[servicecomb-service-center] branch master updated: upgrade etcd client v3 (#649)

[tianxiaoliang]

This is an automated email from the ASF dual-hosted git repository.

tianxiaoliang pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/servicecomb-service-center.git


The following commit(s) were added to refs/heads/master by this push:
     new bd88a19  upgrade etcd client v3 (#649)
bd88a19 is described below

commit bd88a191b2177631c0c51202462718727e9b5748
Author: Shawn <xiaoliang.t...@gmail.com>
AuthorDate: Sat Jun 27 18:18:12 2020 +0800

    upgrade etcd client v3 (#649)
---
 .travis.yml                                        |   2 -
 docs/conf.py                                       |  90 ++++++------
 docs/user-guides.rst                               |   1 +
 docs/user-guides/rbac.md                           |  53 +++++++
 examples/etcd_data_struct.yaml                     |  17 +++
 go.mod                                             |  28 ++--
 integration/schema_test.go                         |   2 +-
 pkg/client/sc/apis.go                              |   2 +-
 pkg/client/sc/instance.go                          |   2 +-
 pkg/client/sc/microservice.go                      |   2 +-
 pkg/client/sc/schema.go                            |   2 +-
 pkg/client/sc/watch.go                             |   2 +-
 server/main.go => pkg/model/account.go             |  12 +-
 scctl/pkg/plugin/health/cmd.go                     |   2 +-
 scripts/ut_test_in_docker.sh                       |   3 -
 server/admin/service.go                            |   2 +-
 server/admin/service_test.go                       |   2 +-
 server/broker/controller.go                        |   4 +-
 server/broker/service.go                           |   2 +-
 server/broker/util.go                              |  20 +--
 server/core/config.go                              |   8 ++
 server/core/key_generator.go                       |  14 +-
 server/core/key_generator_test.go                  |   7 +
 server/core/proto/batch_find.go                    |   2 +-
 server/core/proto/common.go                        |   2 +-
 server/govern/controller_v4.go                     |   2 +-
 server/govern/service.go                           |   2 +-
 server/handler/auth/auth.go                        |  66 +++++++--
 server/handler/context/v4.go                       |   6 +-
 server/plugin/export.go                            |   2 +-
 .../pkg/discovery/servicecenter/aggregate.go       |   2 +-
 .../plugin/pkg/discovery/servicecenter/indexer.go  |   2 +-
 server/plugin/pkg/quota/buildin/common.go          |   2 +-
 server/plugin/pkg/quota/quota.go                   |   2 +-
 server/plugin/pkg/registry/etcd/common.go          |   2 +-
 server/plugin/pkg/tls/buildin/tls.go               |   4 +-
 server/rest/controller/rest_util.go                |  21 +--
 server/rest/controller/v3/main_controller.go       |   2 +-
 server/rest/controller/v4/auth_resource.go         |  75 ++++++++++
 server/rest/controller/v4/dependency_controller.go |   2 +-
 server/rest/controller/v4/instance_controller.go   |   2 +-
 server/rest/controller/v4/main_controller.go       |   2 +-
 .../rest/controller/v4/microservice_controller.go  |   2 +-
 server/rest/controller/v4/query_rule_controller.go |   2 +-
 server/rest/controller/v4/schema_controller.go     |   2 +-
 server/rest/controller/v4/tag_controller.go        |   2 +-
 server/rest/controller/v4/v4.go                    |   4 +
 server/{error => scerror}/error.go                 |   2 +-
 server/{error => scerror}/error_test.go            |   2 +-
 server/server.go                                   |  13 +-
 .../pkg/security => service/cipher}/cipher.go      |  12 +-
 server/service/dependency.go                       |   2 +-
 server/service/dependency_test.go                  |   2 +-
 server/service/instance.go                         |   2 +-
 server/service/instance_test.go                    |   2 +-
 server/service/kv/store.go                         |  72 ++++++++++
 .../service_test.go => service/kv/store_test.go}   |  50 ++++---
 server/service/microservice.go                     |   2 +-
 server/service/microservice_test.go                |   2 +-
 server/service/rbac/authr_plugin.go                |  95 ++++++++++++
 server/service/rbac/dao/account_dao.go             |  88 ++++++++++++
 .../rbac/dao/account_dao_test.go}                  |  39 ++---
 .../v4.go => service/rbac/dao/secret_dao.go}       |  60 ++++----
 .../v4.go => service/rbac/dao/secret_dao_test.go}  |  30 ++--
 server/service/rbac/rbac.go                        | 160 +++++++++++++++++++++
 server/service/rbac/rbca_test.go                   |  87 +++++++++++
 server/service/rule.go                             |   2 +-
 server/service/rule_test.go                        |   2 +-
 server/service/schema.go                           |   2 +-
 server/service/schema_test.go                      |   2 +-
 server/service/tag.go                              |   2 +-
 server/service/tag_test.go                         |   2 +-
 server/service/util/dependency_util.go             |   2 +-
 server/service/util/heartbeat_util.go              |   2 +-
 server/service/util/instance_util.go               |   2 +-
 server/service/util/instance_util_test.go          |   2 +-
 server/service/util/rule_util.go                   |   2 +-
 server/service/util/tag_util.go                    |   2 +-
 server/task/clear_service_test.go                  |   2 +-
 79 files changed, 971 insertions(+), 268 deletions(-)

diff --git a/.travis.yml b/.travis.yml
index 8be649c..54480fd 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -26,8 +26,6 @@ install: true
 
 jobs:
   include:
-    - stage: Building Service Center
-      script: bash -x scripts/build/local.sh
     - stage: Unit Testing
       script: bash -x scripts/ut_test_in_docker.sh && 
$HOME/gopath/bin/goveralls -coverprofile=coverage.txt -service=travis-ci
     - stage: Integration Testing
diff --git a/docs/conf.py b/docs/conf.py
index 38b6e93..a64db03 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -1,11 +1,29 @@
 # -*- coding: utf-8 -*-
+
+'''
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+'''
+
 #
 # Configuration file for the Sphinx documentation builder.
 #
 # This file does only contain a selection of the most common options. For a
 # full list see the documentation:
-# http://www.sphinx-doc.org/en/master/config
-
+# http://www.sphinx-doc.org/en/stable/config
+import sphinx_rtd_theme
 # -- Path setup --------------------------------------------------------------
 
 # If extensions (or modules to document with autodoc) are in another directory,
@@ -16,7 +34,6 @@
 # import sys
 # sys.path.insert(0, os.path.abspath('.'))
 
-import sphinx_rtd_theme
 
 # -- Project information -----------------------------------------------------
 
@@ -35,9 +52,8 @@ release = u''
 # If your documentation needs a minimal Sphinx version, state it here.
 #
 # needs_sphinx = '1.0'
-
 from recommonmark.parser import CommonMarkParser
-from recommonmark.transform import AutoStructify
+
 source_parsers = {
     '.md': CommonMarkParser,
 }
@@ -46,15 +62,6 @@ source_parsers = {
 # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
 # ones.
 extensions = [
-    'sphinx.ext.autodoc',
-    'sphinx.ext.doctest',
-    'sphinx.ext.intersphinx',
-    'sphinx.ext.todo',
-    'sphinx.ext.coverage',
-    'sphinx.ext.mathjax',
-    'sphinx.ext.ifconfig',
-    'sphinx.ext.viewcode',
-    'sphinx.ext.githubpages',
 ]
 
 # Add any paths that contain templates here, relative to this directory.
@@ -78,11 +85,11 @@ language = None
 
 # List of patterns, relative to source directory, that match files and
 # directories to ignore when looking for source files.
-# This pattern also affects html_static_path and html_extra_path.
+# This pattern also affects html_static_path and html_extra_path .
 exclude_patterns = [u'_build', 'Thumbs.db', '.DS_Store']
 
 # The name of the Pygments (syntax highlighting) style to use.
-pygments_style = None
+pygments_style = 'sphinx'
 
 
 # -- Options for HTML output -------------------------------------------------
@@ -90,7 +97,6 @@ pygments_style = None
 # The theme to use for HTML and HTML Help pages.  See the documentation for
 # a list of builtin themes.
 #
-
 html_theme = 'sphinx_rtd_theme'
 html_static_path = ['_static']
 html_theme_path = [sphinx_rtd_theme.get_html_theme_path()]
@@ -100,6 +106,18 @@ html_theme_options = {
     'display_version': False,
 }
 
+
+# Theme options are theme-specific and customize the look and feel of a theme
+# further.  For a list of options available for each theme, see the
+# documentation.
+#
+# html_theme_options = {}
+
+# Add any paths that contain custom static files (such as style sheets) here,
+# relative to this directory. They are copied after the builtin static files,
+# so a file named "default.css" will overwrite the builtin "default.css".
+html_static_path = ['_static']
+
 # Custom sidebar templates, must be a dictionary that maps document names
 # to template names.
 #
@@ -114,7 +132,7 @@ html_theme_options = {
 # -- Options for HTMLHelp output ---------------------------------------------
 
 # Output file base name for HTML help builder.
-htmlhelp_basename = 'servicecomb-service-centerdoc'
+htmlhelp_basename = 'servicecomb-kiedoc'
 
 
 # -- Options for LaTeX output ------------------------------------------------
@@ -141,7 +159,7 @@ latex_elements = {
 # (source start file, target name, title,
 #  author, documentclass [howto, manual, or own class]).
 latex_documents = [
-    (master_doc, 'servicecomb-service-center.tex', 
u'servicecomb-service-center Documentation',
+    (master_doc, 'servicecomb-kie.tex', u'servicecomb-kie Documentation',
      u'The Apache Software Foundation', 'manual'),
 ]
 
@@ -151,7 +169,7 @@ latex_documents = [
 # One entry per manual page. List of tuples
 # (source start file, name, description, authors, manual section).
 man_pages = [
-    (master_doc, 'servicecomb-service-center', u'servicecomb-service-center 
Documentation',
+    (master_doc, 'servicecomb-kie', u'servicecomb-kie Documentation',
      [author], 1)
 ]
 
@@ -162,33 +180,7 @@ man_pages = [
 # (source start file, target name, title, author,
 #  dir menu entry, description, category)
 texinfo_documents = [
-    (master_doc, 'servicecomb-service-center', u'servicecomb-service-center 
Documentation',
-     author, 'servicecomb-service-center', 'One line description of project.',
+    (master_doc, 'servicecomb-kie', u'servicecomb-kie Documentation',
+     author, 'servicecomb-kie', 'One line description of project.',
      'Miscellaneous'),
-]
-
-
-# -- Options for Epub output -------------------------------------------------
-
-# Bibliographic Dublin Core info.
-epub_title = project
-
-# The unique identifier of the text. This can be a ISBN number
-# or the project homepage.
-#
-# epub_identifier = ''
-
-# A unique identification for the text.
-#
-# epub_uid = ''
-
-# A list of files that should not be packed into the epub file.
-epub_exclude_files = ['search.html']
-
-def setup(app):
-    app.add_config_value('recommonmark_config', {
-        #'url_resolver': lambda url: github_doc_root + url,
-        'auto_toc_tree_section': 'Contents',
-        'enable_eval_rst': True,
-    }, True)
-    app.add_transform(AutoStructify)
\ No newline at end of file
+]
\ No newline at end of file
diff --git a/docs/user-guides.rst b/docs/user-guides.rst
index fcee1f8..32cef85 100644
--- a/docs/user-guides.rst
+++ b/docs/user-guides.rst
@@ -9,3 +9,4 @@ User Guides
    user-guides/security-tls.md
    user-guides/sc-cluster.rst
    user-guides/integration-grafana.md
+   user-guides/rbac.md
diff --git a/docs/user-guides/rbac.md b/docs/user-guides/rbac.md
new file mode 100644
index 0000000..aee26af
--- /dev/null
+++ b/docs/user-guides/rbac.md
@@ -0,0 +1,53 @@
+# RBAC
+alpha feature. now the feature is very simple in early stage. only has root 
account authentication
+
+you can choose to enable RBAC feature, after enable RBAC, all request to 
service center must be authenticated
+
+### Configuration file
+follow steps to enable this feature.
+
+1.get rsa key pairs
+```sh
+openssl genrsa -out private.key 4096
+openssl rsa -in private.key -pubout -out public.key
+```
+
+2.edit app.conf
+```ini
+rbac_enabled = true
+rbac_rsa_pub_key_file = ./public.key
+```
+
+before you start server, you need to set env to set your root account.  
+can revoke private.key after each cluster restart,can not revoke root name and 
password
+```sh
+export SC_INIT_ROOT_USERNAME=root  
+export SC_INIT_ROOT_PASSWORD=rootpwd
+export SC_INIT_PRIVATE_KEY=`cat private.key`
+```
+at the first time service center cluster init, it will use this env to setup 
rbac module.
+
+To securely distribute your root account and private key, 
+you can use kubernetes 
[secret](https://kubernetes.io/zh/docs/tasks/inject-data-application/distribute-credentials-secure/)
+### Generate a token 
+```shell script
+curl -X POST \
+  http://127.0.0.1:30100/v4/token \
+  -d '{"name":"root",
+"password":"rootpwd"}'
+```
+will return a token, token will expired after 30m
+```json
+{"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1OTI4MzIxODUsInVzZXIiOiJyb290In0.G65mgb4eQ9hmCAuftVeVogN9lT_jNg7iIOF_EAyAhBU"}
+```
+
+### Authentication
+in each request you must add token to  http header
+Authorization: Bear {token}
+
+for example:
+```shell script
+curl -X GET \
+  
'http://127.0.0.1:30100/v4/default/registry/microservices/{service-id}/instances'
 \
+  -H 'Authorization: Bear 
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1OTI4OTQ1NTEsInVzZXIiOiJyb290In0.FfLOSvVmHT9qCZSe_6iPf4gNjbXLwCrkXxKHsdJoQ8w'
 
