
Auth - authz

Open gedw99 opened this issue 2 years ago • 6 comments

As far as I can see there is not any auth or authz in tarmac.

I generally use NATS for rerouting events into Tarmac. NATS just wants a JWT to control auth and authz. But even without NATS, Tarmac needs to assert who can do what.

https://github.com/pocketbase/pocketbase looks like a nice solution to this, or at least one way to add auth / authz. It's probable that others might want a different solution, and that's why JWT is loosely coupled.

The cool thing about PocketBase is that it's real time and simple.

Have a look.

gedw99 avatar Jul 11 '22 16:07 gedw99

AuthN/Z is definitely something I plan to add. Will look into the best way to implement this.

madflojo avatar Jul 15 '22 03:07 madflojo

With the latest release, there is now Mutual TLS as an Auth option (thanks to this issue). BTW would love to hear more about how you are using Tarmac (i.e., is it for fun or actual work, is it a POC or in production, etc.)

madflojo avatar Jul 29 '22 14:07 madflojo
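The mutual TLS option mentioned in the comment above is, at the transport level, the standard Go `crypto/tls` pattern: the server sets `ClientAuth: tls.RequireAndVerifyClientCert` and a `ClientCAs` pool, and a client that cannot present a certificate chained to that pool never gets a connection. The following is an added, self-contained example in Go (the language of the linked Tarmac source); it is not Tarmac's own code. The helper names (`newCert`, `MTLSHandshake`), the throwaway CA and the identities `alice`/`localhost` are assumptions made for the demo; a real deployment loads certificates issued by its own PKI instead of minting them in-process.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert mints a short-lived P-256 cert for the demo: a self-signed CA when parent is nil, otherwise a leaf issued by parent.
func newCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		DNSNames:              []string{"localhost"},
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// MTLSHandshake runs one TLS 1.3 handshake over loopback. The server admits only clients whose
// certificate chains to ca and returns the CommonName it verified; anything else is an error.
func MTLSHandshake(ca *x509.Certificate, server tls.Certificate, client *tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the mTLS switch: no trusted client cert, no connection
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS13,
	}
	clientCfg := &tls.Config{RootCAs: pool, ServerName: "localhost", MinVersion: tls.VersionTLS13}
	if client != nil {
		clientCfg.Certificates = []tls.Certificate{*client}
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		// A TLS 1.3 client is "done" before the server has judged its certificate, so wait for the alert or close.
		cli, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
		if err != nil {
			ln.Close() // unblock Accept below if the client could not even connect
			return
		}
		cli.Read(make([]byte, 1))
		cli.Close()
	}()
	conn, err := ln.Accept()
	if err != nil {
		return "", err
	}
	defer conn.Close()
	tc := conn.(*tls.Conn)
	if err := tc.Handshake(); err != nil {
		return "", err
	}
	return tc.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

func main() {
	ca, caKey := newCert("tarmac-demo-ca", nil, nil) // demo CA, not a real trust root
	srvCert, srvKey := newCert("localhost", ca, caKey)
	alice, aliceKey := newCert("alice", ca, caKey)
	server := tls.Certificate{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}
	fmt.Println(MTLSHandshake(ca, server, &tls.Certificate{Certificate: [][]byte{alice.Raw}, PrivateKey: aliceKey}))
	fmt.Println(MTLSHandshake(ca, server, nil)) // rejected: no client certificate
}
```

The CommonName the server extracts from the verified peer certificate is the authenticated identity; mapping that identity to what it may call is the separate authz step that mTLS alone does not give you.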

Thanks for the addition of mTLS.

I am experimenting with using Tarmac to allow scientists to build data processing and charting. It's for a biomimicry and open science platform, so that peer review done by both other scientists and the public is reproducible.

The problem it solves is one of transparency. Currently scientists write a paper with detailed explanations of their experiments and thesis, but without the data, logic and charts that they used to come to their conclusions.

I want to help this situation by making it easy to run other scientists' code and data. Most scientists work with data in Excel and do their charts also with Excel.

The reason for auth and authz is so that a scientist can give access or share their code and data with others.

gedw99 avatar Jul 31 '22 20:07 gedw99

Btw, JWT would be perfect for me because I use NATS as the routing system for events and RPC.

NATS has a full identity and authz system based on JWT. So I can create a user account or service account in NATS and then use Tarmac's JWT to authenticate into the NATS system.

NATS is Go based.

https://docs.nats.io/running-a-nats-service/configuration/securing_nats/auth_intro/jwt

gedw99 avatar Jul 31 '22 21:07 gedw99
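The two comments above describe the split that any JWT-based scheme has to make: authentication (the token is signed by an issuer you already trust and has not expired) and authorisation (the claims say which subjects the holder may use, and every request is checked against them). The following is an added example in Go, written for this page; it is not Tarmac's code and not NATS's JWT implementation. It mirrors the shape of a NATS user JWT (EdDSA-signed, with subject permissions that use NATS's `*` and `>` wildcards) but does not reproduce NATS's exact claim layout or its nkey encoding of keys; the type and function names (`Claims`, `Sign`, `Verify`, `CanPublish`, `matchSubject`), the issuer `lab-account` and the user `alice` are all assumptions made for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is a minimal claim set in the spirit of a NATS user JWT (demo layout, not NATS's own).
type Claims struct {
	Issuer  string   `json:"iss"`
	Subject string   `json:"sub"`
	Expires int64    `json:"exp"`
	Publish []string `json:"pub"` // NATS-style subject patterns, e.g. "alice.>"
}

// header is pinned: the verifier accepts exactly this header, so "alg" can never be downgraded or switched to "none".
const header = `{"alg":"EdDSA","typ":"JWT"}`
var enc = base64.RawURLEncoding

// Sign produces header.payload.signature with Ed25519, the signature family NATS nkeys are built on.
func Sign(c Claims, priv ed25519.PrivateKey) string {
	body, _ := json.Marshal(c) // a struct of strings and ints cannot fail to marshal
	signingInput := enc.EncodeToString([]byte(header)) + "." + enc.EncodeToString(body)
	sig := ed25519.Sign(priv, []byte(signingInput))
	return signingInput + "." + enc.EncodeToString(sig)
}

// Verify is the authn step: check the signature against the issuer key we already trust,
// then the issuer and expiry, and only then hand the claims to the caller.
func Verify(token string, pub ed25519.PublicKey, issuer string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	raw := make([][]byte, 3)
	for i, p := range parts {
		var err error
		if raw[i], err = enc.DecodeString(p); err != nil {
			return nil, errors.New("bad base64 in token")
		}
	}
	if string(raw[0]) != header {
		return nil, errors.New("unexpected header")
	}
	if !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), raw[2]) {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if err := json.Unmarshal(raw[1], &c); err != nil {
		return nil, err
	}
	if c.Issuer != issuer || (c.Expires != 0 && !now.Before(time.Unix(c.Expires, 0))) {
		return nil, errors.New("wrong issuer or expired token")
	}
	return &c, nil
}

// CanPublish is the authz step: the requested subject must match one of the granted patterns.
// matchSubject implements NATS wildcards: "*" matches exactly one token, ">" one or more trailing tokens.
func CanPublish(c *Claims, subject string) bool {
	for _, p := range c.Publish {
		if matchSubject(p, subject) {
			return true
		}
	}
	return false
}

func matchSubject(pattern, subject string) bool {
	pt, st := strings.Split(pattern, "."), strings.Split(subject, ".")
	for i, tok := range pt {
		if tok == ">" {
			return i < len(st)
		}
		if i >= len(st) || (tok != "*" && tok != st[i]) {
			return false
		}
	}
	return len(pt) == len(st)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // demo issuer key
	if err != nil {
		panic(err)
	}
	tok := Sign(Claims{Issuer: "lab-account", Subject: "alice", Expires: time.Now().Add(time.Hour).Unix(),
		Publish: []string{"alice.>", "charts.*.render"}}, priv)
	c, err := Verify(tok, pub, "lab-account", time.Now())
	if err != nil {
		panic(err)
	}
	for _, s := range []string{"alice.data.upload", "charts.v2.render", "bob.data.upload"} {
		fmt.Println(s, CanPublish(c, s)) // true, true, false
	}
}
```

The point of pinning the header and passing the trusted key in from the outside is that nothing in the token itself chooses how it is verified; a payload swapped in under an old signature, a token from another issuer, an expired one or one signed by a different key all fail before any claim is consulted, and the subject matcher is the one place where "who can do what" is decided.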

@gedw99 sounds really cool. I will be adding JWT for sure.

madflojo avatar Aug 01 '22 00:08 madflojo

Consider NATS for the other layers maybe:

I noticed you have a KV store using Cassandra at https://github.com/madflojo/tarmac/blob/main/pkg/callbacks/kvstore/kvstore.go

Here is a KV store with different drivers, and one of them is NATS: https://github.com/HeavyHorst/easykv

And for durable TLS certs: https://github.com/HeavyHorst/certmagic-nats

NATS also has an object store.

The potent thing here is that NATS security controls access to ALL of this. Doing authz is one thing, but authorisation is hard as it needs to be enforced throughout the stack. NATS does it for you and is highly extensible.

Capsule is similar: https://github.com/bots-garden/capsule/blob/main/capsulemodule/hostfunctions/nats.go exposes NATS directly as a WASM host function.

Many people also ship logging and metrics over NATS, using non-durable topics. So then even this gets the NATS security overlay.

Anyway, I don't want to be pushy. I use NATS for many different projects as it's highly reusable.

gedw99 avatar Sep 27 '22 12:09 gedw99