From 82ccdb8e6b5c727060856178b2ef552f6d0d87c7 Mon Sep 17 00:00:00 2001 From: Alberto Ricart Date: Tue, 28 May 2019 15:14:57 -0500 Subject: [PATCH 1/8] Added accounts, clarified jwt authentication. --- SUMMARY.md | 3 +- nats_server/auth_intro.md | 3 +- nats_server/installation.md | 60 ++++++++++++++++++++++++++++++++----- nats_server/jwt_auth.md | 13 ++------ nats_server/nkey_auth.md | 2 +- nats_tools/nsc/streams.md | 2 +- 6 files changed, 60 insertions(+), 23 deletions(-) diff --git a/SUMMARY.md b/SUMMARY.md index 3949c59..88f8d6a 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -81,7 +81,8 @@ * [Username/Password](nats_server/username_password.md) * [TLS Authentication](nats_server/tls_mutual_auth.md) * [NKeys](nats_server/nkey_auth.md) - * [Accounts](nats_server/jwt_auth.md) + * [Accounts](nats_server/accounts.md) + * [JWTs](nats_server/jwt_auth.md) * [Authentication Timeout](nats_server/auth_timeout.md) * [Authorization](nats_server/authorization.md) * [Clustering](nats_server/clustering.md) diff --git a/nats_server/auth_intro.md b/nats_server/auth_intro.md index ff02447..48734a7 100644 --- a/nats_server/auth_intro.md +++ b/nats_server/auth_intro.md @@ -6,7 +6,8 @@ The NATS server provides various ways of authenticating clients: - [Username/Password credentials](username_password.md) - [TLS Certificate](tls_mutual_auth.md) - [NKEY with Challenge](nkey_auth.md) -- [JWTs with Challenge](jwt_auth.md) +- [Accounts](accounts.md) +- [JWTs](jwt_auth.md) Authentication deals with allowing a NATS client to connect to the server. Except for JWT authentication, authentication and authorization are configured in the `authorization` section of the configuration. diff --git a/nats_server/installation.md b/nats_server/installation.md index fed9753..96e67d5 100644 --- a/nats_server/installation.md +++ b/nats_server/installation.md @@ -1,6 +1,46 @@ ## NATS Server Installation -NATS philosophy is simplicity. Installation is just decompressing a zip file and copying the binary to an appropriate directory; you can also use your favorite package manager. +NATS philosophy is simplicity. Installation is just decompressing a zip file and copying the binary to an appropriate directory; you can also use your favorite package manager. Here's a list of different ways you can install or run NATS: + +- [Docker](#installing-via-docker) +- [Kubernetes](#installing-on-kubernetes-with-nats-operator) +- [Package Manager](#installing-via-a-package-manager) +- [Release Zip](#downloading-a-release-build) +- [Development Build](installing-from-the-source) + + +### Installing via Docker + +With docker you can install the server easily without scattering binaries and other artifacts on your system. Only pre-requisite is to [install docker](https://docs.docker.com/install). + +``` +> docker pull nats:latest +latest: Pulling from library/nats +Digest: sha256:0c98cdfc4332c0de539a064bfab502a24aae18ef7475ddcc7081331502327354 +Status: Image is up to date for nats:latest +docker.io/library/nats:latest +``` + +To run nats on docker: + +``` +> docker run -p 4222:4222 -ti nats:latest +[1] 2019/05/24 15:42:58.228063 [INF] Starting nats-server version #.#.# +[1] 2019/05/24 15:42:58.228115 [INF] Git commit [#######] +[1] 2019/05/24 15:42:58.228201 [INF] Starting http monitor on 0.0.0.0:8222 +[1] 2019/05/24 15:42:58.228740 [INF] Listening for client connections on 0.0.0.0:4222 +[1] 2019/05/24 15:42:58.228765 [INF] Server is ready +[1] 2019/05/24 15:42:58.229003 [INF] Listening for route connections on 0.0.0.0:6222 +``` + +More information on [containerized NATS is available here](/nats_docker/README.md). + + +### Installing on Kubernetes with NATS Operator + +Installation via the NATS operator is beyond this tutorial. You can read about the [NATS +operator](https://github.com/nats-io/nats-operator) here. + ### Installing via a Package Manager @@ -14,12 +54,18 @@ On Mac OS: > brew install nats-server ``` -Via Docker: +To test your installation (provided the executable is visible to your shell): + ``` -> docker pull nats-server:latest +> nats-server +[41634] 2019/05/13 09:42:11.745919 [INF] Starting nats-server version 2.0.0 +[41634] 2019/05/13 09:42:11.746240 [INF] Listening for client connections on 0.0.0.0:4222 +... +[41634] 2019/05/13 09:42:11.746249 [INF] Server id is NBNYNR4ZNTH4N2UQKSAAKBAFLDV3PZO4OUYONSUIQASTQT7BT4ZF6WX7 +[41634] 2019/05/13 09:42:11.746252 [INF] Server is ready ``` -### Installing A Release Build +### Downloading A Release Build You can find the latest release of nats-server [here](https://github.com/nats-io/nats-server/releases/latest). @@ -49,10 +95,7 @@ If you have go installed, installing the binary is easy: This mechanism will install a build of [master](https://github.com/nats-io/nats-server), which almost certainly will not be a released version. If you are a developer and want to play with the latest, this is the easiest way of obtaining it. - -## Testing Your Installation - -To test your installation (provided the executable is visible to your shell): +To test your installation (provided the $GOPATH/bin is set): ``` > nats-server @@ -63,3 +106,4 @@ To test your installation (provided the executable is visible to your shell): [41634] 2019/05/13 09:42:11.746252 [INF] Server is ready ``` + diff --git a/nats_server/jwt_auth.md b/nats_server/jwt_auth.md index e09da83..23db162 100644 --- a/nats_server/jwt_auth.md +++ b/nats_server/jwt_auth.md @@ -1,18 +1,9 @@ ## Accounts -_Accounts_ expand on the [NKEY](nkey_auth.md) authentication foundation and recasts client authentication and authorization from a server configuration to a distributed and delegated authentication and authorization model. +_Accounts_ expand on [Accounts](accounts.md) and [NKeys](nkey_auth.md) authentication foundation to create a decentralized