mirror of https://github.com/taigrr/nats.docs synced 2025-01-18 04:03:23 -08:00
nats.docs/nats_server/authentication.md
Alberto Ricart 28dfe4b752 wip
2019-05-15 14:12:30 -05:00


## NATS Server Authentication
You can enable authentication on the NATS server so that a client must authenticate its identity when connecting. The NATS server supports single-user authentication via the command line or a configuration file, and multi-user authentication via a configuration file. Single-user authentication is truly single user: the server accepts one set of credentials and no other.
## Command Line Options
You can start the NATS server with single-user authentication enabled by passing in the required credentials on the command line. The following server authentication options are supported on the command line:
```sh
--user user         User required for connections
--pass password     Password required for connections
--auth token        Authorization token required for connections
```
The token is mutually exclusive with the user and password, so use one method or the other.
For example:
```sh
nats-server -DV --user foo --pass bar
```
will allow the user `foo` to log in with the password `bar`, but will not allow any other user to access the server.
Using the command line with an authorization token:
```sh
nats-server -DV -auth 'S3Cr3T0k3n!'
```
will allow clients with that token to connect, and no others.
## Single User Configuration Options
Single-user authentication can be configured in the configuration file:
```ascii
authorization {
  user: derek
  password: T0pS3cr3t
  timeout: 1
}
```
If the server is part of a cluster, you can set up single-user authentication for route connections as well:
```ascii
cluster {
  authorization {
    user: route_user
    password: T0pS3cr3tT00!
    timeout: 0.5
  }
}
```
Both of these configurations set a user and password as well as a connect timeout. The `auth` option can also be set to use tokens *instead of* user/password.
## Multi-User Authentication
Multi-user authentication can only be set up in the configuration file. Users are defined in a list of user/password pairs.
For example, to define two users `alice` and `bob`:
```ascii
authorization {
  users = [
    {user: alice, password: foo}
    {user: bob, password: bar}
  ]
}
```
You can also use [variables](/documentation/managing_the_server/configuration) to set user and password values. For example, here a password is declared as a variable named `PASS` and assigned to the user `joe`.
```ascii
authorization {
  PASS: abcdefghijklmnopqrstuvwxyz0123456789
  users = [
    {user: alice, password: foo}
    {user: bob, password: bar}
    {user: joe, password: $PASS}
  ]
}
```
The nats-server source code includes a tool that can be used to bcrypt passwords for the config file:
```sh
> go run mkpasswd.go -p
> password: password
> bcrypt hash: $2a$11$1oJy/wZYNTxr9jNwMNwS3eUGhBpHT3On8CL9o7ey89mpgo88VG6ba
```
This allows you to store hashed passwords instead of plain text ones.
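As an added example (not part of the nats-server source or of the original page), the Go program below audits an `authorization` block for users whose effective password is not a bcrypt hash, resolving `$NAME` variable references first so that they are not mistaken for hashes. It is a line-based scan, not a full NATS configuration parser; the user `carol`, the function `AuditPasswords`, and the hash pattern (derived from the `mkpasswd` output above) are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample: entries from the page's multi-user block plus one
// hypothetical user (carol) carrying the hash from the mkpasswd output.
const sampleConf = `authorization {
  PASS: abcdefghijklmnopqrstuvwxyz0123456789
  users = [
    {user: alice, password: foo}
    {user: joe, password: $PASS}
    {user: carol, password: $2a$11$1oJy/wZYNTxr9jNwMNwS3eUGhBpHT3On8CL9o7ey89mpgo88VG6ba}
  ]
}`

var (
	// Assumed hash shape, taken from the mkpasswd output: $2a$<cost>$<53 chars>.
	bcryptRe = regexp.MustCompile(`^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$`)
	userRe   = regexp.MustCompile(`user(?:name)?\s*[:=]\s*"?([^\s,}"]+)"?.*pass(?:word)?\s*[:=]\s*"?([^\s,}"]+)"?`)
	varRe    = regexp.MustCompile(`^\s*([A-Za-z_]\w*)\s*[:=]\s*"?([^\s"{\[]+)"?\s*$`)
)

// AuditPasswords returns the users whose effective password is not a bcrypt hash.
func AuditPasswords(conf string) []string {
	vars := map[string]string{}
	var weak []string
	for _, line := range strings.Split(conf, "\n") {
		if m := userRe.FindStringSubmatch(line); m != nil {
			pw := m[2]
			// A $NAME value is a variable reference, not a hash: resolve it first.
			if v, ok := vars[strings.TrimPrefix(pw, "$")]; ok && strings.HasPrefix(pw, "$") {
				pw = v
			}
			if !bcryptRe.MatchString(pw) {
				weak = append(weak, m[1])
			}
		} else if m := varRe.FindStringSubmatch(line); m != nil {
			vars[m[1]] = m[2] // remember simple NAME: value definitions
		}
	}
	return weak
}

func main() {
	fmt.Println("users with plaintext passwords:", AuditPasswords(sampleConf))
}
```

On the constructed sample it reports `alice` and `joe`: moving a plaintext password into a variable does not make it hashed.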
## Client connection string
To connect to the server as an authenticated client, you can pass in the credentials in the connection string.
For example, user 'foo' with password 'bar':
```sh
nats://foo:bar@localhost:4222
```
Using token 'S3Cr3T0k3n!':
```sh
nats://S3Cr3T0k3n!@localhost:4222
```
The server also supports TLS mutual authentication documented in the [Security/Encryption section](/documentation/managing_the_server/security). Other methods are also discussed in the [developer doc](/documentation/writing_applications/secure_connection).