Merge branch 'develop' of https://github.com/alibaba/nacos into dev-1

* 'develop' of https://github.com/alibaba/nacos:
  For checkstyle
  fix: fix Jraft WriteRequest type problem.
  Add server identity to replace user-agent white list. (alibaba#4683)

auth/src/main/java/com/alibaba/nacos/auth/common/AuthConfigs.java

@@ -62,6 +62,15 @@ public class AuthConfigs {
     @Value("${nacos.core.auth.system.type:}")
     private String nacosAuthSystemType;
 
+    @Value("${nacos.core.auth.server.identity.key:}")
+    private String serverIdentityKey;
+
+    @Value(("${nacos.core.auth.server.identity.value:}"))
+    private String serverIdentityValue;
+
+    @Value(("${nacos.core.auth.enable.userAgentAuthWhite:true}"))
+    private boolean enableUserAgentAuthWhite;
+
     public byte[] getSecretKeyBytes() {
         if (secretKeyBytes == null) {
             secretKeyBytes = Decoders.BASE64.decode(secretKey);
@@ -77,6 +86,18 @@ public String getNacosAuthSystemType() {
         return nacosAuthSystemType;
     }
 
+    public String getServerIdentityKey() {
+        return serverIdentityKey;
+    }
+
+    public String getServerIdentityValue() {
+        return serverIdentityValue;
+    }
+
+    public boolean isEnableUserAgentAuthWhite() {
+        return enableUserAgentAuthWhite;
+    }
+
     /**
      * auth function is open.
      *

auth/src/main/java/com/alibaba/nacos/auth/util/AuthHeaderUtil.java

@@ -0,0 +1,43 @@
+/*
+ * Copyright 1999-2020 Alibaba Group Holding Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.alibaba.nacos.auth.util;
+
+import com.alibaba.nacos.auth.common.AuthConfigs;
+import com.alibaba.nacos.common.http.param.Header;
+import com.alibaba.nacos.common.utils.StringUtils;
+import com.alibaba.nacos.sys.utils.ApplicationUtils;
+
+/**
+ * Auth header util.
+ *
+ * @author xiweng.yy
+ */
+public class AuthHeaderUtil {
+
+    /**
+     * Add identity info to Http header.
+     *
+     * @param header http header
+     */
+    public static void addIdentityToHeader(Header header) {
+        AuthConfigs authConfigs = ApplicationUtils.getBean(AuthConfigs.class);
+        if (StringUtils.isNotBlank(authConfigs.getServerIdentityKey())) {
+            header.addParam(authConfigs.getServerIdentityKey(), authConfigs.getServerIdentityValue());
+        }
+    }
+
+}

config/src/main/java/com/alibaba/nacos/config/server/service/notify/AsyncNotifyService.java

@@ -16,6 +16,7 @@
 
 package com.alibaba.nacos.config.server.service.notify;
 
+import com.alibaba.nacos.auth.util.AuthHeaderUtil;
 import com.alibaba.nacos.common.http.Callback;
 import com.alibaba.nacos.common.http.client.NacosAsyncRestTemplate;
 import com.alibaba.nacos.common.http.param.Header;
@@ -138,6 +139,7 @@ private void executeAsyncInvoke() {
                         if (task.isBeta) {
                             header.addParam("isBeta", "true");
                         }
+                        AuthHeaderUtil.addIdentityToHeader(header);
                         restTemplate.get(task.url, header, Query.EMPTY, String.class, new AsyncNotifyCallBack(task));
                     }
                 }

config/src/main/java/com/alibaba/nacos/config/server/service/repository/embedded/DistributedDatabaseOperateImpl.java

@@ -205,7 +205,7 @@ public Class<? extends Event> subscribeType() {
         NotifyCenter.registerToPublisher(ConfigDumpEvent.class, NotifyCenter.ringBufferSize);
         NotifyCenter.registerSubscriber(new DumpConfigHandler());
 
-        this.protocol.addLogProcessors(Collections.singletonList(this));
+        this.protocol.addRequestProcessors(Collections.singletonList(this));
         LogUtil.DEFAULT_LOG.info("use DistributedTransactionServicesImpl");
     }
 
