taigrr/nats.docs
1
0
Fork 0
mirror of https://github.com/taigrr/nats.docs synced 2025-01-18 04:03:23 -08:00
Code Issues Projects Releases Wiki Activity

GitBook: [master] 326 pages and 16 assets modified

Browse Source
This commit is contained in:
Ginger Collison
2019-10-04 17:48:52 +00:00
committed by gitbook-bot
parent 8b7ba5c3bb
commit fb0d5c8355
203 changed files with 4640 additions and 3107 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
nats-server/configuration/securing_nats/auth_intro/README.md Normal file
View File

@@ -0,0 +1,38 @@
# Authentication
The NATS server provides various ways of authenticating clients:
* [Token Authentication](tokens.md)
* [Username/Password credentials](username_password.md)
* [TLS Certificate](tls_mutual_auth.md)
* [NKEY with Challenge](nkey_auth.md)
* [Accounts](accounts.md)
* [JWTs](jwt_auth.md)
Authentication deals with allowing a NATS client to connect to the server. Except for JWT authentication, authentication and authorization are configured in the `authorization` section of the configuration.
## Authorization Map
The `authorization` block provides _authentication_ configuration as well as _authorization_:
| Property | Description |
| :--- | :--- |
| [`token`](tokens.md) | Specifies a global token that can be used to authenticate to the server \(exclusive of user and password\) |
| [`user`](username_password.md) | Specifies a single _global_ user name for clients to the server \(exclusive of token\) |
| [`password`](username_password.md) | Specifies a single _global_ password for clients to the server \(exclusive of `token`\) |
| `users` | A list of user configuration maps |
| `timeout` | Maximum number of seconds to wait for client authentication |
For multiple username and password credentials, specify a `users` list.
## User Configuration Map
A `user` configuration map specifies credentials and permissions options for a single user:
| Property | Description |
| :--- | :--- |
| [`user`](username_password.md) | username for client authentication |
| [`password`](username_password.md) | password for the user entry |
| [`nkey`](nkey_auth.md) | public nkey identifying an user |
| [`permissions`](../authorization.md) | permissions map configuring subjects accessible to the user |

169
nats-server/configuration/securing_nats/auth_intro/accounts.md Normal file
View File

@@ -0,0 +1,169 @@
# Accounts
## Accounts
_Accounts_ expand on the authentication foundation. With traditional authentication \(except for JWT authentication\), all clients can publish and subscribe to anything unless explicitly configured otherwise. To protect clients and information, you have to carve the subject space and permission clients carefully.
_Accounts_ allow the grouping of clients, _isolating_ them from clients in other accounts, thus enabling _multi-tenancy_ in the server. With accounts, the subject space is not globally shared, greatly simplifying the messaging environment. Instead of devising complicated subject name carving patterns, clients can use short subjects without explicit authorization rules.
Accounts configuration is done in `accounts` map. The contents of an account entry includes:
| Property | Description |
| :--- | :--- |
| `users` | a list of [user configuration maps](./#user-configuration-map) |
| `exports` | a list of export maps |
| `imports` | a list of import maps |
The `accounts` list is a map, where the keys on the map are an account name.
```text
accounts: {
A: {
users: [
{user: a, password: a}
]
},
B: {
users: [
{user: b, password: b}
]
},
}
```
> In the most straightforward configuration above you have an account named `A` which has a single user identified by the username `a` and the password `a`, and an account named `B` with a user identified by the username `b` and the password `b`.
>
> These two accounts are isolated from each other. Messages published by users in `A` are not visible to users in `B`.
>
> The user configuration map is the same as any other NATS [user configuration map](./#user-configuration-map). You can use:
* username/password
* nkeys
* and add permissions
> While the name _account_ implies one or more users, it is much simpler and enlightening to think of one account as a messaging container for one application. Users in the account are simply the minimum number of services that must work together to provide some functionality. In simpler terms, more accounts with few \(even one\) clients is a better design topology than a large account with many users with complex authorization configuration.
### Exporting and Importing
Messaging exchange between different accounts is enabled by _exporting_ streams and services from one account and _importing_ them into another. Each account controls what is exported and imported.
The `exports` configuration list enable you to define the services and streams that others can import. Services and streams are expressed as an [Export configuration map](accounts.md#export-configuration-map).
### Streams
Streams are messages your application publishes. Importing applications won't be able to make requests from your applications but will be able to consume messages you generate.
### Services
Services are messages your application can consume and act on, enabling other accounts to make requests that are fulfilled by your account.
### Export Configuration Map
The export configuration map binds a subject for use as a `service` or `stream` and optionally defines specific accounts that can import the stream or service. Here are the supported configuration properties:
| Property | Description |
| :--- | :--- |
| `stream` | A subject or subject with wildcards that the account will publish. \(exclusive of `service`\) |
| `service` | A subject or subject with wildcards that the account will subscribe to. \(exclusive of `stream`\) |
| `accounts` | A list of account names that can import the stream or service. If not specified, the service or stream is public and any account can import it. |
Here are some example exports:
```text
accounts: {
A: {
users: [
{user: a, password: a}
]
exports: [
{stream: puba.>}
{service: pubq.>}
{stream: b.>, accounts: [B]}
{service: q.b, accounts: [B]}
]
}
...
}
```
Here's what `A` is exporting:
* a public stream on the wildcard subject `puba.>`
* a public service on the wildcard subject `pubq.>`
* a stream to account `B` on the wildcard subject `a.>`
* a service to account `B` on the subject `q.b`
## Source Configuration Map
The _source configuration map_ describes an export from a remote account by specifying the `account` and `subject` of the export being imported. This map is embedded in the [import configuration map](accounts.md#import-configuration-map):
| Property | Description |
| :--- | :--- |
| `account` | Account name owning the export. |
| `subject` | The subject under which the stream or service is made accessible to the importing account |
### Import Configuration Map
An import enables an account to consume streams published by another account or make requests to services implemented by another account. All imports require a corresponding export on the exporting account. Accounts cannot do self-imports.
| Property | Description |
| :--- | :--- |
| `stream` | Stream import source configuration. \(exclusive of `service`\) |
| `service` | Service import source configuration \(exclusive of `stream`\) |
| `prefix` | A local subject prefix mapping for the imported stream. |
| `to` | A local subject mapping for imported service. |
The `prefix` and `to` options allow you to remap the subject that is used locally to receive stream messages or publish service requests.
```text
accounts: {
A: {
users: [
{user: a, password: a}
]
exports: [
{stream: puba.>}
{service: pubq.>}
{stream: b.>, accounts: [B]}
{service: q.b, accounts: [B]}
]
},
B: {
users: [
{user: b, password: b}
]
imports: [
{stream: {account: A, subject: b.>}}
{service: {account: A, subject: q.b}}
]
}
C: {
users: [
{user: c, password: c}
]
imports: [
{stream: {account: A, subject: puba.>}, prefix: from_a}
{service: {account: A, subject: pubq.C}, to: Q}
]
}
}
```
Account `B` imports:
* the private stream from `A` that only `B` can receive on `b.>`
* the private service from `A` that only `B` can send requests on `q.b`
Account `C` imports the public service and stream from `A`, but also:
* remaps the `puba.>` stream to be locally available under `from_a.puba.>`. The messages will have their original subjects prefixed by `from_a`.
* remaps the `pubq.C` service to be locally available under `Q`. Account `C` only needs to publish to `Q` locally.
It is important to reiterate that:
* stream `puba.>` from `A` is visible to all external accounts that imports the stream.
* service `pubq.>` from `A` is available to all external accounts so long as they know the full subject of where to send the request. Typically an account will export a wildcard service but then coordinate with a client account on specific subjects where requests will be answered. On our example, account `C` access the service on `pubq.C` \(but has mapped it for simplicity to `Q`\).
* stream `b.>` is private, only account `B` can receive messages from the stream.
* service `q.b` is private; only account `B` can send requests to the service.
* When `C` publishes a request to `Q`, local `C` clients will see `Q` messages. However, the server will remap `Q` to `pubq.C` and forward the requests to account `A`.

20
nats-server/configuration/securing_nats/auth_intro/auth_timeout.md Normal file
View File

@@ -0,0 +1,20 @@
# Authentication Timeout
Much like the [`tls timeout` option](../tls.md#tls-timeout), authentication can specify a `timeout` value.
If a client doesn't authenticate to the server within the specified time, the server disconnects the server to prevent abuses.
Timeouts are specified in seconds \(and can be fractional\).
As with TLS timeouts, long timeouts can be an opportunity for abuse. If setting the authentication timeout, it is important to note that it should be longer than the `tls timeout` option, as the authentication timeout includes the TLS upgrade time.
```text
authorization: {
timeout: 3
users: [
{user: a, password b},
{user: b, password a}
]
}
```

81
nats-server/configuration/securing_nats/auth_intro/jwt_auth.md Normal file
View File

