From da7943cc649642c0a284f74a50f233d433ec933c Mon Sep 17 00:00:00 2001
From: Monet Lee
Date: Wed, 28 May 2025 17:38:22 +0800
Subject: [PATCH] feat: Implement etcd and kafka auth.

---
.env | 2 +-
config/discovery.yml | 8 ++++----
config/kafka.yml | 16 ++++++++--------
docker-compose.yml | 30 +++++++++++++++++++++++++++---
4 files changed, 40 insertions(+), 16 deletions(-)

diff --git a/.env b/.env
index 0ab998037..2d4dfd4c7 100644
--- a/.env
+++ b/.env
@@ -2,7 +2,7 @@ MONGO_IMAGE=mongo:7.0
REDIS_IMAGE=redis:7.0.0
KAFKA_IMAGE=bitnami/kafka:3.5.1
MINIO_IMAGE=minio/minio:RELEASE.2024-01-11T07-46-16Z
-ETCD_IMAGE=quay.io/coreos/etcd:v3.5.13
+ETCD_IMAGE=bitnami/etcd:3.5.13
PROMETHEUS_IMAGE=prom/prometheus:v2.45.6
ALERTMANAGER_IMAGE=prom/alertmanager:v0.27.0
GRAFANA_IMAGE=grafana/grafana:11.0.1
diff --git a/config/discovery.yml b/config/discovery.yml
index e8d733e9f..f44162022 100644
--- a/config/discovery.yml
+++ b/config/discovery.yml
@@ -1,9 +1,9 @@
enable: etcd
etcd:
rootDirectory: openim
- address: [ localhost:12379 ]
- username: ''
- password: ''
+ address: [localhost:12379]
+ username: "openIM"
+ password: "openIM123"

kubernetes:
namespace: default
@@ -17,4 +17,4 @@ rpcService:
group: group-rpc-service
auth: auth-rpc-service
conversation: conversation-rpc-service
- third: third-rpc-service
\ No newline at end of file
+ third: third-rpc-service
diff --git a/config/kafka.yml b/config/kafka.yml
index fd06ae2bb..54d4f065a 100644
--- a/config/kafka.yml
+++ b/config/kafka.yml
@@ -1,13 +1,13 @@
# Username for authentication
-username: ''
+username: "openIM"
# Password for authentication
-password: ''
+password: "openIM123"
# Producer acknowledgment settings
-producerAck:
+producerAck:
# Compression type to use (e.g., none, gzip, snappy)
compressType: none
# List of Kafka broker addresses
-address: [ localhost:19094 ]
+address: [localhost:19094]
# Kafka topic for Redis integration
toRedisTopic: toRedis
# Kafka topic for MongoDB integration
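Review bot: The new `username: "openIM"` / `password: "openIM123"` lines in config/discovery.yml commit a working etcd credential to the repository, and the same literal password is repeated in config/kafka.yml (`password: "openIM123"`) and in docker-compose.yml (`ETCD_ROOT_PASSWORD`, `ETCD_PASSWORD`, `KAFKA_CLIENT_PASSWORDS`), so every checkout ships the same default and rotating it means editing four files. The compose file already reads `${DATA_DIR}` from .env; the passwords can be declared once there (`ETCD_PASSWORD=<set-per-deployment>`) and referenced from docker-compose, with the YAML config files picking them up from the environment if the config loader supports overrides — I cannot see that from this diff. The endpoint `localhost:12379` is served over plain `http://` per the `ETCD_LISTEN_CLIENT_URLS` context in the compose hunk, so this password crosses the wire unencrypted; a comment on the `password` line saying the value is a development default and must be changed, e.g. `# dev default — override per deployment; sent in clear until etcd TLS is enabled`, would at least make that visible.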
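Review bot: `producerAck:` in the config/kafka.yml hunk is still a bare key after the trailing-space trim, so it parses as `null` rather than an acknowledgment setting, and what the consumer substitutes for null is not visible here. Either write the intended value explicitly or state the fallback in the comment above it, e.g. `# Producer acknowledgment settings (empty = client default)`, so the next reader does not take the empty value for a mistake.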
@@ -29,12 +29,12 @@ tls:
# Enable or disable TLS
enableTLS: false
# CA certificate file path
- caCrt:
+ caCrt:
# Client certificate file path
- clientCrt:
+ clientCrt:
# Client key file path
- clientKey:
+ clientKey:
# Client key password
- clientKeyPwd:
+ clientKeyPwd:
# Whether to skip TLS verification (not recommended for production)
insecureSkipVerify: false
diff --git a/docker-compose.yml b/docker-compose.yml
index 65b4e6625..c433c6cf4 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -75,7 +75,6 @@ services:
- "12380:2380"
environment:
- ETCD_NAME=s1
- - ETCD_DATA_DIR=/etcd-data
- ETCD_LISTEN_CLIENT_URLS=http://0.0.0.0:2379
- ETCD_ADVERTISE_CLIENT_URLS=http://0.0.0.0:2379
- ETCD_LISTEN_PEER_URLS=http://0.0.0.0:2380
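Review bot: Dropping `ETCD_DATA_DIR=/etcd-data` changes where etcd keeps its data while the host path `${DATA_DIR}/components/etcd` is reused in the next hunk as the mount for `/bitnami/etcd`. A store written by the previous quay.io/coreos image at the mount root will not be where the bitnami image looks for it (presumably a subdirectory under `/bitnami/etcd` — to confirm against the image documentation), so an upgraded deployment either starts with an empty keyspace or trips over the old files. A comment on the volume line, e.g. `# bitnami layout differs from the previous coreos image: existing data under components/etcd needs migrating`, or a note in the changelog, would save the next operator the surprise. The etcd service definition starts before this hunk.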
@@ -83,8 +82,27 @@ services:
- ETCD_INITIAL_CLUSTER=s1=http://0.0.0.0:2380
- ETCD_INITIAL_CLUSTER_TOKEN=tkn
- ETCD_INITIAL_CLUSTER_STATE=new
+ - ALLOW_NONE_AUTHENTICATION=no
+ - ETCD_ROOT_USER=root
+ - ETCD_ROOT_PASSWORD=openIM123
+ - ETCD_USERNAME=openIM
+ - ETCD_PASSWORD=openIM123
volumes:
- - "${DATA_DIR}/components/etcd:/etcd-data"
+ - "${DATA_DIR}/components/etcd:/bitnami/etcd"
+ command: |
+ /bin/bash -c '
+ /opt/bitnami/scripts/etcd/entrypoint.sh /opt/bitnami/scripts/etcd/run.sh &
+
+ sleep 10
+
+ etcdctl --endpoints=http://127.0.0.1:2379 --user=$${ETCD_ROOT_USER}:$${ETCD_ROOT_PASSWORD} user add $${ETCD_USERNAME} --new-user-password=$${ETCD_PASSWORD} || true
+ etcdctl --endpoints=http://127.0.0.1:2379 --user=$${ETCD_ROOT_USER}:$${ETCD_ROOT_PASSWORD} role add openim-role || true
+ etcdctl --endpoints=http://127.0.0.1:2379 --user=$${ETCD_ROOT_USER}:$${ETCD_ROOT_PASSWORD} role grant-permission openim-role --prefix=true readwrite / || true
+ etcdctl --endpoints=http://127.0.0.1:2379 --user=$${ETCD_ROOT_USER}:$${ETCD_ROOT_PASSWORD} role grant-permission openim-role --prefix=true readwrite "" || true
+ etcdctl --endpoints=http://127.0.0.1:2379 --user=$${ETCD_ROOT_USER}:$${ETCD_ROOT_PASSWORD} user grant-role $${ETCD_USERNAME} openim-role || true
+
+ tail -f /dev/null
+ '
restart: always
networks:
- openim
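Review bot: The two `role grant-permission openim-role --prefix=true readwrite` lines give the application user read/write over the entire keyspace (`""` with `--prefix=true` already matches every key, so the `/` grant is redundant), which makes `openIM` as powerful as root for data access; config/discovery.yml sets `rootDirectory: openim`, so the grant can be limited to that prefix. The fixed `sleep 10` plus `|| true` on every etcdctl call means a slow start, a wrong root password or a failed grant is silent, and finishing with `tail -f /dev/null` keeps the container "up" after the backgrounded etcd exits, so `restart: always` never fires; polling `endpoint health` and `wait`ing on the server pid fixes both. Passing `--user=$${ETCD_ROOT_USER}:$${ETCD_ROOT_PASSWORD}` on the command line also exposes the root password to anything that can read the process list inside the container, whereas etcdctl reads the same value from `ETCDCTL_USER` in the environment. The `http://` client URLs in the context above this hunk mean all of these passwords travel unencrypted; TLS can be a follow-up, but a comment on `ETCD_LISTEN_CLIENT_URLS` should say so.

```yaml
      command: |
        /bin/bash -c '
        /opt/bitnami/scripts/etcd/entrypoint.sh /opt/bitnami/scripts/etcd/run.sh &
        ETCD_PID=$$!
        # credentials via environment rather than argv, so they do not show in the process list
        export ETCDCTL_ENDPOINTS=http://127.0.0.1:2379 ETCDCTL_USER=$${ETCD_ROOT_USER}:$${ETCD_ROOT_PASSWORD}

        # wait for the server to answer instead of a fixed sleep
        until etcdctl endpoint health >/dev/null 2>&1; do sleep 1; done

        etcdctl user add $${ETCD_USERNAME} --new-user-password=$${ETCD_PASSWORD} || true
        etcdctl role add openim-role || true
        # least privilege: only the prefix under rootDirectory (config/discovery.yml) — TODO confirm the exact key prefix the client builds
        etcdctl role grant-permission openim-role --prefix=true readwrite openim/
        etcdctl user grant-role $${ETCD_USERNAME} openim-role

        # stay attached to the server so its exit stops the container and restart: always applies
        wait $$ETCD_PID
        '
```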
@@ -106,10 +124,16 @@ services:
KAFKA_CFG_CONTROLLER_QUORUM_VOTERS: 0@kafka:9093
KAFKA_CFG_LISTENERS: PLAINTEXT://:9092,CONTROLLER://:9093,EXTERNAL://:9094
KAFKA_CFG_ADVERTISED_LISTENERS: PLAINTEXT://kafka:9092,EXTERNAL://localhost:19094
- KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP: CONTROLLER:PLAINTEXT,EXTERNAL:PLAINTEXT,PLAINTEXT:PLAINTEXT
+ KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP: CONTROLLER:PLAINTEXT,EXTERNAL:SASL_PLAINTEXT,PLAINTEXT:SASL_PLAINTEXT
KAFKA_CFG_CONTROLLER_LISTENER_NAMES: CONTROLLER
KAFKA_NUM_PARTITIONS: 8
KAFKA_CFG_AUTO_CREATE_TOPICS_ENABLE: "true"
+
+ KAFKA_CFG_SASL_ENABLED_MECHANISMS: PLAIN
+ KAFKA_CFG_SASL_MECHANISM_INTER_BROKER_PROTOCOL: PLAIN
+ KAFKA_CLIENT_USERS: admin,openIM
+ KAFKA_CLIENT_PASSWORDS: admin-secret,openIM123
+
networks:
- openim
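Review bot: The new listener map puts `SASL_PLAINTEXT` with mechanism `PLAIN` on the `EXTERNAL` listener advertised as `localhost:19094`, so the `openIM123` password is sent base64-encoded, not encrypted, to every client on the host-published port; `SASL_SSL` (or keeping that listener off the host) is what makes the credential worth having. `KAFKA_CFG_SASL_MECHANISM_INTER_BROKER_PROTOCOL: PLAIN` implies the `PLAINTEXT://kafka:9092` listener, now mapped to `SASL_PLAINTEXT`, is also the inter-broker one, and if I remember the bitnami image correctly that credential comes from `KAFKA_INTER_BROKER_USER`/`KAFKA_INTER_BROKER_PASSWORD`, which are not set here, so the image's defaults would apply — worth confirming against the image documentation. `KAFKA_CLIENT_USERS: admin,openIM` with `admin-secret` hard-codes a second, guessable credential; both passwords belong in .env, as the compose file already does for `DATA_DIR`. The `CONTROLLER` listener staying `PLAINTEXT` is defensible for this single-voter KRaft node (`0@kafka:9093`) but deserves a comment so it is not read as an oversight.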