+```
\ No newline at end of file
diff --git a/examples/etcd_data_struct.yaml b/examples/etcd_data_struct.yaml
new file mode 100644
index 0000000..f2f20f4
--- /dev/null
+++ b/examples/etcd_data_struct.yaml
@@ -0,0 +1,17 @@
+/cse-sr/domains/default: |
+/cse-sr/accounts/{account_name}: |
+/cse-sr/inst/files/default/default/{service_id}/{instsance_id}: |
+  
{"instanceId":"b0ffb9feb22a11eaa76a08002706c83e","serviceId":"7062417bf9ebd4c646bb23059003cea42180894a",
+  
"endpoints":["rest://127.0.0.1:30100/"],"hostName":"tian-VirtualBox","status":"UP",
+  
"healthCheck":{"mode":"push","interval":30,"times":3},"timestamp":"1592570701","modTimestamp":"1592570701","version":"0.0.1"}
+/cse-sr/inst/leases/default/default/{service_id}/{instsance_id}: |
+  7587847170149911364
+/cse-sr/ms/alias/default/default/development/default/SERVICECENTER/0.0.1: |
+  {service_id}
+/cse-sr/ms/files/default/default/{service_id}: |
+  
{"serviceId":"7062417bf9ebd4c646bb23059003cea42180894a","appId":"default","serviceName":"SERVICECENTER","version":"0.0.1","level":"BACK",
+  
"schemas":["servicecenter.grpc.api.ServiceCtrl","servicecenter.grpc.api.ServiceInstanceCtrl"],"status":"UP",
+  
"properties":{"allowCrossApp":"true"},"timestamp":"1592570701","alias":"SERVICECENTER","modTimestamp":"1592570701","environment":"development"}
+/cse-sr/ms/indexes/default/default/development/default/SERVICECENTER/0.0.1: |
+  {service_id}
+/cse-sr/projects/default/default:
diff --git a/go.mod b/go.mod
index e711d7a..887c0d7 100644
--- a/go.mod
+++ b/go.mod
@@ -8,21 +8,21 @@ require (
        github.com/Shopify/toxiproxy v2.1.4+incompatible // indirect
        github.com/apache/thrift v0.0.0-20180125231006-3d556248a8b9 // indirect
        github.com/astaxie/beego v1.8.0
-       github.com/cespare/xxhash v1.1.0 // indirect
        github.com/cheggaaa/pb v1.0.25
-       github.com/coocood/freecache v1.0.1 // indirect
        github.com/coreos/bbolt v1.3.3 // indirect
-       github.com/coreos/etcd v3.3.8+incompatible
+       github.com/coreos/etcd v3.3.22+incompatible
        github.com/coreos/go-semver v0.2.0 // indirect
        github.com/coreos/go-systemd v0.0.0-20180828140353-eee3db372b31 // 
indirect
        github.com/coreos/pkg v0.0.0-20180108230652-97fdf19511ea // v4
+       github.com/dgrijalva/jwt-go v3.2.0+incompatible
+       github.com/dustin/go-humanize v1.0.0 // indirect
        github.com/eapache/go-resiliency v1.1.0 // indirect
        github.com/eapache/go-xerial-snappy v0.0.0-20180814174437-776d5712da21 
// indirect
        github.com/eapache/queue v1.1.0 // indirect
        github.com/ghodss/yaml v1.0.0 // indirect
-       github.com/gin-contrib/sse v0.0.0-20190301062529-5545eab6dad3 // 
indirect
-       github.com/gin-gonic/gin v1.3.0 // indirect
-       github.com/go-chassis/go-chassis v1.8.2 // indirect
+       github.com/go-chassis/foundation v0.1.1-0.20191113114104-2b05871e9ec4
+       github.com/go-chassis/go-archaius v1.3.1
+       github.com/go-chassis/go-chassis v0.0.0-20200624080301-8af281f0f75b
        github.com/go-chassis/paas-lager v1.1.1
        github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d
        github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef // 
indirect
@@ -30,6 +30,7 @@ require (
        github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db // indirect
        github.com/googleapis/gnostic v0.2.0 // indirect
        github.com/gorilla/websocket v1.4.0
+       github.com/grpc-ecosystem/go-grpc-middleware v1.2.0 // indirect
        github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
        github.com/grpc-ecosystem/grpc-gateway v1.3.0 // indirect
        github.com/hashicorp/mdns v1.0.1 // indirect
@@ -42,14 +43,13 @@ require (
        github.com/karlseguin/expect v1.0.1 // indirect
        github.com/labstack/echo 
v3.2.2-0.20180316170059-a5d81b8d4a62+incompatible
        github.com/labstack/gommon v0.2.1 // indirect
-       github.com/mattn/go-isatty v0.0.7 // indirect
        github.com/mattn/go-runewidth v0.0.3 // indirect
        github.com/natefinch/lumberjack v0.0.0-20170531160350-a96e63847dc3
        github.com/olekukonko/tablewriter v0.0.0-20180506121414-d4647c9c7a84
        github.com/onsi/ginkgo v1.10.1
        github.com/onsi/gomega v1.7.0
        github.com/opentracing-contrib/go-observer 
v0.0.0-20170622124052-a52f23424492 // indirect
-       github.com/opentracing/opentracing-go v1.0.2
+       github.com/opentracing/opentracing-go v1.1.0
        github.com/openzipkin/zipkin-go-opentracing 
v0.3.3-0.20180123190626-6bb822a7f15f
        github.com/pborman/uuid v1.2.0 // indirect
        github.com/pierrec/lz4 v2.0.5+incompatible // indirect
@@ -60,33 +60,29 @@ require (
        github.com/rcrowley/go-metrics v0.0.0-20180503174638-e2704e165165 // 
indirect
        github.com/rs/cors v0.0.0-20170608165155-8dd4211afb5d // v1.1
        github.com/satori/go.uuid v1.1.0
-       github.com/sirupsen/logrus v1.3.0 // indirect
+       github.com/smartystreets/assertions v0.0.0-20190116191733-b6c0e53d7304 
// indirect
        github.com/soheilhy/cmux v0.1.4 // indirect
        github.com/spf13/cobra v0.0.0-20170624150100-4d647c8944eb
        github.com/spf13/pflag v1.0.5
        github.com/stretchr/testify v1.4.0
        github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5 
// indirect
-       github.com/ugorji/go v1.1.1 // indirect
        github.com/valyala/bytebufferpool v1.0.0 // indirect
        github.com/valyala/fasttemplate v0.0.0-20170224212429-dcecefd839c4 // 
indirect
        github.com/widuu/gojson v0.0.0-20170212122013-7da9d2cd949b
        github.com/wsxiaoys/terminal v0.0.0-20160513160801-0940f3fc43a0 // 
indirect
        github.com/xiang90/probing v0.0.0-20160813154853-07dd2e8dfe18 // 
indirect
        go.etcd.io/bbolt v1.3.4 // indirect
-       go.uber.org/atomic v1.5.0 // indirect
-       go.uber.org/multierr v1.1.0 // indirect
-       go.uber.org/ratelimit v0.1.0 // indirect
-       go.uber.org/zap v1.9.0
+       go.etcd.io/etcd v3.3.22+incompatible
+       go.uber.org/zap v1.10.0
        google.golang.org/grpc v1.19.0
        gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
-       gopkg.in/go-playground/assert.v1 v1.2.1 // indirect
-       gopkg.in/go-playground/validator.v8 v8.18.2 // indirect
        gopkg.in/karlseguin/expect.v1 v1.0.1 // indirect
        gopkg.in/natefinch/lumberjack.v2 v2.0.0 // indirect
        gopkg.in/yaml.v2 v2.2.4
        k8s.io/api v0.17.0
        k8s.io/apimachinery v0.17.0
        k8s.io/client-go v0.17.0
+       k8s.io/utils v0.0.0-20191114200735-6ca3b61696b6 // indirect
 )
 
 go 1.13
diff --git a/integration/schema_test.go b/integration/schema_test.go
index 9acd6c1..70b1f7a 100644
--- a/integration/schema_test.go
+++ b/integration/schema_test.go
@@ -77,7 +77,7 @@ var _ = Describe("MicroService Api schema Test", func() {
                        "schemaId": "second_schemaId",
                }
                schemas := map[string][]map[string]string{
-                       "schemas": []map[string]string{
+                       "schemas": {
                                schema,
                        },
                }
diff --git a/pkg/client/sc/apis.go b/pkg/client/sc/apis.go
index 47bf631..2bfd6dc 100644
--- a/pkg/client/sc/apis.go
+++ b/pkg/client/sc/apis.go
@@ -23,8 +23,8 @@ import (
 
        "github.com/apache/servicecomb-service-center/pkg/util"
        "github.com/apache/servicecomb-service-center/server/admin/model"
-       scerr "github.com/apache/servicecomb-service-center/server/error"
        
"github.com/apache/servicecomb-service-center/server/plugin/pkg/registry"
+       scerr "github.com/apache/servicecomb-service-center/server/scerror"
        "github.com/apache/servicecomb-service-center/version"
 )
 
diff --git a/pkg/client/sc/instance.go b/pkg/client/sc/instance.go
index 5189b5e..f2d2a6a 100644
--- a/pkg/client/sc/instance.go
+++ b/pkg/client/sc/instance.go
@@ -25,7 +25,7 @@ import (
 
        "github.com/apache/servicecomb-service-center/server/core"
        pb "github.com/apache/servicecomb-service-center/server/core/proto"
-       scerr "github.com/apache/servicecomb-service-center/server/error"
+       scerr "github.com/apache/servicecomb-service-center/server/scerror"
 )
 
 const (
diff --git a/pkg/client/sc/microservice.go b/pkg/client/sc/microservice.go
index 5913033..f791bc3 100644
--- a/pkg/client/sc/microservice.go
+++ b/pkg/client/sc/microservice.go
@@ -25,7 +25,7 @@ import (
 
        "github.com/apache/servicecomb-service-center/server/core"
        pb "github.com/apache/servicecomb-service-center/server/core/proto"
-       scerr "github.com/apache/servicecomb-service-center/server/error"
+       scerr "github.com/apache/servicecomb-service-center/server/scerror"
 )
 
 const (
diff --git a/pkg/client/sc/schema.go b/pkg/client/sc/schema.go
index f76c707..f1b9d42 100644
--- a/pkg/client/sc/schema.go
+++ b/pkg/client/sc/schema.go
@@ -27,7 +27,7 @@ import (
 
        "github.com/apache/servicecomb-service-center/server/core"
        pb "github.com/apache/servicecomb-service-center/server/core/proto"
-       scerr "github.com/apache/servicecomb-service-center/server/error"
+       scerr "github.com/apache/servicecomb-service-center/server/scerror"
 )
 
 const (
diff --git a/pkg/client/sc/watch.go b/pkg/client/sc/watch.go
index 00f53be..3b74fa5 100644
--- a/pkg/client/sc/watch.go
+++ b/pkg/client/sc/watch.go
@@ -23,7 +23,7 @@ import (
 
        "github.com/apache/servicecomb-service-center/server/core"
        pb "github.com/apache/servicecomb-service-center/server/core/proto"
-       scerr "github.com/apache/servicecomb-service-center/server/error"
+       scerr "github.com/apache/servicecomb-service-center/server/scerror"
        "github.com/gorilla/websocket"
 )
 
diff --git a/server/main.go b/pkg/model/account.go
similarity index 81%
rename from server/main.go
rename to pkg/model/account.go
index 67807f6..4211772 100644
--- a/server/main.go
+++ b/pkg/model/account.go
@@ -14,10 +14,14 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package server
 
-var server ServiceCenterServer
+package model
 
-func Run() {
-       server.Run()
+type Account struct {
+       Name     string `json:"name,omitempty"`
+       Password string `json:"password,omitempty"`
+}
+
+type Token struct {
+       TokenStr string `json:"token,omitempty"`
 }
diff --git a/scctl/pkg/plugin/health/cmd.go b/scctl/pkg/plugin/health/cmd.go
index 83a029e..125e74a 100644
--- a/scctl/pkg/plugin/health/cmd.go
+++ b/scctl/pkg/plugin/health/cmd.go
@@ -19,7 +19,7 @@ import (
        "context"
        "github.com/apache/servicecomb-service-center/pkg/client/sc"
        "github.com/apache/servicecomb-service-center/scctl/pkg/cmd"
-       scerr "github.com/apache/servicecomb-service-center/server/error"
+       scerr "github.com/apache/servicecomb-service-center/server/scerror"
        "github.com/spf13/cobra"
 )
 
diff --git a/scripts/ut_test_in_docker.sh b/scripts/ut_test_in_docker.sh
index 43cc825..3dc640b 100755
--- a/scripts/ut_test_in_docker.sh
+++ b/scripts/ut_test_in_docker.sh
@@ -20,9 +20,6 @@ set +e
 export c_name="etcd"
 docker rm -f $c_name
 set -e
-red=`tput setaf 1`
-green=`tput setaf 2`
-reset=`tput sgr0`
 
 ut_for_dir() {
     local name=$1
diff --git a/server/admin/service.go b/server/admin/service.go
index a7a9632..7d4c02d 100644
--- a/server/admin/service.go
+++ b/server/admin/service.go
@@ -26,9 +26,9 @@ import (
        "github.com/apache/servicecomb-service-center/server/core"
        "github.com/apache/servicecomb-service-center/server/core/backend"
        pb "github.com/apache/servicecomb-service-center/server/core/proto"
-       scerr "github.com/apache/servicecomb-service-center/server/error"
        
