NATS文档
  • 欢迎
  • 发行备注
    • 最新情况
      • NATS 2.2
      • NATS 2.0
  • NATS 概念
    • 概览
      • 比较 NATS
    • 什么是NATS
      • 演练安装
    • 基于主题的消息
    • 核心NATS
      • 发布和订阅
        • 发布/订阅演 练
      • 请求和响应
        • 请求/响应 演练
      • 队列组
        • 队列 演练
    • JetStream
      • 流
      • 消费者
        • 示例
      • JetStream 演练
      • 键值对存储
        • 键值对存储演练
      • 对象存储
        • 对象存储演练
    • 主题映射与分区
    • NATS服务器基础架构
      • NATS部署架构适配
    • 安全
    • 连接性
  • 使用 NATS
    • NATS工具
      • nats
        • nats基准测试
      • nk
      • nsc
        • 基础
        • 流
        • 服务
        • 签名密钥
        • 撤销
        • 管理操作
      • nats-top
        • 教程
    • 用NATS开发
      • 一个NATS应用的解剖
      • 连接
        • 连接到默认服务器
        • 连接到特定服务器
        • 连接到群集
        • 连接名称
        • 用用户名和密码做认证
        • 用令牌做认证
        • 用NKey做认证
        • 用一个可信文件做认证
        • 用TLS加密连接
        • 设置连接超时
        • 乒乓协议
        • 关闭响应消息
        • 杂技功能
        • 自动恢复
          • 禁用自动重连
          • 设置自动重新连接的最大次数
          • 随机
          • 重连尝试之间暂停
          • 关注重连事件
          • 重连尝试期间缓存消息
        • 监视连接
          • 关注连接事件
          • 低速消费者
      • 接收消息
        • 同步订阅
        • 异步订阅
        • 取消订阅
        • N个消息后取消订阅
        • 回复一个消息
        • 通配符订阅
        • 队列订阅
        • 断开连接前清除消息
        • 接收结构化数据
      • 发送消息
        • 包含一个回复主题
        • 请求回复语义
        • 缓存刷入和乒
        • 发送结构化数据
      • JetStream
        • 深入JetStream模型
        • 管理流和消费者
        • 消费者详情
        • 发布到流
        • 使用键值对存储
        • 使用对象存储
      • 教程
        • 用go做个自定义拨号器
  • 运行一个NATS服务
    • 安装、运行和部署NATS服务
      • 安装一个NATS服务
      • 运行和部署一个NATS服务
      • Windows服务
      • 信号
    • 环境约束
    • NATS和Docker
      • 教程
      • Docker Swarm
      • Python 和 NGS 运行在Docker
      • JetStream
    • NATS和Kubernetes
      • 用Helm 部署NATS
      • 创建一个Kubernetes群集
      • NATS群集和认证管理
      • 用cfssl保护NATS群集
      • 用负载均衡来保护外部的NATS访问
      • 在Digital Ocean用Helm创建超级NATS群集
      • 使用Helm从0到K8S再到叶子节点
    • NATS服务的客户端
    • 配置 NATS服务
      • 配置 JetStream
        • 配置管理 Management
          • NATS管理命令行
          • 地形
          • GitHub Actions
          • Kubernetes控制器
      • 群集
        • 群集配置
        • JetStream 群集
          • 管理
      • 网关超级群集
        • 配置
      • 叶子节点
        • 配置
        • JetStream在叶子节点
      • 安全加固NATS
        • 使用 TLS
        • 认证
          • 令牌
          • 用户名/密码
          • TLS认证
            • 群集中的TLS认证
          • NKeys
          • 认证超时
          • 去中心化的 JWT 认证/授权
            • 使用解析器查找帐户
            • 内存解析器教程
            • 混合认证/授权安装
        • 授权
        • 基于账户的多租户
        • OCSP Stapling
      • 日志
      • 使用监控
      • MQTT
        • 配置
      • 配置主题映射
      • 系统事件
        • 系统时间和去中心化的JWT教程
      • WebSocket
        • 配置
    • 管理和监控你的NATS服务基础架构
      • 监控
        • 监控 JetStream
      • 管理 JetStream
        • 账号信息
        • 命名流,消费者和账号
        • 流
        • 消费者
        • 数据复制
        • 灾难回复
        • 加密Rest
      • 管理JWT安全
        • 深入JWT指南
      • 升级一个群集
      • 慢消费者
      • 信号
      • 跛脚鸭模式
  • 参考
    • 常见问题
    • NATS协议
      • 协议演示
      • 客户端协议
        • 开发一个客户端
      • NATS群集协议
      • JetStream API参考
  • 遗产
    • STAN='NATS流'
      • STAN概念
        • 和NATS的关系
        • 客户端连接
        • 频道
          • 消息日志
          • 订阅
            • 通常的
            • 持久化的
            • 队列组
            • 重新投递
        • 存储接口
        • 存储加密
        • 群集
          • Supported Stores
          • Configuration
          • Auto Configuration
          • Containers
        • Fault Tolerance
          • Active Server
          • Standby Servers
          • Shared State
          • Failover
        • Partitioning
        • Monitoring
          • Endpoints
      • Developing With STAN
        • Connecting to NATS Streaming Server
        • Publishing to a Channel
        • Receiving Messages from a Channel
        • Durable Subscriptions
        • Queue Subscriptions
        • Acknowledgements
        • The Streaming Protocol
      • STAN NATS Streaming Server
        • Installing
        • Running
        • Configuring
          • Command Line Arguments
          • Configuration File
          • Store Limits
          • Persistence
            • File Store
            • SQL Store
          • Securing
        • Process Signaling
        • Windows Service
        • Embedding NATS Streaming Server
        • Docker Swarm
        • Kubernetes
          • NATS Streaming with Fault Tolerance.
    • nats账号服务
      • Basics
      • Inspecting JWTs
      • Directory Store
      • Update Notifications
由 GitBook 提供支持
在本页
  • Multi Tenancy using Accounts
  • Accounts
  • Exporting and Importing
  • No Auth User
  • See Also
  1. 运行一个NATS服务
  2. 配置 NATS服务
  3. 安全加固NATS