authentication and authorization model. -With other authentication mechanisms, all clients can publish and subscribe to anything unless explicitly configured otherwise. To protect clients and information, you have to carefully carve the subject space and permission clients. - -Each account is *isolated* from other accounts, thus enabling *multi-tenancy* in the server. With accounts, the subject space is not globally shared, greatly simplifying the messaging environment. Instead of devising complicated subject name carving patterns, clients can use short subjects without explicit authorization rules. - -Messaging exchange between different accounts is enabled by _exporting_ streams and services from one account and _importing_ them into another. When an export is sensitive, the export can require a constraint that authorization for its import be provided. Thus it is easy to audit exporters and limit importers. Best of all, each account is in full control of what is exported or imported and from whom. - -> While the name _account_ implies one or more users, it is much simpler and enlightening to think of one account as a messaging container for one application. Users in the account are simply the minimum number of services that must work together to provide some functionality. -> In simpler terms, more accounts with few (even one) clients is a better design topology than a large account with many users with complex authorization configuration. - -Accounts leverage [JSON Web Tokens (JWT)](https://jwt.io/) to describe the various entities supported. When a client connects, servers query for account JWTs and validate a trust chain. Users are not directly tracked by the server, but rather verified as belonging to an account. This enables the managing of users without requiring server configuration updates. +With other authentication mechanisms, configuration for identifying an user or an account is in the server configuration file. JWT authentication leverage [JSON Web Tokens (JWT)](https://jwt.io/) to describe the various entities supported. When a client connects, servers query for account JWTs and validate a trust chain. Users are not directly tracked by the server, but rather verified as belonging to an account. This enables the managing of users without requiring server configuration updates. Effectively, Accounts provide for a distributed configuration paradigm. Previously each user (or client) needed to be known and authorized a priori in the server’s configuration requiring an administrator to modify and update server configurations. Accounts eliminate these chores. diff --git a/nats_server/nkey_auth.md b/nats_server/nkey_auth.md index d4983f1..c55d8d2 100644 --- a/nats_server/nkey_auth.md +++ b/nats_server/nkey_auth.md @@ -2,7 +2,7 @@ NKeys are a new, highly secure public-key signature system based on [Ed25519](https://ed25519.cr.yp.to/). -With NKeys the server can verify identities without ever storing secrets on the server. The authentication system works by requiring a connecting client to provide its public key and digitally sign a challenge with its private key. The server generates a random challenge with every connection request, making it immune to playback attacks. The generated signature is validated against the provided public key, thus proving the identity of the client. If the public key is known to the server, authentication succeeds. +With NKeys the server can verify identities without ever storing or ever seeing private keys. The authentication system works by requiring a connecting client to provide its public key and digitally sign a challenge with its private key. The server generates a random challenge with every connection request, making it immune to playback attacks. The generated signature is validated against the provided public key, thus proving the identity of the client. If the public key is known to the server, authentication succeeds. > NKey is an excellent replacement for token authentication because a connecting client will have to prove it controls the private key for the authorized public key. diff --git a/nats_tools/nsc/streams.md b/nats_tools/nsc/streams.md index 4c3ba74..5825110 100644 --- a/nats_tools/nsc/streams.md +++ b/nats_tools/nsc/streams.md @@ -66,7 +66,7 @@ With the required information, we can add an import to the public stream. Success! - added stream import "a.b.c.>" ``` -> Note we did fancy things here: The remote stream publishes messages as `a.b.c.>`, but we changed the prefix to be something else in the importing account’s subject space. We changed it to `abc.>`. Subscribers in our account can listen to `abc.>` to get the messages. +> Note we did fancy things here: The remote stream publishes messages as `a.b.c.>`, but we changed the prefix to be something else in the importing account’s subject space. We changed it to `abc.>`. Subscribers in our account can listen to `abc.>` to get the messages. The message will be delivered as `abc.a.b.c.