"github.com/apache/servicecomb-service-center/server/plugin/pkg/discovery"
        
"github.com/apache/servicecomb-service-center/server/plugin/pkg/registry"
+       scerr "github.com/apache/servicecomb-service-center/server/scerror"
        "github.com/apache/servicecomb-service-center/version"
        "github.com/astaxie/beego"
        "os"
diff --git a/server/admin/service_test.go b/server/admin/service_test.go
index feff0be..b9a3902 100644
--- a/server/admin/service_test.go
+++ b/server/admin/service_test.go
@@ -22,10 +22,10 @@ import (
        "github.com/apache/servicecomb-service-center/server/admin"
        "github.com/apache/servicecomb-service-center/server/admin/model"
        pb "github.com/apache/servicecomb-service-center/server/core/proto"
-       scerr "github.com/apache/servicecomb-service-center/server/error"
        mgr "github.com/apache/servicecomb-service-center/server/plugin"
        
"github.com/apache/servicecomb-service-center/server/plugin/pkg/discovery/etcd"
        etcd2 
"github.com/apache/servicecomb-service-center/server/plugin/pkg/registry/etcd"
+       scerr "github.com/apache/servicecomb-service-center/server/scerror"
        serviceUtil 
"github.com/apache/servicecomb-service-center/server/service/util"
        "github.com/astaxie/beego"
        "github.com/stretchr/testify/assert"
diff --git a/server/broker/controller.go b/server/broker/controller.go
index 055ad2e..3437172 100644
--- a/server/broker/controller.go
+++ b/server/broker/controller.go
@@ -24,8 +24,8 @@ import (
 
        "github.com/apache/servicecomb-service-center/pkg/rest"
        "github.com/apache/servicecomb-service-center/server/broker/brokerpb"
-       scerr "github.com/apache/servicecomb-service-center/server/error"
        "github.com/apache/servicecomb-service-center/server/rest/controller"
+       scerr "github.com/apache/servicecomb-service-center/server/scerror"
 )
 
 const DEFAULT_SCHEME = "http"
@@ -132,7 +132,7 @@ func (*BrokerController) GetPactsOfProvider(w 
http.ResponseWriter, r *http.Reque
        respInternal := resp.Response
        resp.Response = nil
        //controller.WriteResponse(w, respInternal, resp.Pact)
-       controller.WriteJsonBytes(w, respInternal, resp.Pact)
+       controller.WriteJsonIfSuccess(w, respInternal, resp.Pact)
 }
 
 func (*BrokerController) DeletePacts(w http.ResponseWriter, r *http.Request) {
diff --git a/server/broker/service.go b/server/broker/service.go
index 03d0d84..799c1fe 100644
--- a/server/broker/service.go
+++ b/server/broker/service.go
@@ -30,8 +30,8 @@ import (
        "github.com/apache/servicecomb-service-center/server/broker/brokerpb"
        apt "github.com/apache/servicecomb-service-center/server/core"
        pb "github.com/apache/servicecomb-service-center/server/core/proto"
-       scerr "github.com/apache/servicecomb-service-center/server/error"
        
"github.com/apache/servicecomb-service-center/server/plugin/pkg/registry"
+       scerr "github.com/apache/servicecomb-service-center/server/scerror"
        serviceUtil 
"github.com/apache/servicecomb-service-center/server/service/util"
 )
 
diff --git a/server/broker/util.go b/server/broker/util.go
index 2c024c3..ba25d45 100644
--- a/server/broker/util.go
+++ b/server/broker/util.go
@@ -19,6 +19,7 @@ package broker
 import (
        "context"
        "encoding/json"
+       "github.com/apache/servicecomb-service-center/server/service/kv"
        "math"
        "net/url"
        "strconv"
@@ -30,8 +31,8 @@ import (
        "github.com/apache/servicecomb-service-center/server/core"
        "github.com/apache/servicecomb-service-center/server/core/backend"
        pb "github.com/apache/servicecomb-service-center/server/core/proto"
-       scerr "github.com/apache/servicecomb-service-center/server/error"
        
"github.com/apache/servicecomb-service-center/server/plugin/pkg/registry"
+       scerr "github.com/apache/servicecomb-service-center/server/scerror"
        serviceUtil 
"github.com/apache/servicecomb-service-center/server/service/util"
        "path/filepath"
 )
@@ -257,13 +258,6 @@ func GetData(ctx context.Context, key string) (int, error) 
{
        return id, nil
 }
 
-func StoreData(ctx context.Context, key string, value string) error {
-       _, err := backend.Registry().Do(ctx, registry.PUT,
-               registry.WithStrKey(key),
-               registry.WithValue([]byte(value)))
-       return err
-}
-
 func CreateParticipant(pactLogger *log.Logger, ctx context.Context, 
participantKey string, participant brokerpb.Participant) 
(*brokerpb.PublishPactResponse, error) {
        data, err := json.Marshal(participant)
        if err != nil {
@@ -287,7 +281,7 @@ func CreateParticipant(pactLogger *log.Logger, ctx 
context.Context, participantK
        k := GetBrokerLatestParticipantIDKey()
        v := strconv.Itoa(int(participant.Id))
        PactLogger.Infof("Inserting (%s, %s)", k, v)
-       err = StoreData(ctx, k, v)
+       err = kv.Put(ctx, k, v)
        if err != nil {
                PactLogger.Errorf(nil, "pact publish failed, participant cannot 
be created.")
                return &brokerpb.PublishPactResponse{
@@ -320,7 +314,7 @@ func CreateVersion(pactLogger *log.Logger, ctx 
context.Context, versionKey strin
        k := GetBrokerLatestVersionIDKey()
        v := strconv.Itoa(int(version.Id))
        PactLogger.Infof("Inserting (%s, %s)", k, v)
-       err = StoreData(ctx, k, v)
+       err = kv.Put(ctx, k, v)
        if err != nil {
                PactLogger.Errorf(nil, "pact publish failed, version cannot be 
created.")
                return &brokerpb.PublishPactResponse{
@@ -355,7 +349,7 @@ func CreatePact(pactLogger *log.Logger, ctx context.Context,
        k := GetBrokerLatestPactIDKey()
        v := strconv.Itoa(int(pact.Id))
        PactLogger.Infof("Inserting (%s, %s)", k, v)
-       err = StoreData(ctx, k, v)
+       err = kv.Put(ctx, k, v)
        if err != nil {
                PactLogger.Errorf(nil, "pact publish failed, pact cannot be 
created.")
                return &brokerpb.PublishPactResponse{
@@ -386,7 +380,7 @@ func CreatePactVersion(pactLogger *log.Logger, ctx 
context.Context, pactVersionK
        k := GetBrokerLatestPactVersionIDKey()
        v := strconv.Itoa(int(pactVersion.Id))
        PactLogger.Infof("Inserting (%s, %s)", k, v)
-       err = StoreData(ctx, k, v)
+       err = kv.Put(ctx, k, v)
        if err != nil {
                PactLogger.Errorf(nil, "pact publish failed, pact version 
cannot be created.")
                return &brokerpb.PublishPactResponse{
@@ -419,7 +413,7 @@ func CreateVerification(pactLogger *log.Logger, ctx 
context.Context,
        k := GetBrokerLatestVerificationIDKey()
        v := strconv.Itoa(int(verification.Id))
        PactLogger.Infof("Inserting (%s, %s)", k, v)
-       err = StoreData(ctx, k, v)
+       err = kv.Put(ctx, k, v)
        if err != nil {
                PactLogger.Errorf(nil, "verification result publish failed, 
verification result cannot be created.")
                return &brokerpb.PublishVerificationResponse{
diff --git a/server/core/config.go b/server/core/config.go
index fa720a1..da32d0f 100644
--- a/server/core/config.go
+++ b/server/core/config.go
@@ -17,6 +17,7 @@
 package core
 
 import (
+       "github.com/go-chassis/go-archaius"
        "os"
        "runtime"
        "time"
@@ -41,11 +42,17 @@ const (
 
        maxServiceClearInterval = 24 * time.Hour       //1 day
        maxServiceTTL           = 24 * 365 * time.Hour //1 year
+
 )
 
 var ServerInfo = pb.NewServerInformation()
 
 func Configure() {
+       err := archaius.Init(archaius.WithMemorySource(), 
archaius.WithENVSource())
+       if err != nil {
+               log.Fatal("can not init archaius", err)
+       }
+
        setCPUs()
 
        *ServerInfo = newInfo()
@@ -55,6 +62,7 @@ func Configure() {
        initLogger()
 
        version.Ver().Log()
+
 }
 
 func newInfo() pb.ServerInformation {
diff --git a/server/core/key_generator.go b/server/core/key_generator.go
index 420ee17..e86ad98 100644
--- a/server/core/key_generator.go
+++ b/server/core/key_generator.go
@@ -313,7 +313,19 @@ func GenerateDomainKey(domain string) string {
                domain,
        }, SPLIT)
 }
-
+func GenerateAccountKey(name string) string {
+       return util.StringJoin([]string{
+               GetRootKey(),
+               "accounts",
+               name,
+       }, SPLIT)
+}
+func GenerateRBACSecretKey() string {
+       return util.StringJoin([]string{
+               GetRootKey(),
+               "rbac/secret",
+       }, SPLIT)
+}
 func GetServerInfoKey() string {
        return util.StringJoin([]string{
                GetRootKey(),
diff --git a/server/core/key_generator_test.go 
b/server/core/key_generator_test.go
index fc2802d..8450606 100644
--- a/server/core/key_generator_test.go
+++ b/server/core/key_generator_test.go
@@ -17,9 +17,16 @@ package core
 
 import (
        "github.com/apache/servicecomb-service-center/server/core/proto"
+       "github.com/stretchr/testify/assert"
        "testing"
 )
 
+func TestGenerateAccountKey(t *testing.T) {
+       assert.Equal(t, "/cse-sr/accounts/admin", GenerateAccountKey("admin"))
+}
+func TestGenerateAccountSecretKey(t *testing.T) {
+       assert.Equal(t, "/cse-sr/rbac/secret", GenerateRBACSecretKey())
+}
 func TestGenerateDependencyRuleKey(t *testing.T) {
        // consumer
        k := GenerateConsumerDependencyRuleKey("a", nil)
diff --git a/server/core/proto/batch_find.go b/server/core/proto/batch_find.go
index fc02021..77a51d8 100644
--- a/server/core/proto/batch_find.go
+++ b/server/core/proto/batch_find.go
@@ -16,7 +16,7 @@
 package proto
 
 import (
-       scerr "github.com/apache/servicecomb-service-center/server/error"
+       scerr "github.com/apache/servicecomb-service-center/server/scerror"
 )
 
 type FindService struct {
diff --git a/server/core/proto/common.go b/server/core/proto/common.go
index f21dcf5..b3dc0a2 100644
--- a/server/core/proto/common.go
+++ b/server/core/proto/common.go
@@ -16,7 +16,7 @@
 package proto
 
 import (
-       scerr "github.com/apache/servicecomb-service-center/server/error"
+       scerr "github.com/apache/servicecomb-service-center/server/scerror"
 )
 
 const (
diff --git a/server/govern/controller_v4.go b/server/govern/controller_v4.go
index 758ea7a..90125fe 100644
--- a/server/govern/controller_v4.go
+++ b/server/govern/controller_v4.go
@@ -24,8 +24,8 @@ import (
        "github.com/apache/servicecomb-service-center/pkg/util"
        "github.com/apache/servicecomb-service-center/server/core"
        pb "github.com/apache/servicecomb-service-center/server/core/proto"
-       scerr "github.com/apache/servicecomb-service-center/server/error"
        "github.com/apache/servicecomb-service-center/server/rest/controller"
+       scerr "github.com/apache/servicecomb-service-center/server/scerror"
        "strings"
 )
 
diff --git a/server/govern/service.go b/server/govern/service.go
index b03abc8..bd20134 100644
--- a/server/govern/service.go
+++ b/server/govern/service.go
@@ -24,8 +24,8 @@ import (
        apt "github.com/apache/servicecomb-service-center/server/core"
        "github.com/apache/servicecomb-service-center/server/core/backend"
        pb "github.com/apache/servicecomb-service-center/server/core/proto"
-       scerr "github.com/apache/servicecomb-service-center/server/error"
        
