Enable authentication for a Nacos instance to implement access control - Microservices Engine

You can enable the authentication feature for Nacos instances on Microservices Engine (MSE). The authentication feature helps prevent malicious users from obtaining or modifying information about an MSE Nacos instance. This topic describes how to configure access authentication for Nacos instances in the MSE console and how to use the Nacos client to perform authorized access to Nacos instances.

Prerequisites

MSE is activated. For more information, see Activate MSE.
A Nacos engine is created. For more information, see Create a Nacos engine.

Access methods

This topic describes how to configure access authentication if you use the direct connection of the engine. After the authorization is successful, you can use the Nacos client to access the MSE Nacos instance as a RAM user or by using a RAM role. The following access methods are supported:

Direct connection of the engine: You can use an SDK or a client to directly access the Nacos engine. This access method is suitable for scenarios in which an application attempts to access the Nacos engine.
Console-based connection of the engine: You can manage, view, and perform O&M on the Nacos engine in the MSE console. This access method is suitable for all users who want to use the Nacos engine. For more information about how to authorize a RAM user to use the MSE console, see Grant permissions on Microservices Registry resources.

Enable authentication

Important

For a newly created Nacos engine, authentication is not enabled by default. In this case, the Nacos engine responds to all requests.
The logon feature of the open source Nacos console is used only to record information about users, and is unable to authenticate or intercept requests. You can enable the authentication feature by following the instructions in this topic. After you enable the authentication feature for a Nacos instance, you cannot access the instance in the open source Nacos console. You must access the instance in the MSE console.

Log on to the MSE console and select a region in the top navigation bar.
In the left-side navigation pane, choose Microservices Registry > Instances.
On the Instances page, click the name of the instance.
In the left-side navigation pane of the Basic Information page, click Parameter Settings. On the page that appears, click Edit.

Set the ConfigAuthEnabled or NamingAuthEnabled parameter to Yes, and click Save and Restart Instance.

Important

Before you enable the authentication feature for a configuration center or registry, you need to configure an AccessKey pair on the Nacos client. Otherwise, you cannot obtain configurations or services.
The two parameters are independent of each other.

Parameter	Description
ConfigAuthEnabled	Specifies whether to enable the authentication feature for a configuration center. This parameter is supported by MSE Nacos instances in version 1.2.1 or later of the Basic Edition and all versions of the Professional Edition and Developer Edition.
NamingAuthEnabled	Specifies whether to enable the authentication feature for a registry. This parameter is supported by MSE Nacos instances in version 2.0.4 or later of the Professional Edition or Developer Edition.

Configure authentication for a RAM user

(Optional) Step 1: Create a RAM user

Perform this step if you do not have a RAM user or need to create a RAM user. For more information, see Create a RAM user.

Step 2: Grant permissions to a RAM user

Grant permissions to an existing RAM user or the RAM user that you created in Step 1, and attach one of the following system policies to the RAM user. In this step, a coarse-grained authorization operation is performed to grant the RAM user read permissions and write permissions or read-only permissions on the configurations and services of all MSE Nacos instances. For more information about authorization, see Grant permissions to a RAM user.

Policy	Description
AliyunMSEFullAccess	The permissions that are required to manage MSE. You can use a RAM user to which this policy is attached to manage all features the same way you use an Alibaba Cloud account to manage all features.
AliyunMSEReadOnlyAccess	The read-only permissions on the resources of MSE. A RAM user to which this policy is attached can only read all MSE resources of the Alibaba Cloud account.

Note

You can attach a maximum of five policies at a time. If you want to attach more than five policies, repeat the step multiple times.

Step 3: Configure authentication for the Nacos client (SDK)

An AccessKey pair consists of an AccessKey ID and an AccessKey secret. After you enable the authentication feature for an MSE Nacos instance, you must specify the AccessKey ID and AccessKey secret of a RAM user if you want to access the Nacos instance as the RAM user by using the Nacos client. If you do not specify the AccessKey ID and AccessKey secret of a RAM user for the Nacos client, you cannot access the Nacos instance as the RAM user. For more information about how to obtain an AccessKey pair, see Create an AccessKey pair.

