NATS文档
  • 欢迎
  • 发行备注
    • 最新情况
      • NATS 2.2
      • NATS 2.0
  • NATS 概念
    • 概览
      • 比较 NATS
    • 什么是NATS
      • 演练安装
    • 基于主题的消息
    • 核心NATS
      • 发布和订阅
        • 发布/订阅演 练
      • 请求和响应
        • 请求/响应 演练
      • 队列组
        • 队列 演练
    • JetStream
      • 流
      • 消费者
        • 示例
      • JetStream 演练
      • 键值对存储
        • 键值对存储演练
      • 对象存储
        • 对象存储演练
    • 主题映射与分区
    • NATS服务器基础架构
      • NATS部署架构适配
    • 安全
    • 连接性
  • 使用 NATS
    • NATS工具
      • nats
        • nats基准测试
      • nk
      • nsc
        • 基础
        • 流
        • 服务
        • 签名密钥
        • 撤销
        • 管理操作
      • nats-top
        • 教程
    • 用NATS开发
      • 一个NATS应用的解剖
      • 连接
        • 连接到默认服务器
        • 连接到特定服务器
        • 连接到群集
        • 连接名称
        • 用用户名和密码做认证
        • 用令牌做认证
        • 用NKey做认证
        • 用一个可信文件做认证
        • 用TLS加密连接
        • 设置连接超时
        • 乒乓协议
        • 关闭响应消息
        • 杂技功能
        • 自动恢复
          • 禁用自动重连
          • 设置自动重新连接的最大次数
          • 随机
          • 重连尝试之间暂停
          • 关注重连事件
          • 重连尝试期间缓存消息
        • 监视连接
          • 关注连接事件
          • 低速消费者
      • 接收消息
        • 同步订阅
        • 异步订阅
        • 取消订阅
        • N个消息后取消订阅
        • 回复一个消息
        • 通配符订阅
        • 队列订阅
        • 断开连接前清除消息
        • 接收结构化数据
      • 发送消息
        • 包含一个回复主题
        • 请求回复语义
        • 缓存刷入和乒
        • 发送结构化数据
      • JetStream
        • 深入JetStream模型
        • 管理流和消费者
        • 消费者详情
        • 发布到流
        • 使用键值对存储
        • 使用对象存储
      • 教程
        • 用go做个自定义拨号器
  • 运行一个NATS服务
    • 安装、运行和部署NATS服务
      • 安装一个NATS服务
      • 运行和部署一个NATS服务
      • Windows服务
      • 信号
    • 环境约束
    • NATS和Docker
      • 教程
      • Docker Swarm
      • Python 和 NGS 运行在Docker
      • JetStream
    • NATS和Kubernetes
      • 用Helm 部署NATS
      • 创建一个Kubernetes群集
      • NATS群集和认证管理
      • 用cfssl保护NATS群集
      • 用负载均衡来保护外部的NATS访问
      • 在Digital Ocean用Helm创建超级NATS群集
      • 使用Helm从0到K8S再到叶子节点
    • NATS服务的客户端
    • 配置 NATS服务
      • 配置 JetStream
        • 配置管理 Management
          • NATS管理命令行
          • 地形
          • GitHub Actions
          • Kubernetes控制器
      • 群集
        • 群集配置
        • JetStream 群集
          • 管理
      • 网关超级群集
        • 配置
      • 叶子节点
        • 配置
        • JetStream在叶子节点
      • 安全加固NATS
        • 使用 TLS
        • 认证
          • 令牌
          • 用户名/密码
          • TLS认证
            • 群集中的TLS认证
          • NKeys
          • 认证超时
          • 去中心化的 JWT 认证/授权
            • 使用解析器查找帐户
            • 内存解析器教程
            • 混合认证/授权安装
        • 授权
        • 基于账户的多租户
        • OCSP Stapling
      • 日志
      • 使用监控
      • MQTT
        • 配置
      • 配置主题映射
      • 系统事件
        • 系统时间和去中心化的JWT教程
      • WebSocket
        • 配置
    • 管理和监控你的NATS服务基础架构
      • 监控
        • 监控 JetStream
      • 管理 JetStream
        • 账号信息
        • 命名流,消费者和账号
        • 流
        • 消费者
        • 数据复制
        • 灾难回复
        • 加密Rest
      • 管理JWT安全
        • 深入JWT指南
      • 升级一个群集
      • 慢消费者
      • 信号
      • 跛脚鸭模式
  • 参考
    • 常见问题
    • NATS协议
      • 协议演示
      • 客户端协议
        • 开发一个客户端
      • NATS群集协议
      • JetStream API参考
  • 遗产
    • STAN='NATS流'
      • STAN概念
        • 和NATS的关系
        • 客户端连接
        • 频道
          • 消息日志
          • 订阅
            • 通常的
            • 持久化的
            • 队列组
            • 重新投递
        • 存储接口
        • 存储加密
        • 群集
          • Supported Stores
          • Configuration
          • Auto Configuration
          • Containers
        • Fault Tolerance
          • Active Server
          • Standby Servers
          • Shared State
          • Failover
        • Partitioning
        • Monitoring
          • Endpoints
      • Developing With STAN
        • Connecting to NATS Streaming Server
        • Publishing to a Channel
        • Receiving Messages from a Channel
        • Durable Subscriptions
        • Queue Subscriptions
        • Acknowledgements
        • The Streaming Protocol
      • STAN NATS Streaming Server
        • Installing
        • Running
        • Configuring
          • Command Line Arguments
          • Configuration File
          • Store Limits
          • Persistence
            • File Store
            • SQL Store
          • Securing
        • Process Signaling
        • Windows Service
        • Embedding NATS Streaming Server
        • Docker Swarm
        • Kubernetes
          • NATS Streaming with Fault Tolerance.
    • nats账号服务
      • Basics
      • Inspecting JWTs
      • Directory Store
      • Update Notifications
由 GitBook 提供支持
在本页
  • Permissions Configuration Map
  • Permission Map
  • Allow Responses Map
  • Examples
  • Variables
  • Allow/Deny Specified
  • allow_responses
  • Queue Permissions
  1. 运行一个NATS服务
  2. 配置 NATS服务
  3. 安全加固NATS

