Public key authentication
Public key authentication is a simple and efficient authentication mechanism between microservices provided by ServiceComb. Its security rests on the trust between each microservice and the service center. The authentication mechanism must be enabled first. Its basic process is as follows:
- When a microservice starts, it generates a key pair and registers the public key with the service center.
- The consumer signs the message with its private key before accessing the provider.
- The provider obtains the consumer's public key from the service center and verifies the signed message.
Public key authentication needs to be enabled for both consumers and providers.
```yaml
servicecomb:
  handler:
    chain:
      Consumer:
        default: auth-consumer
      Provider:
        default: auth-provider
```
Add dependencies in pom.xml:
```xml
<dependency>
  <groupId>org.apache.servicecomb</groupId>
  <artifactId>handler-publickey-auth</artifactId>
</dependency>
```
Configuring black and white lists
Based on the public key authentication mechanism, ServiceComb provides a black and white list function. Through the black and white lists, you can control which other services are allowed to access the microservice. Matching on service attributes is currently supported; the configuration items are as follows:
```yaml
servicecomb:
  publicKey:
    accessControl:
      black:
        list01:
          category: property         ## property, fixed value
          propertyName: serviceName  ## property name
          # property value matching expression.
          # only supports prefix match, postfix match and exact match,
          # e.g., hacker*, *hacker, hacker
          rule: hacker
      white:
        list02:
          category: property
          propertyName: serviceName
          rule: cust*
```
The rules above configure a black list that denies access to microservices whose name is hacker, and a white list that allows access to microservices whose name matches cust* (prefix match).
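As an added example (not code from the ServiceComb project), the following Python reimplements the rule semantics described above against the page's own configuration: a rule ending in `*` is a prefix match, one starting with `*` is a postfix match, anything else is an exact match. The evaluation order (a black list match always denies; when a white list is configured the consumer must match at least one entry; an empty white list allows everyone) is an assumption made for this example.

```python
"""Evaluate servicecomb.publicKey.accessControl rules (added example, not project code)."""

# Constructed config mirroring the page's accessControl block.
ACCESS_CONTROL = {
    "black": {"list01": {"category": "property", "propertyName": "serviceName", "rule": "hacker"}},
    "white": {"list02": {"category": "property", "propertyName": "serviceName", "rule": "cust*"}},
}


def rule_matches(rule: str, value: str) -> bool:
    """Only prefix (x*), postfix (*x) and exact matches are supported, as the page states."""
    if rule.startswith("*") and rule.endswith("*") and len(rule) > 1:
        raise ValueError(f"unsupported rule {rule!r}: only prefix, postfix or exact match")
    if "*" in rule[1:-1]:
        raise ValueError(f"unsupported rule {rule!r}: wildcard must be leading or trailing")
    if rule.endswith("*"):
        return value.startswith(rule[:-1])
    if rule.startswith("*"):
        return value.endswith(rule[1:])
    return value == rule


def matches_any(entries: dict, consumer: dict) -> bool:
    """True if any list entry's property rule matches the consumer's attributes."""
    for entry in entries.values():
        if entry.get("category") != "property":
            continue  # only the 'property' category is documented
        value = consumer.get(entry["propertyName"])
        if value is not None and rule_matches(entry["rule"], value):
            return True
    return False


def is_allowed(consumer: dict, access_control: dict = ACCESS_CONTROL) -> bool:
    """Assumed order: black list denies first, then a non-empty white list must match."""
    if matches_any(access_control.get("black", {}), consumer):
        return False
    white = access_control.get("white", {})
    if white and not matches_any(white, consumer):
        return False
    return True


if __name__ == "__main__":
    for name in ("hacker", "customer", "order"):
        print(name, "->", "allowed" if is_allowed({"serviceName": name}) else "denied")
```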
ServiceComb provides [trust-sample](https://github.com/apache/incubator-servicecomb-java-chassis/tree/master/samples/trust-sample) to demonstrate the black and white list feature.