From 64765dce1e60f87610ecdc78c34b73d70ed92dbc Mon Sep 17 00:00:00 2001 From: slievrly Date: Fri, 29 Nov 2024 10:59:21 +0800 Subject: [PATCH] optimize: optimize Raft SSL configuration items --- changes/en-us/2.x.md | 5 ++- changes/zh-cn/2.x.md | 4 ++ .../seata/common/ConfigurationKeys.java | 4 +- .../apache/seata/common/DefaultValues.java | 5 +++ mock-server/pom.xml | 7 +--- .../seata/server/cluster/raft/RaftServer.java | 41 ++++++++++++------- .../resources/application.raft.example.yml | 17 ++++++++ 7 files changed, 59 insertions(+), 24 deletions(-) diff --git a/changes/en-us/2.x.md b/changes/en-us/2.x.md index dcfe966e122..51b2b1e17ec 100644 --- a/changes/en-us/2.x.md +++ b/changes/en-us/2.x.md @@ -9,6 +9,7 @@ Add changes here for all PR submitted to the 2.x branch. - [[#6864](https://github.com/apache/incubator-seata/pull/6864)] support shentong database - [[#6974](https://github.com/apache/incubator-seata/pull/6974)] support fastjson2 undolog parser - [[#6992](https://github.com/apache/incubator-seata/pull/6992)] support grpc serializer +- [[#6926](https://github.com/apache/incubator-seata/pull/6926)] support ssl communication for raft nodes ### bugfix: @@ -53,6 +54,7 @@ Add changes here for all PR submitted to the 2.x branch. - [[#6996](https://github.com/apache/incubator-seata/pull/6996)] optimize lock release logic in AT transaction mode - [[#7023](https://github.com/apache/incubator-seata/pull/7023)] optimize fail fast, when all server not available - [[#7027](https://github.com/apache/incubator-seata/pull/7027)] raft mode maintains the reload logic consistent with the file +- [[#6891](https://github.com/apache/incubator-seata/pull/6891)] add StateType Enum ### refactor: - [[#7017](https://github.com/apache/incubator-seata/pull/7017)] remove dependency on seata-server module 
@@ -83,7 +85,8 @@ Thanks to these contributors for their code commits. Please report an unintended - [whaon](https://github.com/whaon) - [YvCeung](https://github.com/YvCeung) - [jsbxyyx](https://github.com/jsbxyyx) - +- [Muluo-cyan](https://github.com/Muluo-cyan) +- [MaoMaoandSnail](https://github.com/MaoMaoandSnail) Also, we receive many valuable issues, questions and advices from our community. Thanks for you all. diff --git a/changes/zh-cn/2.x.md b/changes/zh-cn/2.x.md index 32ff3cc5941..c880eeb998d 100644 --- a/changes/zh-cn/2.x.md +++ b/changes/zh-cn/2.x.md @@ -10,6 +10,7 @@ - [[#6974](https://github.com/apache/incubator-seata/pull/6974)] 支持UndoLog的fastjson2序列化方式 - [[#6992](https://github.com/apache/incubator-seata/pull/6992)] 支持grpc序列化器 - [[#6995](https://github.com/apache/incubator-seata/pull/6995)] 升级过时的 npmjs 依赖 +- [[#6926](https://github.com/apache/incubator-seata/pull/6926)] 支持Raft节点间的SSL通信 ### bugfix: - [[#6899](https://github.com/apache/incubator-seata/pull/6899)] 修复file.conf打包后的读取 @@ -56,6 +57,7 @@ - [[#6996](https://github.com/apache/incubator-seata/pull/6996)] 优化 AT 事务模式锁释放逻辑 - [[#7023](https://github.com/apache/incubator-seata/pull/7023)] 优化快速失败 - [[#7027](https://github.com/apache/incubator-seata/pull/7027)] raft模式下reload行为与file保持一致 +- [[#6891](https://github.com/apache/incubator-seata/pull/6891)] 增加 StateType 类型 ### refactor: - [[#7017](https://github.com/apache/incubator-seata/pull/7017)] 移除 seata-server 模块的依赖 @@ -88,6 +90,8 @@ - [whaon](https://github.com/whaon) - [YvCeung](https://github.com/YvCeung) - [jsbxyyx](https://github.com/jsbxyyx) +- [Muluo-cyan](https://github.com/Muluo-cyan) +- [MaoMaoandSnail](https://github.com/MaoMaoandSnail) 同时,我们收到了社区反馈的很多有价值的issue和建议,非常感谢大家。 diff --git a/common/src/main/java/org/apache/seata/common/ConfigurationKeys.java b/common/src/main/java/org/apache/seata/common/ConfigurationKeys.java index 7d73373fee1..840e0298004 100644 --- a/common/src/main/java/org/apache/seata/common/ConfigurationKeys.java 
+++ b/common/src/main/java/org/apache/seata/common/ConfigurationKeys.java @@ -947,12 +947,12 @@ public interface ConfigurationKeys { /** * The constant SERVER_RAFT_SSL_SERVER_KEYSTORE. */ - String SERVER_RAFT_SSL_SERVER_KEYSTORE = SERVER_RAFT_SSL_SERVER + "keystore"; + String SERVER_RAFT_SSL_SERVER_KEYSTORE_PATH = SERVER_RAFT_SSL_SERVER + "keystore.path"; /** * The constant SERVER_RAFT_SSL_CLIENT_KEYSTORE. */ - String SERVER_RAFT_SSL_CLIENT_KEYSTORE = SERVER_RAFT_SSL_CLIENT + "keystore"; + String SERVER_RAFT_SSL_CLIENT_KEYSTORE_PATH = SERVER_RAFT_SSL_CLIENT + "keystore.path"; /** * The constant SERVER_RAFT_SSL_SERVER_KEYSTORE_PASSWORD. diff --git a/common/src/main/java/org/apache/seata/common/DefaultValues.java b/common/src/main/java/org/apache/seata/common/DefaultValues.java index 68d06a76ff8..85ed496430d 100644 --- a/common/src/main/java/org/apache/seata/common/DefaultValues.java +++ b/common/src/main/java/org/apache/seata/common/DefaultValues.java @@ -496,4 +496,9 @@ public interface DefaultValues { * The constant DEFAULT_ROCKET_MQ_MSG_TIMEOUT. */ int DEFAULT_ROCKET_MQ_MSG_TIMEOUT = 60 * 1000; + + /** + * The constant DEFAULT_RAFT_SSL_ENABLED. + */ + boolean DEFAULT_RAFT_SSL_ENABLED = false; } diff --git a/mock-server/pom.xml b/mock-server/pom.xml index e74c5fc37a6..d23ba4e4f01 100644 --- a/mock-server/pom.xml +++ b/mock-server/pom.xml @@ -155,7 +155,7 @@ ${project.groupId} - seata-discovery-all + seata-discovery-core ${project.version} @@ -163,11 +163,6 @@ seata-serializer-all ${project.version} - - ${project.groupId} - seata-compressor-all - ${project.version} - diff --git a/server/src/main/java/org/apache/seata/server/cluster/raft/RaftServer.java b/server/src/main/java/org/apache/seata/server/cluster/raft/RaftServer.java index a81ee333dc9..ff3113e4298 100644 --- a/server/src/main/java/org/apache/seata/server/cluster/raft/RaftServer.java +++ b/server/src/main/java/org/apache/seata/server/cluster/raft/RaftServer.java 
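Review bot: The Javadoc on both renamed constants is now stale: it still reads `The constant SERVER_RAFT_SSL_SERVER_KEYSTORE.` and `The constant SERVER_RAFT_SSL_CLIENT_KEYSTORE.` while the fields became `SERVER_RAFT_SSL_SERVER_KEYSTORE_PATH` and `SERVER_RAFT_SSL_CLIENT_KEYSTORE_PATH`. Update them to `The constant SERVER_RAFT_SSL_SERVER_KEYSTORE_PATH (key suffix "keystore.path").` and `The constant SERVER_RAFT_SSL_CLIENT_KEYSTORE_PATH (key suffix "keystore.path").` so a reader can map the constant to the YAML key. Changing the resolved key from `keystore` to `keystore.path` also silently breaks any deployment that already set the old key; if the SSL feature from #6926 has reached a release, either read the old key as a fallback or call the rename out in the changelog.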
@@ -21,6 +21,7 @@ import java.io.IOException; import java.util.Optional; import java.util.concurrent.TimeUnit; + import com.alipay.sofa.jraft.Node; import com.alipay.sofa.jraft.RaftGroupService; import com.alipay.sofa.jraft.RouteTable; @@ -28,22 +29,23 @@ import com.alipay.sofa.jraft.option.NodeOptions; import com.alipay.sofa.jraft.rpc.RpcServer; import com.codahale.metrics.Slf4jReporter; +import org.apache.commons.io.FileUtils; import org.apache.seata.config.Configuration; import org.apache.seata.config.ConfigurationFactory; import org.apache.seata.core.rpc.Disposable; -import org.apache.commons.io.FileUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import static org.apache.seata.common.ConfigurationKeys.SERVER_RAFT_REPORTER_ENABLED; import static org.apache.seata.common.ConfigurationKeys.SERVER_RAFT_REPORTER_INITIAL_DELAY; -import static org.apache.seata.common.ConfigurationKeys.SERVER_RAFT_SSL_CLIENT_KEYSTORE; import static org.apache.seata.common.ConfigurationKeys.SERVER_RAFT_SSL_CLIENT_KEYSTORE_PASSWORD; +import static org.apache.seata.common.ConfigurationKeys.SERVER_RAFT_SSL_CLIENT_KEYSTORE_PATH; import static org.apache.seata.common.ConfigurationKeys.SERVER_RAFT_SSL_ENABLED; import static org.apache.seata.common.ConfigurationKeys.SERVER_RAFT_SSL_KEYSTORE_TYPE; import static org.apache.seata.common.ConfigurationKeys.SERVER_RAFT_SSL_KMF_ALGORITHM; -import static org.apache.seata.common.ConfigurationKeys.SERVER_RAFT_SSL_SERVER_KEYSTORE; import static org.apache.seata.common.ConfigurationKeys.SERVER_RAFT_SSL_SERVER_KEYSTORE_PASSWORD; +import static org.apache.seata.common.ConfigurationKeys.SERVER_RAFT_SSL_SERVER_KEYSTORE_PATH; +import static org.apache.seata.common.DefaultValues.DEFAULT_RAFT_SSL_ENABLED; /** */ 
@@ -89,7 +91,7 @@ public void start() throws IOException { this.node = this.raftGroupService.start(false); RouteTable.getInstance().updateConfiguration(groupId, node.getOptions().getInitialConf()); // Enable SSL authentication for the Raft group if SSL is enabled. - boolean sslEnabled = ConfigurationFactory.getInstance().getBoolean(SERVER_RAFT_SSL_ENABLED, false); + boolean sslEnabled = ConfigurationFactory.getInstance().getBoolean(SERVER_RAFT_SSL_ENABLED, DEFAULT_RAFT_SSL_ENABLED); if (sslEnabled) { enableSSL(); } 
@@ -133,21 +135,30 @@ public void destroy() { } private void enableSSL() { - System.setProperty("bolt.server.ssl.enable", "true"); - System.setProperty("bolt.server.ssl.clientAuth", "true"); - System.setProperty("bolt.client.ssl.enable", "true"); + setSystemProperty("bolt.server.ssl.enable", "true"); + setSystemProperty("bolt.server.ssl.clientAuth", "true"); + setSystemProperty("bolt.client.ssl.enable", "true"); Configuration instance = ConfigurationFactory.getInstance(); - System.setProperty("bolt.server.ssl.keystore", instance.getConfig(SERVER_RAFT_SSL_SERVER_KEYSTORE)); - System.setProperty("bolt.server.ssl.keystore.password", instance.getConfig(SERVER_RAFT_SSL_SERVER_KEYSTORE_PASSWORD)); - System.setProperty("bolt.server.ssl.keystore.type", instance.getConfig(SERVER_RAFT_SSL_KEYSTORE_TYPE)); - System.setProperty("bolt.server.ssl.kmf.algorithm", instance.getConfig(SERVER_RAFT_SSL_KMF_ALGORITHM)); - System.setProperty("bolt.client.ssl.keystore", instance.getConfig(SERVER_RAFT_SSL_CLIENT_KEYSTORE)); - System.setProperty("bolt.client.ssl.keystore.password", instance.getConfig(SERVER_RAFT_SSL_CLIENT_KEYSTORE_PASSWORD)); - System.setProperty("bolt.client.ssl.keystore.type", instance.getConfig(SERVER_RAFT_SSL_KEYSTORE_TYPE)); - System.setProperty("bolt.client.ssl.tmf.algorithm", instance.getConfig(SERVER_RAFT_SSL_KMF_ALGORITHM)); + setSystemProperty("bolt.server.ssl.keystore", instance.getConfig(SERVER_RAFT_SSL_SERVER_KEYSTORE_PATH)); + setSystemProperty("bolt.server.ssl.keystore.password", + instance.getConfig(SERVER_RAFT_SSL_SERVER_KEYSTORE_PASSWORD)); + setSystemProperty("bolt.server.ssl.keystore.type", instance.getConfig(SERVER_RAFT_SSL_KEYSTORE_TYPE)); + setSystemProperty("bolt.server.ssl.kmf.algorithm", instance.getConfig(SERVER_RAFT_SSL_KMF_ALGORITHM)); + setSystemProperty("bolt.client.ssl.keystore", instance.getConfig(SERVER_RAFT_SSL_CLIENT_KEYSTORE_PATH)); + setSystemProperty("bolt.client.ssl.keystore.password", + 
instance.getConfig(SERVER_RAFT_SSL_CLIENT_KEYSTORE_PASSWORD)); + setSystemProperty("bolt.client.ssl.keystore.type", instance.getConfig(SERVER_RAFT_SSL_KEYSTORE_TYPE)); + setSystemProperty("bolt.client.ssl.tmf.algorithm", instance.getConfig(SERVER_RAFT_SSL_KMF_ALGORITHM)); logger.info("Enable ssl communication between raft nodes"); } + private void setSystemProperty(String property, String value) { + if (value == null || value.isEmpty()) { + throw new IllegalArgumentException("Configuration value for " + property + " cannot be null or empty"); + } + System.setProperty(property, value); + } + } diff --git a/server/src/main/resources/application.raft.example.yml b/server/src/main/resources/application.raft.example.yml index 61c644749a5..241820a1d21 100644 --- a/server/src/main/resources/application.raft.example.yml +++ b/server/src/main/resources/application.raft.example.yml @@ -91,6 +91,23 @@ seata: serialization: jackson compressor: none sync: true # sync log&snapshot to disk + # raft nodes ssl config + ssl: + enabled: false + client: + keystore: + path: ssl/cbolt.pfx + password: seata + type: pkcs12 + server: + keystore: + path: ssl/bolt.pfx + password: seata + type: pkcs12 + kmf: + algorithm: SunX509 + tmf: + algorithm: SunX509 service-port: 8091 #If not configured, the default is '${server.port} + 1000' max-commit-retry-timeout: -1 max-rollback-retry-timeout: -1
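Review bot: The new `setSystemProperty` guard throws after `bolt.server.ssl.enable`, `bolt.server.ssl.clientAuth` and `bolt.client.ssl.enable` have already been set to `true`, so a missing keystore path or password leaves the JVM with SSL switched on in bolt's system properties but no keystore behind it, and the surrounding `start()` (see the earlier hunk) has already called `raftGroupService.start(false)` by the time the IllegalArgumentException propagates. Resolving every value up front and only then writing the properties keeps a bad configuration from leaving partial state; the rewrite below does that with an insertion-ordered map (it needs `java.util.Map`/`LinkedHashMap` imports not shown here). Separately, `bolt.client.ssl.tmf.algorithm` is populated from `SERVER_RAFT_SSL_KMF_ALGORITHM`, whereas the example YAML in this same patch introduces a distinct `tmf.algorithm` entry that nothing in this diff reads; either give the TMF algorithm its own configuration key or drop the YAML entry. Finally, the keystore passwords end up in `System` properties, which any code in the process can read and which JVM diagnostics dump; a short comment such as `// NOTE: bolt only reads these via System properties, so the keystore passwords are visible process-wide` would warn operators.
```java
private void enableSSL() {
    Configuration instance = ConfigurationFactory.getInstance();
    // Resolve and validate every value before touching System properties so a
    // missing setting fails without leaving bolt.*.ssl.enable=true behind.
    Map<String, String> props = new LinkedHashMap<>();
    props.put("bolt.server.ssl.enable", "true");
    props.put("bolt.server.ssl.clientAuth", "true");
    props.put("bolt.client.ssl.enable", "true");
    props.put("bolt.server.ssl.keystore", instance.getConfig(SERVER_RAFT_SSL_SERVER_KEYSTORE_PATH));
    props.put("bolt.server.ssl.keystore.password", instance.getConfig(SERVER_RAFT_SSL_SERVER_KEYSTORE_PASSWORD));
    props.put("bolt.server.ssl.keystore.type", instance.getConfig(SERVER_RAFT_SSL_KEYSTORE_TYPE));
    props.put("bolt.server.ssl.kmf.algorithm", instance.getConfig(SERVER_RAFT_SSL_KMF_ALGORITHM));
    props.put("bolt.client.ssl.keystore", instance.getConfig(SERVER_RAFT_SSL_CLIENT_KEYSTORE_PATH));
    props.put("bolt.client.ssl.keystore.password", instance.getConfig(SERVER_RAFT_SSL_CLIENT_KEYSTORE_PASSWORD));
    props.put("bolt.client.ssl.keystore.type", instance.getConfig(SERVER_RAFT_SSL_KEYSTORE_TYPE));
    props.put("bolt.client.ssl.tmf.algorithm", instance.getConfig(SERVER_RAFT_SSL_KMF_ALGORITHM));
    props.forEach((property, value) -> {
        if (value == null || value.isEmpty()) {
            throw new IllegalArgumentException("Configuration value for " + property + " cannot be null or empty");
        }
    });
    props.forEach(System::setProperty);
    logger.info("Enable ssl communication between raft nodes");
}
```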
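Review bot: The new `tmf: algorithm: SunX509` entry has no consumer in this patch: `RaftServer.enableSSL()` fills `bolt.client.ssl.tmf.algorithm` from `SERVER_RAFT_SSL_KMF_ALGORITHM`, so unless another class reads the key the value is silently ignored and the example misleads operators into thinking it is honoured. Either remove the entry or add a comment such as `# tmf.algorithm is currently not read; the KMF algorithm is used for both` until the server wires it up. The hunk also nests `type: pkcs12` under each `client.keystore`/`server.keystore`, while the code uses a single `SERVER_RAFT_SSL_KEYSTORE_TYPE` for both sides; its resolved key is not visible here, so please confirm those nested keys actually match it. The literal `password: seata` is acceptable for a disabled example, but a comment like `# supply keystore passwords via an environment variable or externalized secret, not a literal in this file` would stop it from being copied into real deployments.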