"github.com/apache/servicecomb-service-center/server/plugin/pkg/registry"
+       scerr "github.com/apache/servicecomb-service-center/server/scerror"
        "github.com/apache/servicecomb-service-center/server/service"
        serviceUtil 
"github.com/apache/servicecomb-service-center/server/service/util"
 )
diff --git a/server/handler/auth/auth.go b/server/handler/auth/auth.go
index bdc165b..9fbd5b3 100644
--- a/server/handler/auth/auth.go
+++ b/server/handler/auth/auth.go
@@ -20,31 +20,71 @@ import (
        "github.com/apache/servicecomb-service-center/pkg/chain"
        "github.com/apache/servicecomb-service-center/pkg/log"
        "github.com/apache/servicecomb-service-center/pkg/rest"
-       scerr "github.com/apache/servicecomb-service-center/server/error"
-       "github.com/apache/servicecomb-service-center/server/plugin"
        "github.com/apache/servicecomb-service-center/server/rest/controller"
+       scerr "github.com/apache/servicecomb-service-center/server/scerror"
+       "github.com/apache/servicecomb-service-center/server/service/rbac"
+       "github.com/go-chassis/go-chassis/security/authr"
+       "github.com/go-chassis/go-chassis/server/restful"
        "net/http"
+       "strings"
 )
 
-type AuthRequest struct {
+type Handler struct {
 }
 
-func (h *AuthRequest) Handle(i *chain.Invocation) {
-       r := i.Context().Value(rest.CTX_REQUEST).(*http.Request)
-       err := plugin.Plugins().Auth().Identify(r)
-       if err == nil {
+func (h *Handler) Handle(i *chain.Invocation) {
+       if !rbac.Enabled() {
                i.Next()
                return
        }
-
-       log.Errorf(err, "authenticate request failed, %s %s", r.Method, 
r.RequestURI)
-
        w := i.Context().Value(rest.CTX_RESPONSE).(http.ResponseWriter)
-       controller.WriteError(w, scerr.ErrUnauthorized, err.Error())
+       req, ok := i.Context().Value(rest.CTX_REQUEST).(*http.Request)
+       if !ok {
+               controller.WriteError(w, scerr.ErrUnauthorized, "internal 
error")
+               i.Fail(nil)
+               return
+       }
+       if !mustAuth(req) {
+               i.Next()
+               return
+       }
 
+       v := req.Header.Get(restful.HeaderAuth)
+       if v == "" {
+               controller.WriteError(w, scerr.ErrUnauthorized, "should provide 
token in header")
+               i.Fail(nil)
+               return
+       }
+       s := strings.Split(v, " ")
+       if len(s) != 2 {
+               controller.WriteError(w, scerr.ErrUnauthorized, "invalid auth 
header")
+               i.Fail(nil)
+               return
+       }
+       to := s[1]
+       //TODO rbac
+       _, err := authr.Authenticate(i.Context(), to)
+       if err == nil {
+               log.Info("user access")
+               i.Next()
+               return
+       }
+       log.Errorf(err, "authenticate request failed, %s %s", req.Method, 
req.RequestURI)
+       controller.WriteError(w, scerr.ErrUnauthorized, err.Error())
        i.Fail(nil)
 }
-
+func mustAuth(req *http.Request) bool {
+       if strings.Contains(req.URL.Path, "/v4/token") {
+               return false
+       }
+       if strings.Contains(req.URL.Path, "/health") {
+               return false
+       }
+       if strings.Contains(req.URL.Path, "/version") {
+               return false
+       }
+       return true
+}
 func RegisterHandlers() {
-       chain.RegisterHandler(rest.ServerChainName, &AuthRequest{})
+       chain.RegisterHandler(rest.ServerChainName, &Handler{})
 }
diff --git a/server/handler/context/v4.go b/server/handler/context/v4.go
index 22c3b9b..a74c9e0 100644
--- a/server/handler/context/v4.go
+++ b/server/handler/context/v4.go
@@ -17,8 +17,6 @@
 package context
 
 import (
-       "errors"
-       "github.com/apache/servicecomb-service-center/pkg/log"
        "github.com/apache/servicecomb-service-center/pkg/util"
        "github.com/apache/servicecomb-service-center/server/core"
        "net/http"
@@ -40,9 +38,7 @@ func (v *v4Context) Do(r *http.Request) error {
        if len(domain) == 0 {
                domain = r.Header.Get("X-Domain-Name")
                if len(domain) == 0 {
-                       err := errors.New("Header does not contain domain.")
-                       log.Errorf(err, "Invalid Request URI %s", r.RequestURI)
-                       return err
+                       domain = "default"
                }
                util.SetRequestContext(r, util.CtxDomain, domain)
        }
diff --git a/server/plugin/export.go b/server/plugin/export.go
index 80e5540..97a4dc9 100644
--- a/server/plugin/export.go
+++ b/server/plugin/export.go
@@ -21,10 +21,10 @@ import (
        
"github.com/apache/servicecomb-service-center/server/plugin/pkg/discovery"
        "github.com/apache/servicecomb-service-center/server/plugin/pkg/quota"
        
"github.com/apache/servicecomb-service-center/server/plugin/pkg/registry"
-       
"github.com/apache/servicecomb-service-center/server/plugin/pkg/security"
        "github.com/apache/servicecomb-service-center/server/plugin/pkg/tls"
        "github.com/apache/servicecomb-service-center/server/plugin/pkg/tracing"
        "github.com/apache/servicecomb-service-center/server/plugin/pkg/uuid"
+       "github.com/go-chassis/foundation/security"
 )
 
 const (
diff --git a/server/plugin/pkg/discovery/servicecenter/aggregate.go 
b/server/plugin/pkg/discovery/servicecenter/aggregate.go
index f7b5acb..e5c8d52 100644
--- a/server/plugin/pkg/discovery/servicecenter/aggregate.go
+++ b/server/plugin/pkg/discovery/servicecenter/aggregate.go
@@ -23,10 +23,10 @@ import (
        "github.com/apache/servicecomb-service-center/pkg/util"
        "github.com/apache/servicecomb-service-center/server/admin/model"
        "github.com/apache/servicecomb-service-center/server/core"
-       scerr "github.com/apache/servicecomb-service-center/server/error"
        mgr "github.com/apache/servicecomb-service-center/server/plugin"
        
"github.com/apache/servicecomb-service-center/server/plugin/pkg/discovery"
        
"github.com/apache/servicecomb-service-center/server/plugin/pkg/registry"
+       scerr "github.com/apache/servicecomb-service-center/server/scerror"
        "strings"
        "sync"
 )
diff --git a/server/plugin/pkg/discovery/servicecenter/indexer.go 
b/server/plugin/pkg/discovery/servicecenter/indexer.go
index 8b96d47..86a4cdd 100644
--- a/server/plugin/pkg/discovery/servicecenter/indexer.go
+++ b/server/plugin/pkg/discovery/servicecenter/indexer.go
@@ -21,9 +21,9 @@ import (
        "github.com/apache/servicecomb-service-center/pkg/util"
        "github.com/apache/servicecomb-service-center/server/core"
        "github.com/apache/servicecomb-service-center/server/core/backend"
-       scerr "github.com/apache/servicecomb-service-center/server/error"
        
"github.com/apache/servicecomb-service-center/server/plugin/pkg/discovery"
        
"github.com/apache/servicecomb-service-center/server/plugin/pkg/registry"
+       scerr "github.com/apache/servicecomb-service-center/server/scerror"
 
        "context"
 )
diff --git a/server/plugin/pkg/quota/buildin/common.go 
b/server/plugin/pkg/quota/buildin/common.go
index 58e6185..dd965ba 100644
--- a/server/plugin/pkg/quota/buildin/common.go
+++ b/server/plugin/pkg/quota/buildin/common.go
@@ -23,11 +23,11 @@ import (
        "github.com/apache/servicecomb-service-center/pkg/log"
        "github.com/apache/servicecomb-service-center/server/core"
        "github.com/apache/servicecomb-service-center/server/core/backend"
-       scerr "github.com/apache/servicecomb-service-center/server/error"
        mgr "github.com/apache/servicecomb-service-center/server/plugin"
        
"github.com/apache/servicecomb-service-center/server/plugin/pkg/discovery"
        "github.com/apache/servicecomb-service-center/server/plugin/pkg/quota"
        
"github.com/apache/servicecomb-service-center/server/plugin/pkg/registry"
+       scerr "github.com/apache/servicecomb-service-center/server/scerror"
        serviceUtil 
"github.com/apache/servicecomb-service-center/server/service/util"
 )
 
diff --git a/server/plugin/pkg/quota/quota.go b/server/plugin/pkg/quota/quota.go
index 1f0f41d..caf5442 100644
--- a/server/plugin/pkg/quota/quota.go
+++ b/server/plugin/pkg/quota/quota.go
@@ -19,7 +19,7 @@ package quota
 import (
        "context"
        "github.com/apache/servicecomb-service-center/pkg/util"
-       scerr "github.com/apache/servicecomb-service-center/server/error"
+       scerr "github.com/apache/servicecomb-service-center/server/scerror"
        "strconv"
 )
 
diff --git a/server/plugin/pkg/registry/etcd/common.go 
b/server/plugin/pkg/registry/etcd/common.go
index 65f7203..b296c1f 100644
--- a/server/plugin/pkg/registry/etcd/common.go
+++ b/server/plugin/pkg/registry/etcd/common.go
@@ -32,7 +32,7 @@ const (
        keepAliveTime    = 2 * time.Second
        keepAliveTimeout = 5 * time.Second
 
-       // see github.com/coreos/etcd/clientv3/options.go
+       // see go.etcd.io/etcd/clientv3/options.go
        maxSendMsgSize = 10 * 1024 * 1024 // 10MB
        maxRecvMsgSize = math.MaxInt32
 )
diff --git a/server/plugin/pkg/tls/buildin/tls.go 
b/server/plugin/pkg/tls/buildin/tls.go
index 96f75da..82a3c5c 100644
--- a/server/plugin/pkg/tls/buildin/tls.go
+++ b/server/plugin/pkg/tls/buildin/tls.go
@@ -22,7 +22,7 @@ import (
        "github.com/apache/servicecomb-service-center/pkg/tlsutil"
        "github.com/apache/servicecomb-service-center/pkg/util"
        "github.com/apache/servicecomb-service-center/server/core"
-       "github.com/apache/servicecomb-service-center/server/plugin"
+       "github.com/apache/servicecomb-service-center/server/service/cipher"
        "github.com/astaxie/beego"
        "io/ioutil"
        "os"
@@ -53,7 +53,7 @@ func GetPassphase() (decrypt string) {
 
        decrypt = util.BytesToStringWithNoCopy(passphase)
        if len(decrypt) > 0 {
-               tmp, err := plugin.Plugins().Cipher().Decrypt(decrypt)
+               tmp, err := cipher.Decrypt(decrypt)
                if err != nil {
                        log.Errorf(err, "decrypt ssl passphase(%d) failed.", 
len(decrypt))
                } else {
diff --git a/server/rest/controller/rest_util.go 
b/server/rest/controller/rest_util.go
index 333c583..cfd1f02 100644
--- a/server/rest/controller/rest_util.go
+++ b/server/rest/controller/rest_util.go
@@ -23,13 +23,13 @@ import (
        "github.com/apache/servicecomb-service-center/pkg/util"
        "github.com/apache/servicecomb-service-center/server/alarm"
        pb "github.com/apache/servicecomb-service-center/server/core/proto"
-       "github.com/apache/servicecomb-service-center/server/error"
+       "github.com/apache/servicecomb-service-center/server/scerror"
        "net/http"
        "strconv"
 )
 
 func WriteError(w http.ResponseWriter, code int32, detail string) {
-       err := error.NewError(code, detail)
+       err := scerror.NewError(code, detail)
        w.Header().Set(rest.HEADER_RESPONSE_STATUS, 
strconv.Itoa(err.StatusCode()))
        w.Header().Set(rest.HEADER_CONTENT_TYPE, rest.CONTENT_TYPE_JSON)
        w.WriteHeader(err.StatusCode())
@@ -55,7 +55,7 @@ func WriteResponse(w http.ResponseWriter, resp *pb.Response, 
obj interface{}) {
 
        objJson, err := json.Marshal(obj)
        if err != nil {
-               WriteError(w, error.ErrInternal, err.Error())
+               WriteError(w, scerror.ErrInternal, err.Error())
                return
        }
        w.Header().Set(rest.HEADER_RESPONSE_STATUS, strconv.Itoa(http.StatusOK))
@@ -64,13 +64,18 @@ func WriteResponse(w http.ResponseWriter, resp 
*pb.Response, obj interface{}) {
        fmt.Fprintln(w, util.BytesToStringWithNoCopy(objJson))
 }
 