授权

上一页混合认证/授权安装下一页基于账户的多租户

最后更新于2年前

The NATS server supports authorization using subject-level permissions on a per-user basis. Permission-based authorization is available with multi-user authentication via the users list.

Each permission specifies the subjects the user can publish to and subscribe to. The parser is generous at understanding what the intent is, so both arrays and singletons are processed. For more complex configuration, you can specify a permission object which explicitly allows or denies subjects. The specified subjects can specify wildcards as well. Permissions can make use of .

A special field inside the authorization map is default_permissions. When present, it contains permissions that apply to users that do not have permissions associated with them.

Permissions Configuration Map

The permissions map specify subjects that can be subscribed to or published by the specified client.

Property
Description

publish

subscribe

allow_responses

Permission Map

The permission map provides additional properties for configuring a permissions map. Instead of providing a list of allowable subjects and optional queues, the permission map allows you to explicitly list those you want toallow or deny. Both lists can be provided. In case of overlap deny has priority.

Property
Description

allow

List of subject names that are allowed to the client

deny

List of subjects that are denied to the client

Important Note It is important to not break request-reply patterns. In some cases (as shown ) you need to add rules for the _INBOX.> pattern. If an unauthorized client publishes or attempts to subscribe to a subject that has not been allow listed, the action fails and is logged at the server, and an error message is returned to the client. The option can simplify this.