Nacos client (SDK for Java)

If you use an SDK for Java for the Nacos client, add the following configuration to the code of your application:

properties.put(PropertyKeyConst.SERVER_ADDR, "${Endpoint of the MSE Nacos instance}");
properties.put(PropertyKeyConst.ACCESS_KEY, "${accessKey}");
properties.put(PropertyKeyConst.SECRET_KEY, "${secretKey}");
NamingService naming = NamingFactory.createNamingService(properties);
ConfigService configService = ConfigFactory.createConfigService(properties);

Spring Cloud Alibaba framework

If you use the Spring Cloud Alibaba framework, add the following configuration to the configuration file of your application:

## Nacos registry
spring.cloud.nacos.discovery.accessKey=${accessKey}
spring.cloud.nacos.discovery.secretKey=${secretKey}

## Nacos configuration center
spring.cloud.nacos.config.accessKey=${accessKey}
spring.cloud.nacos.config.secretKey=${secretKey}

Dubbo framework

If you use the Dubbo framework, add the following configuration to the registry URL in the configuration file of your Dubbo application:

dubbo.registry.address=nacos://${Endpoint of the MSE Nacos instance}:8848?accessKey=${accessKey}&secretKey=${secretKey}

Nacos client (SDK for Go)

If you use an SDK for Go for the Nacos client, add the following configuration to the code of your application:

cc := constant.ClientConfig{
    AccessKey:   "${accessKey}",
    SecretKey:   "${secretKey}"
}

serverConfigs := []constant.ServerConfig{
    {
        IpAddr:      "${Endpoint of the MSE Nacos instance}",
        Port:        8848
    }
}

namingClient, err := clients.NewNamingClient(
    vo.NacosClientParam{
        ClientConfig:  &clientConfig,
        ServerConfigs: serverConfigs,
    },
)

configClient, err := clients.NewConfigClient(
    vo.NacosClientParam{
        ClientConfig:  &clientConfig,
        ServerConfigs: serverConfigs,
    },
)

Configure authentication for a RAM role

You can associate a RAM role with an Elastic Compute Service (ECS) instance or Container Service for Kubernetes (ACK) cluster and notify the Nacos client of the RAM role name. This way, your application can access the MSE Nacos instance without requiring you to specify the AccessKey pair. You can configure RAM roles and policies for instances to control the granularity or the scope of access permissions of the RAM roles. For more information, see Overview, Authorization overview, and RAM role overview.

Note

To use a RAM role for access authentication, you must deploy your application on an ECS instance or in an ACK cluster and make sure that the network type of the ECS instance or ACK cluster is virtual private cloud (VPC). For more information, see What is ECS, What is ACK?, and What is a VPC?

Use the RAM role of an ECS instance to access the MSE Nacos instance

Step 1: Create a RAM role and attach policies to the RAM role

Optional. Create a RAM role whose trusted entity is an Alibaba Cloud service. For more information, see Create a normal service role.

Grant permissions to an existing RAM role or the RAM role that you created, and attach one of the following system policies to the RAM role. In this step, a coarse-grained authorization operation is performed to grant the RAM role read permissions and write permissions or read-only permissions on the configurations and services of all MSE Nacos instances. For more information about authorization, see Grant permissions to a RAM role.

Policy	Description
AliyunMSEFullAccess	The permissions that are required to manage MSE. You can use a RAM role to which this policy is attached to manage all features the same way you use an Alibaba Cloud account to manage all features.
AliyunMSEReadOnlyAccess	The read-only permissions on the resources of MSE. A RAM role to which this policy is attached can only read all MSE resources of the Alibaba Cloud account.

Note

You can attach a maximum of five policies at a time. If you want to attach more than five policies, repeat the step multiple times.

Step 2: Attach the RAM role to the ECS instance

Log on to the ECS console.
In the left-side navigation pane, choose Instances & Images > Instances.
In the top navigation bar, select the region and resource group to which the resource belongs.
Find the ECS instance that you want to manage and choose > Instance Settings > Attach/Detach RAM Role in the Actions column.
In the Attach/Detach RAM Role dialog box, select the instance RAM role that you created from the RAM Role drop-down list and click Confirm.

