By default, authentication is disabled on Microservices Engine (MSE) Nacos instances. Any client with network access can read and write configuration and service data without restrictions. Enable authentication to control who can access the MSE console and which applications can connect programmatically.
MSE Nacos authentication operates at two levels:
Console authentication -- Controls which RAM users can access the MSE Nacos console and what operations they can perform. Uses RAM policies to define permissions.
Client authentication -- Controls which applications can connect to Nacos through the SDK. Combines a RAM policy, a credentials provider, and an instance-level authentication switch.
| If you are... | Set up... |
|---|---|
| An admin managing who can access the MSE console | Console authentication |
| A developer whose application connects to Nacos through the SDK | Client authentication |
| Both | Both types |
Authorization granularity levels
Both console authentication and client authentication support fine-grained authorization. Select a granularity level based on how narrowly you want to control access. For each level, you assign either Read/Write or Read-Only permissions.
| Granularity | Scope | Available for |
|---|---|---|
| Instance | All configurations and services across the entire instance | Console authentication only |
| Namespace | All configurations and services in a specific namespace | Console and client authentication |
| Group | All configurations and services in a specific group within a namespace | Console and client authentication |
| Service | A specific registered service in a namespace | Console and client authentication |
| Configuration | A specific configuration item (data ID) in a namespace | Console and client authentication |
When you authorize at the group, service, or configuration level, be aware of the following behaviors:
Group level -- If multiple groups in the same namespace share a service name or data ID, authorizing one group grants the same permissions to all groups that share that service name or data ID.
Service level -- If the same service name exists in multiple groups, the authorization list displays only one entry. Granting permissions applies to that service across all associated groups.
Configuration level -- If the same data ID exists in multiple groups, the authorization list displays only one entry. Granting permissions applies to that data ID across all associated groups.
Prerequisites
Before you begin, make sure that you have:
(Optional) A RAM user or a RAM role to grant permissions to
Create and attach a console authentication policy
Console authentication uses RAM policies to control access to the MSE Nacos console. After you create and attach a policy, the RAM user can only perform the operations defined in that policy.
Log on to the MSE console, and select a region in the top navigation bar.
In the left-side navigation pane, choose Microservices Registry > Instances.
On the Instances page, click the name of your instance.
In the left-side navigation pane, choose Security Protection > Authentication, and then click the Console Authentication tab.
Select an authorization granularity from the Authorization Granularity drop-down list, and then select the permissions to grant. For details on each granularity level, see Authorization granularity levels. To specify a group, service, or configuration, use one of the following tabs:
Manual Input or Name Match -- For group-level authorization
List Selection or Name Match -- For service-level and configuration-level authorization
Click Copy and Create Authorization Policy (Manually Switch to Code Editor). On the Create Policy page, click the JSON tab, paste the copied policy, and then click OK. Enter a policy name in the Create Policy dialog box, and then click OK.
NoteUse a descriptive policy name that reflects its scope (for example,
mse-nacos-prod-namespace-readonly) to simplify policy management.Attach the policy to a RAM user. For more information, see Grant permissions to a RAM user.
Set up client authentication
Client authentication prevents unauthorized applications from connecting to your Nacos instance. Setting it up requires three steps: define a RAM policy, configure access credentials, and enable the authentication switch on the instance.
Log on to the MSE console, and select a region in the top navigation bar.
In the left-side navigation pane, choose Microservices Registry > Instances.
On the Instances page, click the name of your instance.
In the left-side navigation pane, choose Security Protection > Authentication, and then click the Client Authentication tab.
Complete the following three steps in the setup wizard:
Step 1: Policy Settings
Select a granularity from the Authorization Granularity drop-down list, select an authorization type from the Authorization Type drop-down list, and then click Copy and Create Authorization Policy (Manually Switch to Code Editor).
On the Create Policy page, click the JSON tab, paste the copied policy, and then click OK. Enter a policy name, and then click OK.
Attach the policy to a RAM user or RAM role. For more information, see Grant permissions to a RAM user or Grant permissions to a RAM role.
NoteWe recommend that you create a RAM user for console access to control the scope of permissions.
Click Next step.
Step 2: Access Credential Settings
Select a method to initialize the credentials provider based on your scenario, and then click Next step.
Step 3: Current Authentication Status
Click Enable Authentication.
On the Parameter Settings page, click Edit in the Effective Parameters After Restart section.
Set the Value to Yes for one or both of the following parameters:
Parameter What it controls Supported versions ConfigAuthEnabled Authentication for the configuration center. When enabled, clients must present valid credentials to read or write configurations. Basic Edition: 1.2.1 or later. Professional and Developer Edition: all versions. NamingAuthEnabled Authentication for the service registry. When enabled, clients must present valid credentials to access registry services. Professional and Developer Edition: 2.0.4 or later. Click Save and Restart Instance.
ImportantEnabling authentication requires an instance restart. Plan this operation during a maintenance window. After the restart, only clients with valid credentials can connect. Update all client credentials before you enable authentication to avoid connection failures.
Production deployment considerations
When you enable authentication on a running instance, keep the following in mind:
Update credentials before enabling authentication -- Distribute valid credentials to all connected clients first. After the instance restarts with authentication enabled, any client without valid credentials cannot connect.
Use least-privilege policies -- Start with namespace-level permissions, then narrow to group-level or service-level permissions as you identify exact access requirements.
Create dedicated RAM users per service -- Avoid sharing a single set of credentials across multiple services. Separate RAM users or roles make it easier to rotate credentials and audit access.
Schedule the restart during a maintenance window -- Enabling either ConfigAuthEnabled or NamingAuthEnabled requires an instance restart.
What to do next
After you enable authentication:
Verify connectivity -- Confirm that your applications can still connect to the Nacos instance with the configured credentials.
Configure client credentials -- For detailed instructions on initializing credentials providers in your application code, see Access authentication by Nacos.
Refine access policies -- If you used namespace-level permissions initially, narrow the scope to group-level or service-level permissions for production environments.
Manage RAM users and roles -- Create separate RAM users or roles for different teams or services to enforce the principle of least privilege.