-func WriteJsonBytes(w http.ResponseWriter, resp *pb.Response, json []byte) {
+func WriteJsonIfSuccess(w http.ResponseWriter, resp *pb.Response, json []byte) 
{
        if resp.GetCode() == pb.Response_SUCCESS {
-               w.Header().Set(rest.HEADER_RESPONSE_STATUS, 
strconv.Itoa(http.StatusOK))
-               w.Header().Set(rest.HEADER_CONTENT_TYPE, rest.CONTENT_TYPE_JSON)
-               w.WriteHeader(http.StatusOK)
-               w.Write(json)
+               WriteJson(w, json)
                return
        }
        WriteError(w, resp.GetCode(), resp.GetMessage())
 }
+
+//WriteJson simply write json
+func WriteJson(w http.ResponseWriter, json []byte) {
+       w.Header().Set(rest.HEADER_RESPONSE_STATUS, strconv.Itoa(http.StatusOK))
+       w.Header().Set(rest.HEADER_CONTENT_TYPE, rest.CONTENT_TYPE_JSON)
+       w.WriteHeader(http.StatusOK)
+       w.Write(json)
+}
diff --git a/server/rest/controller/v3/main_controller.go 
b/server/rest/controller/v3/main_controller.go
index 2e26abc..7590d70 100644
--- a/server/rest/controller/v3/main_controller.go
+++ b/server/rest/controller/v3/main_controller.go
@@ -54,5 +54,5 @@ func (this *MainService) URLPatterns() []rest.Route {
 }
 
 func (this *MainService) GetVersion(w http.ResponseWriter, r *http.Request) {
-       controller.WriteJsonBytes(w, versionResp, versionJsonCache)
+       controller.WriteJsonIfSuccess(w, versionResp, versionJsonCache)
 }
diff --git a/server/rest/controller/v4/auth_resource.go 
b/server/rest/controller/v4/auth_resource.go
new file mode 100644
index 0000000..5839e1f
--- /dev/null
+++ b/server/rest/controller/v4/auth_resource.go
@@ -0,0 +1,75 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package v4
+
+import (
+       "context"
+       "encoding/json"
+       "github.com/apache/servicecomb-service-center/pkg/log"
+       "github.com/apache/servicecomb-service-center/pkg/model"
+       "github.com/apache/servicecomb-service-center/pkg/rest"
+       "github.com/apache/servicecomb-service-center/server/rest/controller"
+       "github.com/apache/servicecomb-service-center/server/scerror"
+       "github.com/apache/servicecomb-service-center/server/service/rbac"
+       "github.com/go-chassis/go-chassis/security/authr"
+       "io/ioutil"
+       "net/http"
+)
+
+type AuthResource struct {
+}
+
+//URLPatterns define htp pattern
+func (r *AuthResource) URLPatterns() []rest.Route {
+       return []rest.Route{
+               {http.MethodPost, "/v4/token", r.Login},
+       }
+}
+
+func (r *AuthResource) Login(w http.ResponseWriter, req *http.Request) {
+       body, err := ioutil.ReadAll(req.Body)
+       if err != nil {
+               log.Error("read body err", err)
+               controller.WriteError(w, scerror.ErrInternal, err.Error())
+               return
+       }
+       a := &model.Account{}
+       if err = json.Unmarshal(body, a); err != nil {
+               log.Error("json err", err)
+               controller.WriteError(w, scerror.ErrInvalidParams, err.Error())
+               return
+       }
+       t, err := authr.Login(context.TODO(), a.Name, a.Password)
+       if err != nil {
+               if err == rbac.ErrUnauthorized {
+                       log.Error("not authorized", err)
+                       controller.WriteError(w, scerror.ErrUnauthorized, 
err.Error())
+                       return
+               }
+               log.Error("can not sign token", err)
+               controller.WriteError(w, scerror.ErrInternal, err.Error())
+               return
+       }
+       to := &model.Token{TokenStr: t}
+       b, err := json.Marshal(to)
+       if err != nil {
+               log.Error("json err", err)
+               controller.WriteError(w, scerror.ErrInvalidParams, err.Error())
+               return
+       }
+       controller.WriteJson(w, b)
+}
diff --git a/server/rest/controller/v4/dependency_controller.go 
b/server/rest/controller/v4/dependency_controller.go
index 408c308..42fc6e1 100644
--- a/server/rest/controller/v4/dependency_controller.go
+++ b/server/rest/controller/v4/dependency_controller.go
@@ -23,8 +23,8 @@ import (
        "github.com/apache/servicecomb-service-center/pkg/util"
        "github.com/apache/servicecomb-service-center/server/core"
        pb "github.com/apache/servicecomb-service-center/server/core/proto"
-       scerr "github.com/apache/servicecomb-service-center/server/error"
        "github.com/apache/servicecomb-service-center/server/rest/controller"
+       scerr "github.com/apache/servicecomb-service-center/server/scerror"
        "io/ioutil"
        "net/http"
 )
diff --git a/server/rest/controller/v4/instance_controller.go 
b/server/rest/controller/v4/instance_controller.go
index df79bef..b37a68b 100644
--- a/server/rest/controller/v4/instance_controller.go
+++ b/server/rest/controller/v4/instance_controller.go
@@ -24,8 +24,8 @@ import (
        "github.com/apache/servicecomb-service-center/pkg/util"
        "github.com/apache/servicecomb-service-center/server/core"
        pb "github.com/apache/servicecomb-service-center/server/core/proto"
-       scerr "github.com/apache/servicecomb-service-center/server/error"
        "github.com/apache/servicecomb-service-center/server/rest/controller"
+       scerr "github.com/apache/servicecomb-service-center/server/scerror"
        serviceUtil 
"github.com/apache/servicecomb-service-center/server/service/util"
        "io/ioutil"
        "net/http"
diff --git a/server/rest/controller/v4/main_controller.go 
b/server/rest/controller/v4/main_controller.go
index 8fc85f3..3bb106a 100644
--- a/server/rest/controller/v4/main_controller.go
+++ b/server/rest/controller/v4/main_controller.go
@@ -69,5 +69,5 @@ func (this *MainService) GetVersion(w http.ResponseWriter, r 
*http.Request) {
                versionJsonCache, _ = json.Marshal(result)
                versionResp = pb.CreateResponse(pb.Response_SUCCESS, "get 
version successfully")
        })
-       controller.WriteJsonBytes(w, versionResp, versionJsonCache)
+       controller.WriteJsonIfSuccess(w, versionResp, versionJsonCache)
 }
diff --git a/server/rest/controller/v4/microservice_controller.go 
b/server/rest/controller/v4/microservice_controller.go
index ff8a43c..bfd3e16 100644
--- a/server/rest/controller/v4/microservice_controller.go
+++ b/server/rest/controller/v4/microservice_controller.go
@@ -23,8 +23,8 @@ import (
        "github.com/apache/servicecomb-service-center/pkg/util"
        "github.com/apache/servicecomb-service-center/server/core"
        pb "github.com/apache/servicecomb-service-center/server/core/proto"
-       scerr "github.com/apache/servicecomb-service-center/server/error"
        "github.com/apache/servicecomb-service-center/server/rest/controller"
+       scerr "github.com/apache/servicecomb-service-center/server/scerror"
        "io/ioutil"
        "net/http"
 )
diff --git a/server/rest/controller/v4/query_rule_controller.go 
b/server/rest/controller/v4/query_rule_controller.go
index 71b8753..661795b 100644
--- a/server/rest/controller/v4/query_rule_controller.go
+++ b/server/rest/controller/v4/query_rule_controller.go
@@ -23,8 +23,8 @@ import (
        "github.com/apache/servicecomb-service-center/pkg/util"
        "github.com/apache/servicecomb-service-center/server/core"
        pb "github.com/apache/servicecomb-service-center/server/core/proto"
-       scerr "github.com/apache/servicecomb-service-center/server/error"
        "github.com/apache/servicecomb-service-center/server/rest/controller"
+       scerr "github.com/apache/servicecomb-service-center/server/scerror"
        "io/ioutil"
        "net/http"
        "strings"
diff --git a/server/rest/controller/v4/schema_controller.go 
b/server/rest/controller/v4/schema_controller.go
index e38615c..fd99bef 100644
--- a/server/rest/controller/v4/schema_controller.go
+++ b/server/rest/controller/v4/schema_controller.go
@@ -23,8 +23,8 @@ import (
        "github.com/apache/servicecomb-service-center/pkg/util"
        "github.com/apache/servicecomb-service-center/server/core"
        pb "github.com/apache/servicecomb-service-center/server/core/proto"
-       scerr "github.com/apache/servicecomb-service-center/server/error"
        "github.com/apache/servicecomb-service-center/server/rest/controller"
+       scerr "github.com/apache/servicecomb-service-center/server/scerror"
        "io/ioutil"
        "net/http"
        "strings"
diff --git a/server/rest/controller/v4/tag_controller.go 
b/server/rest/controller/v4/tag_controller.go
index 47edf52..dbaf78b 100644
--- a/server/rest/controller/v4/tag_controller.go
+++ b/server/rest/controller/v4/tag_controller.go
@@ -23,8 +23,8 @@ import (
        "github.com/apache/servicecomb-service-center/pkg/util"
        "github.com/apache/servicecomb-service-center/server/core"
        pb "github.com/apache/servicecomb-service-center/server/core/proto"
-       scerr "github.com/apache/servicecomb-service-center/server/error"
        "github.com/apache/servicecomb-service-center/server/rest/controller"
+       scerr "github.com/apache/servicecomb-service-center/server/scerror"
        "io/ioutil"
        "net/http"
        "strings"
diff --git a/server/rest/controller/v4/v4.go b/server/rest/controller/v4/v4.go
index 98fb00c..f65ef49 100644
--- a/server/rest/controller/v4/v4.go
+++ b/server/rest/controller/v4/v4.go
@@ -18,6 +18,7 @@ package v4
 
 import (
        roa "github.com/apache/servicecomb-service-center/pkg/rest"
+       "github.com/apache/servicecomb-service-center/server/service/rbac"
 )
 
 func init() {
@@ -25,6 +26,9 @@ func init() {
 }
 
 func initRouter() {
+       if rbac.Enabled() {
+               roa.RegisterServant(&AuthResource{})
+       }
        roa.RegisterServant(&MainService{})
        roa.RegisterServant(&MicroServiceService{})
        roa.RegisterServant(&SchemaService{})
diff --git a/server/error/error.go b/server/scerror/error.go
similarity index 99%
rename from server/error/error.go
rename to server/scerror/error.go
index 0d1a4f7..46f97af 100644
--- a/server/error/error.go
+++ b/server/scerror/error.go
@@ -14,7 +14,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package error
+package scerror
 
 import (
        "encoding/json"
diff --git a/server/error/error_test.go b/server/scerror/error_test.go
similarity index 99%
rename from server/error/error_test.go
rename to server/scerror/error_test.go
index 1b61ff8..ed399e2 100644
--- a/server/error/error_test.go
+++ b/server/scerror/error_test.go
@@ -14,7 +14,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package error
+package scerror
 
 import (
        "net/http"
diff --git a/server/server.go b/server/server.go
index d4aa24c..5ffe033 100644
--- a/server/server.go
+++ b/server/server.go
@@ -16,7 +16,10 @@
  */
 package server
 
-import _ "github.com/apache/servicecomb-service-center/server/service/event"
+import (
+       _ "github.com/apache/servicecomb-service-center/server/service/event"
+       "github.com/apache/servicecomb-service-center/server/service/rbac"
+)
 import (
        "fmt"
        "os"
@@ -39,6 +42,12 @@ import (
 
 const buildin = "buildin"
 
+var server ServiceCenterServer
+
+func Run() {
+       server.Run()
+}
+
 type ServiceCenterServer struct {
        apiService    *APIServer
        notifyService *nf.NotifyService
@@ -176,7 +185,7 @@ func (s *ServiceCenterServer) startServices() {
 
        // load server plugins
        plugin.LoadPlugins()
-
+       rbac.Init()
        // check version
        if core.ServerInfo.Config.SelfRegister {
                s.loadOrUpgradeServerVersion()
diff --git a/server/plugin/pkg/security/cipher.go 
b/server/service/cipher/cipher.go
similarity index 75%
rename from server/plugin/pkg/security/cipher.go
rename to server/service/cipher/cipher.go
index 7357c10..edf7f3d 100644
--- a/server/plugin/pkg/security/cipher.go
+++ b/server/service/cipher/cipher.go
@@ -14,10 +14,14 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package security
 
-type Cipher interface {
-       Encrypt(src string) (string, error)
+package cipher
 
-       Decrypt(src string) (string, error)
+import "github.com/apache/servicecomb-service-center/server/plugin"
+
+func Encrypt(src string) (string, error) {
+       return plugin.Plugins().Cipher().Encrypt(src)
+}
+func Decrypt(src string) (string, error) {
+       return plugin.Plugins().Cipher().Decrypt(src)
 }
diff --git a/server/service/dependency.go b/server/service/dependency.go
index 50100e5..f811868 100644
--- a/server/service/dependency.go
+++ b/server/service/dependency.go
@@ -25,8 +25,8 @@ import (
        apt "github.com/apache/servicecomb-service-center/server/core"
        "github.com/apache/servicecomb-service-center/server/core/backend"
        pb "github.com/apache/servicecomb-service-center/server/core/proto"
-       scerr "github.com/apache/servicecomb-service-center/server/error"
        
"github.com/apache/servicecomb-service-center/server/plugin/pkg/registry"
+       scerr "github.com/apache/servicecomb-service-center/server/scerror"
        serviceUtil 
"github.com/apache/servicecomb-service-center/server/service/util"
 )
 
diff --git a/server/service/dependency_test.go 
b/server/service/dependency_test.go
index 4e7eaf6..1fa475a 100644
--- a/server/service/dependency_test.go
+++ b/server/service/dependency_test.go
@@ -18,7 +18,7 @@ package service_test
 
 import (
        pb "github.com/apache/servicecomb-service-center/server/core/proto"
-       scerr "github.com/apache/servicecomb-service-center/server/error"
+       scerr "github.com/apache/servicecomb-service-center/server/scerror"
        "github.com/apache/servicecomb-service-center/server/service/event"
        . "github.com/onsi/ginkgo"
        . "github.com/onsi/gomega"
diff --git a/server/service/instance.go b/server/service/instance.go
index beb14f3..5146cb0 100644
--- a/server/service/instance.go
+++ b/server/service/instance.go
@@ -28,11 +28,11 @@ import (
        apt "github.com/apache/servicecomb-service-center/server/core"
        "github.com/apache/servicecomb-service-center/server/core/backend"
        pb "github.com/apache/servicecomb-service-center/server/core/proto"
-       scerr "github.com/apache/servicecomb-service-center/server/error"
        "github.com/apache/servicecomb-service-center/server/health"
        "github.com/apache/servicecomb-service-center/server/plugin"
        "github.com/apache/servicecomb-service-center/server/plugin/pkg/quota"
        