@@ -390,7 +390,7 @@ public CompletableFuture<RestResult<String>> dataImport(File file) {
                     if (submit) {
                         List<ModifyRequest> requests = batchUpdate.stream().map(ModifyRequest::new)
                                 .collect(Collectors.toList());
-                        CompletableFuture<Response> future = protocol.submitAsync(WriteRequest.newBuilder().setGroup(group())
+                        CompletableFuture<Response> future = protocol.writeAsync(WriteRequest.newBuilder().setGroup(group())
                                 .setData(ByteString.copyFrom(serializer.serialize(requests)))
                                 .putExtendInfo(DATA_IMPORT_KEY, Boolean.TRUE.toString()).build());
                         futures.add(future);
@@ -432,14 +432,14 @@ public Boolean update(List<ModifyRequest> sqlContext, BiConsumer<Boolean, Throwa
                     .putAllExtendInfo(EmbeddedStorageContextUtils.getCurrentExtendInfo())
                     .setType(sqlContext.getClass().getCanonicalName()).build();
             if (Objects.isNull(consumer)) {
-                Response response = this.protocol.submit(request);
+                Response response = this.protocol.write(request);
                 if (response.getSuccess()) {
                     return true;
                 }
                 LogUtil.DEFAULT_LOG.error("execute sql modify operation failed : {}", response.getErrMsg());
                 return false;
             } else {
-                this.protocol.submitAsync(request).whenComplete((BiConsumer<Response, Throwable>) (response, ex) -> {
+                this.protocol.writeAsync(request).whenComplete((BiConsumer<Response, Throwable>) (response, ex) -> {
                     String errMsg = Objects.isNull(ex) ? response.getErrMsg() : ExceptionUtil.getCause(ex).getMessage();
                     consumer.accept(response.getSuccess(),
                             StringUtils.isBlank(errMsg) ? null : new NJdbcException(errMsg));

consistency/src/main/java/com/alibaba/nacos/consistency/ConsistencyProtocol.java

@@ -48,11 +48,11 @@ public interface ConsistencyProtocol<T extends Config, P extends RequestProcesso
     void init(T config);
 
     /**
-     * Add a log handler.
+     * Add a request handler.
      *
      * @param processors {@link RequestProcessor}
      */
-    void addLogProcessors(Collection<P> processors);
+    void addRequestProcessors(Collection<P> processors);
 
     /**
      * Copy of metadata information for this consensus protocol.
@@ -87,7 +87,7 @@ public interface ConsistencyProtocol<T extends Config, P extends RequestProcesso
      * @return submit operation result {@link Response}
      * @throws Exception {@link Exception}
      */
-    Response submit(WriteRequest request) throws Exception;
+    Response write(WriteRequest request) throws Exception;
 
     /**
      * Data submission operation, returning submission results asynchronously.
@@ -97,7 +97,7 @@ public interface ConsistencyProtocol<T extends Config, P extends RequestProcesso
      * @return {@link CompletableFuture} submit result
      * @throws Exception when submit throw Exception
      */
-    CompletableFuture<Response> submitAsync(WriteRequest request);
+    CompletableFuture<Response> writeAsync(WriteRequest request);
 
     /**
      * New member list .

core/src/main/java/com/alibaba/nacos/core/auth/AuthFilter.java

@@ -24,9 +24,9 @@
 import com.alibaba.nacos.auth.parser.ResourceParser;
 import com.alibaba.nacos.common.utils.ExceptionUtil;
 import com.alibaba.nacos.core.code.ControllerMethodsCache;
-import com.alibaba.nacos.sys.env.Constants;
 import com.alibaba.nacos.core.utils.Loggers;
 import com.alibaba.nacos.core.utils.WebUtils;
+import com.alibaba.nacos.sys.env.Constants;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 
@@ -73,10 +73,25 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
         HttpServletRequest req = (HttpServletRequest) request;
         HttpServletResponse resp = (HttpServletResponse) response;
 
-        String userAgent = WebUtils.getUserAgent(req);
-
-        if (StringUtils.startsWith(userAgent, Constants.NACOS_SERVER_HEADER)) {
-            chain.doFilter(request, response);
+        if (authConfigs.isEnableUserAgentAuthWhite()) {
+            String userAgent = WebUtils.getUserAgent(req);
+            if (StringUtils.startsWith(userAgent, Constants.NACOS_SERVER_HEADER)) {
+                chain.doFilter(request, response);
+                return;
+            }
+        } else if (StringUtils.isNotBlank(authConfigs.getServerIdentityKey()) && StringUtils
+                .isNotBlank(authConfigs.getServerIdentityValue())) {
+            String serverIdentity = req.getHeader(authConfigs.getServerIdentityKey());
+            if (authConfigs.getServerIdentityValue().equals(serverIdentity)) {
+                chain.doFilter(request, response);
+                return;
+            }
+            Loggers.AUTH.warn("Invalid server identity value for {} from {}", authConfigs.getServerIdentityKey(),
+                    req.getRemoteHost());
+        } else {
+            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
+                    "Invalid server identity key or value, Please make sure set `nacos.core.auth.server.identity.key`"
+                            + " and `nacos.core.auth.server.identity.value`, or open `nacos.core.auth.enable.userAgentAuthWhite`");
             return;
         }
 

core/src/main/java/com/alibaba/nacos/core/distributed/raft/JRaftProtocol.java

@@ -159,7 +159,7 @@ public Class<? extends Event> subscribeType() {
     }
 
     @Override
-    public void addLogProcessors(Collection<RequestProcessor4CP> processors) {
+    public void addRequestProcessors(Collection<RequestProcessor4CP> processors) {
         raftServer.createMultiRaftGroup(processors);
     }
 
