Nacos registries of Microservices Engine (MSE) allow you to configure access permissions based on instances, namespaces, groups, or service names. This prevents malicious users from obtaining or modifying information about an instance. This topic describes how to configure fine-grained authentication for Nacos registries of MSE.
Prerequisites
MSE is activated. For more information, see Activate MSE.
A Nacos instance is created. For more information, see Create a Nacos engine.
Authentication is enabled. For more information, see the "Enable authentication" section in Access authentication by the Nacos client.
A RAM user or a RAM role is created. For more information, see Create a RAM user or Create a RAM role.
Usage notes
This topic describes how to grant and configure access permissions on the direct connection of the engine shown in the following figure. After the permissions are granted, you can use the Nacos client to access the MSE Nacos instance as a RAM user.
To configure and use access authentication for engine control, you need to grant the RAM user the permissions to use the MSE console. For more information, see Grant permissions on Microservices Registry resources.
Step 1: Create a fine-grained policy
Log on to the RAM console with an Alibaba Cloud account.
In the left-side navigation pane, choose .
On the Policies page, click Create Policy.
On the Create Policy page, click the JSON tab.
Configure the policy and click Next to edit policy information.
The following table describes the actions that are involved in fine-grained authentication in registries.
Action
Description
mse:QueryNacosNaming
The read permissions on services of an MSE Nacos registry. These permissions allow you to obtain and monitor services by using SDKs.
mse:UpdateNacosNaming
The update permission on services of an MSE Nacos registry. This permission allows you to release and modify services by using SDKs.
The resources that are involved in fine-grained authentication in a registry must be specified in the following format:
acs:mse:*:*:instance/{instance_id}/{namespaceId}/{group}/naming/{serviceName}
You can also modify the policy document based on the description provided in Examples.
For more information about the syntax and structure of RAM policies, see Policy structure and syntax.
Specify the Name and Description fields.
Check and optimize the document of the custom policy.
Basic optimization
The system automatically optimizes the policy statement. The system performs the following operations during basic optimization:
Deletes unnecessary conditions.
Deletes unnecessary arrays.
Optional: Advanced optimization
You can move the pointer over Optional advanced optimize and click Perform. The system performs the following operations during the advanced optimization:
Splits resources or conditions that are incompatible with actions.
Narrows down resources.
Deduplicates or merges policy statements.
Click OK.
Step 2: Grant permissions to a RAM user or a RAM role
Grant permissions to a RAM user
Log on to the RAM console with an Alibaba Cloud account.
In the left-side navigation pane, choose .
On the Users page, find the required RAM user, and click Add Permissions in the Actions column.
In the Select Policy section of the Add Permissions panel, click the Custom Policy tab. Enter the name of the policy that you created in Step 1, click the name of the policy, and then click OK.
In the Add Permissions panel, confirm the authorization information and click Complete.
Grant permissions to a RAM role
Log on to the RAM console with an Alibaba Cloud account.
- In the left-side navigation pane, choose .
- On the Roles page, find the RAM role to which you want to grant permissions and click Add Permissions in the Actions column.
In the Select Policy section of the Add Permissions panel, click the Custom Policy tab. Enter the name of the policy that you created in Step 1, click the name of the policy, and then click OK.
In the Add Permissions panel, confirm the authorization information and click Complete.
Examples
Grant a user the read-only permissions on services of specific instances.
{ "Version": "1", "Statement": [ { "Action": [ "mse:QueryNacosNaming" ], "Resource": [ "acs:mse:*:*:instance/${instanceId1}", "acs:mse:*:*:instance/${instanceId2}" ], "Effect": "Allow" } ] }
Grant a user the permissions to read and modify services of specific instances.
{ "Version": "1", "Statement": [ { "Action": [ "mse:QueryNacosNaming", "mse:UpdateNacosNaming" ], "Resource": [ "acs:mse:*:*:instance/${instanceId1}", "acs:mse:*:*:instance/${instanceId2}" ], "Effect": "Allow" } ] }
Grant a user the read-only permissions on services in a specific namespace of an instance.
{ "Statement": [ { "Effect": "Allow", "Action": "mse:QueryNacosNaming", "Resource": "acs:mse:*:*:instance/${instance_id}/${namespaceId}" } ], "Version": "1" }
Grant a user the permissions to read and modify services of the ${group} group in a specific namespace of an instance.
{ "Statement": [ { "Effect": "Allow", "Action": [ "mse:QueryNacosNaming", "mse:UpdateNacosNaming" ], "Resource": "acs:mse:*:*:instance/${instance_id}/${namespaceId}/${group}" } ], "Version": "1" }
Grant a user the read-only permissions on the ${serviceName} service of the ${group} group.
{ "Statement": [ { "Effect": "Allow", "Action": "mse:QueryNacosNaming", "Resource": "acs:mse:*:*:instance/${instance_id}/${namespaceId}/${group}/naming/${serviceName}" } ], "Version": "1" }
Grant a user the permissions to read and modify the ${serviceName} service of the ${group} group.
{ "Statement": [ { "Effect": "Allow", "Action": [ "mse:QueryNacosNaming", "mse:UpdateNacosNaming" ], "Resource": "acs:mse:*:*:instance/${instance_id}/${namespaceId}/${group}/naming/${serviceName}" } ], "Version": "1" }