"github.com/apache/servicecomb-service-center/server/plugin/pkg/registry"
+       scerr "github.com/apache/servicecomb-service-center/server/scerror"
        "github.com/apache/servicecomb-service-center/server/service/cache"
        serviceUtil 
"github.com/apache/servicecomb-service-center/server/service/util"
        "math"
diff --git a/server/service/instance_test.go b/server/service/instance_test.go
index 601185e..2498534 100644
--- a/server/service/instance_test.go
+++ b/server/service/instance_test.go
@@ -20,7 +20,7 @@ import (
        "github.com/apache/servicecomb-service-center/pkg/util"
        "github.com/apache/servicecomb-service-center/server/core"
        pb "github.com/apache/servicecomb-service-center/server/core/proto"
-       scerr "github.com/apache/servicecomb-service-center/server/error"
+       scerr "github.com/apache/servicecomb-service-center/server/scerror"
        serviceUtil 
"github.com/apache/servicecomb-service-center/server/service/util"
        . "github.com/onsi/ginkgo"
        . "github.com/onsi/gomega"
diff --git a/server/service/kv/store.go b/server/service/kv/store.go
new file mode 100644
index 0000000..d36c84e
--- /dev/null
+++ b/server/service/kv/store.go
@@ -0,0 +1,72 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//Package kv supplies kv store
+package kv
+
+import (
+       "context"
+       "errors"
+       "github.com/coreos/etcd/mvcc/mvccpb"
+
+       "github.com/apache/servicecomb-service-center/server/core/backend"
+       
"github.com/apache/servicecomb-service-center/server/plugin/pkg/registry"
+)
+
+var ErrNotUnique = errors.New("kv result is not unique")
+
+//Put put kv
+func Put(ctx context.Context, key string, value string) error {
+       _, err := backend.Registry().Do(ctx, registry.PUT,
+               registry.WithStrKey(key),
+               registry.WithValue([]byte(value)))
+       return err
+}
+
+//Put put kv
+func PutBytes(ctx context.Context, key string, value []byte) error {
+       _, err := backend.Registry().Do(ctx, registry.PUT,
+               registry.WithStrKey(key),
+               registry.WithValue(value))
+       return err
+}
+
+//Get get one kv
+func Get(ctx context.Context, key string) (*mvccpb.KeyValue, error) {
+       resp, err := backend.Registry().Do(ctx, registry.GET,
+               registry.WithStrKey(key))
+       if err != nil {
+               return nil, err
+       }
+       if resp.Count != 1 {
+               return nil, ErrNotUnique
+       }
+       return resp.Kvs[0], err
+}
+
+//Exist get one kv, if can not get return false
+func Exist(ctx context.Context, key string) (bool, error) {
+       resp, err := backend.Registry().Do(ctx, registry.GET,
+               registry.WithStrKey(key))
+       if err != nil {
+               return false, err
+       }
+       if resp.Count == 0 {
+               return false, nil
+       }
+       return true, nil
+}
diff --git a/server/admin/service_test.go b/server/service/kv/store_test.go
similarity index 55%
copy from server/admin/service_test.go
copy to server/service/kv/store_test.go
index feff0be..02bd2bc 100644
--- a/server/admin/service_test.go
+++ b/server/service/kv/store_test.go
@@ -14,19 +14,16 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package admin_test
+
+package kv_test
 
 import (
        "context"
-       "github.com/apache/servicecomb-service-center/pkg/util"
-       "github.com/apache/servicecomb-service-center/server/admin"
-       "github.com/apache/servicecomb-service-center/server/admin/model"
-       pb "github.com/apache/servicecomb-service-center/server/core/proto"
-       scerr "github.com/apache/servicecomb-service-center/server/error"
        mgr "github.com/apache/servicecomb-service-center/server/plugin"
        
"github.com/apache/servicecomb-service-center/server/plugin/pkg/discovery/etcd"
        etcd2 
"github.com/apache/servicecomb-service-center/server/plugin/pkg/registry/etcd"
-       serviceUtil 
"github.com/apache/servicecomb-service-center/server/service/util"
+       
"github.com/apache/servicecomb-service-center/server/plugin/pkg/tracing/buildin"
+       "github.com/apache/servicecomb-service-center/server/service/kv"
        "github.com/astaxie/beego"
        "github.com/stretchr/testify/assert"
        "testing"
@@ -37,22 +34,29 @@ func init() {
        mgr.RegisterPlugin(mgr.Plugin{mgr.REGISTRY, "etcd", etcd2.NewRegistry})
        mgr.RegisterPlugin(mgr.Plugin{mgr.DISCOVERY, "buildin", 
etcd.NewRepository})
        mgr.RegisterPlugin(mgr.Plugin{mgr.DISCOVERY, "etcd", 
etcd.NewRepository})
+       mgr.RegisterPlugin(mgr.Plugin{mgr.TRACING, "buildin", buildin.New})
+
 }
-func TestAdminService_Dump(t *testing.T) {
-       t.Log("execute 'dump' operation,when get all,should be passed")
-       resp, err := admin.AdminServiceAPI.Dump(getContext(), 
&model.DumpRequest{})
-       assert.NoError(t, err)
-       assert.Equal(t, pb.Response_SUCCESS, resp.Response.Code)
-       t.Log("execute 'dump' operation,when get by domain project,should be 
passed")
-       resp, err = admin.AdminServiceAPI.Dump(
-               util.SetDomainProject(context.Background(), "x", "x"),
-               &model.DumpRequest{})
-       assert.NoError(t, err)
-       assert.Equal(t, scerr.ErrForbidden, resp.Response.Code)
-}
+func TestStoreData(t *testing.T) {
+
+       t.Run("put, get string", func(t *testing.T) {
+               err := kv.Put(context.Background(), "test", "value")
+               assert.NoError(t, err)
+               r, err := kv.Get(context.Background(), "test")
+               assert.NoError(t, err)
+               assert.Equal(t, "value", string(r.Value))
+       })
+       t.Run("should exist", func(t *testing.T) {
+               b, err := kv.Exist(context.Background(), "test")
+               assert.NoError(t, err)
+               assert.True(t, b)
+       })
 
-func getContext() context.Context {
-       return util.SetContext(
-               util.SetDomainProject(context.Background(), "default", 
"default"),
-               serviceUtil.CTX_NOCACHE, "1")
+       t.Run("put, get bytes", func(t *testing.T) {
+               err := kv.PutBytes(context.Background(), "test", 
[]byte(`value`))
+               assert.NoError(t, err)
+               r, err := kv.Get(context.Background(), "test")
+               assert.NoError(t, err)
+               assert.Equal(t, "value", string(r.Value))
+       })
 }
diff --git a/server/service/microservice.go b/server/service/microservice.go
index 45121dc..a100666 100644
--- a/server/service/microservice.go
+++ b/server/service/microservice.go
@@ -30,11 +30,11 @@ import (
        apt "github.com/apache/servicecomb-service-center/server/core"
        "github.com/apache/servicecomb-service-center/server/core/backend"
        pb "github.com/apache/servicecomb-service-center/server/core/proto"
-       scerr "github.com/apache/servicecomb-service-center/server/error"
        "github.com/apache/servicecomb-service-center/server/plugin"
        "github.com/apache/servicecomb-service-center/server/plugin/pkg/quota"
        
"github.com/apache/servicecomb-service-center/server/plugin/pkg/registry"
        "github.com/apache/servicecomb-service-center/server/plugin/pkg/uuid"
+       scerr "github.com/apache/servicecomb-service-center/server/scerror"
        serviceUtil 
"github.com/apache/servicecomb-service-center/server/service/util"
 
        "context"
diff --git a/server/service/microservice_test.go 
b/server/service/microservice_test.go
index 420c25c..afe6713 100644
--- a/server/service/microservice_test.go
+++ b/server/service/microservice_test.go
@@ -19,8 +19,8 @@ package service_test
 import (
        "github.com/apache/servicecomb-service-center/server/core"
        pb "github.com/apache/servicecomb-service-center/server/core/proto"
-       scerr "github.com/apache/servicecomb-service-center/server/error"
        "github.com/apache/servicecomb-service-center/server/plugin/pkg/quota"
+       scerr "github.com/apache/servicecomb-service-center/server/scerror"
        . "github.com/onsi/ginkgo"
        . "github.com/onsi/gomega"
        "strconv"
diff --git a/server/service/rbac/authr_plugin.go 
b/server/service/rbac/authr_plugin.go
new file mode 100644
index 0000000..6bba434
--- /dev/null
+++ b/server/service/rbac/authr_plugin.go
@@ -0,0 +1,95 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package rbac
+
+import (
+       "context"
+       "errors"
+       "github.com/apache/servicecomb-service-center/pkg/log"
+       "github.com/apache/servicecomb-service-center/server/service/cipher"
+       "github.com/apache/servicecomb-service-center/server/service/rbac/dao"
+       "github.com/dgrijalva/jwt-go"
+       "github.com/go-chassis/go-chassis/security/authr"
+       "github.com/go-chassis/go-chassis/security/token"
+)
+
+var ErrUnauthorized = errors.New("wrong user name or password")
+
+const (
+       ClaimsUser = "user"
+)
+
+//EmbeddedAuthenticator is sc default auth plugin, RBAC data is persisted in 
etcd
+type EmbeddedAuthenticator struct {
+       secret []byte
+}
+
+func newEmbeddedAuthenticator(opts *authr.Options) (authr.Authenticator, 
error) {
+       return &EmbeddedAuthenticator{}, nil
+}
+
+//Login check db user and password,will verify and return token for valid 
account
+func (a *EmbeddedAuthenticator) Login(ctx context.Context, user string, 
password string) (string, error) {
+       if user == "default" {
+               return "", ErrUnauthorized
+       }
+       account, err := dao.GetAccount(ctx, user)
+       if err != nil {
+               return "", err
+       }
+       account.Password, err = cipher.Decrypt(account.Password)
+       if err != nil {
+               return "", err
+       }
+       if user == account.Name && password == account.Password {
+               secret, err := GetPrivateKey(ctx)
+               if err != nil {
+                       return "", err
+               }
+               tokenStr, err := token.Sign(map[string]interface{}{
+                       ClaimsUser: user, //TODO more claims for RBAC, for 
example role name
+               },
+                       secret,
+                       token.WithExpTime("30m"),
+                       token.WithSigningMethod(token.RS512)) //TODO config for 
each user
+               if err != nil {
+                       log.Errorf(err, "can not sign a token")
+                       return "", err
+               }
+               return tokenStr, nil
+       }
+       return "", ErrUnauthorized
+}
+func (a *EmbeddedAuthenticator) Authenticate(ctx context.Context, tokenStr 
string) (interface{}, error) {
+       claims, err := token.Verify(tokenStr, func(claims interface{}, method 
token.SigningMethod) (interface{}, error) {
+               p, err := jwt.ParseRSAPublicKeyFromPEM([]byte(PublicKey()))
+               if err != nil {
+                       log.Error("can not parse public key", err)
+                       return nil, err
+               }
+               return p, nil
+       })
+       if err != nil {
+               log.Error("verify token failed", err)
+               return nil, err
+       }
+       return claims, nil
+}
+func init() {
+       authr.Install("default", newEmbeddedAuthenticator)
+}
diff --git a/server/service/rbac/dao/account_dao.go 
b/server/service/rbac/dao/account_dao.go
new file mode 100644
index 0000000..07a81f2
--- /dev/null
+++ b/server/service/rbac/dao/account_dao.go
@@ -0,0 +1,88 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+//Package rbac is dao layer API to help service center manage account, policy 
and role info
+package dao
+
+import (
+       "context"
+       "encoding/json"
+       "errors"
+       "fmt"
+       "github.com/apache/servicecomb-service-center/pkg/etcdsync"
+       "github.com/apache/servicecomb-service-center/pkg/log"
+       "github.com/apache/servicecomb-service-center/pkg/model"
+       "github.com/apache/servicecomb-service-center/server/core"
+       "github.com/apache/servicecomb-service-center/server/service/kv"
+)
+
+var ErrDuplicated = errors.New("account is duplicated")
+
+//CreateAccount save 2 kv
+//1. account info
+func CreateAccount(ctx context.Context, a *model.Account) error {
+       lock, err := etcdsync.Lock("/account-creating/"+a.Name, -1, false)
+       if err != nil {
+               return fmt.Errorf("account %s is creating", a.Name)
+       }
+       defer lock.Unlock()
+       key := core.GenerateAccountKey(a.Name)
+       exist, err := kv.Exist(ctx, key)
+       if err != nil {
+               log.Errorf(err, "can not save account info")
+               return err
+       }
+       if exist {
+               return ErrDuplicated
+       }
+
+       value, err := json.Marshal(a)
+       if err != nil {
+               log.Errorf(err, "account info is invalid")
+               return err
+       }
+       err = kv.PutBytes(ctx, key, value)
+       if err != nil {
+               log.Errorf(err, "can not save account info")
+               return err
+       }
+
+       return nil
+}
+
+func GetAccount(ctx context.Context, name string) (*model.Account, error) {
+       key := core.GenerateAccountKey(name)
+       r, err := kv.Get(ctx, key)
+       if err != nil {
+               log.Errorf(err, "can not get account info")
+               return nil, err
+       }
+       a := &model.Account{}
+       err = json.Unmarshal(r.Value, a)
+       if err != nil {
+               log.Errorf(err, "account info is invalid")
+               return nil, err
+       }
+       return a, nil
+}
+func AccountExist(ctx context.Context, name string) (bool, error) {
+       exist, err := kv.Exist(ctx, core.GenerateAccountKey(name))
+       if err != nil {
+               log.Errorf(err, "can not get account info")
+               return false, err
+       }
+       return exist, nil
+}
diff --git a/server/admin/service_test.go 
b/server/service/rbac/dao/account_dao_test.go
similarity index 55%
copy from server/admin/service_test.go
copy to server/service/rbac/dao/account_dao_test.go
index feff0be..d557c69 100644
--- a/server/admin/service_test.go
+++ b/server/service/rbac/dao/account_dao_test.go
@@ -14,19 +14,17 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package admin_test
+
+package dao_test
 
 import (
        "context"
-       "github.com/apache/servicecomb-service-center/pkg/util"
-       "github.com/apache/servicecomb-service-center/server/admin"
-       "github.com/apache/servicecomb-service-center/server/admin/model"
-       pb "github.com/apache/servicecomb-service-center/server/core/proto"
-       scerr "github.com/apache/servicecomb-service-center/server/error"
+       "github.com/apache/servicecomb-service-center/pkg/model"
        mgr "github.com/apache/servicecomb-service-center/server/plugin"
        