基于账户的多租户

上一页授权下一页OCSP Stapling

最后更新于2年前

Multi Tenancy using Accounts

In modern microservice architecture it is common to share infrastructure - such as NATS - between services. are securely isolated communication contexts that allow multi-tenancy in a NATS deployment. They allow users to bifurcate technology from business driven use cases, where data silos are created by design, not software limitations. Furthermore, they facilitate the of information between those data silos/Tenants/Accounts.

Accounts

Accounts expand on the authorization foundation. With traditional authorization, all clients can publish and subscribe to anything unless explicitly configured otherwise. To protect clients and information, you have to carve the subject space and permission clients carefully.

Accounts allow the grouping of clients, isolating them from clients in other accounts, thus enabling multi-tenancy in the server. With accounts, the subject space is not globally shared, greatly simplifying the messaging environment. Instead of devising complicated subject name carving patterns, clients can use short subjects without explicit authorization rules. are an example of this isolation at work.

Accounts configuration is done in accounts map. The contents of an account entry includes:

Property
Description

users

exports

imports

The accounts list is a map, where the keys on the map are an account name.

accounts: {
    A: {
        users: [
            {user: a, password: a}
        ]
    },
    B: {
        users: [
            {user: b, password: b}
        ]
    },
}

In the most straightforward configuration above you have an account named A which has a single user identified by the username a and the password a, and an account named B with a user identified by the username b and the password b.

These two accounts are isolated from each other. Messages published by users in A are not visible to users in B.

  • username/password

  • nkeys

  • and add permissions

While the name account implies one or more users, it is much simpler and enlightening to think of one account as a messaging container for one application. Users in the account are simply the minimum number of services that must work together to provide some functionality. In simpler terms, more accounts with few (even one) clients is a better design topology than a large account with many users with complex authorization configuration.

Exporting and Importing

Messaging exchange between different accounts is enabled by exporting streams and services from one account and importing them into another. Each account controls what is exported and imported.

  • Streams are messages your application publishes. Importing applications won't be able to make requests from your applications but will be able to consume messages you generate.

  • Services are messages your application can consume and act on, enabling other accounts to make requests that are fulfilled by your account.

