optimize: optimize Raft SSL configuration items

changes/en-us/2.x.md

@@ -9,6 +9,7 @@ Add changes here for all PR submitted to the 2.x branch.
 - [[#6864](https://github.com/apache/incubator-seata/pull/6864)] support shentong database
 - [[#6974](https://github.com/apache/incubator-seata/pull/6974)] support fastjson2 undolog parser
 - [[#6992](https://github.com/apache/incubator-seata/pull/6992)] support grpc serializer
+- [[#6926](https://github.com/apache/incubator-seata/pull/6926)] support ssl communication for raft nodes
 
 
 ### bugfix:
@@ -53,6 +54,7 @@ Add changes here for all PR submitted to the 2.x branch.
 - [[#6996](https://github.com/apache/incubator-seata/pull/6996)] optimize lock release logic in AT transaction mode
 - [[#7023](https://github.com/apache/incubator-seata/pull/7023)] optimize fail fast, when all server not available
 - [[#7027](https://github.com/apache/incubator-seata/pull/7027)] raft mode maintains the reload logic consistent with the file
+- [[#6891](https://github.com/apache/incubator-seata/pull/6891)] add StateType Enum
 
 ### refactor:
 - [[#7017](https://github.com/apache/incubator-seata/pull/7017)] remove dependency on seata-server module
@@ -83,7 +85,8 @@ Thanks to these contributors for their code commits. Please report an unintended
 - [whaon](https://github.com/whaon)
 - [YvCeung](https://github.com/YvCeung)
 - [jsbxyyx](https://github.com/jsbxyyx)
-
+- [Muluo-cyan](https://github.com/Muluo-cyan)
+- [MaoMaoandSnail](https://github.com/MaoMaoandSnail)
 
 
 Also, we receive many valuable issues, questions and advices from our community. Thanks for you all.

changes/zh-cn/2.x.md

@@ -10,6 +10,7 @@
 - [[#6974](https://github.com/apache/incubator-seata/pull/6974)] 支持UndoLog的fastjson2序列化方式
 - [[#6992](https://github.com/apache/incubator-seata/pull/6992)] 支持grpc序列化器
 - [[#6995](https://github.com/apache/incubator-seata/pull/6995)] 升级过时的 npmjs 依赖
+- [[#6926](https://github.com/apache/incubator-seata/pull/6926)] 支持Raft节点间的SSL通信
 
 ### bugfix:
 - [[#6899](https://github.com/apache/incubator-seata/pull/6899)] 修复file.conf打包后的读取
@@ -56,6 +57,7 @@
 - [[#6996](https://github.com/apache/incubator-seata/pull/6996)] 优化 AT 事务模式锁释放逻辑
 - [[#7023](https://github.com/apache/incubator-seata/pull/7023)] 优化快速失败
 - [[#7027](https://github.com/apache/incubator-seata/pull/7027)] raft模式下reload行为与file保持一致
+- [[#6891](https://github.com/apache/incubator-seata/pull/6891)] 增加 StateType 类型
 
 ### refactor:
 - [[#7017](https://github.com/apache/incubator-seata/pull/7017)] 移除 seata-server 模块的依赖
@@ -88,6 +90,8 @@
 - [whaon](https://github.com/whaon)
 - [YvCeung](https://github.com/YvCeung)
 - [jsbxyyx](https://github.com/jsbxyyx)
+- [Muluo-cyan](https://github.com/Muluo-cyan)
+- [MaoMaoandSnail](https://github.com/MaoMaoandSnail)
 
 
 同时，我们收到了社区反馈的很多有价值的issue和建议，非常感谢大家。

common/src/main/java/org/apache/seata/common/ConfigurationKeys.java

@@ -947,12 +947,12 @@ public interface ConfigurationKeys {
     /**
      * The constant SERVER_RAFT_SSL_SERVER_KEYSTORE.
      */
-    String SERVER_RAFT_SSL_SERVER_KEYSTORE = SERVER_RAFT_SSL_SERVER + "keystore";
+    String SERVER_RAFT_SSL_SERVER_KEYSTORE_PATH = SERVER_RAFT_SSL_SERVER + "keystore.path";
 
     /**
      * The constant SERVER_RAFT_SSL_CLIENT_KEYSTORE.
      */
-    String SERVER_RAFT_SSL_CLIENT_KEYSTORE = SERVER_RAFT_SSL_CLIENT + "keystore";
+    String SERVER_RAFT_SSL_CLIENT_KEYSTORE_PATH = SERVER_RAFT_SSL_CLIENT + "keystore.path";
 
