How to realize the integration of gray routing and traffic protection based on Nacos and Sentinel

2025-04-04 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

On the basis of its grayscale release and routing functions, the Nepxion Discovery framework combines Nacos and Sentinel to add another layer of traffic protection, which gives better enterprise-level control over traffic security. Its functions include:

- Encapsulating the reading logic for the remote configuration center and the local rule file: the remote configuration is read first; if it is absent or its rules are malformed, the local rule file is read instead.
- Dynamic hot refresh of rules from the remote configuration center. NacosDataSource and ApolloDataSource are wrapped so that both Nacos and Apollo are supported and Sentinel works with zero code. For other remote configuration centers, refer to Sentinel's official DataSource implementations.
- Integration of the native flow control rules, degradation rules, authorization rules, system rules and hot parameter flow control rules.
- An extension mechanism for LimitApp that implements combined protection through dynamic HTTP headers, including protection based on service name, grayscale group, grayscale version, grayscale region, and machine address and port. Any combination of business parameters is supported; for example, the microservice's grayscale version number combined with the user name can drive circuit breaking.
- Rule writing on the microservice side through Actuator, Swagger and REST, and batch rule writing by service name on the console side through Actuator, Swagger and REST.
- A switch for all of the above: spring.application.strategy.sentinel.enabled=true. It is off by default.

[Nacos] A new generation of middleware developed by Alibaba's middleware department that integrates a service registry and discovery center with a configuration center. It is a service infrastructure for building modern service-centric application architectures (such as the microservice and cloud-native paradigms), supports the discovery, configuration and management of almost all mainstream types of "services", and makes microservice platforms more agile and easier to build, deliver and manage.

[Sentinel] A new generation of middleware developed by Alibaba's middleware department that takes traffic as its entry point: a traffic guard for distributed systems that protects service stability along several dimensions, such as flow control, circuit breaking and degradation, and system load protection. It has carried Alibaba's core traffic scenarios of the past 10 years of November 11 promotions, such as flash sales (burst traffic control within the range of system capacity), message peak shaving and valley filling, cluster flow control, and real-time circuit breaking of unavailable downstream applications.

Environment construction and dependency introduction

On the server side, on top of the Discovery framework's original dependencies, add the following dependencies:

```xml
<dependency>
    <groupId>com.nepxion</groupId>
    <artifactId>discovery-plugin-strategy-starter-service-sentinel</artifactId>
    <version>${discovery.version}</version>
</dependency>
<dependency>
    <groupId>com.nepxion</groupId>
    <artifactId>discovery-plugin-strategy-sentinel-starter-nacos</artifactId>
    <version>${discovery.version}</version>
</dependency>
```

Native Sentinel annotations

Refer to the following code: add the @SentinelResource annotation to the interface method, where value is the resource name (sentinel-resource), blockHandler is the method executed when Sentinel blocks the call, and fallback is the method executed when the call itself fails, so that the effect of either is contained:

```java
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;

import com.alibaba.csp.sentinel.annotation.SentinelResource;
import com.alibaba.csp.sentinel.slots.block.BlockException;
import com.nepxion.discovery.common.constant.DiscoveryConstant;

// AbstractFeignImpl and BFeign are the guide project's own classes (same package assumed).
@RestController
@ConditionalOnProperty(name = DiscoveryConstant.SPRING_APPLICATION_NAME, havingValue = "discovery-guide-service-b")
public class BFeignImpl extends AbstractFeignImpl implements BFeign {
    private static final Logger LOG = LoggerFactory.getLogger(BFeignImpl.class);

    // blockHandler runs when Sentinel blocks the call (a flow, degrade, authority, system or
    // hot-parameter rule was hit); fallback runs when the business logic itself throws.
    @Override
    @SentinelResource(value = "sentinel-resource", blockHandler = "handleBlock", fallback = "handleFallback")
    public String invoke(@PathVariable(value = "value") String value) {
        value = doInvoke(value);
        LOG.info("call path: {}", value);
        return value;
    }

    // Same parameter list as invoke, plus a trailing BlockException.
    public String handleBlock(String value, BlockException e) {
        return value + " -> B server sentinel block, cause=" + e.getClass().getName()
                + ", rule=" + e.getRule() + ", limitApp=" + e.getRuleLimitApp();
    }

    public String handleFallback(String value) {
        return value + " -> B server sentinel fallback";
    }
}
```

Key format of native Sentinel rules

The Sentinel rules that the service subscribes to in the configuration center use the following keys:

1. Nacos: Group is the [group name] configured in metadata, and Data Id is [service name]-[rule type].
2. Apollo: [group name]-[service name]-[rule type].

For how Sentinel rules are used, refer to the official Sentinel documentation.

Flow control rules

Add a rule for service discovery-guide-service-b with Group discovery-guide-group and Data Id discovery-guide-service-b-sentinel-flow. The rule is as follows:

```json
[{"resource": "sentinel-resource", "limitApp": "default", "grade": 1, "count": 1, "strategy": 0, "refResource": null, "controlBehavior": 0, "warmUpPeriodSec": 10, "maxQueueingTimeMs": 500, "clusterMode": false, "clusterConfig": null}]
```

as shown in the figure.
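The key formats and the remote-first, local-fallback reading order described above, as an added example written for this page (not Nepxion Discovery's own code). The in-memory REMOTE and LOCAL stores are constructed stand-ins for a Nacos configuration center and a local rule file; the required-field sets are taken from the rule samples on this page and are an assumption about what counts as a "rule error".

```python
"""Remote-first, local-fallback Sentinel rule loading (model, not Nepxion's code)."""
import json

# Fields a rule of each type must carry; derived from the samples on this page (assumption).
REQUIRED_FIELDS = {
    "sentinel-flow": {"resource", "limitApp", "grade", "count", "strategy", "controlBehavior"},
    "sentinel-degrade": {"resource", "limitApp", "count", "timeWindow", "grade"},
    "sentinel-authority": {"resource", "limitApp", "strategy"},
    "sentinel-system": {"highestSystemLoad", "highestCpuUsage", "qps", "avgRt", "maxThread"},
    "sentinel-param-flow": {"resource", "limitApp", "grade", "paramIdx", "count"},
}


def nacos_key(group, service, rule_type):
    """Nacos: Group is the metadata group name, Data Id is [service]-[rule type]."""
    return group, f"{service}-{rule_type}"


def apollo_key(group, service, rule_type):
    """Apollo: a single key [group]-[service]-[rule type]."""
    return f"{group}-{service}-{rule_type}"


def parse_rules(text, rule_type):
    """Return the rule list, or None when the text is missing, not JSON, or lacks required fields."""
    if text is None:
        return None
    try:
        rules = json.loads(text)
    except json.JSONDecodeError:
        return None
    if not isinstance(rules, list) or not rules:
        return None
    required = REQUIRED_FIELDS[rule_type]
    for rule in rules:
        if not isinstance(rule, dict) or not required.issubset(rule):
            return None
    return rules


def load_rules(remote_get, local_get, group, service, rule_type):
    """Remote first; on a missing or malformed remote entry fall back to the local file.
    Returns (source, rules) where source is "remote", "local" or "none"."""
    nacos_group, data_id = nacos_key(group, service, rule_type)
    rules = parse_rules(remote_get(nacos_group, data_id), rule_type)
    if rules is not None:
        return "remote", rules
    rules = parse_rules(local_get(rule_type), rule_type)
    if rules is not None:
        return "local", rules
    return "none", []


# Constructed sample stores. The remote degrade entry is deliberately broken (missing comma)
# to exercise the fallback, and there is no remote system rule at all.
REMOTE = {
    ("discovery-guide-group", "discovery-guide-service-b-sentinel-flow"):
        '[{"resource": "sentinel-resource", "limitApp": "default", "grade": 1, "count": 1, '
        '"strategy": 0, "controlBehavior": 0, "clusterMode": false}]',
    ("discovery-guide-group", "discovery-guide-service-b-sentinel-degrade"):
        '[{"resource": "sentinel-resource" "limitApp": "default", "count": 2}]',
}
LOCAL = {
    "sentinel-degrade":
        '[{"resource": "sentinel-resource", "limitApp": "default", "count": 2, "timeWindow": 10, "grade": 0}]',
}


def demo(rule_type):
    """Load one rule type for discovery-guide-service-b from the constructed stores."""
    return load_rules(lambda g, d: REMOTE.get((g, d)), LOCAL.get,
                      "discovery-guide-group", "discovery-guide-service-b", rule_type)


if __name__ == "__main__":
    for rule_type in ("sentinel-flow", "sentinel-degrade", "sentinel-system"):
        print(rule_type, demo(rule_type))
```

The point worth noticing is that a syntactically valid but incomplete remote rule is treated the same as a missing one: silently accepting a half-formed rule would leave the resource unprotected while the configuration center reports success.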

Degradation rules

Add a rule for service discovery-guide-service-b with Group discovery-guide-group and Data Id discovery-guide-service-b-sentinel-degrade. The rule is as follows:

```json
[{"resource": "sentinel-resource", "limitApp": "default", "count": 2, "timeWindow": 10, "grade": 0, "passCount": 0}]
```

as shown in the figure.

Authorization rules

Add a rule for service discovery-guide-service-b with Group discovery-guide-group and Data Id discovery-guide-service-b-sentinel-authority. The rule is as follows:

```json
[{"resource": "sentinel-resource", "limitApp": "discovery-guide-service-a", "strategy": 0}]
```

as shown in the figure.

System rules

Add a rule for service discovery-guide-service-b with Group discovery-guide-group and Data Id discovery-guide-service-b-sentinel-system. The rule is as follows:

```json
[{"resource": null, "limitApp": null, "highestSystemLoad": -1.0, "highestCpuUsage": -1.0, "qps": 200.0, "avgRt": -1, "maxThread": -1}]
```

as shown in the figure.

Hot parameter flow control rules

Add a rule for service discovery-guide-service-b with Group discovery-guide-group and Data Id discovery-guide-service-b-sentinel-param-flow. The rule is as follows:

```json
[{"resource": "sentinel-resource", "limitApp": "default", "grade": 1, "paramIdx": 0, "count": 1, "controlBehavior": 0, "maxQueueingTimeMs": 0, "burstCount": 0, "durationInSec": 1, "paramFlowItemList": [], "clusterMode": false}]
```

as shown in the figure.

Protection mechanism based on grayscale routing and the Sentinel LimitApp extension

This mechanism applies to all five rule types above; authorization rules are used here to explain it. In an authorization rule, multiple limitApp values are separated by ",". "strategy": 0 means whitelist and "strategy": 1 means blacklist.

Protection based on service name

Set the configuration item Sentinel Request Origin Key to the Header name of the service name, and set limitApp in the authorization rule to the corresponding service name. This configuration item defaults to n-d-service-id, so it does not need to be configured:

spring.application.strategy.service.sentinel.request.origin.key=n-d-service-id

Add a rule for service discovery-guide-service-b with Group discovery-guide-group and Data Id discovery-guide-service-b-sentinel-authority. The rule below means that all discovery-guide-service-a services are allowed to access discovery-guide-service-b:

```json
[{"resource": "sentinel-resource", "limitApp": "discovery-guide-service-a", "strategy": 0}]
```

Protection based on grayscale group

Set the configuration item Sentinel Request Origin Key to the Header name of the grayscale group, and set limitApp in the authorization rule to the corresponding group name:

spring.application.strategy.service.sentinel.request.origin.key=n-d-service-group

Add a rule for service discovery-guide-service-b with Group discovery-guide-group and Data Id discovery-guide-service-b-sentinel-authority. The rule below means that all services belonging to the group my-group are allowed to access discovery-guide-service-b:

```json
[{"resource": "sentinel-resource", "limitApp": "my-group", "strategy": 0}]
```

Protection based on grayscale version

Set the configuration item Sentinel Request Origin Key to the Header name of the grayscale version, and set limitApp in the authorization rule to the corresponding version:

spring.application.strategy.service.sentinel.request.origin.key=n-d-service-version

Add a rule for service discovery-guide-service-b with Group discovery-guide-group and Data Id discovery-guide-service-b-sentinel-authority. The rule below means that all services with version 1.0 are allowed to access discovery-guide-service-b:

```json
[{"resource": "sentinel-resource", "limitApp": "1.0", "strategy": 0}]
```

Protection based on grayscale region

Set the configuration item Sentinel Request Origin Key to the Header name of the grayscale region, and set limitApp in the authorization rule to the corresponding region:

spring.application.strategy.service.sentinel.request.origin.key=n-d-service-region

Add a rule for service discovery-guide-service-b with Group discovery-guide-group and Data Id discovery-guide-service-b-sentinel-authority. The rule below means that all services in region dev are allowed to access discovery-guide-service-b:

```json
[{"resource": "sentinel-resource", "limitApp": "dev", "strategy": 0}]
```

Protection based on machine address and port

Set the configuration item Sentinel Request Origin Key to the Header name of the machine address and port, and set limitApp in the authorization rule to the corresponding address values:

spring.application.strategy.service.sentinel.request.origin.key=n-d-service-address

Add a rule for service discovery-guide-service-b with Group discovery-guide-group and Data Id discovery-guide-service-b-sentinel-authority. The rule below means that services at addresses and ports 192.168.0.88:8081 and 192.168.0.88:8082 are allowed to access discovery-guide-service-b:

```json
[{"resource": "sentinel-resource", "limitApp": "192.168.0.88:8081,192.168.0.88:8082", "strategy": 0}]
```

Combined protection for custom business parameters

Implement combined circuit breaking on version number + user name through an adapter class:

```java
import javax.servlet.http.HttpServletRequest;

import com.nepxion.discovery.common.constant.DiscoveryConstant;

// DefaultServiceSentinelRequestOriginAdapter comes from the Discovery Sentinel strategy plugin
// introduced in the dependency section; import it from that module.
// The parsed origin is what Sentinel matches against limitApp in the authorization rule.
public class MyServiceSentinelRequestOriginAdapter extends DefaultServiceSentinelRequestOriginAdapter {
    @Override
    public String parseOrigin(HttpServletRequest request) {
        String version = request.getHeader(DiscoveryConstant.N_D_SERVICE_VERSION);
        String user = request.getHeader("user");
        // Origin format must match the limitApp written in the rule: [version]&[user]
        return version + "&" + user;
    }
}
```

Register it as a @Bean in the configuration class:

```java
@Bean
public ServiceSentinelRequestOriginAdapter serviceSentinelRequestOriginAdapter() {
    return new MyServiceSentinelRequestOriginAdapter();
}
```

Add a rule for service discovery-guide-service-b with Group discovery-guide-group and Data Id discovery-guide-service-b-sentinel-authority. The rule below means that only calls whose passed Http Header carries user=zhangsan and whose version is 1.0 are allowed; all services satisfying both conditions may access discovery-guide-service-b:

```json
[{"resource": "sentinel-resource", "limitApp": "1.0&zhangsan", "strategy": 0}]
```

When the passed Http Header carries user=zhangsan, the full-link call goes from the API gateway through load balancing to version 1.0 of the discovery-guide-service-a service and then calls the discovery-guide-service-b service successfully, as shown in the figure.

When the passed Http Header carries user=lisi, the condition is not met and the call is finally rejected on the discovery-guide-service-b server, as shown in the figure.

When the passed Http Header carries user=zhangsan but the full-link call goes from the API gateway through load balancing to version 1.1 of the discovery-guide-service-a service, only one of the two conditions is satisfied: version 1.1 does not meet the version=1.0 condition, so the call is finally rejected on the discovery-guide-service-b server, as shown in the figure.
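The whitelist/blacklist matching that the three scenarios above exercise, as an added example written for this page rather than Sentinel's or Nepxion Discovery's own code. It models an authorization rule as (resource, limitApp, strategy), takes the request origin either from a single header named by the origin key or from the version&user combination of the adapter above, and goes one step beyond the page by also showing a comma-separated blacklist on the address origin. The header names n-d-service-version, user and n-d-service-address, and the sample requests, are constructed assumptions.

```python
"""Authority-rule matching with a pluggable origin parser (model, not Sentinel's code)."""
from dataclasses import dataclass

WHITELIST = 0  # "strategy": 0
BLACKLIST = 1  # "strategy": 1


@dataclass
class AuthorityRule:
    resource: str
    limitApp: str   # one origin, or several separated by ","
    strategy: int

    def origins(self):
        return {o.strip() for o in self.limitApp.split(",") if o.strip()}


def header_origin(origin_key):
    """Origin taken from the single header selected by
    spring.application.strategy.service.sentinel.request.origin.key (assumed header name)."""
    return lambda headers: headers.get(origin_key, "")


def version_user_origin(headers):
    """Combined origin in the same [version]&[user] shape as the adapter class above."""
    return f"{headers.get('n-d-service-version', '')}&{headers.get('user', '')}"


def authority_pass(rules, resource, origin):
    """True unless some authority rule for this resource rejects the origin:
    a whitelist rejects origins it does not list, a blacklist rejects origins it lists."""
    for rule in rules:
        if rule.resource != resource:
            continue
        hit = origin in rule.origins()
        if rule.strategy == WHITELIST and not hit:
            return False
        if rule.strategy == BLACKLIST and hit:
            return False
    return True


def check_request(rules, resource, headers, parse_origin):
    return authority_pass(rules, resource, parse_origin(headers))


# Constructed rules: the combined rule from the page, plus an address blacklist.
COMBINED_RULES = [AuthorityRule("sentinel-resource", "1.0&zhangsan", WHITELIST)]
ADDRESS_RULES = [AuthorityRule("sentinel-resource", "192.168.0.88:8081,192.168.0.88:8082", BLACKLIST)]


def combined_scenarios():
    """The three calls described above, evaluated against the 1.0&zhangsan whitelist."""
    res = "sentinel-resource"
    return {
        "zhangsan@1.0": check_request(COMBINED_RULES, res, {"n-d-service-version": "1.0", "user": "zhangsan"}, version_user_origin),
        "lisi@1.0": check_request(COMBINED_RULES, res, {"n-d-service-version": "1.0", "user": "lisi"}, version_user_origin),
        "zhangsan@1.1": check_request(COMBINED_RULES, res, {"n-d-service-version": "1.1", "user": "zhangsan"}, version_user_origin),
    }


def address_scenarios():
    """Blacklist on the address origin: listed instances are rejected, others pass."""
    parse = header_origin("n-d-service-address")
    return {
        "8081": check_request(ADDRESS_RULES, "sentinel-resource", {"n-d-service-address": "192.168.0.88:8081"}, parse),
        "9090": check_request(ADDRESS_RULES, "sentinel-resource", {"n-d-service-address": "192.168.0.88:9090"}, parse),
    }


if __name__ == "__main__":
    print(combined_scenarios())
    print(address_scenarios())
```

Because the origin is whatever the adapter reads from request headers, the protection is only as strong as the trust placed in those headers: they should be set by the gateway or the framework's own propagation, not accepted from arbitrary external callers.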

Sentinel rule push based on Swagger comes in two forms: push to a single service instance, and push to all instances of a service by service name. For a single service instance, open the Swagger home page of that service instance directly, as shown in the figure.

For Sentinel rule push to all service instances of a service name, enable the discovery-console service and open its Swagger home page, as shown in the figure.

Authors: Ren Haojun, more than 10 years of open source experience, Github ID @HaojunRen, founder of the Nepxion open source community, Nacos Group Member, Spring Cloud Alibaba & Nacos & Sentinel Committer; formerly worked in the Platform Architecture Department of Ping An Bank, responsible for the research and development of the basic service framework of the bank's PaaS system. Wang Weihua, more than 10 years of Java development, Github ID @vipweihua, has researched microservice architecture for many years and currently focuses on microservice gateways, rate limiting and circuit breaking, grayscale routing, etc.; now works in the Platform Architecture Department of Ping An Bank on the research and development of the basic service framework of the bank's PaaS system.

This article is original content of the Yunqi community and may not be reproduced without permission.
