NATS authentication / Multi Tenancy #7801
Comments
wkloucek
changed the title
|
I agree, this seems to be like a quick win. @kobergj Do you agree? |
micbar
added
the
Priority:p2-high
|
Not sure if it is "quick" but it is definitely a "win", also for security |
|
What would be the best way to authenticate with the nats cluster? I see two options:
The first one would need a go-micro PR, but this is not a problem. I would go for the way that has the least maintenance and setup cost. @wkloucek do you prefer one way over the other? What would be easier to configure for you? |
From a 5 minute research I honestly see username/password as a easier solution to be implemented our project specific deployment side. We already have some logic in place to generate usernames / passwords. |
github-project-automation
bot
moved this from Prio 2
to Done
in Infinite Scale Team Board
Is your feature request related to a problem? Please describe.
I have multiple oCIS installations in Kubernetes. Each oCIS has a NATS cluster with three pods.
I those oCIS installations to share a single NATS cluster for deployment / management overhead reasons.
NATS is multi tenancy capable if we are using accounts. Accounts are separated and to oCIS it looks like they are alone on a NATS installation. Compare https://docs.nats.io/running-a-nats-service/configuration/securing_nats/accounts
We can't use NATS accounts right now because oCIS is connecting anonymously. As there is only one
no_auth_userwe only can map that to one account (see eg. https://github.com/owncloud/ocis-charts/blob/29ddf4d476220d3c685334e9e4b166af6ffe4608/deployments/ocis-nats/helmfile.yaml#L45)Describe the solution you'd like
If we'd introduce autentication (username + passwort) for nats-js based:
We can use NATS in a multi tenancy configuration
Describe alternatives you've considered
Keep running a NATS cluster for each oCIS installation
Additional context
The text was updated successfully, but these errors were encountered: