This is an automated email from the ASF dual-hosted git repository.
albumenj pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/dubbo-website.git
The following commit(s) were added to refs/heads/master by this push:
new caded9f57f4 Translate part of core-features documents (#2840)
caded9f57f4 is described below
commit caded9f57f4bd6e29a253dfc97597fae26d59edd
Author: namelessssssssssss
<[email protected]>
AuthorDate: Fri Oct 20 15:30:58 2023 +0800
Translate part of core-features documents (#2840)
* Translate protocols.md
* Translate security.md & service-mesh.md
* Translate more.md
---
content/en/overview/core-features/more.md | 71 ++++++++++++++++-
content/en/overview/core-features/security.md | 93 ++++++++++++++++++++++-
content/en/overview/core-features/service-mesh.md | 81 ++++++++++++++++++--
3 files changed, 230 insertions(+), 15 deletions(-)
diff --git a/content/en/overview/core-features/more.md
b/content/en/overview/core-features/more.md
index 8093f4f263e..aff57e63525 100644
--- a/content/en/overview/core-features/more.md
+++ b/content/en/overview/core-features/more.md
@@ -1,7 +1,70 @@
---
+description: Advanced Features Guide
+linkTitle: More Advanced Features
+title: More Advanced Features
type: docs
-title: "更多高级功能"
-linkTitle: "更多高级功能"
-weight: 100
-description: ""
+weight: 11
---
+
+As a microservice framework closely related to application development and
aimed at providing enterprise-level service governance capabilities, Dubbo
offers a variety of advanced features covering service call behavior control,
service diagnostics and tuning, and service governance.
+
+Different language SDKs may have slight variations in feature implementation
and configuration methods. For a specific list of features and usage, refer to
the following documents:
+* [Java](/zh-cn/overview/mannual/java-sdk/advanced-features-and-usage/)
+* [Golang](/zh-cn/overview/mannual/golang-sdk/tutorial/)
+
+## Controlling Service Invocation Behavior
+* Service Versions
+* Service Groups
+* Group Aggregation
+* Asynchronous Invocation
+* Asynchronous Execution
+* Streaming Communication
+* Reactive Programming
+* Generic Invocation
+* Generic Implementation
+* Passing Implicit Parameters in Call Chain
+* RPC Call Context
+* Invocation Event Notifications
+* Server Callbacks to Client
+* Subscribe Only
+* Register Only
+* Runtime Dynamic IP Specification
+* Direct Provider Connection
+* Startup Checks
+* Local Invocation
+* Parameter Validation
+* Local Mocking
+* Local Stubs
+* Echo Tests
+* Invocation Information Logging
+* Delayed Exposure
+* Cluster Fault Tolerance
+* Service Degradation
+
+## Diagnostics and Tuning
+* Port Protocol Multiplexing
+* Thread Pool Isolation
+* Multiple Protocols
+* Multiple Registry Centers
+* Request Latency Sampling
+* Thread Models
+* Service Reference Configuration Object Caching
+* Route State Collection
+* Load Balancing
+* Simplified Registration Information
+* Invocation Result Caching
+* Concurrency Control
+* Connection Control
+* Delayed Connections
+* Sticky Connections
+* Graal VM Support
+* Exporting Thread Stack Trace
+* Kryo and FST Serialization
+* Custom Service Container
+* Graceful Shutdown
+* Custom Host Address Exposure
+* Consistent Hashing
+* Logging Framework Adaptation and Runtime Management
+* Kubernetes Lifecycle Probes
+
+These features are designed to provide more control and flexibility in a
microservices environment. They can help improve system reliability, enhance
performance, and ease the process of deploying, managing, and scaling
applications.
diff --git a/content/en/overview/core-features/security.md
b/content/en/overview/core-features/security.md
index a3a9160b146..deeb6bb2155 100644
--- a/content/en/overview/core-features/security.md
+++ b/content/en/overview/core-features/security.md
@@ -1,11 +1,98 @@
---
type: docs
-title: "认证鉴权"
-linkTitle: "认证鉴权"
+title: "Authentication"
+linkTitle: "Authentication"
weight: 70
-description: ""
+description: |
+ Offers TLS-based transport layer authentication and encrypted communication,
as well as request-based authorization, to help build a Zero Trust distributed
microservices system.
feature:
title: Zero-trust Security
description: >
It supports TLS-based transmission link authentication and encrypted
communication, as well as permission verification based on request identity,
helping to build a zero-trust distributed microservice system.
---
+
+Dubbo provides comprehensive mechanisms to build a secure microservices
communication system, also known as a Zero Trust system. This includes:
+* Preventing man-in-the-middle attacks by offering identity authentication
(Authentication) and TLS-based encrypted communication.
+* Controlling inter-service access authorization (Authorization) with
mechanisms like mTLS and permission checks.
+
+This document will guide you through leveraging Dubbo's security features to
build a Zero Trust system for your microservices, focusing on authentication,
transparent encryption, authorization, and auditing. Since Zero Trust is a
comprehensive approach, you may need another infrastructure, such as
certificate management and security policy control.
+
+> **Note**: The scope of this document does not include certificate generation
and distribution. We assume you already have an infrastructure in place for
certificate management. Hence, we will focus on Dubbo's authentication and
authorization mechanisms and processes. If you lack such infrastructure, we
recommend using a service mesh architecture like Istio for certificate
management and security policies.
+
+## Architecture
+
+A complete Zero Trust system comprises multiple components:
+
+* A Root Certificate Authority (CA) to manage keys and certificates.
+* A security policy management and distribution center to send real-time
policies to data plane components:
+ * Authentication policies
+ * Authorization policies
+ * Secure Naming Information
+* Data plane components (Dubbo) responsible for identification, encryption,
and policy enforcement.
+* A suite of tools and ecosystems to complete security audits and data link
monitoring.
+
+In a service mesh deployment like Istio, the control plane typically handles
security policies and certificates, interacting with infrastructure like the
Kubernetes API Server to distribute configuration data to Dubbo or other data
plane components.
+
+Here is a comprehensive architecture diagram for Dubbo Zero Trust:
+
+
+
+## Authentication
+
+Dubbo provides two modes of authentication:
+
+* **Channel Authentication**: Dubbo supports TLS-based HTTP/2 and TCP
communication. You can enable TLS through Channel Authentication API or control
plane policies for server identity authentication and data link encryption.
Additionally, you can enable mTLS for client-server mutual authentication. This
is a service-to-service mode of authentication.
+* **Request Authentication**: Dubbo offers APIs to attach user identity
credentials (like JWT tokens) in the request context. Dubbo automatically
recognizes these identity tokens for permission checks. You can also customize
these tokens, like OAuth2 access tokens. This is an end-user mode of
authentication, representing the identity of the user logged into the system.
+
+### Architecture
+
+In Istio mode, Dubbo's authentication mechanism automatically interfaces with
the Istio control plane through xDS. Certificates and authentication policies
generated by the Istio control plane are automatically sent to the Dubbo data
plane, which applies them to all subsequent data communications.
+
+
+
+#### Dubbo mTLS Flow
+
+In Istio deployments, you can enable or disable Channel Authentication's
mutual authentication through control plane policies. The workflow for mutual
authentication is as follows:
+
+1. Istio sends authentication policies to enable mutual authentication.
+2. The Dubbo client initiates a mutual TLS handshake with the server,
performing a secure naming check to validate the server's identity.
+3. A mutual mTLS link is established between the client and server for
encrypted communication.
+4. The Dubbo server recognizes the client's identity and checks whether it has
the permission to access the corresponding resource.
+
+### Authentication Policies
+For specific rules supported by Istio, Dubbo fully supports Istio-defined
authentication policies.
+
+[Read
More](https://istio.io/latest/docs/concepts/security/#authentication-policies)
+
+## Authorization
+
+Dubbo has abstracted an authorization extension mechanism but currently only
supports the Istio system. Thus, its authorization capabilities are equivalent
to those described in the official Istio documentation.
+
+[Read More](https://istio.io/latest/docs/concepts/security/#authorization)
+
+### Architecture
+
+Dubbo receives user-configured authorization policies from the Istio control
plane through xDS. When a request reaches a Dubbo instance, the built-in
authorization engine matches the request parameters and user identity against
the policy. If the match is successful, access is granted; otherwise, it's
denied.
+
+
+
+### Authorization Policies
+For specific rules supported by Istio, Dubbo fully supports Istio-defined
authorization policies.
+
+[Read
More](https://istio.io/latest/docs/concepts/security/#authorization-policies)
+
+## Dubbo Authentication API
+
+Dubbo defines an authentication API. For general use cases, developers can
enable TLS/mTLS through this API. However, in an Istio control plane
deployment, Dubbo automatically recognizes the certificates and authentication
policies sent by Istio, so no special configuration is needed on the Dubbo side.
+
+Whether or not you use the Istio control plane, JWT tokens for Request
Authentication still need to be specified programmatically in Dubbo.
+
+For language-specific API definitions, please refer to the respective SDK
documentation:
+* [Java](/)
+* [Go](/)
+* [Rust](/)
+* [Node.js](/)
+
+## Sample Tasks
+
+Please visit the following [Dubbo Task Examples](/) for hands-on practice with
security policies.
diff --git a/content/en/overview/core-features/service-mesh.md
b/content/en/overview/core-features/service-mesh.md
index 685f2cec8ef..21e50930b19 100644
--- a/content/en/overview/core-features/service-mesh.md
+++ b/content/en/overview/core-features/service-mesh.md
@@ -1,11 +1,76 @@
---
-type: docs
-title: "服务网格"
-linkTitle: "服务网格"
-weight: 80
-description: ""
+description: Service Mesh
feature:
- title: Service Mesh
- description: >
- Flexible data plane (Proxy & Proxyless) deployment support, seamless
access to the Istio control plane governance system.
