Authentication

更新时间:
复制 MD 格式

By default, authentication is disabled on Microservices Engine (MSE) Nacos instances. Any client with network access can read and write configuration and service data without restrictions. Enable authentication to control who can access the MSE console and which applications can connect programmatically.

MSE Nacos authentication operates at two levels:

  • Console authentication -- Controls which RAM users can access the MSE Nacos console and what operations they can perform. Uses RAM policies to define permissions.

  • Client authentication -- Controls which applications can connect to Nacos through the SDK. Combines a RAM policy, a credentials provider, and an instance-level authentication switch.

If you are...Set up...
An admin managing who can access the MSE consoleConsole authentication
A developer whose application connects to Nacos through the SDKClient authentication
BothBoth types

Authorization granularity levels

Both console authentication and client authentication support fine-grained authorization. Select a granularity level based on how narrowly you want to control access. For each level, you assign either Read/Write or Read-Only permissions.

GranularityScopeAvailable for
InstanceAll configurations and services across the entire instanceConsole authentication only
NamespaceAll configurations and services in a specific namespaceConsole and client authentication
GroupAll configurations and services in a specific group within a namespaceConsole and client authentication
ServiceA specific registered service in a namespaceConsole and client authentication
ConfigurationA specific configuration item (data ID) in a namespaceConsole and client authentication
Important

When you authorize at the group, service, or configuration level, be aware of the following behaviors:

  • Group level -- If multiple groups in the same namespace share a service name or data ID, authorizing one group grants the same permissions to all groups that share that service name or data ID.

  • Service level -- If the same service name exists in multiple groups, the authorization list displays only one entry. Granting permissions applies to that service across all associated groups.

  • Configuration level -- If the same data ID exists in multiple groups, the authorization list displays only one entry. Granting permissions applies to that data ID across all associated groups.

Prerequisites

Before you begin, make sure that you have:

Create and attach a console authentication policy

Console authentication uses RAM policies to control access to the MSE Nacos console. After you create and attach a policy, the RAM user can only perform the operations defined in that policy.

  1. Log on to the MSE console, and select a region in the top navigation bar.

  2. In the left-side navigation pane, choose Microservices Registry > Instances.

  3. On the Instances page, click the name of your instance.

  4. In the left-side navigation pane, choose Security Protection > Authentication, and then click the Console Authentication tab.

  5. Select an authorization granularity from the Authorization Granularity drop-down list, and then select the permissions to grant. For details on each granularity level, see Authorization granularity levels. To specify a group, service, or configuration, use one of the following tabs:

    • Manual Input or Name Match -- For group-level authorization

    • List Selection or Name Match -- For service-level and configuration-level authorization

  6. Click Copy and Create Authorization Policy (Manually Switch to Code Editor). On the Create Policy page, click the JSON tab, paste the copied policy, and then click OK. Enter a policy name in the Create Policy dialog box, and then click OK.

    Note

    Use a descriptive policy name that reflects its scope (for example, mse-nacos-prod-namespace-readonly) to simplify policy management.

  7. Attach the policy to a RAM user. For more information, see Grant permissions to a RAM user.

Set up client authentication

Client authentication prevents unauthorized applications from connecting to your Nacos instance. Setting it up requires three steps: define a RAM policy, configure access credentials, and enable the authentication switch on the instance.

  1. Log on to the MSE console, and select a region in the top navigation bar.

  2. In the left-side navigation pane, choose Microservices Registry > Instances.

  3. On the Instances page, click the name of your instance.

  4. In the left-side navigation pane, choose Security Protection > Authentication, and then click the Client Authentication tab.

  5. Complete the following three steps in the setup wizard:

    Step 1: Policy Settings

    1. Select a granularity from the Authorization Granularity drop-down list, select an authorization type from the Authorization Type drop-down list, and then click Copy and Create Authorization Policy (Manually Switch to Code Editor).

    2. On the Create Policy page, click the JSON tab, paste the copied policy, and then click OK. Enter a policy name, and then click OK.

    3. Attach the policy to a RAM user or RAM role. For more information, see Grant permissions to a RAM user or Grant permissions to a RAM role.

      Note

      We recommend that you create a RAM user for console access to control the scope of permissions.

    4. Click Next step.

    Step 2: Access Credential Settings

    Select a method to initialize the credentials provider based on your scenario, and then click Next step.

    Step 3: Current Authentication Status

    1. Click Enable Authentication.

    2. On the Parameter Settings page, click Edit in the Effective Parameters After Restart section.

    3. Set the Value to Yes for one or both of the following parameters:

      ParameterWhat it controlsSupported versions
      ConfigAuthEnabledAuthentication for the configuration center. When enabled, clients must present valid credentials to read or write configurations.Basic Edition: 1.2.1 or later. Professional and Developer Edition: all versions.
      NamingAuthEnabledAuthentication for the service registry. When enabled, clients must present valid credentials to access registry services.Professional and Developer Edition: 2.0.4 or later.
    4. Click Save and Restart Instance.

    Important

    Enabling authentication requires an instance restart. Plan this operation during a maintenance window. After the restart, only clients with valid credentials can connect. Update all client credentials before you enable authentication to avoid connection failures.

Production deployment considerations

When you enable authentication on a running instance, keep the following in mind:

  • Update credentials before enabling authentication -- Distribute valid credentials to all connected clients first. After the instance restarts with authentication enabled, any client without valid credentials cannot connect.

  • Use least-privilege policies -- Start with namespace-level permissions, then narrow to group-level or service-level permissions as you identify exact access requirements.

  • Create dedicated RAM users per service -- Avoid sharing a single set of credentials across multiple services. Separate RAM users or roles make it easier to rotate credentials and audit access.

  • Schedule the restart during a maintenance window -- Enabling either ConfigAuthEnabled or NamingAuthEnabled requires an instance restart.

What to do next

After you enable authentication:

  • Verify connectivity -- Confirm that your applications can still connect to the Nacos instance with the configured credentials.

  • Configure client credentials -- For detailed instructions on initializing credentials providers in your application code, see Access authentication by Nacos.

  • Refine access policies -- If you used namespace-level permissions initially, narrow the scope to group-level or service-level permissions for production environments.

  • Manage RAM users and roles -- Create separate RAM users or roles for different teams or services to enforce the principle of least privilege.