Step 3: Configure authentication on the client (SDK)

Nacos client (SDK for Java)

If you use an SDK for Java for the Nacos client, add the following configuration to the code of your application.

Note

To use a RAM role for authentication, you need to upgrade the client to the required version. For more information, see Support for service authentication and encryption and decryption by the Nacos client.

properties.put(PropertyKeyConst.SERVER_ADDR, "${Endpoint of the MSE Nacos instance}");
properties.put(PropertyKeyConst.RAM_ROLE_NAME, "${roleName}");
// Nacos registry
NamingService naming = NamingFactory.createNamingService(properties);
// Nacos configuration center
ConfigService configService = ConfigFactory.createConfigService(properties);

Spring Cloud Alibaba framework

If you use the Spring Cloud Alibaba framework, add the following configuration to the configuration file of your application:

Note

You need to upgrade the Spring Cloud Alibaba framework to 2.2.9.RELEASE or later.

## Nacos registry
spring.cloud.nacos.discovery.ramRoleName=${roleName}

## Nacos configuration center
spring.cloud.nacos.config.ramRoleName=${roleName}

Dubbo framework

If you use the Dubbo framework, add the following configuration to the registry URL in the configuration file of your Dubbo application:

dubbo.registry.address=nacos://${Endpoint of the MSE Nacos instance}:8848?ramRoleName=${roleName}

Use the RAM role of an ACK cluster to access the MSE Nacos instance

Step 1: Grant permissions to the worker RAM role in the ACK cluster

Create a custom policy that contains the following content. For more information, see Step 1: Create a custom policy.

Grant the worker RAM role the management permissions on MSE.

{
    "Action": "mse:*",
    "Resource": "*",
    "Effect": "Allow"
},
{
    "Action": "ram:CreateServiceLinkedRole",
    "Resource": "*",
    "Effect": "Allow",
    "Condition": {
        "StringEquals": {
            "ram:ServiceName": "mse.aliyuncs.com"
        }
    }
}

Grant the worker RAM role the read-only permissions on MSE.

{
    "Action": [
        "mse:Query*",
        "mse:List*",
        "mse:Get*"
    ],
    "Resource": "*",
    "Effect": "Allow"
},
{
    "Action": "ram:CreateServiceLinkedRole",
    "Resource": "*",
    "Effect": "Allow",
    "Condition": {
        "StringEquals": {
            "ram:ServiceName": "mse.aliyuncs.com"
        }
    }
}

Note

If you want to grant fine-grained permissions to the worker RAM role, you need to create a custom policy. For more information, see Fine-grained authorization in registries and Fine-grained authorization in configuration centers.

Attach the custom policy to the worker RAM role. For more information, see Step 2: Attach the custom policy to the worker RAM role.

Step 2: Configure authentication on the client (SDK)

Nacos client (SDK for Java)

If you use an SDK for Java for the Nacos client, add the following configuration to the code of your application.

Note

properties.put(PropertyKeyConst.SERVER_ADDR, "${Endpoint of the MSE Nacos instance}");
properties.put(PropertyKeyConst.RAM_ROLE_NAME, "${roleName}");
// Nacos registry
NamingService naming = NamingFactory.createNamingService(properties);
// Nacos configuration center
ConfigService configService = ConfigFactory.createConfigService(properties);

Spring Cloud Alibaba framework

If you use the Spring Cloud Alibaba framework, add the following configuration to the configuration file of your application:

Note

You need to upgrade the Spring Cloud Alibaba framework to 2.2.9.RELEASE or later.

## Nacos registry
spring.cloud.nacos.discovery.ramRoleName=${roleName}

## Nacos configuration center
spring.cloud.nacos.config.ramRoleName=${roleName}

Dubbo framework

If you use the Dubbo framework, add the following configuration to the registry URL in the configuration file of your Dubbo application:

dubbo.registry.address=nacos://${Endpoint of the MSE Nacos instance}:8848?ramRoleName=${roleName}

References

For more information about fine-grained authorization, see Fine-grained authentication in registries and Fine-grained authentication in configuration centers.
For more information about how to grant permissions in the MSE console, see Grant permissions on Microservices Registry resources.