After a service is published, you can use the service authentication feature to authenticate the callers that invoke it.
Precautions
When you publish a containerized application, the application name must match the spring.application.name configured in the application's registration code. Ensure that your SOFABoot version is 3.3.3 or later. For more information about SOFABoot versions, see Version Guide.
When you use service authentication, add the following configuration to the application.properties file:
com.alipay.sofa.rpc.dynamic.alias=drm
For more information about the application.properties file, see Application-level configuration extensions.
Add an authentication rule
Log on to the SOFAStack console.
In the navigation pane on the left, choose Middleware > Microservice Platform > Microservices > Service Governance, and then click the Service Authentication tab.
Click Add Authentication Rule and configure the following parameters:
Parameter: Authentication granularity
Description: The granularity of authentication. Valid values:
- Application-level: Adds an authentication rule for an application.
- Service-level: Adds an authentication rule for one or more services within an application.

Parameter: Rule name
Description: The name of the authentication rule. The name can contain only Chinese characters, letters, digits, and underscores (_).

Parameter: Type
Description: The type of authentication. Valid values:
- Whitelist: Allows requests that match the conditions.
- Blacklist: Denies requests that match the conditions.

Parameter: Application
Description: Select the application to be authenticated.

Parameter: Service
Description: Select or enter one or more services within the application. This parameter is configured only when you set Authentication granularity to Service-level.

Parameter: Running mode
Description: The running mode of the service authentication rule. Valid values:
- Block Mode: When the authentication rule is triggered, the request is denied.
- Observer Mode: When the authentication rule is triggered, the rule only writes logs and does not deny the request.

Parameter: Matching conditions
Description: The conditions for matching traffic. Traffic that meets these conditions is authenticated. You can configure multiple matching conditions; all of them must hold, because they are combined with an AND operator. Each condition has the following parameters:
- Field: Select a system field or a custom field.
- Field name: The value depends on the field type.
  - System field: Select Caller application name, Caller IP, Provider application name, or Provider method name.
  - Custom field: Set the field name as needed.
- Logic: Equals, Does not equal, Belongs to, Does not belong to, or Regex.
- Field value: Enter the value to compare the selected field against.
Click Submit, and then click OK.
In the list of authentication rules, change the status of the rule you just created to On.
Enable the whitelist switch for Whitelist rules and the blacklist switch for Blacklist rules, depending on the Type you selected. A rule whose switch is off does not take effect even when its status is On.
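The following Python model illustrates how the rule parameters described above combine: matching conditions are ANDed, a Whitelist rule allows only requests that match it while a Blacklist rule denies requests that match it, Block Mode denies a triggered request while Observer Mode only logs it, and a rule has no effect unless both its status is On and the switch for its type is enabled. This is an added example written for this page, not code from SOFAStack or SOFABoot; the rule names, applications, IP ranges and method names are constructed sample values, the comma-separated syntax for "Belongs to" and the way several Whitelist rules combine are assumptions, and the console's real evaluation engine is not shown here.

```python
"""Model of service authentication rule evaluation (added example, not SOFAStack code)."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Request = Dict[str, str]


def _as_set(csv: str) -> set:
    """'Belongs to' lists are assumed to be comma-separated values."""
    return {v.strip() for v in csv.split(",") if v.strip()}


# Logic operators offered in the console. Regex is applied to the whole field value.
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "Equals": lambda actual, expected: actual == expected,
    "Does not equal": lambda actual, expected: actual != expected,
    "Belongs to": lambda actual, expected: actual in _as_set(expected),
    "Does not belong to": lambda actual, expected: actual not in _as_set(expected),
    "Regex": lambda actual, expected: re.fullmatch(expected, actual) is not None,
}


@dataclass
class Condition:
    field_name: str   # a system field such as "Caller IP", or a custom field name
    logic: str        # one of the OPERATORS keys
    value: str

    def matches(self, request: Request) -> bool:
        actual = request.get(self.field_name)
        # A field that is absent from the request never satisfies a condition.
        return actual is not None and OPERATORS[self.logic](actual, self.value)


@dataclass
class Rule:
    name: str
    rule_type: str            # "Whitelist" or "Blacklist"
    running_mode: str         # "Block Mode" or "Observer Mode"
    conditions: List[Condition]
    enabled: bool = False     # the rule's On/Off status in the rule list

    def matches(self, request: Request) -> bool:
        # Matching conditions are combined with AND.
        return all(c.matches(request) for c in self.conditions)


@dataclass
class AuthPolicy:
    rules: List[Rule]
    whitelist_switch: bool = False   # the whitelist switch on the tab
    blacklist_switch: bool = False   # the blacklist switch on the tab
    audit_log: List[str] = field(default_factory=list)

    def _active(self, rule: Rule) -> bool:
        # A rule only takes effect when it is On AND the switch for its type is enabled.
        switch = self.whitelist_switch if rule.rule_type == "Whitelist" else self.blacklist_switch
        return rule.enabled and switch

    def decide(self, request: Request) -> str:
        """Return 'ALLOW' or 'DENY' and append one audit line per triggered rule."""
        whitelist = [r for r in self.rules if r.rule_type == "Whitelist" and self._active(r)]
        blacklist = [r for r in self.rules if r.rule_type == "Blacklist" and self._active(r)]

        triggered: List[Rule] = []
        # Whitelist: allowed only if some active whitelist rule matches the request;
        # otherwise every active whitelist rule counts as triggered (assumption).
        if whitelist and not any(r.matches(request) for r in whitelist):
            triggered.extend(whitelist)
        # Blacklist: every active blacklist rule that matches the request is triggered.
        triggered.extend(r for r in blacklist if r.matches(request))

        outcome = "ALLOW"
        for rule in triggered:
            if rule.running_mode == "Block Mode":
                self.audit_log.append(f"{rule.name}: triggered, request denied")
                outcome = "DENY"
            else:
                self.audit_log.append(f"{rule.name}: triggered, observe only (request allowed)")
        return outcome


def build_sample_policy(whitelist_switch: bool = True) -> AuthPolicy:
    """Constructed sample: a Whitelist rule in Block Mode and a Blacklist rule in Observer Mode."""
    return AuthPolicy(
        rules=[
            Rule("allow-order-callers", "Whitelist", "Block Mode",
                 [Condition("Caller application name", "Belongs to", "order-svc, checkout-svc"),
                  Condition("Provider method name", "Does not equal", "adminReset")],
                 enabled=True),
            Rule("watch-lab-subnet", "Blacklist", "Observer Mode",
                 [Condition("Caller IP", "Regex", r"10\.0\.99\.\d+")],
                 enabled=True),
        ],
        whitelist_switch=whitelist_switch,
        blacklist_switch=True,
    )


if __name__ == "__main__":
    policy = build_sample_policy()
    for req in (
        {"Caller application name": "order-svc", "Caller IP": "10.0.1.5", "Provider method name": "placeOrder"},
        {"Caller application name": "unknown-app", "Caller IP": "10.0.1.5", "Provider method name": "placeOrder"},
        {"Caller application name": "order-svc", "Caller IP": "10.0.99.7", "Provider method name": "placeOrder"},
    ):
        print(req["Caller application name"], req["Caller IP"], "->", policy.decide(req))
    print("\n".join(policy.audit_log))
```

Running the sample shows the three behaviours a practitioner should expect from the console: a caller outside the whitelist is denied, a caller from the observed subnet is allowed but produces an audit line, and calling `build_sample_policy(whitelist_switch=False)` lets the unknown caller through, which is exactly the failure mode of forgetting to enable the whitelist switch after turning a rule On.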
Edit an authentication rule
You can edit any created authentication rule. The changes take effect in real time after you submit them.
On the Service Authentication tab, click the plus sign (+) to the left of the target service.
Click Edit to the right of the target authentication rule.
After you edit the authentication rule as needed, click Submit.
Delete an authentication rule
You can delete any created authentication rule. The deletion takes effect in real time. Proceed with caution.
On the Service Authentication tab, click the plus sign (+) to the left of the target service.
Change the status of the target authentication rule to Off.
Click Delete to the right of the target authentication rule. Then, click OK.
View service authentication logs
Service authentication logs are written to the /home/admin/logs/rpc/common-default.log file.