>`. And verifying it: From cf86aca0392c6819ab1c7b6c5062258256f7916b Mon Sep 17 00:00:00 2001 From: Alberto Ricart Date: Tue, 28 May 2019 16:04:40 -0500 Subject: [PATCH 2/8] Added information on prometheus/graphana (needs more from Colin) Added disconnect event from leafnode More clarifications --- leafnodes/README.md | 4 +++- nats_server/authorization.md | 4 ++-- nats_server/cluster_tls.md | 4 +++- nats_server/clustering.md | 41 +++++++++++++++--------------------- nats_server/monitoring.md | 3 +++ nats_tools/README.md | 3 ++- sys_accounts/sys_accounts.md | 1 + 7 files changed, 31 insertions(+), 29 deletions(-) diff --git a/leafnodes/README.md b/leafnodes/README.md index 9f109a4..36d4260 100644 --- a/leafnodes/README.md +++ b/leafnodes/README.md @@ -1,6 +1,8 @@ ## Leaf Nodes -A _Leaf Node_ is a separate authentication domain. Leaf Nodes leverage [Accounts](../nats_server/jwt_auth.md) and JWT to enable a server to connect to another and filter messages as per the leaf node's account User configuration. +A _Leaf Node_ allows an extension to a cluter or supercluster that bridges accounts and security domains. This is useful in IoT and Edge scenarios and when the local server trafic should be low RTT and local unless routed to the super cluster. + +Leaf Nodes leverage [Accounts](../nats_server/jwt_auth.md) and JWT to enable a server to connect to another and filter messages as per the leaf node's account User configuration. This effectively means that the leaf node cluster's with the other server at an Account level: diff --git a/nats_server/authorization.md b/nats_server/authorization.md index bdda5f9..b38fd09 100644 --- a/nats_server/authorization.md +++ b/nats_server/authorization.md @@ -27,7 +27,7 @@ The `permission` map provides additional properties for configuring a `permissio -**Important Note** NATS Authorizations are whitelist only, meaning to not break request/reply patterns you need to add rules as above with Alice and Bob for the `_INBOX.>` pattern. If an unauthorized client publishes or attempts to subscribe to a subject that has not been whitelisted, the action fails and is logged at the server, and an error message is returned to the client. +**Important Note** NATS Authorizations can be _allow lists_, _deny lists_, or both. It is important to not break request/reply patterns. In some cases (as shown below) you need to add rules as above with Alice and Bob for the `_INBOX.>` pattern. If an unauthorized client publishes or attempts to subscribe to a subject that has not been _allow listed_, the action fails and is logged at the server, and an error message is returned to the client. ### Example @@ -70,4 +70,4 @@ authorization { - _other_ has no permissions granted and therefore inherits the default permission set. You set the inherited default permissions by assigning them to the `default_permissions` entry inside of the authorization configuration block. -> Note that in the above example, any client with permissions to subscribe to `_INBOX.>` can receive _all_ responses published. More sensitive installations will want to add or subset the prefix to further limit subjects that a client can subscribe. Alternatively, [_Accounts_](jwt_auth.md) allow complete isolation limiting what members of an account can see. +> Note that in the above example, any client with permissions to subscribe to `_INBOX.>` can receive _all_ responses published. More sensitive installations will want to add or subset the prefix to further limit subjects that a client can subscribe. Alternatively, [_Accounts_](accounts.md) allow complete isolation limiting what members of an account can see. diff --git a/nats_server/cluster_tls.md b/nats_server/cluster_tls.md index 954c17f..1172f7a 100644 --- a/nats_server/cluster_tls.md +++ b/nats_server/cluster_tls.md @@ -2,6 +2,8 @@ When setting up clusters all servers in the cluster, if using TLS, will both verify the connecting endpoints and the server responses. So certificates are checked in both directions. Certificates can be configured only for the server's cluster identity, keeping client and server certificates separate from cluster formation. +TLS Mutual Authentication *is the recommended way* of securing routes. + ``` cluster { listen: 127.0.0.1:4244 @@ -22,4 +24,4 @@ cluster { nats-route://127.0.0.1:4246 ] } -``` \ No newline at end of file +``` diff --git a/nats_server/clustering.md b/nats_server/clustering.md index e385f70..d138621 100644 --- a/nats_server/clustering.md +++ b/nats_server/clustering.md @@ -9,34 +9,27 @@ Note that NATS clustered servers have a forwarding limit of one hop. This means In addition to a port for listening for clients, `nats-server` can listen on a "cluster" URL (the `-cluster` option). Additional `nats-server` servers can then add that URL to their `-routes` argument to join the cluster. These options can also be specified in a config file, but only the command-line version is shown in this overview for simplicity. -### Running with No Cluster +## Running a Simple Cluster + +Here is a simple cluster running on the same machine: ```sh -nats-server -p 4222 -``` ----- +# Server A - the 'seed server' +> nats-server -p 4222 -cluster nats://0.0.0.0:5222 -### Running a Simple Cluster +# Server B +> nats-server -p -1 -cluster nats://0.0.0.0:-1 -routes nats://localhost:5222 +# Check the output of the server for the selected client and route ports. -```sh -# Server A on 10.10.0.1 -nats-server -p 4222 -cluster nats://10.10.0.1:5222 - -# Server B on 10.10.0.2 -nats-server -p 4222 -cluster nats://10.10.0.2:5222 -routes nats://10.10.0.1:5222 +# Server C +> nats-server -p -1 -cluster nats://0.0.0.0:-1 -routes nats://localhost:5222 +# Check the output of the server for the selected client and route ports. ``` ----- +The _seed server_ simply declares its client and clustering port. All other servers delegate to the nats-server to auto-select a port that is not in use for both clients and cluster connections, and route to the seed server. Because the clustering protocol gossips members of the cluster, all servers are able to discover other server servers in the cluster. When a server is discovered, the discovering server will automatically attempt to connect to it in order to form a _full mesh_. Typically only one instance of the server will run per machine, so you can reuse the client port (4222) and the cluster port (5222), and simply the route to the host/port of the seed server. -```sh -# Server A on 10.10.0.1 -nats-server -p 4222 -cluster nats://10.10.0.1:5222 -routes nats://10.10.0.2:5222 -# Server B on 10.10.0.2 -nats-server -p 4222 -cluster nats://10.10.0.2:5222 -routes nats://10.10.0.1:5222 -``` - -Clients connecting to any server in the cluster will remain connected to the cluster even if the server it originally connected to is taken down, as long as at least a single server remains. +Similarly, clients connecting to any server in the cluster will discover other servers in cluster. If connection to the server is interrupted, the client will attempt to connect to all other known servers. ## Command Line Options @@ -56,7 +49,7 @@ Clustering can also be configured using the server [config file](cluster_config. The following example demonstrates how to run a cluster of 3 servers on the same host. We will start with the seed server and use the `-D` command line parameter to produce debug information. ```sh -nats-server -p 4222 -cluster nats://localhost:4248 -D +nats-server -p 4222 -cluster nats://localhost:5222 -D ``` Alternatively, you could use a configuration file, let's call it `seed.conf`, with a content similar to this: @@ -68,7 +61,7 @@ listen: 127.0.0.1:4222 http: 8222 cluster { - listen: 127.0.0.1:4248 + listen: 127.0.0.1:5222 } ``` @@ -182,9 +175,9 @@ nats-pub -s "nats://192.168.59.105:7222" hello world [#1] Received on [hello] : 'world' -# GNATSD on Node C logs: +# nats-server on Node C logs: [1] 2015/06/23 05:20:31.100032 [TRC] 192.168.59.103:7244 - rid:2 - <<- [MSG hello RSID:8:2 5] -# GNATSD on Node A logs: +# nats-server on Node A logs: [1] 2015/06/23 05:20:31.100600 [TRC] 10.0.2.2:51007 - cid:8 - <<- [MSG hello 2 5] ``` diff --git a/nats_server/monitoring.md b/nats_server/monitoring.md index aa44318..a229cd8 100644 --- a/nats_server/monitoring.md +++ b/nats_server/monitoring.md @@ -180,3 +180,6 @@ $.getJSON('http://localhost:8222/connz?callback=?', function(data) { ``` +## Monitoring Tools + +In addition to writing custom monitoring tools, you can nats-server into Prometheus. The [Prometheus NATS Exporter](https://github.com/nats-io/prometheus-nats-exporter) allows you to configure the metrics you want to observe and store in Prometheous. There's a sample [Graphana](https://graphana.com) dashboard that you can use to visualize the server metrics. \ No newline at end of file diff --git a/nats_tools/README.md b/nats_tools/README.md index bcffe24..b0f7534 100644 --- a/nats_tools/README.md +++ b/nats_tools/README.md @@ -7,4 +7,5 @@ The NATS Ecosystem has many tools to support server configuration, enhance monit - [nsc](nats_tools/nsc/README.md) - Configure Operators, Accounts and Users - [nats account server](nats_tools/nas/README.md) - Serve Account JWTs - [nats top](nats_tools/nats_top/README.md) - Monitor NATS Server -- [nats-bench](nats_tools/natsbench.md) - Benchmark NATS Server \ No newline at end of file +- [nats-bench](nats_tools/natsbench.md) - Benchmark NATS Server +- [prometheus-nats-exporter](https://github.com/nats-io/prometheus-nats-exporter) - Export NATS server metrics to [Prometheous](https://prometheus.io/) and a [Graphana](https://graphana.com) dashboard. \ No newline at end of file diff --git a/sys_accounts/sys_accounts.md b/sys_accounts/sys_accounts.md index d182135..192cd76 100644 --- a/sys_accounts/sys_accounts.md +++ b/sys_accounts/sys_accounts.md @@ -17,6 +17,7 @@ Server initiated events: - `$SYS.SERVER.ACCOUNT..CONNS` (connections for an account changed) - `$SYS.SERVER..CLIENT.AUTH.ERR` (authentication error) - `$SYS.ACCOUNT..LEAFNODE.CONNECT` (leaf node connnects) +- `$SYS.ACCOUNT..LEAFNODE.DISCONNECT` (leaf node disconnects) - `$SYS.SERVER..STATSZ` (stats summary) In addition other tools with system account privileges, can initiate requests: From d1da1914f9c9a2a7f651be4462b61059e51d7b65 Mon Sep 17 00:00:00 2001 From: Ginger Collison Date: Wed, 29 May 2019 08:23:30 -0500 Subject: [PATCH 3/8] Update installation.md --- nats_server/installation.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/nats_server/installation.md b/nats_server/installation.md index 96e67d5..12a38d5 100644 --- a/nats_server/installation.md +++ b/nats_server/installation.md @@ -11,7 +11,7 @@ NATS philosophy is simplicity. Installation is just decompressing a zip file and ### Installing via Docker -With docker you can install the server easily without scattering binaries and other artifacts on your system. Only pre-requisite is to [install docker](https://docs.docker.com/install). +With docker you can install the server easily without scattering binaries and other artifacts on your system. The only pre-requisite is to [install docker](https://docs.docker.com/install). ``` > docker pull nats:latest @@ -21,7 +21,7 @@ Status: Image is up to date for nats:latest docker.io/library/nats:latest ``` -To run nats on docker: +To run NATS on Docker: ``` > docker run -p 4222:4222 -ti nats:latest @@ -38,8 +38,8 @@ More information on [containerized NATS is available here](/nats_docker/README.m ### Installing on Kubernetes with NATS Operator -Installation via the NATS operator is beyond this tutorial. You can read about the [NATS -operator](https://github.com/nats-io/nats-operator) here. +Installation via the NATS Operator is beyond this tutorial. You can read about the [NATS +Operator](https://github.com/nats-io/nats-operator) here. ### Installing via a Package Manager @@ -69,7 +69,7 @@ To test your installation (provided the executable is visible to your shell): You can find the latest release of nats-server [here](https://github.com/nats-io/nats-server/releases/latest). -Download the zip file matching your systems architecture, and unzip. For this example, assuming version 2.0.0 of the server, and a Linux AMD64: +Download the zip file matching your systems architecture, and unzip. For this example, assuming version 2.0.0 of the server and a Linux AMD64: ``` > curl -L