@@ -175,14 +175,14 @@ public CompletableFuture<Response> aGetData(ReadRequest request) {
     }
 
     @Override
-    public Response submit(WriteRequest request) throws Exception {
-        CompletableFuture<Response> future = submitAsync(request);
+    public Response write(WriteRequest request) throws Exception {
+        CompletableFuture<Response> future = writeAsync(request);
         // Here you wait for 10 seconds, as long as possible, for the request to complete
         return future.get(10_000L, TimeUnit.MILLISECONDS);
     }
 
     @Override
-    public CompletableFuture<Response> submitAsync(WriteRequest request) {
+    public CompletableFuture<Response> writeAsync(WriteRequest request) {
         return raftServer.commit(request.getGroup(), request, new CompletableFuture<>());
     }
 

core/src/main/java/com/alibaba/nacos/core/distributed/raft/processor/NacosGetRequestProcessor.java

@@ -28,6 +28,7 @@
  *
  * @author <a href="mailto:liaochuntao@live.com">liaochuntao</a>
  */
+@Deprecated
 public class NacosGetRequestProcessor extends AbstractProcessor implements RpcProcessor<GetRequest> {
 
     private static final String INTEREST_NAME = GetRequest.class.getName();

core/src/main/java/com/alibaba/nacos/core/distributed/raft/processor/NacosLogProcessor.java

@@ -28,6 +28,7 @@
  *
  * @author <a href="mailto:liaochuntao@live.com">liaochuntao</a>
  */
+@Deprecated
 public class NacosLogProcessor extends AbstractProcessor implements RpcProcessor<Log> {
 
     private static final String INTEREST_NAME = Log.class.getName();

core/src/main/java/com/alibaba/nacos/core/distributed/raft/processor/NacosReadRequestProcessor.java

@@ -18,6 +18,7 @@
 
 import com.alibaba.nacos.consistency.Serializer;
 import com.alibaba.nacos.consistency.entity.ReadRequest;
+import com.alibaba.nacos.core.distributed.raft.JRaftServer;
 import com.alipay.sofa.jraft.rpc.RpcContext;
 import com.alipay.sofa.jraft.rpc.RpcProcessor;
 
@@ -28,17 +29,22 @@
  */
 public class NacosReadRequestProcessor extends AbstractProcessor implements RpcProcessor<ReadRequest> {
 
-    public NacosReadRequestProcessor(Serializer serializer) {
+    private static final String INTEREST_NAME = ReadRequest.class.getName();
+
+    private final JRaftServer server;
+
+    public NacosReadRequestProcessor(JRaftServer server, Serializer serializer) {
         super(serializer);
+        this.server = server;
     }
 
     @Override
     public void handleRequest(RpcContext rpcCtx, ReadRequest request) {
-
+        handleRequest(server, request.getGroup(), rpcCtx, request);
     }
 
     @Override
     public String interest() {
-        return null;
+        return INTEREST_NAME;
     }
 }

core/src/main/java/com/alibaba/nacos/core/distributed/raft/processor/NacosWriteRequestProcessor.java

@@ -18,6 +18,7 @@
 
 import com.alibaba.nacos.consistency.Serializer;
 import com.alibaba.nacos.consistency.entity.WriteRequest;
+import com.alibaba.nacos.core.distributed.raft.JRaftServer;
 import com.alipay.sofa.jraft.rpc.RpcContext;
 import com.alipay.sofa.jraft.rpc.RpcProcessor;
 
@@ -28,17 +29,22 @@
  */
 public class NacosWriteRequestProcessor extends AbstractProcessor implements RpcProcessor<WriteRequest> {
 
-    public NacosWriteRequestProcessor(Serializer serializer) {
+    private static final String INTEREST_NAME = WriteRequest.class.getName();
+
+    private final JRaftServer server;
+
+    public NacosWriteRequestProcessor(JRaftServer server, Serializer serializer) {
         super(serializer);
+        this.server = server;
     }
 
