Skip to content

feature: support ssl communication for raft nodes #6926

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
slievrly merged 6 commits into from
Nov 28, 2024
Merged

feature: support ssl communication for raft nodes #6926

slievrly merged 6 commits into from
Nov 28, 2024
+82 −0

Conversation

@Muluo-cyan
Copy link
Contributor

@Muluo-cyan Muluo-cyan commented Oct 15, 2024
edited
Loading

  • I have registered the PR changes.

Ⅰ. Describe what this PR did

Raft集群节点之间的通信现在支持开启ssl
The communication between nodes in the Raft cluster now supports SSL.

Ⅱ. Does this pull request fix one issue?

Ⅲ. Why don't you add test cases (unit test/integration test)?

Ⅳ. Describe how to verify it

server的application.yml中添加如下配置开启ssl支持。
Add the following configuration to the application.yml file on the server to enable SSL support.
server:
raft:
ssl:
enabled: true //是否开启ssl支持
keystore.type: pkcs12 //keystore类型
kmf.algorithm: SunX509 //kmf算法
server:
keystore: bolt.pfx //raft节点rpc服务端keystore文件路径
keystore.password: sfbolt //keystore密码
client:
keystore: cbolt.pfx //raft节点rpc客户端keystore文件路径
keystore.password: sfbolt //keystore密码
其中服务端 SSL keystore 文件 bolt.pfx 和客户端 SSL keystore 文件 cbolt.pfx 按照以下步骤生成:
The server-side SSL keystore file bolt.pfx and the client-side SSL keystore file cbolt.pfx can be generated using the following steps:

1.首先生成 keystore 并且导出其认证文件。
First, generate the keystore and export its certificate.

keytool -genkey -alias securebolt -keysize 2048 -validity 365 -keyalg RSA -dname "CN=localhost" -keypass sfbolt -storepass sfbolt -keystore bolt.pfx -deststoretype pkcs12
keytool -export -alias securebolt -keystore bolt.pfx -storepass sfbolt -file bolt.cer

2.接着生成客户端 keystore并且导出其认证文件。
Next, generate the client keystore and export its certificate.

keytool -genkey -alias smcc -keysize 2048 -validity 365 -keyalg RSA -dname "CN=localhost" -keypass sfbolt -storepass sfbolt -keystore cbolt.pfx -deststoretype pkcs12
keytool -export -alias smcc -keystore cbolt.pfx -storepass sfbolt -file cbolt.cer

3.最后导入服务端认证文件到客户端 keystore, 导入客户端认证文件到服务端 keystore。
Finally, import the server certificate into the client keystore and the client certificate into the server keystore.

keytool -import -trustcacerts -alias securebolt -file bolt.cer -storepass sfbolt -keystore cbolt.pfx
keytool -import -trustcacerts -alias smcc -file cbolt.cer -storepass sfbolt -keystore bolt.pfx

然后启动seata集群,可以看到raft集群已经开启ssl支持,没有证书的节点与其他节点的通信会被拒绝
Then, start the Seata cluster. You should see that the Raft cluster has SSL support enabled, and any node without the certificate will have its communication with other nodes rejected.

Ⅴ. Special notes for reviews

@xingfudeshi xingfudeshi added the first-time contributor first-time contributor label Oct 24, 2024
@codecov
Copy link

codecov bot commented Oct 24, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 5.88235% with 16 lines in your changes missing coverage. Please review.

Project coverage is 52.57%. Comparing base (556a734) to head (1ce8872).
Report is 2 commits behind head on 2.x.

Files with missing lines Patch % Lines
...g/apache/seata/server/cluster/raft/RaftServer.java 5.88% 15 Missing and 1 partial ⚠️
Additional details and impacted files

Impacted file tree graph

@@             Coverage Diff              @@
##                2.x    #6926      +/-   ##
============================================
- Coverage     52.60%   52.57%   -0.03%     
- Complexity     6590     6593       +3     
============================================
  Files          1126     1126              
  Lines         40020    40037      +17     
  Branches       4700     4701       +1     
============================================
- Hits          21053    21051       -2     
- Misses        16957    16977      +20     
+ Partials       2010     2009       -1
Files with missing lines Coverage Δ
...ava/org/apache/seata/common/ConfigurationKeys.java 0.00% <ø> (ø)
...g/apache/seata/server/cluster/raft/RaftServer.java 58.18% <5.88%> (-23.40%) ⬇️

... and 7 files with indirect coverage changes

funky-eyes
funky-eyes approved these changes Nov 4, 2024
View reviewed changes
Copy link
Contributor

@funky-eyes funky-eyes left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@xingfudeshi
Copy link
Member

xingfudeshi commented Nov 5, 2024

@Muluo-cyan Please register this PR in change logs[1].

[1]https://github.com/apache/incubator-seata/tree/2.x/changes

slievrly
slievrly reviewed Nov 5, 2024
View reviewed changes
Copy link
Member

@slievrly slievrly left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Muluo-cyan can you add some configuration docs on seata website?

@funky-eyes funky-eyes added this to the 2.3.0 milestone Nov 17, 2024
@slievrly slievrly merged commit 7975aa5 into apache:2.x Nov 28, 2024
7 checks passed
YvCeung pushed a commit to YvCeung/incubator-seata that referenced this pull request Dec 25, 2025
@Muluo-cyan
feature: support ssl communication for raft nodes (apache#6926)
80479a6
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@slievrly slievrly slievrly left review comments

@funky-eyes funky-eyes funky-eyes approved these changes

Assignees

No one assigned

Labels

first-time contributor first-time contributor module/server server module store: raft

Projects

None yet

Milestone

2.3.0

Development

Successfully merging this pull request may close these issues.

5 participants

@Muluo-cyan @xingfudeshi @slievrly @funky-eyes @lovepoem