@@ -0,0 +1,81 @@
# JWTs
_Accounts_ expand on [Accounts](accounts.md) and [NKeys](nkey_auth.md) authentication foundation to create a decentralized authentication and authorization model.
With other authentication mechanisms, configuration for identifying a user or an account is in the server configuration file. JWT authentication leverages [JSON Web Tokens \(JWT\)](https://jwt.io/) to describe the various entities supported. When a client connects, servers query for account JWTs and validate a trust chain. Users are not directly tracked by the server, but rather verified as belonging to an account. This enables the management of users without requiring server configuration updates.
Effectively, accounts provide for a distributed configuration paradigm. Previously each user \(or client\) needed to be known and authorized a priori in the servers configuration requiring an administrator to modify and update server configurations. Accounts eliminate these chores.
## JSON Web Tokens
[JSON Web Tokens \(JWT\)](https://jwt.io/) are an open and industry standard [RFC7519](https://tools.ietf.org/html/rfc7519) method for representing claims securely between two parties.
Claims are a fancy way of asserting information on a _subject_. In this context, a _subject_ is the entity being described \(not a messaging subject\). Standard JWT claims are typically digitally signed and verified.
NATS further restricts JWTs by requiring that JWTs be:
* Digitally signed _always_ and only using [Ed25519](https://ed25519.cr.yp.to/).
* NATS adopts the convention that all _Issuer_ and _Subject_ fields in a JWT claim must be a public [NKEY](nkey_auth.md).
* _Issuer_ and _Subject_ must match specific roles depending on the claim [NKeys](https://github.com/nats-io/nkeys).
### NKey Roles
NKey Roles are:
* Operators
* Accounts
* Users
Roles are hierarchical and form a chain of trust. Operators issue Accounts which in turn issue Users. Servers trust specific Operators. If an account is issued by an operator that is trusted, account users are trusted.
## The Authentication Process
When a _User_ connects to a server, it presents a JWT issued by its _Account_. The user proves its identity by signing a server-issued cryptographic challenge with its private key. The signature verification validates that the signature is attributable to the user's public key. Next, the server retrieves the associated account JWT that issued the user. It verifies the _User_ issuer matches the referenced account. Finally, the server checks that a trusted _Operator_ issued the _Account_, completing the trust chain verification.
## The Authorization Process
From an authorization point of view, the account provides information on messaging subjects that are imported from other accounts \(including any ancillary related authorization\) as well as messaging subjects exported to other accounts. Accounts can also bear limits, such as the maximum number of connections they may have. A user JWT can express restrictions on the messaging subjects to which it can publish or subscribe.
When a new user is added to an account, the account configuration need not change, as each user can and should have its own user JWT that can be verified by simply resolving its parent account.
## JWTs and Privacy
One crucial detail to keep in mind is that while in other systems JWTs are used as sessions or proof of authentication, NATS JWTs are only used as configuration describing:
* the public ID of the entity
* the public ID of the entity that issued it
* capabilities of the entity
Authentication is a public key cryptographic process — a client signs a nonce proving identity while the trust chain and configuration provides the authorization.
The server is never aware of private keys but can verify that a signer or issuer indeed matches a specified or known public key.
Lastly, all NATS JWTs \(Operators, Accounts, Users and others\) are expected to be signed using the [Ed25519](https://ed25519.cr.yp.to/) algorithm. If they are not, they are rejected by the system.
## Sharing Between Accounts
While accounts provide isolation, there are many cases where you want to be able to consume messages produced by one account in another. There are two kinds of shares an account can _export_:
* Streams
* Services
Streams are messages published by a foreign account; Subscribers in an _importing_ account can receive messages from a stream _exported_ by another.
Services are endpoints exported by a foreign account; Requesters _importing_ the service can publish requests to the _exported_ endpoint.
Streams and Services can be public; Public exports can be imported by any account. Or they can be private. Private streams and services require an authorization token from the exporting account that authorizes the foreign account to import the stream or service.
An importing account can remap the subject where a stream subscriber will receive messages or where a service requestor can make requests. This enables the importing account to simplify their subject space.
Exports and imports from an account are explicit, and they are visible in the account's JWT. For private exports, the import will embed an authorization token or a URL storing the token. Imports and exports make it easy to audit where data is coming from or going to.
## Configuration
Entity JWT configuration is done using the [`nsc` tool](../../../../nats-tools/nsc/). The basic steps include:
* [Creation of an operator JWT](../../../../nats-tools/nsc/nsc.md#creating-an-operator)
* [Configuring an Account Server](../../../../nats-tools/nsc/nsc.md#account-server-configuration)
* [Setting up the NATS server to resolve Accounts](../../../../nats-tools/nsc/nsc.md#nats-server-configuration)
After that, `nsc` is used to create and edit accounts and users.