     @Override
     public void handleRequest(RpcContext rpcCtx, WriteRequest request) {
-
+        handleRequest(server, request.getGroup(), rpcCtx, request);
     }
 
     @Override
     public String interest() {
-        return null;
+        return INTEREST_NAME;
     }
 }

core/src/main/java/com/alibaba/nacos/core/distributed/raft/utils/JRaftUtils.java

@@ -27,6 +27,8 @@
 import com.alibaba.nacos.core.distributed.raft.JRaftServer;
 import com.alibaba.nacos.core.distributed.raft.processor.NacosGetRequestProcessor;
 import com.alibaba.nacos.core.distributed.raft.processor.NacosLogProcessor;
+import com.alibaba.nacos.core.distributed.raft.processor.NacosReadRequestProcessor;
+import com.alibaba.nacos.core.distributed.raft.processor.NacosWriteRequestProcessor;
 import com.alibaba.nacos.sys.utils.ApplicationUtils;
 import com.alibaba.nacos.core.utils.Loggers;
 import com.alibaba.nacos.sys.utils.DiskUtils;
@@ -78,9 +80,14 @@ public static RpcServer initRpcServer(JRaftServer server, PeerId peerId) {
         RaftRpcServerFactory.addRaftRequestProcessors(rpcServer, RaftExecutor.getRaftCoreExecutor(),
                 RaftExecutor.getRaftCliServiceExecutor());
 
+        // Deprecated
         rpcServer.registerProcessor(new NacosLogProcessor(server, SerializeFactory.getDefault()));
+        // Deprecated
         rpcServer.registerProcessor(new NacosGetRequestProcessor(server, SerializeFactory.getDefault()));
 
+        rpcServer.registerProcessor(new NacosWriteRequestProcessor(server, SerializeFactory.getDefault()));
+        rpcServer.registerProcessor(new NacosReadRequestProcessor(server, SerializeFactory.getDefault()));
+
         return rpcServer;
     }
 

distribution/conf/application.properties

@@ -131,6 +131,13 @@ nacos.core.auth.default.token.secret.key=SecretKey012345678901234567890123456789
 ### Turn on/off caching of auth information. By turning on this switch, the update of auth information would have a 15 seconds delay.
 nacos.core.auth.caching.enabled=true
 
+### Since 1.4.1, Turn on/off white auth for user-agent: nacos-server, only for upgrade from old version.
+nacos.core.auth.enable.userAgentAuthWhite=true
+
+### Since 1.4.1, worked when nacos.core.auth.enabled=true and nacos.core.auth.enable.userAgentAuthWhite=false.
+### The two properties is the white list for auth and used by identity the request from other server.
+nacos.core.auth.server.identity.key=
+nacos.core.auth.server.identity.value=
 
 #*************** Istio Related Configurations ***************#
 ### If turn on the MCP server:

naming/src/main/java/com/alibaba/nacos/naming/consistency/persistent/impl/PersistentServiceProcessor.java

@@ -65,7 +65,7 @@ public PersistentServiceProcessor(ProtocolManager protocolManager, ClusterVersio
     @Override
     public void afterConstruct() {
         super.afterConstruct();
-        this.protocol.addLogProcessors(Collections.singletonList(this));
+        this.protocol.addRequestProcessors(Collections.singletonList(this));
         this.protocol.protocolMetaData()
                 .subscribe(Constants.NAMING_PERSISTENT_SERVICE_GROUP, MetadataKey.LEADER_META_DATA,
                         (o, arg) -> hasLeader = StringUtils.isNotBlank(String.valueOf(arg)));
@@ -95,7 +95,7 @@ public void put(String key, Record value) throws NacosException {
         final WriteRequest request = WriteRequest.newBuilder().setData(ByteString.copyFrom(serializer.serialize(req)))
                 .setGroup(Constants.NAMING_PERSISTENT_SERVICE_GROUP).setOperation(Op.Write.desc).build();
         try {
-            protocol.submit(request);
+            protocol.write(request);
         } catch (Exception e) {
             throw new NacosException(ErrorCode.ProtoSubmitError.getCode(), e.getMessage());
         }
@@ -108,7 +108,7 @@ public void remove(String key) throws NacosException {
         final WriteRequest request = WriteRequest.newBuilder().setData(ByteString.copyFrom(serializer.serialize(req)))
                 .setGroup(Constants.NAMING_PERSISTENT_SERVICE_GROUP).setOperation(Op.Delete.desc).build();
         try {
-            protocol.submit(request);
+            protocol.write(request);
         } catch (Exception e) {
             throw new NacosException(ErrorCode.ProtoSubmitError.getCode(), e.getMessage());
         }