https://github.com/nats-io/nats-server/releases/download/v2.0.0/nats-server-v2.0.0-linux-amd64.zip -o nats-server.zip @@ -87,13 +87,13 @@ Archive: nats-server.zip ### Installing from the source -If you have go installed, installing the binary is easy: +If you have Go installed, installing the binary is easy: ``` > go get github.com/nats-io/nats-server ``` -This mechanism will install a build of [master](https://github.com/nats-io/nats-server), which almost certainly will not be a released version. If you are a developer and want to play with the latest, this is the easiest way of obtaining it. +This mechanism will install a build of [master](https://github.com/nats-io/nats-server), which almost certainly will not be a released version. If you are a developer and want to play with the latest, this is the easiest way. To test your installation (provided the $GOPATH/bin is set): From a45aaab2df2c1831653ed36497d9b009d19125eb Mon Sep 17 00:00:00 2001 From: Ginger Collison Date: Wed, 29 May 2019 08:47:21 -0500 Subject: [PATCH 4/8] Update jwt_auth.md --- nats_server/jwt_auth.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/nats_server/jwt_auth.md b/nats_server/jwt_auth.md index 23db162..601c000 100644 --- a/nats_server/jwt_auth.md +++ b/nats_server/jwt_auth.md @@ -3,9 +3,9 @@ _Accounts_ expand on [Accounts](accounts.md) and [NKeys](nkey_auth.md) authentication foundation to create a decentralized authentication and authorization model. -With other authentication mechanisms, configuration for identifying an user or an account is in the server configuration file. JWT authentication leverage [JSON Web Tokens (JWT)](https://jwt.io/) to describe the various entities supported. When a client connects, servers query for account JWTs and validate a trust chain. Users are not directly tracked by the server, but rather verified as belonging to an account. This enables the managing of users without requiring server configuration updates. +With other authentication mechanisms, configuration for identifying a user or an account is in the server configuration file. JWT authentication leverages [JSON Web Tokens (JWT)](https://jwt.io/) to describe the various entities supported. When a client connects, servers query for account JWTs and validate a trust chain. Users are not directly tracked by the server, but rather verified as belonging to an account. This enables the management of users without requiring server configuration updates. -Effectively, Accounts provide for a distributed configuration paradigm. Previously each user (or client) needed to be known and authorized a priori in the server’s configuration requiring an administrator to modify and update server configurations. Accounts eliminate these chores. +Effectively, accounts provide for a distributed configuration paradigm. Previously each user (or client) needed to be known and authorized a priori in the server’s configuration requiring an administrator to modify and update server configurations. Accounts eliminate these chores. ### JSON Web Tokens @@ -38,7 +38,7 @@ When a _User_ connects to a server, it presents a JWT issued by its _Account_. T ### The Authorization Process -From an authorization point of view, the Account provides information on messaging subjects that are imported from other accounts (including any ancillary related authorization) as well as messaging subjects exported to other accounts. Accounts can also bear limits, such as the maximum number of connections they may have. A user JWT can express restrictions on the messaging subjects that it can publish or subscribe to. +From an authorization point of view, the account provides information on messaging subjects that are imported from other accounts (including any ancillary related authorization) as well as messaging subjects exported to other accounts. Accounts can also bear limits, such as the maximum number of connections they may have. A user JWT can express restrictions on the messaging subjects to which it can publish or subscribe. When a new user is added to an account, the account configuration need not change, as each user can and should have its own user JWT that can be verified by simply resolving its parent account. @@ -50,7 +50,7 @@ One crucial detail to keep in mind is that while in other systems JWTs are used - the public ID of the entity that issued it - capabilities of the entity -Authentication is a public key cryptographic process — a client signs a nonce proving identity while the trust chain and configuration provides the authorization. +Authentication is a public key cryptographic process — a client signs a nonce proving identity while the trust chain and configuration provides the authorization. The server is never aware of private keys but can verify that a signer or issuer indeed matches a specified or known public key. @@ -58,7 +58,7 @@ Lastly, all NATS JWTs (Operators, Accounts, Users and others) are expected to be ### Sharing Between Accounts -While accounts provide isolation, there are many cases where you want to be able to consume messages produced by one account in another. There are two kinds of shares that an account can _export_: +While accounts provide isolation, there are many cases where you want to be able to consume messages produced by one account in another. There are two kinds of shares an account can _export_: - Streams - Services @@ -71,7 +71,7 @@ Streams and Services can be public; Public exports can be imported by any accoun An importing account can remap the subject where a stream subscriber will receive messages or where a service requestor can make requests. This enables the importing account to simplify their subject space. -Exports and imports from an account are explicit, and they are visible in the account's JWT. For private exports, the import will embed