"github.com/apache/servicecomb-service-center/server/plugin/pkg/discovery/etcd"
        etcd2 
"github.com/apache/servicecomb-service-center/server/plugin/pkg/registry/etcd"
-       serviceUtil 
"github.com/apache/servicecomb-service-center/server/service/util"
+       
"github.com/apache/servicecomb-service-center/server/plugin/pkg/tracing/buildin"
+       "github.com/apache/servicecomb-service-center/server/service/rbac/dao"
        "github.com/astaxie/beego"
        "github.com/stretchr/testify/assert"
        "testing"
@@ -37,22 +35,15 @@ func init() {
        mgr.RegisterPlugin(mgr.Plugin{mgr.REGISTRY, "etcd", etcd2.NewRegistry})
        mgr.RegisterPlugin(mgr.Plugin{mgr.DISCOVERY, "buildin", 
etcd.NewRepository})
        mgr.RegisterPlugin(mgr.Plugin{mgr.DISCOVERY, "etcd", 
etcd.NewRepository})
-}
-func TestAdminService_Dump(t *testing.T) {
-       t.Log("execute 'dump' operation,when get all,should be passed")
-       resp, err := admin.AdminServiceAPI.Dump(getContext(), 
&model.DumpRequest{})
-       assert.NoError(t, err)
-       assert.Equal(t, pb.Response_SUCCESS, resp.Response.Code)
-       t.Log("execute 'dump' operation,when get by domain project,should be 
passed")
-       resp, err = admin.AdminServiceAPI.Dump(
-               util.SetDomainProject(context.Background(), "x", "x"),
-               &model.DumpRequest{})
-       assert.NoError(t, err)
-       assert.Equal(t, scerr.ErrForbidden, resp.Response.Code)
-}
+       mgr.RegisterPlugin(mgr.Plugin{mgr.TRACING, "buildin", buildin.New})
 
-func getContext() context.Context {
-       return util.SetContext(
-               util.SetDomainProject(context.Background(), "default", 
"default"),
-               serviceUtil.CTX_NOCACHE, "1")
+}
+func TestAccountDao_CreateAccount(t *testing.T) {
+       _ = dao.CreateAccount(context.Background(), &model.Account{Name: 
"admin", Password: "pwd"})
+       t.Run("get account", func(t *testing.T) {
+               r, err := dao.GetAccount(context.Background(), "admin")
+               assert.NoError(t, err)
+               assert.Equal(t, "admin", r.Name)
+               assert.Equal(t, "pwd", r.Password)
+       })
 }
diff --git a/server/handler/context/v4.go 
b/server/service/rbac/dao/secret_dao.go
similarity index 53%
copy from server/handler/context/v4.go
copy to server/service/rbac/dao/secret_dao.go
index 22c3b9b..b2cd837 100644
--- a/server/handler/context/v4.go
+++ b/server/service/rbac/dao/secret_dao.go
@@ -14,46 +14,40 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package context
+
+package dao
 
 import (
-       "errors"
+       "context"
        "github.com/apache/servicecomb-service-center/pkg/log"
-       "github.com/apache/servicecomb-service-center/pkg/util"
        "github.com/apache/servicecomb-service-center/server/core"
-       "net/http"
-       "strings"
+       "github.com/apache/servicecomb-service-center/server/service/kv"
 )
 
-type v4Context struct {
-}
-
-func (v *v4Context) IsMatch(r *http.Request) bool {
-       return strings.Index(r.RequestURI, "/v4/") == 0
+//OverrideSecret write secret to kv store
+func OverrideSecret(ctx context.Context, sk string) error {
+       key := core.GenerateRBACSecretKey()
+       err := kv.Put(context.Background(), key, sk)
+       if err != nil {
+               log.Errorf(err, "can not override secret")
+               return err
+       }
+       return nil
 }
-
-func (v *v4Context) Do(r *http.Request) error {
-       ctx := r.Context()
-
-       domain, project := util.ParseDomain(ctx), util.ParseProject(ctx)
-
-       if len(domain) == 0 {
-               domain = r.Header.Get("X-Domain-Name")
-               if len(domain) == 0 {
-                       err := errors.New("Header does not contain domain.")
-                       log.Errorf(err, "Invalid Request URI %s", r.RequestURI)
-                       return err
-               }
-               util.SetRequestContext(r, util.CtxDomain, domain)
+func GetSecret(ctx context.Context) ([]byte, error) {
+       key := core.GenerateRBACSecretKey()
+       r, err := kv.Get(ctx, key)
+       if err != nil {
+               log.Errorf(err, "can not get secret")
+               return nil, err
        }
-
-       if len(project) == 0 {
-               project = r.URL.Query().Get(":project")
-               if len(project) == 0 {
-                       project = core.REGISTRY_PROJECT
-               }
-               util.SetRequestContext(r, util.CtxProject, project)
+       return r.Value, nil
+}
+func SecretExist(ctx context.Context) (bool, error) {
+       exist, err := kv.Exist(ctx, core.GenerateRBACSecretKey())
+       if err != nil {
+               log.Errorf(err, "can not get secret info")
+               return false, err
        }
-
-       return nil
+       return exist, nil
 }
diff --git a/server/rest/controller/v4/v4.go 
b/server/service/rbac/dao/secret_dao_test.go
similarity index 63%
copy from server/rest/controller/v4/v4.go
copy to server/service/rbac/dao/secret_dao_test.go
index 98fb00c..8012788 100644
--- a/server/rest/controller/v4/v4.go
+++ b/server/service/rbac/dao/secret_dao_test.go
@@ -14,23 +14,23 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package v4
+
+package dao_test
 
 import (
-       roa "github.com/apache/servicecomb-service-center/pkg/rest"
+       "context"
+       "github.com/apache/servicecomb-service-center/server/service/rbac/dao"
+       "github.com/stretchr/testify/assert"
+       "testing"
 )
 
-func init() {
-       initRouter()
-}
-
-func initRouter() {
-       roa.RegisterServant(&MainService{})
-       roa.RegisterServant(&MicroServiceService{})
-       roa.RegisterServant(&SchemaService{})
-       roa.RegisterServant(&DependencyService{})
-       roa.RegisterServant(&TagService{})
-       roa.RegisterServant(&RuleService{})
-       roa.RegisterServant(&MicroServiceInstanceService{})
-       roa.RegisterServant(&WatchService{})
+func TestOverrideSecret(t *testing.T) {
+       err := dao.OverrideSecret(context.Background(), "sk")
+       assert.NoError(t, err)
+       s, err := dao.GetSecret(context.Background())
+       assert.NoError(t, err)
+       assert.Equal(t, "sk", string(s))
+       b, err := dao.SecretExist(context.Background())
+       assert.NoError(t, err)
+       assert.True(t, b)
 }
diff --git a/server/service/rbac/rbac.go b/server/service/rbac/rbac.go
new file mode 100644
index 0000000..4840713
--- /dev/null
+++ b/server/service/rbac/rbac.go
@@ -0,0 +1,160 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package rbac
+
+import (
+       "context"
+       "crypto/rsa"
+       "github.com/apache/servicecomb-service-center/pkg/log"
+       "github.com/apache/servicecomb-service-center/pkg/model"
+       "github.com/apache/servicecomb-service-center/server/service/cipher"
+       "github.com/apache/servicecomb-service-center/server/service/rbac/dao"
+       "github.com/astaxie/beego"
+       "github.com/go-chassis/go-archaius"
+       "github.com/go-chassis/go-chassis/security/authr"
+       "github.com/go-chassis/go-chassis/security/secret"
+       "io"
+       "os"
+)
+
+const (
+       InitRoot     = "SC_INIT_ROOT_USERNAME"
+       InitPassword = "SC_INIT_ROOT_PASSWORD"
+       InitPrivate  = "SC_INIT_PRIVATE_KEY"
+)
+
+//Init decide whether enable rbac function and save root account to db
+// if db has root account, abort creating.
+func Init() {
+       if !Enabled() {
+               log.Info("rbac is disabled")
+               return
+       }
+       err := authr.Init()
+       if err != nil {
+               log.Fatal("can not enable auth module", err)
+       }
+       admin := archaius.GetString(InitRoot, "")
+       if admin == "" {
+               log.Fatal("can not enable rbac, root is empty", nil)
+               return
+       }
+       accountExist, err := dao.AccountExist(context.Background(), admin)
+       if err != nil {
+               log.Fatal("can not enable auth module", err)
+       }
+       if !accountExist {
+               initFirstTime(admin)
+       }
+       overrideSecretKey()
+       readPublicKey()
+       log.Info("rbac is enabled")
+}
+
+//readPublicKey read key to memory
+func readPublicKey() {
+       pf := beego.AppConfig.String("rbac_rsa_pub_key_file")
+       // 打开文件
+       fp, err := os.Open(pf)
+       if err != nil {
+               log.Fatal("can not find public key", err)
+               return
+       }
+       defer fp.Close()
+       buf := make([]byte, 1024)
+       for {
+               // 循环读取文件
+               _, err := fp.Read(buf)
+               if err == io.EOF { // io.EOF表示文件末尾
+                       break
+               }
+
+       }
+       archaius.Set("rbac_public_key", string(buf))
+}
+func initFirstTime(admin string) {
+       //handle root account
+       pwd := archaius.GetString(InitPassword, "")
+       if pwd == "" {
+               log.Fatal("can not enable rbac, password is empty", nil)
+       }
+       pwd, err := cipher.Encrypt(pwd)
+       if err != nil {
+               log.Fatal("can not enable rbac, encryption failed", err)
+       }
+       if err := dao.CreateAccount(context.Background(), &model.Account{
+               Name:     admin,
+               Password: pwd,
+       }); err != nil {
+               if err == dao.ErrDuplicated {
+                       log.Info("rbac is enabled")
+                       return
+               }
+               log.Fatal("can not enable rbac, init root account failed", err)
+       }
+       log.Info("root account init success")
+}
+
+//should override key on each start procedure,
+//so that a system such as kubernetes can use secret to distribute a new 
secret to revoke the old one
+func overrideSecretKey() {
+       secret := archaius.GetString(InitPrivate, "")
+       if secret == "" {
+               log.Fatal("can not enable rbac, secret is empty", nil)
+       }
+       if err := dao.OverrideSecret(context.Background(), secret); err != nil {
+               log.Fatal("can not save secret", err)
+       }
+
+}
+func Enabled() bool {
+       return beego.AppConfig.DefaultBool("rbac_enabled", false)
+}
+
+//PublicKey get public key to verify a token
+func PublicKey() string {
+       return archaius.GetString("rbac_public_key", "")
+}
+
+//GetSecretStr return decrypted secret
+func GetSecretStr(ctx context.Context) (string, error) {
+       sk, err := dao.GetSecret(ctx)
+       if err != nil {
+               return "", err
+       }
+       skStr, err := cipher.Decrypt(string(sk))
+       if err != nil {
+               log.Error("can not decrypt:", err)
+               return "", err
+       }
+       return skStr, nil
+}
+
+//GetPrivateKey return rsa key instance
+func GetPrivateKey(ctx context.Context) (*rsa.PrivateKey, error) {
+       sk, err := GetSecretStr(ctx)
+       if err != nil {
+               return nil, err
+       }
+       p, err := secret.ParseRSAPrivateKey(sk)
+       if err != nil {
+               log.Error("can not get key:", err)
+               return nil, err
+       }
+       return p, nil
+}
diff --git a/server/service/rbac/rbca_test.go b/server/service/rbac/rbca_test.go
new file mode 100644
index 0000000..a4db540
--- /dev/null
+++ b/server/service/rbac/rbca_test.go
@@ -0,0 +1,87 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package rbac_test
+
+import (
+       "context"
+       mgr "github.com/apache/servicecomb-service-center/server/plugin"
+       
"github.com/apache/servicecomb-service-center/server/plugin/pkg/discovery/etcd"
+       etcd2 
"github.com/apache/servicecomb-service-center/server/plugin/pkg/registry/etcd"
+       
"github.com/apache/servicecomb-service-center/server/plugin/pkg/security/buildin"
+       
"github.com/apache/servicecomb-service-center/server/plugin/pkg/tracing/buildin"
+       "github.com/apache/servicecomb-service-center/server/service/rbac"
+       "github.com/apache/servicecomb-service-center/server/service/rbac/dao"
+       "github.com/astaxie/beego"
+       "github.com/go-chassis/go-archaius"
+       "github.com/go-chassis/go-chassis/security/authr"
+       "github.com/go-chassis/go-chassis/security/secret"
+       "github.com/stretchr/testify/assert"
+       "io/ioutil"
+       "testing"
+)
+
+func init() {
+       beego.AppConfig.Set("registry_plugin", "etcd")
+       beego.AppConfig.Set("rbac_enabled", "true")
+       beego.AppConfig.Set("rbac_rsa_pub_key_file", "./rbac.pub")
+       mgr.RegisterPlugin(mgr.Plugin{mgr.REGISTRY, "etcd", etcd2.NewRegistry})
+       mgr.RegisterPlugin(mgr.Plugin{mgr.DISCOVERY, "buildin", 
etcd.NewRepository})
+       mgr.RegisterPlugin(mgr.Plugin{mgr.DISCOVERY, "etcd", 
etcd.NewRepository})
+       mgr.RegisterPlugin(mgr.Plugin{mgr.CIPHER, "buildin", plain.New})
+       mgr.RegisterPlugin(mgr.Plugin{mgr.TRACING, "buildin", buildin.New})
+}
+
+func TestInitRBAC(t *testing.T) {
+       err := archaius.Init(archaius.WithMemorySource(), 
archaius.WithENVSource())
+       assert.NoError(t, err)
+
+       pri, pub, err := secret.GenRSAKeyPair(4096)
+       assert.NoError(t, err)
+
+       b, err := secret.RSAPrivate2Bytes(pri)
+       assert.NoError(t, err)
+       archaius.Set(rbac.InitPrivate, string(b))
+
+       b, err = secret.RSAPublicKey2Bytes(pub)
+       err = ioutil.WriteFile("./rbac.pub", b, 0600)
+       assert.NoError(t, err)
+
+       archaius.Set(rbac.InitRoot, "root")
+       archaius.Set(rbac.InitPassword, "root")
+
+       rbac.Init()
+       a, err := dao.GetAccount(context.Background(), "root")
+       assert.NoError(t, err)
+       assert.Equal(t, "root", a.Name)
+       s, err := dao.GetSecret(context.Background())
+       assert.NoError(t, err)
+       assert.NotEmpty(t, s)
+
+       t.Run("login and authenticate", func(t *testing.T) {
+               token, err := authr.Login(context.Background(), "root", "root")
+               assert.NoError(t, err)
+               t.Log(token)
+               claims, err := authr.Authenticate(context.Background(), token)
+               assert.NoError(t, err)
+               assert.Equal(t, "root", 
claims.(map[string]interface{})[rbac.ClaimsUser])
+       })
+
+       t.Run("second time init", func(t *testing.T) {
+               rbac.Init()
+       })
+}
diff --git a/server/service/rule.go b/server/service/rule.go
index 9beb7da..f4443b0 100644
--- a/server/service/rule.go
+++ b/server/service/rule.go
@@ -24,10 +24,10 @@ import (
        apt "github.com/apache/servicecomb-service-center/server/core"
        "github.com/apache/servicecomb-service-center/server/core/backend"
        pb "github.com/apache/servicecomb-service-center/server/core/proto"
-       scerr "github.com/apache/servicecomb-service-center/server/error"
        "github.com/apache/servicecomb-service-center/server/plugin"
        "github.com/apache/servicecomb-service-center/server/plugin/pkg/quota"
        