     /**
      * The constant SERVER_RAFT_SSL_SERVER_KEYSTORE_PASSWORD.

common/src/main/java/org/apache/seata/common/DefaultValues.java

@@ -496,4 +496,9 @@ public interface DefaultValues {
      * The constant DEFAULT_ROCKET_MQ_MSG_TIMEOUT.
      */
     int DEFAULT_ROCKET_MQ_MSG_TIMEOUT = 60 * 1000;
+
+    /**
+     * The constant DEFAULT_RAFT_SSL_ENABLED.
+     */
+    boolean DEFAULT_RAFT_SSL_ENABLED = false;
 }

mock-server/pom.xml

@@ -155,19 +155,14 @@
         </dependency>
         <dependency>
             <groupId>${project.groupId}</groupId>
-            <artifactId>seata-discovery-all</artifactId>
+            <artifactId>seata-discovery-core</artifactId>
             <version>${project.version}</version>
         </dependency>
         <dependency>
             <groupId>${project.groupId}</groupId>
             <artifactId>seata-serializer-all</artifactId>
             <version>${project.version}</version>
         </dependency>
-        <dependency>
-            <groupId>${project.groupId}</groupId>
-            <artifactId>seata-compressor-all</artifactId>
-            <version>${project.version}</version>
-        </dependency>
     </dependencies>
 
 

server/src/main/java/org/apache/seata/server/cluster/raft/RaftServer.java

@@ -21,29 +21,31 @@
 import java.io.IOException;
 import java.util.Optional;
 import java.util.concurrent.TimeUnit;
+
 import com.alipay.sofa.jraft.Node;
 import com.alipay.sofa.jraft.RaftGroupService;
 import com.alipay.sofa.jraft.RouteTable;
 import com.alipay.sofa.jraft.entity.PeerId;
 import com.alipay.sofa.jraft.option.NodeOptions;
 import com.alipay.sofa.jraft.rpc.RpcServer;
 import com.codahale.metrics.Slf4jReporter;
+import org.apache.commons.io.FileUtils;
 import org.apache.seata.config.Configuration;
 import org.apache.seata.config.ConfigurationFactory;
 import org.apache.seata.core.rpc.Disposable;
-import org.apache.commons.io.FileUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import static org.apache.seata.common.ConfigurationKeys.SERVER_RAFT_REPORTER_ENABLED;
 import static org.apache.seata.common.ConfigurationKeys.SERVER_RAFT_REPORTER_INITIAL_DELAY;
-import static org.apache.seata.common.ConfigurationKeys.SERVER_RAFT_SSL_CLIENT_KEYSTORE;
 import static org.apache.seata.common.ConfigurationKeys.SERVER_RAFT_SSL_CLIENT_KEYSTORE_PASSWORD;
+import static org.apache.seata.common.ConfigurationKeys.SERVER_RAFT_SSL_CLIENT_KEYSTORE_PATH;
 import static org.apache.seata.common.ConfigurationKeys.SERVER_RAFT_SSL_ENABLED;
 import static org.apache.seata.common.ConfigurationKeys.SERVER_RAFT_SSL_KEYSTORE_TYPE;
 import static org.apache.seata.common.ConfigurationKeys.SERVER_RAFT_SSL_KMF_ALGORITHM;
-import static org.apache.seata.common.ConfigurationKeys.SERVER_RAFT_SSL_SERVER_KEYSTORE;
 import static org.apache.seata.common.ConfigurationKeys.SERVER_RAFT_SSL_SERVER_KEYSTORE_PASSWORD;
+import static org.apache.seata.common.ConfigurationKeys.SERVER_RAFT_SSL_SERVER_KEYSTORE_PATH;
+import static org.apache.seata.common.DefaultValues.DEFAULT_RAFT_SSL_ENABLED;
 