an authorization token or a URL storing the token. Imports and exports make it easy to audit where data is coming or going. +Exports and imports from an account are explicit, and they are visible in the account's JWT. For private exports, the import will embed an authorization token or a URL storing the token. Imports and exports make it easy to audit where data is coming from or going to. ### Configuration @@ -81,4 +81,4 @@ Entity JWT configuration is done using the [`nsc` tool](/nats_tools/nsc/README.m - [Configuring an Account Server](/nats_tools/nsc/nsc.md#account-server-configuration) - [Setting up the NATS server to resolve Accounts](/nats_tools/nsc/nsc.md#nats-server-configuration) -After that, `nsc` is used to create and edit accounts and users. \ No newline at end of file +After that, `nsc` is used to create and edit accounts and users. From 7b524b06c0a458c2dae9ca5bb9a26df364611271 Mon Sep 17 00:00:00 2001 From: Ginger Collison Date: Wed, 29 May 2019 09:02:21 -0500 Subject: [PATCH 5/8] Update README.md --- leafnodes/README.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/leafnodes/README.md b/leafnodes/README.md index 36d4260..ab9292c 100644 --- a/leafnodes/README.md +++ b/leafnodes/README.md @@ -1,17 +1,17 @@ ## Leaf Nodes -A _Leaf Node_ allows an extension to a cluter or supercluster that bridges accounts and security domains. This is useful in IoT and Edge scenarios and when the local server trafic should be low RTT and local unless routed to the super cluster. +A _Leaf Node_ allows an extension to a cluter or supercluster that bridges accounts and security domains. This is useful in IoT and edge scenarios and when the local server traffic should be low RTT and local unless routed to the super cluster. -Leaf Nodes leverage [Accounts](../nats_server/jwt_auth.md) and JWT to enable a server to connect to another and filter messages as per the leaf node's account User configuration. +Leaf Nodes leverage [accounts](../nats_server/jwt_auth.md) and JWTs to enable a server to connect to another and filter messages as per the leaf node's account user configuration. -This effectively means that the leaf node cluster's with the other server at an Account level: +This effectively means that the leaf node clusters with the other server at an account level: - Leaf nodes clients authenticate locally (or just connect if authentication is not required) -- Traffic between the leaf node and the cluster assume the restrictions of the User configuration used to create the leaf connection. +- Traffic between the leaf node and the cluster assumes the restrictions of the user configuration used to create the leaf connection. - Subjects that the user is allowed to publish are exported to the cluster. - Subjects the user is allowed to subscribe to, are imported into the leaf node. -> Leaf Nodes are an important component as a way to bridge traffic between local nats-servers you control and servers that are managed by a third-party. The Synadia's [NATS Global Service (NGS)](https://www.synadia.com/) allows accounts to use leaf nodes, but gain accessibility to the global network to inexpensively connect geographically distributed servers or small clusters. +> Leaf Nodes are an important component as a way to bridge traffic between local nNATS Servers you control and servers that are managed by a third-party. Synadia's [NATS Global Service (NGS)](https://www.synadia.com/) allows accounts to use leaf nodes, but gain accessibility to the global network to inexpensively connect geographically distributed servers or small clusters. [LeafNode Configuration Options](leafnode_conf.md) @@ -201,7 +201,7 @@ Both subscribers will receive the message as expected. As you can see: -- Messages to and from the leaf node to the server are limitted by the user associated with the leaf node connection. +- Messages to and from the leaf node to the server are limited by the user associated with the leaf node connection. - Messages within the leaf node are as per the server's authentication and authorization configuration From bce45065d875f6db725e1743d2ba384b427367c0 Mon Sep 17 00:00:00 2001 From: Ginger Collison Date: Wed, 29 May 2019 09:09:22 -0500 Subject: [PATCH 6/8] Update clustering.md --- nats_server/clustering.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/nats_server/clustering.md b/nats_server/clustering.md index d138621..4210390 100644 --- a/nats_server/clustering.md +++ b/nats_server/clustering.md @@ -29,7 +29,7 @@ Here is a simple cluster running on the same machine: The _seed server_ simply declares its client and clustering port. All other servers delegate to the nats-server to auto-select a port that is not in use for both clients and cluster connections, and route to the seed server. Because the clustering protocol gossips members of the cluster, all servers are able to discover other server servers in the cluster. When a server is discovered, the discovering server will automatically attempt to connect to it in order to form a _full mesh_. Typically only one instance of the server will run per machine, so you can reuse the client port (4222) and the cluster port (5222), and simply the route to the host/port of the seed server. -Similarly, clients connecting to any server in the cluster will discover other servers in cluster. If connection to the server is interrupted, the client will attempt to connect to all other known servers. +Similarly, clients connecting to any server in the cluster will discover other servers in the cluster. If the connection to the server is interrupted, the client will attempt to connect to all other known servers. ## Command Line Options @@ -38,7 +38,7 @@ The following cluster options are supported: --routes [rurl-1, rurl-2] Routes to solicit and connect --cluster