Export Configuration Map

The export configuration map binds a subject for use as a service or stream and optionally defines specific accounts that can import the stream or service. Here are the supported configuration properties:

Property
Description

stream

A subject or subject with wildcards that the account will publish. (exclusive of service)

service

A subject or subject with wildcards that the account will subscribe to. (exclusive of stream)

accounts

A list of account names that can import the stream or service. If not specified, the service or stream is public and any account can import it.

response_type

Indicates if a response to a service request consists of a single or a stream of messages. Possible values are: single or stream. (Default value is singleton)

Here are some example exports:

accounts: {
    A: {
        users: [
            {user: a, password: a}
        ]
        exports: [
            {stream: puba.>}
            {service: pubq.>}
            {stream: b.>, accounts: [B]}
            {service: q.b, accounts: [B]}
        ]
    }
    ...
}

Here's what A is exporting:

  • a public stream on the wildcard subject puba.>

  • a public service on the wildcard subject pubq.>

  • a stream to account B on the wildcard subject b.>

  • a service to account B on the subject q.b

Import Configuration Map

An import enables an account to consume streams published by another account or make requests to services implemented by another account. All imports require a corresponding export on the exporting account. Accounts cannot do self-imports.

Property
Description

stream

service

prefix

A local subject prefix mapping for the imported stream. (applicable to stream)

to

A local subject mapping for imported service. (applicable to service)

The prefix and to options are optional and allow you to remap the subject that is used locally to receive stream messages from or publish service requests to. This way the importing account does not depend on naming conventions picked by another. Currently, a service import can not make use of wildcards, which is why the import subject can be rewritten. A stream import may make use of wildcards. To retain information contained in the subject, it can thus only be prefixed with prefix...

Source Configuration Map

Property
Description

account

Account name owning the export.

subject

The subject under which the stream or service is made accessible to the importing account

Import/Export Example

accounts: {
    A: {
        users: [
            {user: a, password: a}
        ]
        exports: [
            {stream: puba.>}
            {service: pubq.>}
            {stream: b.>, accounts: [B]}
            {service: q.b, accounts: [B]}
        ]
    },
    B: {
        users: [
            {user: b, password: b}
        ]
        imports: [
            {stream: {account: A, subject: b.>}}
            {service: {account: A, subject: q.b}}
        ]
    }
    C: {
        users: [
            {user: c, password: c}
        ]
        imports: [
            {stream: {account: A, subject: puba.>}, prefix: from_a}
            {service: {account: A, subject: pubq.C}, to: Q}
        ]
    }
}

Account B imports:

  • the private stream from A that only B can receive on b.>

  • the private service from A that only B can send requests on q.b

Account C imports the public service and stream from A, but also:

  • remaps the puba.> stream to be locally available under from_a.puba.>. The messages will have their original subjects prefixed by from_a.

  • remaps the pubq.C service to be locally available under Q. Account C only needs to publish to Q locally.

It is important to reiterate that:

  • stream puba.> from A is visible to all external accounts that imports the stream.

  • service pubq.> from A is available to all external accounts so long as they know the full subject of where to send the request. Typically an account will export a wildcard service but then coordinate with a client account on specific subjects where requests will be answered. On our example, account C access the service on pubq.C (but has mapped it for simplicity to Q).

  • stream b.> is private, only account B can receive messages from the stream.

  • service q.b is private; only account B can send requests to the service.

  • When C publishes a request to Q, local C clients will see Q messages. However, the server will remap Q to pubq.C and forward the requests to account A.

No Auth User

Clients connecting without authentication can be associated with a particular user within an account.

accounts: {
    A: {
        users: [
            {user: a, password: a}
        ]
    },
    B: {
        users: [
            {user: b, password: b}
        ]
    }
}
no_auth_user: a

The above example shows how clients without authentication can be associated with the user a within account A.

See Also

a list of

a list of

a list of

The user configuration map is the same as any other NATS . You can use:

The exports configuration list enable you to define the services and streams that others can import. Exported services and streams are expressed as an . The imports configuration lists the services and streams that an Account imports. Imported services and streams are expressed as an .

Stream import . (exclusive of service)

Service import (exclusive of stream)

The source configuration map describes an export from a remote account by specifying the account and subject of the export being imported. This map is embedded in the :

Please note that the no_auth_user will not work with nkeys. The user referenced can also be part of the block.

Despite no_auth_user being set, clients still need to communicate that they will not be using credentials. The applies to this process as well. When your connection is slow, you may run into this timeout and the resulting Authentication Timeout error, despite not providing credentials.

authorization
authentication timeout
Multi-tenancy and resource management
System Events
Accounts
controlled exchange
Export configuration map
Import configuration map
import configuration map
export maps
import maps
source configuration
source configuration
user configuration map
user configuration maps