nats-io · wallyqs · Mar 29, 2018 · Mar 22, 2018 · Mar 23, 2018 · Mar 23, 2018
diff --git a/example/clients-auth-permissions.json b/example/clients-auth-permissions.json
@@ -0,0 +1,15 @@
+{
+  "users": [
+    { "username": "user1", "password": "user1secret" },
+    { "username": "user2", "password": "user2secret",
+      "permissions": {
+	"publish": ["hello.*"],
+	"subscribe": ["hello.world"]
+      }
+    }
+  ],
+  "default_permissions": {
+    "publish": ["SANDBOX.*"],
+    "subscribe": ["PUBLIC.>"]
+  }
+}
diff --git a/example/example-nats-cluster-auth.yaml b/example/example-nats-cluster-auth.yaml
@@ -0,0 +1,14 @@
+apiVersion: "nats.io/v1alpha2"
+kind: "NatsCluster"
+metadata:
+  name: "example-nats-auth"
+spec:
+  size: 3
+  version: "1.0.4"
+
+  auth:
+    # Definition in JSON of the users permissions
+    clientsAuthSecret: "nats-clients-auth"
+
+    # How long to wait for authentication
+    clientsAuthTimeout: 5
diff --git a/pkg/conf/natsconf.go b/pkg/conf/natsconf.go
@@ -39,30 +39,54 @@ type TLSConfig struct {
 }
 
 type AuthorizationConfig struct {
-	Username string `json:"username,omitempty"`
-	Password string `json:"password,omitempty"`
-	Token    string `json:"token,omitempty"`
-	Timeout  int    `json:"timeout,omitempty"`
+	Username           string       `json:"username,omitempty"`
+	Password           string       `json:"password,omitempty"`
+	Token              string       `json:"token,omitempty"`
+	Timeout            int          `json:"timeout,omitempty"`
+	Users              []*User      `json:"users,omitempty"`
+	DefaultPermissions *Permissions `json:"default_permissions,omitempty"`
+}
+
+type User struct {
+	User        string       `json:"username,omitempty"`
+	Password    string       `json:"password,omitempty"`
+	Permissions *Permissions `json:"permissions,omitempty"`
+}
+
+// Permissions are the allowed subjects on a per
+// publish or subscribe basis.
+type Permissions struct {
+	Publish   []string `json:"publish,omitempty"`
+	Subscribe []string `json:"subscribe,omitempty"`
 }
 
 var (
 	ErrInvalidConfig = errors.New("natsconf: cannot produce valid config")
 )
 
 func Marshal(conf *ServerConfig) ([]byte, error) {
-	js, err := json.MarshalIndent(conf, "", "  ")
+	buf := &bytes.Buffer{}
+	encoder := json.NewEncoder(buf)
+	encoder.SetEscapeHTML(false)
+	err := encoder.Encode(conf)
+	if err != nil {
+		return nil, err
+	}
+	buf2 := &bytes.Buffer{}
+	err = json.Indent(buf2, buf.Bytes(), "", "  ")
 	if err != nil {
 		return nil, err
 	}
-	if len(js) < 1 || len(js)-1 <= 1 {
+	js := buf2.Bytes()
+	if len(js) < 1 || len(js)-2 <= 1 {
 		return nil, ErrInvalidConfig
 	}
 
 	// Slice the initial and final brackets from the
 	// resulting JSON configuration so gnatsd config parsers
 	// almost treats it as valid config.
 	js = js[1:]
-	js = js[:len(js)-1]
+	js = js[:len(js)-2]
 
 	// Replacing all commas with line breaks still keeps
 	// arrays valid and makes the top level configuration

diff --git a/pkg/conf/natsconf_test.go b/pkg/conf/natsconf_test.go
@@ -163,6 +163,34 @@ func TestConfMarshal(t *testing.T) {
 
       "key_file": "/etc/nats-tls/server-key.pem"
     }
+  }`,
+			err: nil,
+		},
+		{
+			input: &ServerConfig{
+				Port:     4222,
+				HTTPPort: 8222,
+				Authorization: &AuthorizationConfig{
+					DefaultPermissions: &Permissions{
+						Publish:   []string{"PUBLISH.>"},
+						Subscribe: []string{"PUBLISH.*"},
+					},
+				},
+			},
+			output: `"port": 4222
+
+  "http_port": 8222
+
+  "authorization": {
+    "default_permissions": {
+      "publish": [
+        "PUBLISH.>"
+      ]
+
+      "subscribe": [
+        "PUBLISH.*"
+      ]
+    }
   }`,
 			err: nil,
 		},

diff --git a/pkg/spec/cluster.go b/pkg/spec/cluster.go
@@ -83,6 +83,9 @@ type ClusterSpec struct {
 