61
nats-server/configuration/securing_nats/auth_intro/nkey_auth.md Normal file
View File

@@ -0,0 +1,61 @@
# NKeys
NKeys are a new, highly secure public-key signature system based on [Ed25519](https://ed25519.cr.yp.to/).
With NKeys the server can verify identities without ever storing or ever seeing private keys. The authentication system works by requiring a connecting client to provide its public key and digitally sign a challenge with its private key. The server generates a random challenge with every connection request, making it immune to playback attacks. The generated signature is validated against the provided public key, thus proving the identity of the client. If the public key is known to the server, authentication succeeds.
> NKey is an excellent replacement for token authentication because a connecting client will have to prove it controls the private key for the authorized public key.
To generate nkeys, you'll need the [`nk` tool](../../../../nats-tools/nk.md).
## Generating NKeys and Configuring the Server
To generate a _User_ NKEY:
```text
> nk -gen user -pubout
SUACSSL3UAHUDXKFSNVUZRF5UHPMWZ6BFDTJ7M6USDXIEDNPPQYYYCU3VY
UDXU4RCSJNZOIQHZNWXHXORDPRTGNJAHAHFRGZNEEJCPQTT2M7NLCNF4
```
The first output line starts with the letter `S` for _Seed_. The second letter, `U` stands for _User_. Seeds are private keys; you should treat them as secrets and guard them with care.
The second line starts with the letter `U` for _User_ and is a public key which can be safely shared.
To use nkey authentication, add a user, and set the `nkey` property to the public key of the user you want to authenticate:
```text
authorization: {
users: [
{ nkey: UDXU4RCSJNZOIQHZNWXHXORDPRTGNJAHAHFRGZNEEJCPQTT2M7NLCNF4 }
]
}
```
Note that the user section sets the `nkey` property \(user/password/token properties are not needed\). Add `permission` sections as required.
## Client Configuration
Now that you have a user nkey, let's configure a client to use it for authentication. As an example, here are the connect options for the node client:
```javascript
const NATS = require('nats');
const nkeys = require('ts-nkeys');
const nkey_seed = SUACSSL3UAHUDXKFSNVUZRF5UHPMWZ6BFDTJ7M6USDXIEDNPPQYYYCU3VY;
const nc = NATS.connect({
port: PORT,
nkey: 'UDXU4RCSJNZOIQHZNWXHXORDPRTGNJAHAHFRGZNEEJCPQTT2M7NLCNF4',
sigCB: function (nonce) {
// client loads seed safely from a file
// or some constant like `nkey_seed` defined in
// the program
const sk = nkeys.fromSeed(Buffer.from(nkey_seed));
return sk.sign(nonce);
}
});
...
```
The client provides a function that it uses to parse the seed \(the private key\) and sign the connection challenge.

97
nats-server/configuration/securing_nats/auth_intro/tls_mutual_auth.md Normal file
View File

@@ -0,0 +1,97 @@
# TLS Authentication
The server can require TLS certificates from a client. When needed, you can use the certificates to:
* Validate the client certificate matches a known or trusted CA
* Extract information from a trusted certificate to provide authentication
## Validating a Client Certificate
The server can verify a client certificate using a CA certificate. To require verification, add the option `verify` the TLS configuration section as follows:
```text
tls {
cert_file: "./configs/certs/server-cert.pem"
key_file: "./configs/certs/server-key.pem"
ca_file: "./configs/certs/ca.pem"
verify: true
}
```
Or via the command line:
```bash
> ./nats-server --tlsverify --tlscert=./test/configs/certs/server-cert.pem --tlskey=./test/configs/certs/server-key.pem --tlscacert=./test/configs/certs/ca.pem
```
This option verifies the client's certificate is signed by the CA specified in the `ca_file` option.
## Mapping Client Certificates To A User
In addition to verifying that a specified CA issued a client certificate, you can use information encoded in the certificate to authenticate a client. The client wouldn't have to provide or track usernames or passwords.
To have TLS Mutual Authentication map certificate attributes to the user's identity use `verify_and_map` as shown as follows:
```text
tls {
cert_file: "./configs/certs/server-cert.pem"
key_file: "./configs/certs/server-key.pem"
ca_file: "./configs/certs/ca.pem"
# Require a client certificate and map user id from certificate
verify_and_map: true
}
```
> Note that `verify` was changed to `verify_and_map`.
There are two options for certificate attributes that can be mapped to user names. The first is the email address in the Subject Alternative Name \(SAN\) field of the certificate. While generating a certificate with this attribute is outside the scope of this document, you can view one with `openssl`:
```text
$ openssl x509 -noout -text -in test/configs/certs/client-id-auth-cert.pem
Certificate:
...
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:localhost, IP Address:127.0.0.1, email:derek@nats.io
X509v3 Extended Key Usage:
TLS Web Client Authentication
...
```
The configuration to authorize this user would be as follows:
```text
authorization {
users = [
{user: "derek@nats.io"}
]
}
```
> Note: This configuration only works for the first email address if there are multiple emails in the SAN field.
The second option is to use the RFC 2253 Distinguished Names syntax from the certificate subject as follows:
```text
$ openssl x509 -noout -text -in test/configs/certs/tlsauth/client2.pem
Certificate:
Data:
...
Subject: OU=CNCF, CN=example.com
...
```
The configuration to authorize this user would be as follows:
```text
authorization {
users = [
{user: "CN=example.com,OU=CNCF"}
]
}
```
## TLS Timeout
[TLS timeout](../tls.md#tls-timeout) is described here.

54
nats-server/configuration/securing_nats/auth_intro/tokens.md Normal file
View File

@@ -0,0 +1,54 @@
# Tokens
Token authentication is a string that if provided by a client, allows it to connect. It is the most straightforward authentication provided by the NATS server.
To use token authentication, you can specify an `authorization` section with the `token` property set:
```text
authorization {
token: "s3cr3t"
}
```
Token authentication can be used in the authorization section for clients and clusters.
Or start the server with the `--auth` flag:
```text
> nats-server --auth s3cr3t
```
A client can easily connect by specifying the server URL:
```text
> nats-sub -s nats://s3cr3t@localhost:4222 ">"
Listening on [>]
```
## Bcrypted Tokens
Tokens can be bcrypted enabling an additional layer of security, as the clear-text version of the token would not be persisted on the server configuration file.
You can generate bcrypted tokens and passwords using the [`mkpasswd`](../../../../nats-tools/mkpasswd.md) tool:
```text
> mkpasswd
pass: dag0HTXl4RGg7dXdaJwbC8
bcrypt hash: $2a$11$PWIFAL8RsWyGI3jVZtO9Nu8.6jOxzxfZo7c/W0eLk017hjgUKWrhy
```
Here's a simple configuration file:
```text
authorization {
token: "$2a$11$PWIFAL8RsWyGI3jVZtO9Nu8.6jOxzxfZo7c/W0eLk017hjgUKWrhy"
}
```
The client will still require the clear-text token to connect:
```text
nats-sub -s nats://dag0HTXl4RGg7dXdaJwbC8@localhost:4222 ">"
Listening on [>]
```

59
nats-server/configuration/securing_nats/auth_intro/username_password.md Normal file
View File

@@ -0,0 +1,59 @@
# Username/Password
You can authenticate one or more clients using username and passwords; this enables you to have greater control over the management and issuance of credential secrets.
For a single user:
```text
authorization: {
user: a,
password: b
}
```
You can also specify a single username/password by:
```text
> nats-server --user a --pass b
```
For multiple users:
```text
authorization: {
users: [
{user: a, password: b},
{user: b, password: a}
]
}
```
## Bcrypted Passwords
Username/password also supports bcrypted passwords using the [`mkpasswd`](../../../../nats-tools/mkpasswd.md) tool. Simply replace the clear text password with the bcrypted entries:
```text
> mkpasswd
ass: (Uffs#rG42PAu#Oxi^BNng
bcrypt hash: $2a$11$V1qrpBt8/SLfEBr4NJq4T.2mg8chx8.MTblUiTBOLV3MKDeAy.f7u
```
And on the configuration file:
```text
authorization: {
users: [
{user: a, password: "$2a$11$V1qrpBt8/SLfEBr4NJq4T.2mg8chx8.MTblUiTBOLV3MKDeAy.f7u"},
...
]
}
```
## Reloading a Configuration
As you add/remove passwords from the server configuration file, you'll want your changes to take effect. To reload without restarting the server and disconnecting clients, do:
```text
> nats-server --signal reload
```