owncloud / ocis

:atom_symbol: ownCloud Infinite Scale Stack
https://doc.owncloud.com/ocis/next/
Apache License 2.0

NATS authentication / Multi Tenancy #7801

Closed wkloucek closed 6 months ago

wkloucek commented 7 months ago

Is your feature request related to a problem? Please describe.

I have multiple oCIS installations in Kubernetes. Each oCIS has a NATS cluster with three pods.

I want those oCIS installations to share a single NATS cluster for deployment / management overhead reasons.

NATS is multi-tenancy capable if we are using accounts. Accounts are separated, and to oCIS it looks like it is alone on a NATS installation. Compare https://docs.nats.io/running-a-nats-service/configuration/securing_nats/accounts

We can't use NATS accounts right now because oCIS is connecting anonymously. As there is only one no_auth_user we only can map that to one account (see eg. https://github.com/owncloud/ocis-charts/blob/29ddf4d476220d3c685334e9e4b166af6ffe4608/deployments/ocis-nats/helmfile.yaml#L45)

Describe the solution you'd like

If we'd introduce authentication (username + password) for nats-js based:

We can use NATS in a multi tenancy configuration

Describe alternatives you've considered

Keep running a NATS cluster for each oCIS installation

Additional context
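As an added illustration (not from the issue or the ocis-charts repository), a NATS server configuration that places two oCIS installations into separate accounts, each with its own username/password user; account names, user names and the hash values are placeholders. The commented `no_auth_user` line shows the limitation described above: an anonymous connection can be mapped to only one user, hence to only one account.

```conf
# Added example: two tenants on one NATS cluster (all names are placeholders)
jetstream {
  store_dir: "/data/jetstream"
}

accounts {
  # One account per oCIS installation. Subjects and JetStream streams are
  # isolated per account, so each oCIS sees what looks like its own server.
  ocis_tenant_a {
    jetstream: enabled
    users: [
      # password is a bcrypt hash; placeholder value, not a real hash
      { user: "ocis-a", password: "$2a$11$PLACEHOLDER_BCRYPT_HASH_A" }
    ]
  }
  ocis_tenant_b {
    jetstream: enabled
    users: [
      { user: "ocis-b", password: "$2a$11$PLACEHOLDER_BCRYPT_HASH_B" }
    ]
  }
}

# With anonymous clients only this is possible, and it maps *every*
# unauthenticated connection to a single user and thus a single account:
# no_auth_user: "ocis-a"
```

Each oCIS installation then connects with its own credentials instead of anonymously, and the server assigns it to the matching account.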

dragotin commented 7 months ago

@kobergj @micbar huge potential to save resources with this, any chance to consider?

micbar commented 7 months ago

I agree, this seems like a quick win.

@kobergj Do you agree?

kobergj commented 7 months ago

Not sure if it is "quick" but it is definitely a "win", also for security

kobergj commented 6 months ago

What would be the best way to authenticate with the nats cluster? I see two options:

The first one would need a go-micro PR, but this is not a problem. I would go for the way that has the least maintenance and setup cost. @wkloucek do you prefer one way over the other? What would be easier to configure for you?

wkloucek commented 6 months ago

> What would be the best way to authenticate with the nats cluster? I see two options:
>
> The first one would need a go-micro PR, but this is not a problem. I would go for the way that has the least maintenance and setup cost. @wkloucek do you prefer one way over the other? What would be easier to configure for you?

From 5 minutes of research I honestly see username/password as an easier solution to implement on our project-specific deployment side. We already have some logic in place to generate usernames / passwords. We're gonna use NACK (https://github.com/nats-io/nack) to manage accounts (tenants), and that supports both username / password and nkeys.