 	// TLS is the configuration to secure the cluster.
 	TLS *TLSConfig `json:"tls,omitempty"`
+
+	// Auth is the configuration to set permissions for users.
+	Auth *AuthConfig `json:"auth,omitempty"`
 }
 
 // TLSConfig is the optional TLS configuration for the cluster.
@@ -127,6 +130,13 @@ type PodPolicy struct {
 	NatsEnv []v1.EnvVar `json:"natsEnv,omitempty"`
 }
 
+// AuthConfig is the authorization configuration for
+// user permissions in the cluster.
+type AuthConfig struct {
+	ClientsAuthSecret  string `json:"clientsAuthSecret,omitempty"`
+	ClientsAuthTimeout int    `json:"clientsAuthTimeout,omitempty"`
+}
+
 func (c *ClusterSpec) Validate() error {
 	if c.Pod != nil {
 		for k := range c.Pod.Labels {

diff --git a/pkg/spec/zz_generated.deepcopy.go b/pkg/spec/zz_generated.deepcopy.go
@@ -23,6 +23,22 @@ import (
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AuthConfig) DeepCopyInto(out *AuthConfig) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthConfig.
+func (in *AuthConfig) DeepCopy() *AuthConfig {
+	if in == nil {
+		return nil
+	}
+	out := new(AuthConfig)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClusterCondition) DeepCopyInto(out *ClusterCondition) {
 	*out = *in
@@ -60,6 +76,15 @@ func (in *ClusterSpec) DeepCopyInto(out *ClusterSpec) {
 			**out = **in
 		}
 	}
+	if in.Auth != nil {
+		in, out := &in.Auth, &out.Auth
+		if *in == nil {
+			*out = nil
+		} else {
+			*out = new(AuthConfig)
+			**out = **in
+		}
+	}
 	return
 }
 

diff --git a/pkg/util/kubernetes/kubernetes.go b/pkg/util/kubernetes/kubernetes.go
@@ -146,6 +146,34 @@ func addTLSConfig(sconfig *natsconf.ServerConfig, cs spec.ClusterSpec) {
 	}
 }
 
+// addAuthConfig fills the Auth configuration to be used in config map.
+func addAuthConfig(kubecli corev1client.CoreV1Interface, ns string, sconfig *natsconf.ServerConfig, cs spec.ClusterSpec) error {
+	if cs.Auth == nil {
+		return nil
+	}
+	if cs.Auth.ClientsAuthSecret != "" {
+		result, err := kubecli.Secrets(ns).Get(cs.Auth.ClientsAuthSecret, metav1.GetOptions{})
+		if err != nil {
+			return err
+		}
+
+		var clientAuth *natsconf.AuthorizationConfig
+		for _, v := range result.Data {
+			err := json.Unmarshal(v, &clientAuth)
+			if err != nil {
+				return err
+			}
+			if cs.Auth.ClientsAuthTimeout > 0 {
+				clientAuth.Timeout = cs.Auth.ClientsAuthTimeout
+			}
+			sconfig.Authorization = clientAuth
+			break
+		}
+		return nil
+	}
+	return nil
+}
+
 // CreateAndWaitPod is an util for testing.
 // We should eventually get rid of this in critical code path and move it to test util.
 func CreateAndWaitPod(kubecli corev1client.CoreV1Interface, ns string, pod *v1.Pod, timeout time.Duration) (*v1.Pod, error) {
@@ -191,6 +219,10 @@ func CreateConfigMap(kubecli corev1client.CoreV1Interface, clusterName, ns strin
 		},
 	}
 	addTLSConfig(sconfig, cluster)
+	err := addAuthConfig(kubecli, ns, sconfig, cluster)
+	if err != nil {
+		return err
+	}
 
 	rawConfig, err := natsconf.Marshal(sconfig)
 	if err != nil {
@@ -242,6 +274,10 @@ func UpdateConfigMap(kubecli corev1client.CoreV1Interface, clusterName, ns strin
 		},
 	}
 	addTLSConfig(sconfig, cluster)
+	err = addAuthConfig(kubecli, ns, sconfig, cluster)
+	if err != nil {
+		return err
+	}
 
 	rawConfig, err := natsconf.Marshal(sconfig)
 	if err != nil {