nats://host:port Cluster URL for solicited routes -When a NATS server routes to a specified URL, it will advertise its own cluster URL to all other servers in the route route effectively creating a routing mesh to all other servers. +When a NATS server routes to a specified URL, it will advertise its own cluster URL to all other servers in the route effectively creating a routing mesh to all other servers. **Note:** when using the `-routes` option, you must also specify a `-cluster` option. @@ -80,7 +80,7 @@ This will produce an output similar to: [75653] 2016/04/26 15:14:47.340825 [INF] server is ready ``` -It is also possible to specify the hostname and port independently. At least the port is required. If you leave the hostname off it will bind to all the interfaces ('0.0.0.0'). +It is also possible to specify the hostname and port independently. At the minimum, the port is required. If you leave the hostname off it will bind to all the interfaces ('0.0.0.0'). ```ascii cluster { From ab563e17f9dd5f0a9857f3a0ac11889ac7e20d08 Mon Sep 17 00:00:00 2001 From: Alberto Ricart Date: Wed, 29 May 2019 09:17:03 -0500 Subject: [PATCH 7/8] added missing file addressed github review. --- nats_server/accounts.md | 176 ++++++++++++++++++++++++++++++++++++++++ nats_server/jwt_auth.md | 2 +- 2 files changed, 177 insertions(+), 1 deletion(-) create mode 100644 nats_server/accounts.md diff --git a/nats_server/accounts.md b/nats_server/accounts.md new file mode 100644 index 0000000..3abad28 --- /dev/null +++ b/nats_server/accounts.md @@ -0,0 +1,176 @@ +## Accounts + +_Accounts_ expand on the authentication foundation. With traditional authentication (except for JWT authentication), all clients can publish and subscribe to anything unless explicitly configured otherwise. To protect clients and information, you have to carve the subject space and permission clients carefully. + +_Accounts_ allows grouping of clients, *isolating* them from clients in other accounts, thus enabling *multi-tenancy* in the server. With accounts, the subject space is not globally shared, greatly simplifying the messaging environment. Instead of devising complicated subject name carving patterns, clients can use short subjects without explicit authorization rules. + +Accounts configuration is done in `accounts` map. The contents of an account entry includes: + +| Property | Description | +| :-- | :-- | +| `users` | a list of [user configuration maps](auth_intro.md#user-configuration-map) | +| `exports` | a list of export maps | +| `imports` | a list of import maps | + + +The `accounts` list is a map, where the keys on the map are an account name. + +``` +accounts: { + A: { + users: [ + {user: a, password: a} + ] + }, + B: { + users: [ + {user: b, password: b} + ] + }, +} +``` + +> In the most straightforward configuration above you have an account named `A` which has a single user identified by the username `a` and the password `a`, and an account named `B` with a user identified by the username `b` and the password `b`. + +> These two accounts are isolated from each other. Messages published by users in `A` are not visible to users in `B`. + +> The user configuration map is the same as any other NATS [user configuration map](auth_intro.md#user-configuration-map). You can use: + +- username/password +- nkeys +- and add permissions + +> While the name _account_ implies one or more users, it is much simpler and enlightening to think of one account as a messaging container for one application. Users in the account are simply the minimum number of services that must work together to provide some functionality. +> In simpler terms, more accounts with few (even one) clients is a better design topology than a large account with many users with complex authorization configuration. + +## Exporting and Importing + +Messaging exchange between different accounts is enabled by _exporting_ streams and services from one account and _importing_ them into another. Each account controls what is exported and imported. + +The `exports` configuration list enable you to define the services and streams that others can import. Services and streams are expressed as an [Export configuration map](#export-configuration-map). + +### Streams + +Streams are messages you application publishes. Importing applications won't be able to make requests from your applications but will be able to consume messages you generate. + +### Services + +Services are messages your application can consume and act on, enabling other accounts to make requests that are fulfilled by your account. + + + +## Export Configuration Map + +The export configuration map binds a subject for use as a `service` or `stream` and optionally defines specific accounts that can import the stream or service. Here are the supported configuration properties: + +| Property | Description | +| :-- | :-- | +| `stream` | A subject or subject with wildcards that the account will publish. (exclusive of `service`) | +| `service` | A subject or subject with wildcards that the account will subscribe to. (exclusive of `stream`) | +| `accounts` | A list of account names that can import the stream or service. If not specified, the service or stream is public and any account can import it. | + +Here are some example exports: +``` +accounts: { + A: { + users: [ + {user: a, password: a} + ] + exports: [ + {stream: puba.>} + {service: pubq.>} + {stream: b.>, accounts: [B]} + {service: q.b, accounts: [B]} + ] + } + ... +} +``` + +Here's what `A` is exporting: + +- a public stream on the wildcard subject `puba.>` +- a public service on the wildcard subject `pubq.>` +- a stream to account `B` on the wildcard subject `a.