 /**
  */
@@ -89,7 +91,7 @@ public void start() throws IOException {
         this.node = this.raftGroupService.start(false);
         RouteTable.getInstance().updateConfiguration(groupId, node.getOptions().getInitialConf());
         // Enable SSL authentication for the Raft group if SSL is enabled.
-        boolean sslEnabled = ConfigurationFactory.getInstance().getBoolean(SERVER_RAFT_SSL_ENABLED, false);
+        boolean sslEnabled = ConfigurationFactory.getInstance().getBoolean(SERVER_RAFT_SSL_ENABLED, DEFAULT_RAFT_SSL_ENABLED);
         if (sslEnabled) {
             enableSSL();
         }
@@ -133,21 +135,30 @@ public void destroy() {
     }
 
     private void enableSSL() {
-        System.setProperty("bolt.server.ssl.enable", "true");
-        System.setProperty("bolt.server.ssl.clientAuth", "true");
-        System.setProperty("bolt.client.ssl.enable", "true");
+        setSystemProperty("bolt.server.ssl.enable", "true");
+        setSystemProperty("bolt.server.ssl.clientAuth", "true");
+        setSystemProperty("bolt.client.ssl.enable", "true");
 
         Configuration instance = ConfigurationFactory.getInstance();
-        System.setProperty("bolt.server.ssl.keystore", instance.getConfig(SERVER_RAFT_SSL_SERVER_KEYSTORE));
-        System.setProperty("bolt.server.ssl.keystore.password", instance.getConfig(SERVER_RAFT_SSL_SERVER_KEYSTORE_PASSWORD));
-        System.setProperty("bolt.server.ssl.keystore.type", instance.getConfig(SERVER_RAFT_SSL_KEYSTORE_TYPE));
-        System.setProperty("bolt.server.ssl.kmf.algorithm", instance.getConfig(SERVER_RAFT_SSL_KMF_ALGORITHM));
-        System.setProperty("bolt.client.ssl.keystore", instance.getConfig(SERVER_RAFT_SSL_CLIENT_KEYSTORE));
-        System.setProperty("bolt.client.ssl.keystore.password", instance.getConfig(SERVER_RAFT_SSL_CLIENT_KEYSTORE_PASSWORD));
-        System.setProperty("bolt.client.ssl.keystore.type", instance.getConfig(SERVER_RAFT_SSL_KEYSTORE_TYPE));
-        System.setProperty("bolt.client.ssl.tmf.algorithm", instance.getConfig(SERVER_RAFT_SSL_KMF_ALGORITHM));
+        setSystemProperty("bolt.server.ssl.keystore", instance.getConfig(SERVER_RAFT_SSL_SERVER_KEYSTORE_PATH));
+        setSystemProperty("bolt.server.ssl.keystore.password",
+            instance.getConfig(SERVER_RAFT_SSL_SERVER_KEYSTORE_PASSWORD));
+        setSystemProperty("bolt.server.ssl.keystore.type", instance.getConfig(SERVER_RAFT_SSL_KEYSTORE_TYPE));
+        setSystemProperty("bolt.server.ssl.kmf.algorithm", instance.getConfig(SERVER_RAFT_SSL_KMF_ALGORITHM));
+        setSystemProperty("bolt.client.ssl.keystore", instance.getConfig(SERVER_RAFT_SSL_CLIENT_KEYSTORE_PATH));
+        setSystemProperty("bolt.client.ssl.keystore.password",
+            instance.getConfig(SERVER_RAFT_SSL_CLIENT_KEYSTORE_PASSWORD));
+        setSystemProperty("bolt.client.ssl.keystore.type", instance.getConfig(SERVER_RAFT_SSL_KEYSTORE_TYPE));
+        setSystemProperty("bolt.client.ssl.tmf.algorithm", instance.getConfig(SERVER_RAFT_SSL_KMF_ALGORITHM));
 
         logger.info("Enable ssl communication between raft nodes");
     }
 
+    private void setSystemProperty(String property, String value) {
+        if (value == null || value.isEmpty()) {
+            throw new IllegalArgumentException("Configuration value for " + property + " cannot be null or empty");
+        }
+        System.setProperty(property, value);
+    }
+
 }

server/src/main/resources/application.raft.example.yml

@@ -91,6 +91,23 @@ seata:
       serialization: jackson
       compressor: none
       sync: true # sync log&snapshot to disk
+      # raft nodes ssl config
+      ssl:
+        enabled: false
+        client:
+          keystore:
+            path: ssl/cbolt.pfx
+            password: seata
+            type: pkcs12
+        server:
+          keystore:
+            path: ssl/bolt.pfx
+            password: seata
+            type: pkcs12
+        kmf:
+          algorithm: SunX509
+        tmf:
+          algorithm: SunX509
     service-port: 8091 #If not configured, the default is '${server.port} + 1000'
     max-commit-retry-timeout: -1
     max-rollback-retry-timeout: -1