAM user to which this policy is attached can only read all MSE resources of the Alibaba Cloud account.

      Note

      You can attach a maximum of five policies to a RAM user at a time. If you want to attach more than five policies to a RAM user, repeat the operation.

  5. Click OK.
  6. Click Complete.

Step 3: Configure authentication for the Nacos client (SDK)

An AccessKey pair consists of an AccessKey ID and an AccessKey secret. After you enable the authentication feature for a Nacos instance, you must specify the AccessKey ID and AccessKey secret of a RAM user if you want to access the Nacos instance as the RAM user by using the Nacos client. If you do not specify the AccessKey ID and AccessKey secret of a RAM user for the Nacos client, you cannot access the Nacos instance as the RAM user. For more information about how to obtain an AccessKey pair, see Create an AccessKey pair.

  • If you use an SDK for Java for the Nacos client, you must add the following configuration to the code of your application:

    import java.util.Properties;
    import com.alibaba.nacos.api.PropertyKeyConst;
    import com.alibaba.nacos.api.naming.*;   // NamingFactory, NamingService
    import com.alibaba.nacos.api.config.*;   // ConfigFactory, ConfigService
    Properties properties = new Properties(); // both create* calls below throw the checked NacosException
    properties.put(PropertyKeyConst.SERVER_ADDR, "${Endpoint of the MSE Nacos instance}");
    properties.put(PropertyKeyConst.ACCESS_KEY, "${accessKey}");   // AccessKey ID of the RAM user
    properties.put(PropertyKeyConst.SECRET_KEY, "${secretKey}");   // AccessKey secret; keep it out of source control
    NamingService naming = NamingFactory.createNamingService(properties);
    ConfigService configService = ConfigFactory.createConfigService(properties);
  • If your application is a Spring Cloud Alibaba application, you must add the following configuration to the configuration file of your application:

    ## Nacos registry
    spring.cloud.nacos.discovery.accessKey=${accessKey}
    spring.cloud.nacos.discovery.secretKey=${secretKey}
    
    ## Nacos configuration center
    spring.cloud.nacos.config.accessKey=${accessKey}
    spring.cloud.nacos.config.secretKey=${secretKey}
  • If your application is a Dubbo application, add the following configuration to the registry URL in the configuration file of your Dubbo application:

    dubbo.registry.address=nacos://${Endpoint of the MSE Nacos instance}:8848?accessKey=${accessKey}&secretKey=${secretKey}
  • If you use an SDK for Go for the Nacos client, you must add the following configuration to the code of your application:

    import (
        "log"

        "github.com/nacos-group/nacos-sdk-go/v2/clients"        // v2 module path; v1 omits "/v2"
        "github.com/nacos-group/nacos-sdk-go/v2/common/constant"
        "github.com/nacos-group/nacos-sdk-go/v2/vo"
    )

    // Client-side settings: the AccessKey pair of the RAM user.
    cc := constant.ClientConfig{
        AccessKey: "${accessKey}",
        SecretKey: "${secretKey}", // Go requires a trailing comma on the last field of a multi-line literal
    }

    // The MSE Nacos instance to connect to.
    serverConfigs := []constant.ServerConfig{
        {
            IpAddr: "${Endpoint of the MSE Nacos instance}",
            Port:   8848,
        },
    }

    namingClient, err := clients.NewNamingClient(
        vo.NacosClientParam{
            ClientConfig:  &cc, // pointer to the ClientConfig declared above
            ServerConfigs: serverConfigs,
        },
    )
    if err != nil {
        log.Fatal(err)
    }

    configClient, err := clients.NewConfigClient(
        vo.NacosClientParam{
            ClientConfig:  &cc,
            ServerConfigs: serverConfigs,
        },
    )
    if err != nil {
        log.Fatal(err)
    }

Configure authentication for a RAM role

If an application that is deployed on an Elastic Compute Service (ECS) instance needs to access MSE, the AccessKey pair must be stored on the ECS instance, for example in a configuration file. Managing an AccessKey pair on the instance is complex, and the pair may be leaked.

You can associate a RAM role with the ECS instance and notify the Nacos client of the RAM role name. This way, your application can access MSE without requiring you to specify the AccessKey pair. You can configure RAM roles and policies for instances to control the granularity or the scope of access permissions of the RAM roles. For example, if you grant read-only permissions to a RAM role, your application on the ECS instance with which the RAM role is associated can only read the configurations and services of MSE. Configurations and services of MSE cannot be added or modified. For more information, see RAM roles of ECS instances and RAM role overview.

Note

To use a RAM role for access authentication, you must deploy your application on an ECS instance and make sure that the network type of the ECS instance is virtual private cloud (VPC). For more information, see What is ECS? and What is a VPC?.

Step 1: Create a RAM role and attach policies to the RAM role

  1. Log on to the RAM console by using your Alibaba Cloud account.
  2. In the left-side navigation pane, click RAM Roles.
  3. On the RAM Roles page, click Create RAM Role.
  4. In the Create RAM Role panel, select Alibaba Cloud Service for the Trusted entity type parameter and click Next.
  5. Select Normal Service Role for the Role Type parameter.
  6. Specify the RAM Role Name and Note parameters.
  7. Select a trusted service.
    Note: Available services are listed in the Select Trusted Service drop-down list.
  8. Click OK.
  9. On the Roles page, find the RAM role to which you want to grant permissions and click Add Permissions in the Actions column.
  10. In the Add Permissions panel, grant permissions to the RAM role.

    1. Specify Authorized Scope.

      • Alibaba Cloud Account: The authorization takes effect on the current Alibaba Cloud account.

      • Specific Resource Group: The authorization takes effect in a specific resource group.

        Note

        If you select Specific Resource Group for Authorized Scope, you must make sure that the required cloud service supports resource groups. For more information, see Services that work with Resource Group.

    2. Specify the principal.

      The principal is a RAM role to which you want to grant permissions. By default, the current RAM role is specified as the principal. You can also specify a different RAM role.

    3. Attach policies to the RAM role.

      Policy: AliyunMSEFullAccess
      Description: The permissions that are required to manage MSE. You can use a RAM role to which this policy is attached to manage all features the same way you use an Alibaba Cloud account to manage MSE.

      Policy: AliyunMSEReadOnlyAccess
      Description: The read-only permissions on the resources of MSE. A RAM role to which this policy is attached can only read all MSE resources of the Alibaba Cloud account.

      Note

      You can attach a maximum of five policies to a RAM role at a time. If you want to attach more than five policies to a RAM role, repeat the operation.

  11. Click OK.
  12. Click Complete.

Step 2: Attach the RAM role to the ECS instance

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Instances & Images > Instances.

  3. In the top navigation bar, select the region where the ECS instance resides.

  4. Find the ECS instance to which you want to attach the RAM role and choose More > Instance Settings > Bind/Unbind RAM Role in the Actions column.

  5. In the Bind/Unbind RAM Role dialog box, select the RAM role from the RAM Role drop-down list and click OK.

Step 3: Configure the RAM role on the Nacos client (SDK) and access the Nacos instance

  • If you use an SDK for Java for the Nacos client, you must add the following configuration to the code of your application:

    // Requires java.util.Properties and the com.alibaba.nacos.api.* imports; both create* calls throw the checked NacosException.
    Properties properties = new Properties();
    properties.put(PropertyKeyConst.SERVER_ADDR, "${Endpoint of the MSE Nacos instance}");
    properties.put(PropertyKeyConst.RAM_ROLE_NAME, "${roleName}"); // no AccessKey pair is needed on the instance
    NamingService naming = NamingFactory.createNamingService(properties);
    ConfigService configService = ConfigFactory.createConfigService(properties);
  • If your application is a Spring Cloud Alibaba application, you must add the following configuration to the configuration file of your application:

    ## Nacos registry
    spring.cloud.nacos.discovery.ramRoleName=${roleName}
    
    ## Nacos configuration center
    spring.cloud.nacos.config.ramRoleName=${roleName}
  • If your application is a Dubbo application, add the following configuration to the registry URL in the configuration file of your Dubbo application:

    dubbo.registry.address=nacos://${Endpoint of the MSE Nacos instance}:8848?ramRoleName=${roleName}
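The two credential modes on this page differ in where the secret lives: with the AccessKey pair (Step 3 of the RAM user section) a long-lived secret is stored with the application, while with a RAM role (Step 3 of this section) the client is told only a role name. The following Go program is an added example, not code from this page or from the Nacos SDK. It assumes that, given the role name, credentials are obtained from the ECS instance metadata service at http://100.100.100.200/latest/meta-data/ram/security-credentials/<roleName>, which returns temporary STS credentials with an expiration; the page does not describe how the Nacos client does this internally, so FromECSRole illustrates the mechanism rather than the SDK's implementation. The environment variable names NACOS_ACCESS_KEY and NACOS_SECRET_KEY, the role name mse-nacos-readonly, and the local stand-in server are constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"time"
)

// Credentials is what a client signs with in either mode. SecurityToken and
// Expiration are set only for RAM-role (STS) credentials; a long-lived pair has neither.
type Credentials struct {
	AccessKeyID     string
	AccessKeySecret string
	SecurityToken   string
	Expiration      time.Time
}

// FromEnv builds AccessKey-pair credentials from environment variables rather than
// literals in source. The variable names are this example's own (hypothetical) convention.
func FromEnv(lookup func(string) (string, bool)) (Credentials, error) {
	ak, okA := lookup("NACOS_ACCESS_KEY")
	sk, okS := lookup("NACOS_SECRET_KEY")
	if !okA || !okS || ak == "" || sk == "" {
		return Credentials{}, errors.New("NACOS_ACCESS_KEY and NACOS_SECRET_KEY must both be set")
	}
	return Credentials{AccessKeyID: ak, AccessKeySecret: sk}, nil
}

// stsResponse mirrors the JSON the ECS metadata service returns for a bound role.
type stsResponse struct {
	Code            string `json:"Code"`
	AccessKeyId     string `json:"AccessKeyId"`
	AccessKeySecret string `json:"AccessKeySecret"`
	SecurityToken   string `json:"SecurityToken"`
	Expiration      string `json:"Expiration"`
}

// FromECSRole fetches temporary credentials for the RAM role bound to this ECS instance
// (base is http://100.100.100.200 on ECS). The role name is the only configuration.
func FromECSRole(client *http.Client, base, roleName string) (Credentials, error) {
	if roleName == "" {
		return Credentials{}, errors.New("RAM role name must not be empty")
	}
	resp, err := client.Get(base + "/latest/meta-data/ram/security-credentials/" + roleName)
	if err != nil {
		return Credentials{}, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK { // usual cause: role not bound to this instance (Step 2)
		return Credentials{}, fmt.Errorf("metadata service: HTTP %d for role %q", resp.StatusCode, roleName)
	}
	var sts stsResponse
	if err := json.NewDecoder(resp.Body).Decode(&sts); err != nil || sts.Code != "Success" {
		return Credentials{}, fmt.Errorf("metadata service: bad response (code %q, err %v)", sts.Code, err)
	}
	exp, err := time.Parse(time.RFC3339, sts.Expiration)
	if err != nil {
		return Credentials{}, fmt.Errorf("bad Expiration %q: %w", sts.Expiration, err)
	}
	return Credentials{AccessKeyID: sts.AccessKeyId, AccessKeySecret: sts.AccessKeySecret,
		SecurityToken: sts.SecurityToken, Expiration: exp}, nil
}

// NeedsRefresh reports whether STS credentials must be re-fetched: they are temporary, so
// renew them `margin` ahead of Expiration. A long-lived pair (zero Expiration) never refreshes.
func (c Credentials) NeedsRefresh(now time.Time, margin time.Duration) bool {
	return !c.Expiration.IsZero() && !now.Add(margin).Before(c.Expiration)
}

// FakeMetadataServer is a constructed stand-in for the metadata service so the example
// runs outside ECS; it answers only for the one bound role and 404s for any other.
func FakeMetadataServer(roleName string, exp time.Time) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/latest/meta-data/ram/security-credentials/"+roleName {
			http.NotFound(w, r)
			return
		}
		_ = json.NewEncoder(w).Encode(stsResponse{Code: "Success", AccessKeyId: "STS.constructed",
			AccessKeySecret: "constructed-secret", SecurityToken: "constructed-token",
			Expiration: exp.UTC().Format(time.RFC3339)})
	}))
}

func main() {
	srv := FakeMetadataServer("mse-nacos-readonly", time.Now().Add(time.Hour)) // constructed role name
	defer srv.Close()
	creds, err := FromECSRole(srv.Client(), srv.URL, "mse-nacos-readonly")
	if err != nil {
		panic(err)
	}
	fmt.Println("role mode: key id", creds.AccessKeyID, "(secret and token not printed), expires", creds.Expiration.UTC())
	fmt.Println("refresh 4 min before expiry with a 5 min margin:", creds.NeedsRefresh(creds.Expiration.Add(-4*time.Minute), 5*time.Minute))
	if _, err := FromEnv(os.LookupEnv); err != nil { // AccessKey mode fails fast when unset
		fmt.Println("AccessKey pair mode not configured:", err)
	}
}
```

On a real ECS instance you would call FromECSRole with http.DefaultClient and the base http://100.100.100.200; the role-mode error path shows what a misbinding looks like (HTTP 404 for a role name that is not attached to the instance), and the refresh check is why a client in role mode must renew rather than cache the credentials forever.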