+ description: |
+ Flexible data plane (Proxy & Proxyless) deployment options, seamlessly
integrating with the Istio control plane governance ecosystem.
+ title: Service Mesh
+linkTitle: Service Mesh
+title: Service Mesh
+type: docs
+weight: 9
+working-in-progress: true
---
+
+Dubbo Mesh is Dubbo's comprehensive microservices solution in a cloud-native
context. It helps developers integrate Dubbo services with standard Kubernetes
Native Service systems, enabling seamless connectivity with leading service
mesh products like Istio.
+
+Below is the deployment architecture diagram for Dubbo Mesh.
+
+
+
+* Control Plane: Istio serves as the unified control plane, providing
cluster-wide capabilities like Kubernetes adaptation, service discovery,
certificate management, observability, and traffic management.
+* Data Plane: Dubbo application instances act as data plane components and
support two deployment modes:
+ * Proxy Mode: Dubbo and Envoy are deployed in the same pod, and all
traffic to and from Dubbo is intercepted and managed by Envoy.
+ * Proxyless Mode: Dubbo instances are deployed independently,
communicating directly with each other and interacting directly with the
control plane via the xDS protocol.
+
+For general content on service mesh architecture and why you might want to
integrate with the Istio control plane, please refer to the [Istio official
website](https://istio.io/). This document will focus on the Dubbo Mesh
solution itself.
+
+## Dubbo Mesh
+
+### Proxy Mesh
+In Proxy mode, Dubbo is deployed alongside a sidecar like Envoy.
+
+
+
+The architecture diagram above depicts Dubbo Proxy Mesh deployment:
+* Dubbo and Envoy are deployed in the same pod, with Istio managing traffic
and governance.
+* Dubbo provides programming APIs and RPC communication capabilities for
business applications, while other capabilities like address discovery, load
balancing, and routing are delegated to Envoy, which intercepts all incoming
and outgoing traffic.
+* The control plane distributes configurations to Envoy via the xDS protocol,
as indicated by the dashed lines in the diagram.
+
+In Proxy mode, using Dubbo3 communication layers like Triple, gRPC, and REST
that are based on HTTP can result in better gateway penetration and performance.
+
+### Proxyless Mesh
+In Proxyless mode, there are no proxy components like Envoy. Dubbo's processes
are deployed independently and communicate directly. Istio's control plane
interacts with Dubbo processes for governance via the xDS protocol.
+
+
+
+In Proxyless mode, Dubbo deployment is basically the same as before, but the
Dubbo3 SDKs directly implement xDS protocol parsing.
+
+#### Why Proxyless Mesh?
+
+While Proxy mode offers many advantages, such as smooth upgrades,
multi-language support, and minimal business intrusion, it also introduces some
challenges:
+* Sidecar communication adds extra performance overhead, especially noticeable
in complex network topologies.
+* The presence of a sidecar complicates application lifecycle management.
+* Not all environments can accommodate Sidecar deployment and request
interception.
+
+In Proxyless mode, Dubbo processes continue to communicate directly:
+* There is no additional Proxy-related overhead, making it more suitable for
performance-sensitive applications.
+* It simplifies legacy system migration.
+* The architecture is simple and easy to manage.
+* It is suitable for almost all deployment environments.
+
+## Sample Tasks
+After acquiring sufficient theoretical knowledge, we recommend that you visit
the following [examples](/en/overview/tasks/mesh) for hands-on practice.
+
+## Visualization
+We recommend using [Dubbo Admin](/zh-cn/overview/tasks/deploy) as the
visualization console for your Dubbo cluster. It is compatible with all
Kubernetes, Mesh, and non-Mesh architecture deployments.
+
+Additionally, you can use [Istio's official recommended visualization
tools](https://istio.io/latest/docs/tasks/observability/kiali/) to manage your
Dubbo Mesh cluster.
+
+## Integration with Non-Istio Control Planes
+Dubbo Mesh itself is not tied to any control plane product implementation. You
can use Istio, Linkerd, Kuma, or any control plane product that supports the
xDS protocol. The same applies to Sidecars.
+
+If you have already experienced the [Dubbo Mesh based on Istio](/) sample
tasks and find that Istio meets your governance needs for Dubbo Mesh, then
adopting Istio as your control plane is the preferred solution.
+
+If you find that Dubbo's capabilities are limited in Istio mode and need those
capabilities, you may consider integrating Dubbo's control plane to replace
Istio for better native Dubbo support and performance. For details, please
refer to [Dubbo Mesh Sample Tasks based on Custom Dubbo Control Plane](/).
+
+> In short, this is a customized version of the control plane released by the
Dubbo community based on Istio. For installation and capability differences of
Dubbo's control plane, please refer to the sample task link above.
