Enable grayscale authentication

更新时间:
复制 MD 格式

When using MSE Nacos for service discovery and configuration management, enable RAM authentication to enhance instance security. However, abruptly switching to RAM authentication can block unauthenticated clients and disrupt business continuity. Grayscale authentication lets you identify and update non-compliant clients before enforcing authentication, ensuring a seamless transition.

Overview

Grayscale authentication provides a safe, zero-downtime migration path between no authentication and full RAM authentication.

Key benefits

  • No request blocking: During the grayscale period, no client requests are blocked, ensuring your business operations continue without interruption.

  • Identify non-compliant clients: The system automatically logs access attempts from clients with incorrect authentication settings, helping you pinpoint which clients need to be updated.

  • Seamless migration: After you update all clients, you can safely switch to the mandatory authentication mode, guaranteeing a zero-downtime migration.

Prerequisites

  • You have created an MSE Nacos instance.

  • You have enabled RAM authentication-related parameters, such as ConfigAuthEnabled or NamingAuthEnabled.

Procedure

  1. Log on to the MSE Console.

  2. In the left-side navigation pane, choose Microservices Registry > Instances.

  3. Click the name of the target instance to open its details page.

  4. In the left-side navigation pane, click Parameter Settings.

  5. In the parameter list, find the grayAuth parameter and click Edit.

  6. In the parameter verification dialog box that appears, confirm that you want to enable grayscale authentication (grayAuth).

    Note

    Before you enable grayscale authentication, ensure that the ConfigAuthEnabled and NamingAuthEnabled parameters are already enabled. If neither is enabled, the system enables them for you.

  7. Click Activate and restart an instance. The cluster performs a rolling restart to apply the new configuration.

Authentication observability

Note

You must upgrade your instance to the Enterprise Edition to view Authentication Observability data.

After you enable grayscale authentication, you can view authentication observability data in the console, including interception statistics and interception details.

  1. In the left-side navigation pane, choose Security Protection > Authentication.

  2. Click the Observe authentication tab.

  3. View the following information:

    • Current authentication status: Shows whether grayscale authentication is enabled. You can disable it with one click or refresh the status.

    • Interception statistics: Shows interception counts at the service registry level and the configuration center level.

    • Interception trend: Shows a time-series chart of interception counts, which can be broken down by interceptions for the service registry and configuration center.

    • Interception details: Lists the identified problematic clients, including request time, group, service or configuration, source IP, interception type, and interception details.

  4. Based on the information in the interception details, update the authentication configuration of the affected clients.

Results

After you enable grayscale authentication, the system automatically logs all client access attempts that would be blocked due to incorrect authentication settings. You can use these logs to correct each client's configuration. After all clients are updated and no more interceptions are logged, you can disable grayscale authentication and switch to the mandatory RAM authentication mode.

Note

Regularly check the Authentication Observability page to ensure all clients are correctly configured before you disable grayscale authentication.