"github.com/apache/servicecomb-service-center/server/plugin/pkg/registry"
+       scerr "github.com/apache/servicecomb-service-center/server/scerror"
        serviceUtil 
"github.com/apache/servicecomb-service-center/server/service/util"
        "strconv"
        "time"
diff --git a/server/service/rule_test.go b/server/service/rule_test.go
index 2a6f995..0c8c308 100644
--- a/server/service/rule_test.go
+++ b/server/service/rule_test.go
@@ -18,8 +18,8 @@ package service_test
 
 import (
        pb "github.com/apache/servicecomb-service-center/server/core/proto"
-       scerr "github.com/apache/servicecomb-service-center/server/error"
        "github.com/apache/servicecomb-service-center/server/plugin/pkg/quota"
+       scerr "github.com/apache/servicecomb-service-center/server/scerror"
        . "github.com/onsi/ginkgo"
        . "github.com/onsi/gomega"
        "strconv"
diff --git a/server/service/schema.go b/server/service/schema.go
index 18e035a..52ef18a 100644
--- a/server/service/schema.go
+++ b/server/service/schema.go
@@ -25,11 +25,11 @@ import (
        apt "github.com/apache/servicecomb-service-center/server/core"
        "github.com/apache/servicecomb-service-center/server/core/backend"
        pb "github.com/apache/servicecomb-service-center/server/core/proto"
-       scerr "github.com/apache/servicecomb-service-center/server/error"
        "github.com/apache/servicecomb-service-center/server/plugin"
        
"github.com/apache/servicecomb-service-center/server/plugin/pkg/discovery"
        "github.com/apache/servicecomb-service-center/server/plugin/pkg/quota"
        
"github.com/apache/servicecomb-service-center/server/plugin/pkg/registry"
+       scerr "github.com/apache/servicecomb-service-center/server/scerror"
        serviceUtil 
"github.com/apache/servicecomb-service-center/server/service/util"
 
        "context"
diff --git a/server/service/schema_test.go b/server/service/schema_test.go
index 8e605ea..0086ed5 100644
--- a/server/service/schema_test.go
+++ b/server/service/schema_test.go
@@ -21,8 +21,8 @@ import (
        "strings"
 
        pb "github.com/apache/servicecomb-service-center/server/core/proto"
-       scerr "github.com/apache/servicecomb-service-center/server/error"
        "github.com/apache/servicecomb-service-center/server/plugin/pkg/quota"
+       scerr "github.com/apache/servicecomb-service-center/server/scerror"
        "github.com/apache/servicecomb-service-center/server/service"
 
        . "github.com/onsi/ginkgo"
diff --git a/server/service/tag.go b/server/service/tag.go
index 48824cd..95c76d7 100644
--- a/server/service/tag.go
+++ b/server/service/tag.go
@@ -24,10 +24,10 @@ import (
        apt "github.com/apache/servicecomb-service-center/server/core"
        "github.com/apache/servicecomb-service-center/server/core/backend"
        pb "github.com/apache/servicecomb-service-center/server/core/proto"
-       scerr "github.com/apache/servicecomb-service-center/server/error"
        "github.com/apache/servicecomb-service-center/server/plugin"
        "github.com/apache/servicecomb-service-center/server/plugin/pkg/quota"
        
"github.com/apache/servicecomb-service-center/server/plugin/pkg/registry"
+       scerr "github.com/apache/servicecomb-service-center/server/scerror"
        serviceUtil 
"github.com/apache/servicecomb-service-center/server/service/util"
 )
 
diff --git a/server/service/tag_test.go b/server/service/tag_test.go
index 8d8e743..ac4d8f7 100644
--- a/server/service/tag_test.go
+++ b/server/service/tag_test.go
@@ -18,8 +18,8 @@ package service_test
 
 import (
        pb "github.com/apache/servicecomb-service-center/server/core/proto"
-       scerr "github.com/apache/servicecomb-service-center/server/error"
        "github.com/apache/servicecomb-service-center/server/plugin/pkg/quota"
+       scerr "github.com/apache/servicecomb-service-center/server/scerror"
        . "github.com/onsi/ginkgo"
        . "github.com/onsi/gomega"
        "strconv"
diff --git a/server/service/util/dependency_util.go 
b/server/service/util/dependency_util.go
index 92ba3b8..7a4d01b 100644
--- a/server/service/util/dependency_util.go
+++ b/server/service/util/dependency_util.go
@@ -26,8 +26,8 @@ import (
        apt "github.com/apache/servicecomb-service-center/server/core"
        "github.com/apache/servicecomb-service-center/server/core/backend"
        pb "github.com/apache/servicecomb-service-center/server/core/proto"
-       scerr "github.com/apache/servicecomb-service-center/server/error"
        
"github.com/apache/servicecomb-service-center/server/plugin/pkg/registry"
+       scerr "github.com/apache/servicecomb-service-center/server/scerror"
        "strings"
 )
 
diff --git a/server/service/util/heartbeat_util.go 
b/server/service/util/heartbeat_util.go
index 89a0845..b6b7697 100644
--- a/server/service/util/heartbeat_util.go
+++ b/server/service/util/heartbeat_util.go
@@ -21,8 +21,8 @@ import (
        "errors"
        apt "github.com/apache/servicecomb-service-center/server/core"
        "github.com/apache/servicecomb-service-center/server/core/backend"
-       scerr "github.com/apache/servicecomb-service-center/server/error"
        
"github.com/apache/servicecomb-service-center/server/plugin/pkg/registry"
+       scerr "github.com/apache/servicecomb-service-center/server/scerror"
 )
 
 func HeartbeatUtil(ctx context.Context, domainProject string, serviceId 
string, instanceId string) (leaseID int64, ttl int64, _ *scerr.Error) {
diff --git a/server/service/util/instance_util.go 
b/server/service/util/instance_util.go
index 7953744..d762e66 100644
--- a/server/service/util/instance_util.go
+++ b/server/service/util/instance_util.go
@@ -26,9 +26,9 @@ import (
        apt "github.com/apache/servicecomb-service-center/server/core"
        "github.com/apache/servicecomb-service-center/server/core/backend"
        pb "github.com/apache/servicecomb-service-center/server/core/proto"
-       scerr "github.com/apache/servicecomb-service-center/server/error"
        
"github.com/apache/servicecomb-service-center/server/plugin/pkg/discovery"
        
"github.com/apache/servicecomb-service-center/server/plugin/pkg/registry"
+       scerr "github.com/apache/servicecomb-service-center/server/scerror"
        "strconv"
        "strings"
        "time"
diff --git a/server/service/util/instance_util_test.go 
b/server/service/util/instance_util_test.go
index 656678e..a46f59d 100644
--- a/server/service/util/instance_util_test.go
+++ b/server/service/util/instance_util_test.go
@@ -20,7 +20,7 @@ import (
        "context"
        "github.com/apache/servicecomb-service-center/pkg/util"
        pb "github.com/apache/servicecomb-service-center/server/core/proto"
-       scerr "github.com/apache/servicecomb-service-center/server/error"
+       scerr "github.com/apache/servicecomb-service-center/server/scerror"
        "testing"
 )
 
diff --git a/server/service/util/rule_util.go b/server/service/util/rule_util.go
index eab952b..999c37c 100644
--- a/server/service/util/rule_util.go
+++ b/server/service/util/rule_util.go
@@ -24,8 +24,8 @@ import (
        apt "github.com/apache/servicecomb-service-center/server/core"
        "github.com/apache/servicecomb-service-center/server/core/backend"
        pb "github.com/apache/servicecomb-service-center/server/core/proto"
-       scerr "github.com/apache/servicecomb-service-center/server/error"
        
"github.com/apache/servicecomb-service-center/server/plugin/pkg/registry"
+       scerr "github.com/apache/servicecomb-service-center/server/scerror"
        "reflect"
        "regexp"
        "strings"
diff --git a/server/service/util/tag_util.go b/server/service/util/tag_util.go
index 215c8ae..6b8ede7 100644
--- a/server/service/util/tag_util.go
+++ b/server/service/util/tag_util.go
@@ -23,8 +23,8 @@ import (
        "github.com/apache/servicecomb-service-center/pkg/util"
        apt "github.com/apache/servicecomb-service-center/server/core"
        "github.com/apache/servicecomb-service-center/server/core/backend"
-       scerr "github.com/apache/servicecomb-service-center/server/error"
        
"github.com/apache/servicecomb-service-center/server/plugin/pkg/registry"
+       scerr "github.com/apache/servicecomb-service-center/server/scerror"
 )
 
 func AddTagIntoETCD(ctx context.Context, domainProject string, serviceId 
string, dataTags map[string]string) *scerr.Error {
diff --git a/server/task/clear_service_test.go 
b/server/task/clear_service_test.go
index 0408e69..11de7d1 100644
--- a/server/task/clear_service_test.go
+++ b/server/task/clear_service_test.go
@@ -81,7 +81,7 @@ func createService(domain string, project string, name 
string, withInstance bool
        }
        if withInstance {
                svc.Instances = []*pb.MicroServiceInstance{
-                       &pb.MicroServiceInstance{
+                       {
                                Endpoints: []string{"http://127.0.0.1:80"},
                                HostName:  "1",
                        },