feat: Implement etcd and kafka auth.

2025-10-25 04:32:10 +08:00 · 2025-05-28 17:38:22 +08:00 · 2025-05-28 17:38:22 +08:00 · da7943cc64
commit da7943cc64
parent 8e61f30e9c
4 changed files with 40 additions and 16 deletions
--- a/.env
+++ b/.env
@ -2,7 +2,7 @@ MONGO_IMAGE=mongo:7.0
 REDIS_IMAGE=redis:7.0.0
 KAFKA_IMAGE=bitnami/kafka:3.5.1
 MINIO_IMAGE=minio/minio:RELEASE.2024-01-11T07-46-16Z
-ETCD_IMAGE=quay.io/coreos/etcd:v3.5.13
+ETCD_IMAGE=bitnami/etcd:3.5.13
 PROMETHEUS_IMAGE=prom/prometheus:v2.45.6
 ALERTMANAGER_IMAGE=prom/alertmanager:v0.27.0
 GRAFANA_IMAGE=grafana/grafana:11.0.1
--- a/config/discovery.yml
+++ b/config/discovery.yml
@ -1,9 +1,9 @@
 enable: etcd
 etcd:
  rootDirectory: openim
-  address: [ localhost:12379 ]
-  username: ''
-  password: ''
+  address: [localhost:12379]
+  username: "openIM"
+  password: "openIM123"

 kubernetes:
  namespace: default
@ -17,4 +17,4 @@ rpcService:
  group: group-rpc-service
  auth: auth-rpc-service
  conversation: conversation-rpc-service
-  third: third-rpc-service
+  third: third-rpc-service
--- a/config/kafka.yml
+++ b/config/kafka.yml
@ -1,13 +1,13 @@
 # Username for authentication
-username: ''
+username: "openIM"
 # Password for authentication
-password: ''
+password: "openIM123"
 # Producer acknowledgment settings
-producerAck: 
+producerAck:
 # Compression type to use (e.g., none, gzip, snappy)
 compressType: none
 # List of Kafka broker addresses
-address: [ localhost:19094 ]
+address: [localhost:19094]
 # Kafka topic for Redis integration
 toRedisTopic: toRedis
 # Kafka topic for MongoDB integration
@ -29,12 +29,12 @@ tls:
  # Enable or disable TLS
  enableTLS: false
  # CA certificate file path
-  caCrt: 
+  caCrt:
  # Client certificate file path
-  clientCrt: 
+  clientCrt:
  # Client key file path
-  clientKey: 
+  clientKey:
  # Client key password
-  clientKeyPwd: 
+  clientKeyPwd:
  # Whether to skip TLS verification (not recommended for production)
  insecureSkipVerify: false
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -75,7 +75,6 @@ services:
      - "12380:2380"
    environment:
      - ETCD_NAME=s1
-      - ETCD_DATA_DIR=/etcd-data
      - ETCD_LISTEN_CLIENT_URLS=http://0.0.0.0:2379
      - ETCD_ADVERTISE_CLIENT_URLS=http://0.0.0.0:2379
      - ETCD_LISTEN_PEER_URLS=http://0.0.0.0:2380
@ -83,8 +82,27 @@ services:
      - ETCD_INITIAL_CLUSTER=s1=http://0.0.0.0:2380
      - ETCD_INITIAL_CLUSTER_TOKEN=tkn
      - ETCD_INITIAL_CLUSTER_STATE=new
+      - ALLOW_NONE_AUTHENTICATION=no
+      - ETCD_ROOT_USER=root
+      - ETCD_ROOT_PASSWORD=openIM123
+      - ETCD_USERNAME=openIM
+      - ETCD_PASSWORD=openIM123
    volumes:
-      - "${DATA_DIR}/components/etcd:/etcd-data"
+      - "${DATA_DIR}/components/etcd:/bitnami/etcd"
+    command: |
+      /bin/bash -c '
+      /opt/bitnami/scripts/etcd/entrypoint.sh /opt/bitnami/scripts/etcd/run.sh &
+
+      sleep 10
+
+      etcdctl --endpoints=http://127.0.0.1:2379 --user=$${ETCD_ROOT_USER}:$${ETCD_ROOT_PASSWORD} user add $${ETCD_USERNAME} --new-user-password=$${ETCD_PASSWORD} || true
+      etcdctl --endpoints=http://127.0.0.1:2379 --user=$${ETCD_ROOT_USER}:$${ETCD_ROOT_PASSWORD} role add openim-role || true
+      etcdctl --endpoints=http://127.0.0.1:2379 --user=$${ETCD_ROOT_USER}:$${ETCD_ROOT_PASSWORD} role grant-permission openim-role --prefix=true readwrite / || true
+      etcdctl --endpoints=http://127.0.0.1:2379 --user=$${ETCD_ROOT_USER}:$${ETCD_ROOT_PASSWORD} role grant-permission openim-role --prefix=true readwrite "" || true
+      etcdctl --endpoints=http://127.0.0.1:2379 --user=$${ETCD_ROOT_USER}:$${ETCD_ROOT_PASSWORD} user grant-role $${ETCD_USERNAME} openim-role || true
+
+      tail -f /dev/null
+      '
    restart: always
    networks:
      - openim
@ -106,10 +124,16 @@ services:
      KAFKA_CFG_CONTROLLER_QUORUM_VOTERS: 0@kafka:9093
      KAFKA_CFG_LISTENERS: PLAINTEXT://:9092,CONTROLLER://:9093,EXTERNAL://:9094
      KAFKA_CFG_ADVERTISED_LISTENERS: PLAINTEXT://kafka:9092,EXTERNAL://localhost:19094
-      KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP: CONTROLLER:PLAINTEXT,EXTERNAL:PLAINTEXT,PLAINTEXT:PLAINTEXT
+      KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP: CONTROLLER:PLAINTEXT,EXTERNAL:SASL_PLAINTEXT,PLAINTEXT:SASL_PLAINTEXT
      KAFKA_CFG_CONTROLLER_LISTENER_NAMES: CONTROLLER
      KAFKA_NUM_PARTITIONS: 8
      KAFKA_CFG_AUTO_CREATE_TOPICS_ENABLE: "true"
+
+      KAFKA_CFG_SASL_ENABLED_MECHANISMS: PLAIN
+      KAFKA_CFG_SASL_MECHANISM_INTER_BROKER_PROTOCOL: PLAIN
+      KAFKA_CLIENT_USERS: admin,openIM
+      KAFKA_CLIENT_PASSWORDS: admin-secret,openIM123
+
    networks:
      - openim