nats-streaming-server icon indicating copy to clipboard operation
nats-streaming-server copied to clipboard

Published 20 hours ago verified publisher icon nats-io

NATS Streaming Client Authorization

Open ramasa opened this issue 6 years ago • 18 comments
trafficstars

Pub/Sub permission is working only on Nats topic and not on NATS Streaming topics. This is a blocker for us to restrict our clients to specific topic

ramasa avatar Apr 01 '19 12:04 ramasa

@ramasa Yes, we need to have a better story for authentication/authorization in NATS Streaming. In the meantime, do you need to block producers only or subscribers too? If only producers, you may have a way to prevent sending to specific channel because the underlying subjects for streaming publish subject would allow that. However, it will not be possible for subscriptions since clients sends subscriptions requests to a single internal subject.

kozlovic avatar Apr 01 '19 15:04 kozlovic

Trying to migrate our clients from REST to NATS. Using JSON-RPC 2.0 over NATS request/response for majority of the use case and #192 solved security issue. Thought of using NATS Streaming for async updates to clients instead of REST polling. So for now the only streaming use case is clients as subscribers.

ramasa avatar Apr 02 '19 06:04 ramasa

@ramasa Thanks. We need to add some form of authentication/authorization at the NATS Streaming level since one cannot fully leverage the provided low level NATS ones.

kozlovic avatar Apr 03 '19 13:04 kozlovic

Hi,

We also are pretty surprised that NATS has a strong authorization mechanism, but NATS Streaming does not whatsoever. Do you have any plans?

Quentin-M avatar May 15 '19 00:05 Quentin-M

Not whatsoever. You can use NATS authentication and authorization, except for subscriptions. But will will add something in the near future. I don't have an ETA though.

kozlovic avatar May 15 '19 00:05 kozlovic

Hi @kozlovic is there any update on this? I would really like to be able to restrict subscriptions and publishers with nats streaming

julienvincent avatar Jun 24 '19 14:06 julienvincent

@julienvincent Still no ETA at the moment unfortunately.

kozlovic avatar Jun 27 '19 18:06 kozlovic

Tell me why, when I connect with the correct name and password I get a stan error: connect request timeout?

ihippik avatar Aug 23 '19 15:08 ihippik

@ihippik Could you give more details? How do you start the server and what do options do you use to connect? A "connect request timeout" is generally more indicative of using the wrong cluster name for instance, or the streaming server not reachable (you would get NATS connectivity, but the request does not reach the streaming server).

kozlovic avatar Aug 23 '19 15:08 kozlovic

He was not attentive. Connected with another claster-id. Thanks for the answer.

ihippik avatar Aug 28 '19 10:08 ihippik

@kozlovic Hi, is there any update on this? or alternative settings to deny to subscribe _INBOX.> . Maybe Leaf nodes can resolve this problem ? Thanks for your attention

vanya2143 avatar Nov 11 '19 13:11 vanya2143

@vanya2143 Streaming server and clients must be able to subscribe/publish on _INBOX.> since they are used to communicate. You can use leaf nodes to isolate a streaming server and its clients from the rest of the traffic on the same NATS cluster if you want, but for the streaming server/client account, you need permissions on _INBOX.>

kozlovic avatar Nov 11 '19 17:11 kozlovic

@ramasa or anyone, did you find a feasible workaround? or abandoned nats-streaming altogether?

costa avatar Apr 02 '20 15:04 costa

@costa Built something around this

Internal Sender -> NATS Streaming ->App

App

 Generate sequence
 Store in a DB(MongoDB)
 Publish to receiver via NATS on topic.sequence

External Receiver - Detect missing sequence if any and ask for it

ramasa avatar Apr 03 '20 05:04 ramasa

@ramasa Thank you, well you've effectively rolled your own streaming of sorts... Got me thinking in all directions, I might choose another message broker altogether, I need some sort of user permissions management, so if I have to write it myself, another platform might provide a better framework.

costa avatar Apr 05 '20 14:04 costa

@costa Not sure if you are aware, but we are working on another streaming product, called JetStream that is core of the NATS Server and therefore is accessed through normal NATS clients. This solves the client auth/account isolation issues that NATS Streaming suffers from. The product is currently in tech preview. Here is the branch you can look at if you wish: https://github.com/nats-io/nats-server/tree/jetstream

kozlovic avatar Apr 05 '20 21:04 kozlovic

Full guide to JetStream can be found here https://github.com/nats-io/jetstream/blob/master/README.md

ripienaar avatar Apr 05 '20 21:04 ripienaar

Thank you guys, and I wish you the best of luck with the new project, I will be sure to check it in a few months, but at the moment, with my current project, I can't afford the (very) early adoption.

My use case involves multiple clients each subscribing to its own single channel, and my current solution (after discovering the user auth problem) is a custom bridge component that runs on the NATS side, subscribes to channels for users and re-sends the messages to the other side using ZeroMQ, with actual authentication done by ssh (with server&client key pairs) which also provides secure tunnels for the setup above.

costa avatar Apr 06 '20 10:04 costa