>` +- a service to account `B` on the subject `q.b` + + +## Source Configuration Map + +The _source configuration map_ describes an export from a remote account by specifying the `account` and `subject` of the export being imported. This map is embedded in the [import configuration map](#import-configuration-map): + +| Property | Description | +| :-- | :-- | +| `account` | Account name owning the export. | +| `subject` | The subject under which the stream or service is made accessible to the importing account | + + +## Import Configuration Map + +An import enables an account to consume streams published by another account or make requests to services implemented by another account. All imports require a corresponding export on the exporting account. Accounts cannot do self-imports. + +| Property | Description | +| :-- | :-- | +| `stream` | Stream import source configuration. (exclusive of `service`) | +| `service` | Service import source configuration (exclusive of `stream`) | +| `prefix` | A local subject prefix mapping for the imported stream.| +| `to` | A local subject mapping for imported service. | + +The `prefix` and `to` options allow you to remap the subject that is used locally to receive stream messages or publish service requests. + + + +``` +accounts: { + A: { + users: [ + {user: a, password: a} + ] + exports: [ + {stream: puba.>} + {service: pubq.>} + {stream: b.>, accounts: [B]} + {service: q.b, accounts: [B]} + ] + }, + B: { + users: [ + {user: b, password: b} + ] + imports: [ + {stream: {account: A, subject: b.>}} + {service: {account: A, subject: q.b}} + ] + } + C: { + users: [ + {user: c, password: c} + ] + imports: [ + {stream: {account: A, subject: puba.>}, prefix: from_a} + {service: {account: A, subject: pubq.C}, to: Q} + ] + } +} +``` + +Account `B` imports: + +- the private stream from `A` that only `B` can receive on `b.>` +- the private service from `A` that only `B` can send requests on `q.b` + +Account `C` imports the public service and stream from `A`, but also: + +- remaps the `puba.>` stream to be locally available under `from_a.puba.>`. The messages will have their original subjects prefixed by `from_a`. +- remaps the `pubq.C` service to be locally available under `Q`. Account `C` only needs to publish to `Q` locally. + +It is important to reiterate that: + +- stream `puba.>` from `A` is visible to all external accounts that imports the stream. +- service `pubq.>` from `A` is available to all external accounts so long as they know the full subject of where to send the request. Typically an account will export a wildcard service but then coordinate with a client account on specific subjects where requests will be answered. On our example, account `C` access the service on `pubq.C` (but has mapped it for simplicity to `Q`). +- stream `b.>` is private, only account `B` can receive messages from the stream. +- service `q.b` is private; only account `B` can send requests to the service. +- When `C` publishes a request to `Q`, local `C` clients will see `Q` messages. However, the server will remap `Q` to `pubq.C` and forward the requests to account `A`. + + + diff --git a/nats_server/jwt_auth.md b/nats_server/jwt_auth.md index 23db162..1d5d2d9 100644 --- a/nats_server/jwt_auth.md +++ b/nats_server/jwt_auth.md @@ -18,7 +18,7 @@ NATS further restricts JWTs by requiring that JWTs be: - Digitally signed _always_ and only using [Ed25519](https://ed25519.cr.yp.to/). - NATS adopts the convention that all _Issuer_ and _Subject_ fields in a JWT claim must be a public [NKEY](nkey_auth.md). -- It also introduces type requirements into claims, enabling the pairing of specific roles matching those supported by [NKeys](https://github.com/nats-io/nkeys). +- _Issuer_ and _Subject_ must match specific roles depending on the claim [NKeys](https://github.com/nats-io/nkeys). #### NKey Roles From 5748f643dfa33e0458fa86099c970f8dd19cd0b5 Mon Sep 17 00:00:00 2001 From: Ginger Collison Date: Wed, 29 May 2019 10:55:48 -0500 Subject: [PATCH 8/8] Update accounts.md --- nats_server/accounts.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nats_server/accounts.md b/nats_server/accounts.md index 3abad28..c6d634f 100644 --- a/nats_server/accounts.md +++ b/nats_server/accounts.md @@ -2,7 +2,7 @@ _Accounts_ expand on the authentication foundation. With traditional authentication (except for JWT authentication), all clients can publish and subscribe to anything unless explicitly configured otherwise. To protect clients and information, you have to carve the subject space and permission clients carefully. -_Accounts_ allows grouping of clients, *isolating* them from clients in other accounts, thus enabling *multi-tenancy* in the server. With accounts, the subject space is not globally shared, greatly simplifying the messaging environment. Instead of devising complicated subject name carving patterns, clients can use short subjects without explicit authorization rules. +_Accounts_ allow the grouping of clients, *isolating* them from clients in other accounts, thus enabling *multi-tenancy* in the server. With accounts, the subject space is not globally shared, greatly simplifying the messaging environment. Instead of devising complicated subject name carving patterns, clients can use short subjects without explicit authorization rules. Accounts configuration is done in `accounts` map. The contents of an account entry includes: @@ -51,7 +51,7 @@ The `exports` configuration list enable you to define the services and streams t ### Streams -Streams are messages you application publishes. Importing applications won't be able to make requests from your applications but will be able to consume messages you generate. +Streams are messages your application publishes. Importing applications won't be able to make requests from your applications but will be able to consume messages you generate. ### Services