Closed wkloucek closed 6 months ago
@kobergj @micbar huge potential to save resources with this, any chance to consider?
I agree, this seems to be like a quick win.
@kobergj Do you agree?
Not sure if it is "quick" but it is definitely a "win", also for security
What would be the best way to authenticate with the nats cluster? I see two options:
- username/password
- nkeys (see https://docs.nats.io/using-nats/developer/connecting/nkey )
The first one would need a go-micro PR, but this is not a problem. I would go for the way that has the least maintenance and setup cost. @wkloucek do you prefer one way over the other? What would be easier to configure for you?
From a 5 minute research I honestly see username/password as an easier solution to implement on our project-specific deployment side. We already have some logic in place to generate usernames / passwords. We're gonna use NACK (https://github.com/nats-io/nack) to manage accounts (tenants) and that supports both username / password and nkeys.
Is your feature request related to a problem? Please describe.
I have multiple oCIS installations in Kubernetes. Each oCIS has a NATS cluster with three pods.
I want those oCIS installations to share a single NATS cluster for deployment / management overhead reasons.
NATS is multi tenancy capable if we are using accounts. Accounts are separated and to oCIS it looks like they are alone on a NATS installation. Compare https://docs.nats.io/running-a-nats-service/configuration/securing_nats/accounts
We can't use NATS accounts right now because oCIS is connecting anonymously. As there is only one no_auth_user, we can only map that to one account (see e.g. https://github.com/owncloud/ocis-charts/blob/29ddf4d476220d3c685334e9e4b166af6ffe4608/deployments/ocis-nats/helmfile.yaml#L45)
Describe the solution you'd like
If we'd introduce authentication (username + password) for nats-js based:
We can use NATS in a multi tenancy configuration
Describe alternatives you've considered
Keep running a NATS cluster for each oCIS installation
Additional context
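To make the account mapping problem concrete, here is an added NATS server configuration example (not from the issue, the ocis-charts repository or the NACK project) contrasting the situation the issue describes with the one it asks for. The first fragment is the current shape: anonymous clients are mapped through no_auth_user to a single user and therefore a single account, so a second oCIS installation cannot get its own tenant. The second fragment gives every oCIS installation its own account with its own username/password user and drops no_auth_user, so an unauthenticated connection is refused instead of silently landing in a shared tenant. The account names, user names and passwords are constructed placeholders.

```conf
# --- Before (constructed): one anonymous user, hence one account for everyone ---
# Any client that connects without credentials becomes user "ocis" in account OCIS.
# A second oCIS installation connecting anonymously lands in the same account,
# so its streams and subjects are not isolated from the first one.
jetstream {
  store_dir: "/data/jetstream"
}

accounts {
  OCIS: {
    jetstream: enabled
    users: [ { user: "ocis", password: "ocis-anon-placeholder" } ]
  }
}

no_auth_user: "ocis"
```

```conf
# --- After (constructed): one account per oCIS installation, credentials required ---
# Each account is a separate tenant: subjects, streams and consumers of
# TENANT_A are invisible to TENANT_B. Because no_auth_user is not set,
# a client that presents no credentials is rejected with an authorization
# violation rather than being mapped into some default tenant.
jetstream {
  store_dir: "/data/jetstream"
}

accounts {
  TENANT_A: {
    jetstream: enabled
    users: [
      # Plaintext shown for readability; the password field also accepts a
      # bcrypt hash (generated with "nats server passwd"), which is what
      # belongs in a real deployment.
      { user: "ocis-a", password: "a-constructed-secret" }
    ]
  }
  TENANT_B: {
    jetstream: enabled
    users: [
      { user: "ocis-b", password: "b-constructed-secret" }
    ]
  }
}
```

On the client side, this is the change the issue asks for in the nats-js event store: the connection has to carry the tenant's credentials, which in nats.go is the nats.UserInfo(user, password) connect option. Checking that isolation actually holds is straightforward: a client authenticated as ocis-a can subscribe to a subject published by ocis-b and must receive nothing, and a client with no credentials must fail to connect at all.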