mirror of https://github.com/taigrr/nats.docs synced 2025-01-18 04:03:23 -08:00
nats.docs/docs/nats_server/authorization.html
2019-05-15 14:19:51 -05:00


<!DOCTYPE HTML>
<html lang="" >
<head>
<meta charset="UTF-8">
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
<title>Authorization · NATS</title>
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="description" content="">
<meta name="generator" content="GitBook 3.2.3">
<meta name="author" content="The NATS Maintainers">
<link rel="stylesheet" href="../gitbook/style.css">
<link rel="stylesheet" href="../gitbook/gitbook-plugin-prism/prism.css">
<link rel="stylesheet" href="../gitbook/gitbook-plugin-search/search.css">
<link rel="stylesheet" href="../gitbook/gitbook-plugin-fontsettings/website.css">
<meta name="HandheldFriendly" content="true"/>
<meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no">
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-status-bar-style" content="black">
<link rel="apple-touch-icon-precomposed" sizes="152x152" href="../gitbook/images/apple-touch-icon-precomposed-152.png">
<link rel="shortcut icon" href="../gitbook/images/favicon.ico" type="image/x-icon">
<link rel="next" href="clustering.html" />
<link rel="prev" href="authentication.html" />
<link rel="stylesheet" href="https://cdn.materialdesignicons.com/3.6.95/css/materialdesignicons.min.css">
</head>
<body>
<div class="book">
<div class="book-summary">
<div id="book-search-input" role="search">
<input type="text" placeholder="Type to search" />
</div>
<nav role="navigation">
<ul class="summary">
<li class="chapter " data-level="1.1" data-path="../">
<a href="../">
Introduction
</a>
<ul class="articles">
<li class="chapter " data-level="1.1.1" data-path="./">
<a href="./">
NATS Server
</a>
<ul class="articles">
<li class="chapter " data-level="1.1.1.1" data-path="installation.html">
<a href="installation.html">
Installing
</a>
</li>
<li class="chapter " data-level="1.1.1.2" data-path="running.html">
<a href="running.html">
Running
</a>
</li>
<li class="chapter " data-level="1.1.1.3" data-path="clients.html">
<a href="clients.html">
Clients
</a>
</li>
<li class="chapter " data-level="1.1.1.4" data-path="flags.html">
<a href="flags.html">
Flags
</a>
</li>
<li class="chapter " data-level="1.1.1.5" data-path="configuration.html">
<a href="configuration.html">
Configuration File
</a>
<ul class="articles">
<li class="chapter " data-level="1.1.1.5.1" data-path="authentication.html">
<a href="authentication.html">
Authentication
</a>
</li>
<li class="chapter active" data-level="1.1.1.5.2" data-path="authorization.html">
<a href="authorization.html">
Authorization
</a>
</li>
<li class="chapter " data-level="1.1.1.5.3" data-path="clustering.html">
<a href="clustering.html">
Clustering
</a>
</li>
<li class="chapter " data-level="1.1.1.5.4" data-path="tls.html">
<a href="tls.html">
TLS Security
</a>
</li>
<li class="chapter " data-level="1.1.1.5.5" data-path="logging.html">
<a href="logging.html">
Logging
</a>
</li>
<li class="chapter " data-level="1.1.1.5.6" data-path="monitoring.html">
<a href="monitoring.html">
Monitoring
</a>
<ul class="articles">
<li class="chapter " data-level="1.1.1.5.6.1" data-path="natstop.html">
<a href="natstop.html">
Statistics
</a>
<ul class="articles">
<li class="chapter " data-level="1.1.1.5.6.1.1" data-path="nats_top_tutorial.html">
<a href="nats_top_tutorial.html">
NATS Top Tutorial
</a>
</li>
</ul>
</li>
</ul>
</li>
</ul>
</li>
<li class="chapter " data-level="1.1.1.6" data-path="signals.html">
<a href="signals.html">
Signals
</a>
</li>
<li class="chapter " data-level="1.1.1.7" data-path="windows_srv.html">
<a href="windows_srv.html">
Window Service
</a>
</li>
<li class="chapter " data-level="1.1.1.8" data-path="upgrading.html">
<a href="upgrading.html">
Upgrading a Cluster
</a>
</li>
</ul>
</li>
</ul>
</li>
<li class="chapter " data-level="1.2" data-path="../developer/">
<a href="../developer/">
Developing with NATS
</a>
<ul class="articles">
<li class="chapter " data-level="1.2.1" data-path="../developer/connecting.html">
<a href="../developer/connecting.html">
Connecting
</a>
</li>
</ul>
</li>
<li class="divider"></li>
<li>
<a href="https://www.gitbook.com" target="blank" class="gitbook-link">
Published with GitBook
</a>
</li>
</ul>
</nav>
</div>
<div class="book-body">
<div class="body-inner">
<div class="book-header" role="navigation">
<!-- Title -->
<h1>
<i class="fa fa-circle-o-notch fa-spin"></i>
<a href=".." >Authorization</a>
</h1>
</div>
<div class="page-wrapper" tabindex="-1" role="main">
<div class="page-inner">
<div id="book-search-results">
<div class="search-noresults">
<section class="normal markdown-section">
<h2 id="authorization">Authorization</h2>
<p>The NATS server supports authorization using subject-level permissions on a per-user basis. Permission-based authorization is available with <a href="../documentation/managing_the_server/authentication">multi-user authentication</a>.</p>
<p>Each permission grant is an object with two fields: the subject(s) the authenticated user can publish to, and the subject(s) the authenticated user can subscribe to. The parser is lenient about the form of each field, so both arrays and singletons are accepted. Subjects themselves can contain wildcards. Permissions can make use of <a href="../documentation/managing_the_server/configuration">variables</a>.</p>
<p>You set permissions by creating an entry inside of the <code>authorization</code> configuration block that conforms to the following syntax:</p>
<pre class="language-"><code class="lang-ascii">authorization {
  PERMISSION_NAME = {
    publish = &quot;singleton&quot; or [&quot;array&quot;, ...]
    subscribe = &quot;singleton&quot; or [&quot;array&quot;, ...]
  }
}
</code></pre>
<p><strong>Important Note</strong> NATS authorizations are whitelist only: any subject that is not explicitly granted is denied. To avoid breaking request/reply patterns, you therefore need to add rules for the <code>_INBOX.&gt;</code> pattern, as shown for Alice and Bob in the example below. If an unauthorized client publishes or attempts to subscribe to a subject that has not been whitelisted, the action fails and is logged at the server, and an error message is returned to the client.</p>
<h3 id="example">Example</h3>
<p>Here is an example authorization configuration that defines four users, three of whom are assigned explicit permissions.</p>
<pre class="language-"><code class="lang-ascii">authorization {
  ADMIN = {
    publish = &quot;&gt;&quot;
    subscribe = &quot;&gt;&quot;
  }
  REQUESTOR = {
    publish = [&quot;req.foo&quot;, &quot;req.bar&quot;]
    subscribe = &quot;_INBOX.&gt;&quot;
  }
  RESPONDER = {
    subscribe = [&quot;req.foo&quot;, &quot;req.bar&quot;]
    publish = &quot;_INBOX.&gt;&quot;
  }
  DEFAULT_PERMISSIONS = {
    publish = &quot;SANDBOX.*&quot;
    subscribe = [&quot;PUBLIC.&gt;&quot;, &quot;_INBOX.&gt;&quot;]
  }
  PASS: abcdefghijklmnopqrstuvwxwz0123456789
  users = [
    {user: joe, password: foo, permissions: $ADMIN}
    {user: alice, password: bar, permissions: $REQUESTOR}
    {user: bob, password: $PASS, permissions: $RESPONDER}
    {user: charlie, password: bar}
  ]
}
</code></pre>
<p>Since Joe is an ADMIN he can publish/subscribe on any subject. We use the wildcard <code>&gt;</code> to match any subject.</p>
<p>Alice is a REQUESTOR and can publish requests on subjects <code>req.foo</code> or <code>req.bar</code>, and subscribe to anything that is a response (<code>_INBOX.&gt;</code>).</p>
<p>Charlie has no permissions granted and therefore inherits the default permission set. You set the inherited default permissions by assigning them to the <code>default_permissions</code> entry inside the <code>authorization</code> configuration block.</p>
<p>Bob is a RESPONDER to any of Alice&apos;s requests, so Bob needs to be able to subscribe to the request subjects and publish to Alice&apos;s reply subject, which will match <code>_INBOX.&gt;</code>.</p>
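<p>The whitelist evaluation described above, modelled in Go as an added example (it is not code from this page or from the NATS server). The names <code>Perm</code>, <code>covers</code> and <code>Allowed</code> are hypothetical; the model assumes <code>*</code> stands for exactly one token and <code>&gt;</code> for one or more trailing tokens, and it allows a wildcard subscription only when it is no broader than the granted pattern.</p>

```go
package main

import (
	"fmt"
	"strings"
)

// Perm models one permission grant: allow-lists for publish and subscribe.
type Perm struct{ Publish, Subscribe []string }

// Permission sets copied from the page's example configuration.
var (
	admin     = Perm{[]string{">"}, []string{">"}}
	requestor = Perm{[]string{"req.foo", "req.bar"}, []string{"_INBOX.>"}}
	responder = Perm{[]string{"_INBOX.>"}, []string{"req.foo", "req.bar"}}
	defaults  = Perm{[]string{"SANDBOX.*"}, []string{"PUBLIC.>", "_INBOX.>"}}
	users     = map[string]Perm{"joe": admin, "alice": requestor, "bob": responder, "charlie": defaults}
)

// covers reports whether an allow-list pattern covers subject. "*" stands for
// exactly one token and ">" for one or more trailing tokens. A subject that is
// itself a wildcard subscription is covered only if it is no broader than pattern.
func covers(pattern, subject string) bool {
	p, s := strings.Split(pattern, "."), strings.Split(subject, ".")
	for i, tok := range p {
		if i >= len(s) {
			return false // subject ran out of tokens before the pattern did
		}
		if tok == ">" {
			return i == len(p)-1 // ">" is only a wildcard as the final token
		}
		if s[i] == ">" || (tok != "*" && tok != s[i]) {
			return false // literal mismatch, or subject broader than the pattern
		}
	}
	return len(p) == len(s)
}

// Allowed applies the whitelist rule: pass only if some granted pattern covers the subject.
func Allowed(user, action, subject string) bool {
	list := users[user].Publish // unknown user: empty lists, so everything is denied
	if action == "sub" {
		list = users[user].Subscribe
	}
	for _, pat := range list {
		if covers(pat, subject) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample operations, not taken from a real server log.
	ops := [][3]string{{"alice", "sub", "req.foo"}, {"bob", "sub", "req.*"}, {"charlie", "pub", "SANDBOX.a.b"}}
	for _, op := range ops {
		fmt.Printf("%-8s %s %-12s allowed=%v\n", op[0], op[1], op[2], Allowed(op[0], op[1], op[2]))
	}
}
```

<p>All three sample operations are denied, which is the failure case worth testing for when reviewing a permission set: a requestor listening on request subjects, a responder widening its subscription with a wildcard, and a default user publishing more than one level below <code>SANDBOX</code>.</p>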
</section>
</div>
<div class="search-results">
<div class="has-results">
<h1 class="search-results-title"><span class='search-results-count'></span> results matching "<span class='search-query'></span>"</h1>
<ul class="search-results-list"></ul>
</div>
<div class="no-results">
<h1 class="search-results-title">No results matching "<span class='search-query'></span>"</h1>
</div>
</div>
</div>
</div>
</div>
</div>
<a href="authentication.html" class="navigation navigation-prev " aria-label="Previous page: Authentication">
<i class="fa fa-angle-left"></i>
</a>
<a href="clustering.html" class="navigation navigation-next " aria-label="Next page: Clustering">
<i class="fa fa-angle-right"></i>
</a>
</div>
<script>
var gitbook = gitbook || [];
gitbook.push(function() {
gitbook.page.hasChanged({"page":{"title":"Authorization","level":"1.1.1.5.2","depth":4,"next":{"title":"Clustering","level":"1.1.1.5.3","depth":4,"path":"nats_server/clustering.md","ref":"nats_server/clustering.md","articles":[]},"previous":{"title":"Authentication","level":"1.1.1.5.1","depth":4,"path":"nats_server/authentication.md","ref":"nats_server/authentication.md","articles":[]},"dir":"ltr"},"config":{"plugins":["prism","-highlight","include-html"],"styles":{"website":"styles/website.css","pdf":"styles/pdf.css","epub":"styles/epub.css","mobi":"styles/mobi.css","ebook":"styles/ebook.css","print":"styles/print.css"},"pluginsConfig":{"prism":{},"include-html":{},"search":{},"lunr":{"maxIndexSize":1000000,"ignoreSpecialCharacters":false},"sharing":{"facebook":true,"twitter":true,"google":false,"weibo":false,"instapaper":false,"vk":false,"all":["facebook","google","twitter","weibo","instapaper"]},"fontsettings":{"theme":"white","family":"sans","size":2},"theme-default":{"styles":{"website":"styles/website.css","pdf":"styles/pdf.css","epub":"styles/epub.css","mobi":"styles/mobi.css","ebook":"styles/ebook.css","print":"styles/print.css"},"showLevel":false}},"theme":"default","author":"The NATS Maintainers","pdf":{"pageNumbers":true,"fontSize":12,"fontFamily":"Arial","paperSize":"a4","chapterMark":"pagebreak","pageBreaksBefore":"/","margin":{"right":62,"left":62,"top":56,"bottom":56}},"structure":{"langs":"LANGS.md","readme":"README.md","glossary":"GLOSSARY.md","summary":"SUMMARY.md"},"variables":{},"title":"NATS","gitbook":"*","description":"Administrative, developer and conceptual documentation for the NATS messaging system."},"file":{"path":"nats_server/authorization.md","mtime":"2019-05-15T18:45:32.117Z","type":"markdown"},"gitbook":{"version":"3.2.3","time":"2019-05-15T19:18:57.723Z"},"basePath":"..","book":{"language":""}});
});
</script>
</div>
<!-- Viz Support -->
<script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/viz.js/2.1.2/viz.js"> </script>
<script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/viz.js/2.1.2/lite.render.js"> </script>
<!-- Site code -->
<script>
function flash(elem, text, speed) {
if (!elem) {
return;
}
var s = elem.style;
elem.textContent = text;
s.display = 'block';
s.opacity = 1;
(function fade() {
(s.opacity -= .1) < .1 ? s.display = "none" : setTimeout(fade, speed)
})();
}
function copyToClipboard(text, el) {
var copyTest = document.queryCommandSupported('copy');
var elOriginalText = el.getAttribute('data-original-title');
if (copyTest === true) {
var copyTextArea = document.createElement("textarea");
copyTextArea.value = text;
document.body.appendChild(copyTextArea);
copyTextArea.select();
try {
var successful = document.execCommand('copy');
var msg = successful ? 'Copied!' : 'Whoops, not copied!';
var parent = el.parentNode.parentNode;
var msgElem = parent.querySelector(".copy-msg");
flash(msgElem, msg, 100);
} catch (err) {
console.log('Oops, unable to copy', err);
}
document.body.removeChild(copyTextArea);
el.setAttribute('data-original-title', elOriginalText);
} else {
// Fallback if browser doesn't support .execCommand('copy')
window.prompt("Copy to clipboard: Ctrl+C or Command+C, Enter", text);
}
}
function processGraphVizSections(elements) {
var elements = document.querySelectorAll("[data-viz]");
var viz = new Viz();
Array.prototype.forEach.call(elements, function (x) {
var engine = x.getAttribute("data-viz");
var image = viz.renderImageElement(x.innerText, {
format: "png",
engine: engine
}).then(function (element) {
x.parentNode.insertBefore(element, x);
});
});
};
function updateLanguageParameter(value) {
const param = "lang";
if (window.location.href.indexOf("?") >= 0) {
const regExp = new RegExp(param + "(.+?)(&|$)", "g");
const newUrl = window.location.href.replace(regExp, param + "=" + encodeURIComponent(value) + "$2");
window.history.pushState("", "", newUrl);
} else {
const newUrl = window.location.href + "?" + param + "=" + encodeURIComponent(value);
window.history.pushState("", "", newUrl);
}
}
function getLanguageParameter() {
var match = RegExp('[?&]lang=([^&]*)').exec(window.location.search);
return match && decodeURIComponent(match[1].replace(/\+/g, ' '));
}
function docReady() {
window.gitbook.events.bind("page.change", function () {
pageChanged();
});
}
function pageChanged() {
document.querySelectorAll('.js-copy').forEach(elem => {
elem.addEventListener("click", function () {
var el = this;
var parent = this.parentNode.parentNode;
var code = parent.querySelector('code');
var text = code.textContent || code.innerText;
copyToClipboard(text, el);
})
});
document.querySelectorAll('.api-lang').forEach(elem => {
elem.addEventListener("click", function () {
var curLang = sessionStorage.getItem('nats-api-language');
var lang = this.getAttribute('data-language');
// Stop the infinite loop
if (curLang == lang) {
return;
}
sessionStorage.setItem('nats-api-language', lang); // So we only do this 1x
updateLanguageParameter(lang)
document.querySelectorAll('.api-lang[data-language=' + lang + ']').forEach(elem => {
elem.click();
});
})
});
if (sessionStorage) {
var curLang = sessionStorage.getItem('nats-api-language');
var queryLang = getLanguageParameter();
var lang = curLang;
if (queryLang) { // query takes precedent
lang = queryLang
}
if (lang) {
document.querySelectorAll('.api-lang[data-language=' + lang + ']').forEach(elem => {
elem.click();
});
}
}
setTimeout(function () {
processGraphVizSections();
}, 1);
}
if (document.readyState != 'loading') docReady();
else if (document.addEventListener) document.addEventListener('DOMContentLoaded', docReady);
else document.attachEvent('onreadystatechange', function () {
if (document.readyState == 'complete') docReady();
});
</script>
<!-- Github Buttons -->
<script async defer src="https://buttons.github.io/buttons.js"></script>
<!-- Styles -->
<style>
div.graphviz {
background: transparent;
border: 0;
padding-top: 15px;
padding-right: 15px;
padding-bottom: 15px;
padding-left: 15px;
}
code[data-viz] {
display: none;
}
.tab-wrap {
transition: 0.3s box-shadow ease;
border-radius: 6px;
max-width: 100%;
display: flex;
flex-wrap: wrap;
position: relative;
list-style: none;
background-color: #fff;
margin: 10px 0;
/* box-shadow: 0 1px 3px rgba(0, 0, 0, 0.12), 0 1px 2px rgba(0, 0, 0, 0.24);*/
}
.tab-wrap:hover {
box-shadow: 0 12px 23px rgba(0, 0, 0, 0.23), 0 10px 10px rgba(0, 0, 0, 0.19);
}
.tab {
display: none;
}
/* Using scss these would be generated, we have to manually create enough for all tabs, start with 8 */
.tab:checked:nth-of-type(1)~.tab__content:nth-of-type(1) {
opacity: 1;
transition: 0.5s opacity ease-in, 0.8s -webkit-transform ease;
transition: 0.5s opacity ease-in, 0.8s transform ease;
transition: 0.5s opacity ease-in, 0.8s transform ease, 0.8s -webkit-transform ease;
position: relative;
top: 0;
z-index: 100;
-webkit-transform: translateY(0px);
transform: translateY(0px);
text-shadow: 0 0 0;
}
.tab:checked:nth-of-type(2)~.tab__content:nth-of-type(2) {
opacity: 1;
transition: 0.5s opacity ease-in, 0.8s -webkit-transform ease;
transition: 0.5s opacity ease-in, 0.8s transform ease;
transition: 0.5s opacity ease-in, 0.8s transform ease, 0.8s -webkit-transform ease;
position: relative;
top: 0;
z-index: 100;
-webkit-transform: translateY(0px);
transform: translateY(0px);
text-shadow: 0 0 0;
}
.tab:checked:nth-of-type(3)~.tab__content:nth-of-type(3) {
opacity: 1;
transition: 0.5s opacity ease-in, 0.8s -webkit-transform ease;
transition: 0.5s opacity ease-in, 0.8s transform ease;
transition: 0.5s opacity ease-in, 0.8s transform ease, 0.8s -webkit-transform ease;
position: relative;
top: 0;
z-index: 100;
-webkit-transform: translateY(0px);
transform: translateY(0px);
text-shadow: 0 0 0;
}
.tab:checked:nth-of-type(4)~.tab__content:nth-of-type(4) {
opacity: 1;
transition: 0.5s opacity ease-in, 0.8s -webkit-transform ease;
transition: 0.5s opacity ease-in, 0.8s transform ease;
transition: 0.5s opacity ease-in, 0.8s transform ease, 0.8s -webkit-transform ease;
position: relative;
top: 0;
z-index: 100;
-webkit-transform: translateY(0px);
transform: translateY(0px);
text-shadow: 0 0 0;
}
.tab:checked:nth-of-type(5)~.tab__content:nth-of-type(5) {
opacity: 1;
transition: 0.5s opacity ease-in, 0.8s -webkit-transform ease;
transition: 0.5s opacity ease-in, 0.8s transform ease;
transition: 0.5s opacity ease-in, 0.8s transform ease, 0.8s -webkit-transform ease;
position: relative;
top: 0;
z-index: 100;
-webkit-transform: translateY(0px);
transform: translateY(0px);
text-shadow: 0 0 0;
}
.tab:checked:nth-of-type(6)~.tab__content:nth-of-type(6) {
opacity: 1;
transition: 0.5s opacity ease-in, 0.8s -webkit-transform ease;
transition: 0.5s opacity ease-in, 0.8s transform ease;
transition: 0.5s opacity ease-in, 0.8s transform ease, 0.8s -webkit-transform ease;
position: relative;
top: 0;
z-index: 100;
-webkit-transform: translateY(0px);
transform: translateY(0px);
text-shadow: 0 0 0;
}
.tab:checked:nth-of-type(7)~.tab__content:nth-of-type(7) {
opacity: 1;
transition: 0.5s opacity ease-in, 0.8s -webkit-transform ease;
transition: 0.5s opacity ease-in, 0.8s transform ease;
transition: 0.5s opacity ease-in, 0.8s transform ease, 0.8s -webkit-transform ease;
position: relative;
top: 0;
z-index: 100;
-webkit-transform: translateY(0px);
transform: translateY(0px);
text-shadow: 0 0 0;
}
.tab:checked:nth-of-type(8)~.tab__content:nth-of-type(8) {
opacity: 1;
transition: 0.5s opacity ease-in, 0.8s -webkit-transform ease;
transition: 0.5s opacity ease-in, 0.8s transform ease;
transition: 0.5s opacity ease-in, 0.8s transform ease, 0.8s -webkit-transform ease;
position: relative;
top: 0;
z-index: 100;
-webkit-transform: translateY(0px);
transform: translateY(0px);
text-shadow: 0 0 0;
}
.tab:first-of-type:not(:last-of-type)+label {
border-top-right-radius: 0;
border-bottom-right-radius: 0;
}
.tab:not(:first-of-type):not(:last-of-type)+label {
border-radius: 0;
}
.tab:last-of-type:not(:first-of-type)+label {
border-top-left-radius: 0;
border-bottom-left-radius: 0;
}
.tab:checked+label {
background-color: #fff;
box-shadow: 0 -1px 0 #fff inset;
cursor: default;
font-weight: bold;
border: 1px solid #ddd;
border-bottom-color: transparent;
}
.tab:checked+label:hover {
box-shadow: 0 -1px 0 #fff inset;
background-color: #fff;
}
.tab+label {
box-shadow: 0 -1px 0 #eee inset;
border-radius: 6px 6px 0 0;
cursor: pointer;
display: block;
text-decoration: none;
color: #27aae1;
flex-grow: 3;
text-align: center;
-webkit-user-select: none;
-moz-user-select: none;
-ms-user-select: none;
user-select: none;
text-align: center;
transition: 0.3s background-color ease, 0.3s box-shadow ease;
height: 50px;
box-sizing: border-box;
padding: 15px;
}
.tab+label:hover {
background-color: #f9f9f9;
box-shadow: 0 1px 0 #f4f4f4 inset;
}
.tab__content {
padding: 2px 2px;
background-color: transparent;
position: absolute;
width: 100%;
z-index: -1;
opacity: 0;
left: 0;
-webkit-transform: translateY(-3px);
transform: translateY(-3px);
border-radius: 6px;
}
.tab__content pre {
margin-bottom: 0px !important;
}
.toolbar-icons {
display: inline-block;
position: relative;
padding-left: 4px;
}
a.toolbar-icons {
text-decoration: none;
}
.toolbar-icons .mdi {
color: #4183c4;
}
.copy-msg {
color: #4183c4;
}
.pull-right {
float: right !important;
}
.pull-left {
float: left !important;
}
</style>
<script src="../gitbook/gitbook.js"></script>
<script src="../gitbook/theme.js"></script>
<script src="../gitbook/gitbook-plugin-search/search-engine.js"></script>
<script src="../gitbook/gitbook-plugin-search/search.js"></script>
<script src="../gitbook/gitbook-plugin-lunr/lunr.min.js"></script>
<script src="../gitbook/gitbook-plugin-lunr/search-lunr.js"></script>
<script src="../gitbook/gitbook-plugin-sharing/buttons.js"></script>
<script src="../gitbook/gitbook-plugin-fontsettings/fontsettings.js"></script>
</body>
</html>