Allow Responses Map

The allow_responses option dynamically allows publishing to reply subjects and is designed for responders. When set to true, an implicit publish allow permission is enforced which enables the service to have temporary permission to publish to the reply subject during a request-reply exchange. If true, the client supports a one-time publish. If allow_responses is a map, it allows you to configure a maximum number of responses and how long the permission is valid.

Property
Description

max

The maximum number of response messages that can be published.

expires

The amount of time the permission is valid. Values such as 1s, 1m, 1h (1 second, minute, hour) etc can be specified. Default doesn't have a time limit.

When allow_responses is set to true, it defaults to the equivalent of { max: 1 } and no time limit.

Important Note When using nsc to configure your users, you can specify the --allow-pub-response and --response-ttl to control these settings.

Examples

Variables

Here is an example authorization configuration that uses variables which defines four users, three of whom are assigned explicit permissions.

authorization {
  default_permissions = {
    publish = "SANDBOX.*"
    subscribe = ["PUBLIC.>", "_INBOX.>"]
  }
  ADMIN = {
    publish = ">"
    subscribe = ">"
  }
  REQUESTOR = {
    publish = ["req.a", "req.b"]
    subscribe = "_INBOX.>"
  }
  RESPONDER = {
    subscribe = ["req.a", "req.b"]
    publish = "_INBOX.>"
  }
  users = [
    {user: admin,   password: $ADMIN_PASS, permissions: $ADMIN}
    {user: client,  password: $CLIENT_PASS, permissions: $REQUESTOR}
    {user: service,  password: $SERVICE_PASS, permissions: $RESPONDER}
    {user: other, password: $OTHER_PASS}
  ]
}

default_permissions is a special entry. If defined, it applies to all users that don't have specific permissions set.

  • admin has ADMIN permissions and can publish/subscribe on any subject. We use the wildcard > to match any subject.

  • client is a REQUESTOR and can publish requests on subjects req.a or req.b, and subscribe to anything that is a response (_INBOX.>).

  • service is a RESPONDER to req.a and req.b requests, so it needs to be able to subscribe to the request subjects and respond to client's that can publish requests to req.a and req.b. The reply subject is an inbox. Typically inboxes start with the prefix _INBOX. followed by a generated string. The _INBOX.> subject matches all subjects that begin with _INBOX..

  • other has no permissions granted and therefore inherits the default permission set.

Allow/Deny Specified

Here's an example without variables, where the allow and deny options are specified:

authorization: {
    users = [
        {
            user: admin
            password: secret
            permissions: {
                publish: ">"
                subscribe: ">"
            }
        }
        {
            user: test
            password: test
            permissions: {
                publish: {
                    deny: ">"
                },
                subscribe: {
                    allow: "client.>"
                }
            }
        }
    ]
}

allow_responses

Here's an example with allow_responses:

authorization: {
    users: [
        { user: a, password: a },
        { user: b, password: b, permissions: {subscribe: "q", allow_responses: true } },
        { user: c, password: c, permissions: {subscribe: "q", allow_responses: { max: 5, expires: "1m" } } }
        { user: d, password: d, permissions: {subscribe: "q", publish: "x", allow_responses: true } }
    ]
}
  • User a has no restrictions.

  • User b can listen on q for requests and can only publish once to reply subjects. All other publish subjects are denied implicitly when allow_responses is set.

  • User c can listen on q for requests, but is able to return at most 5 reply messages, and the reply subject can be published at most for 1 minute.

  • User d has the same behavior as user b, except that it can explicitly publish to subject x as well, which overrides the implicit deny from allow_responses.

Queue Permissions

User a can ony subscribe to foo as part of the queue subscriptions queue. User b has permissions for queue subscriptions as well as plain subscriptions. You can allow plain subscriptions on foo but constrain the queues to which a client can join, as well as preventing any service from using a queue subscription with the name *.prod:

users = [
  {
    user: "a", password: "a", permissions: {
      sub: {
        allow: ["foo queue"]
     }
  }
  {
    user: "b", password: "b", permissions: {
      sub: {
        # Allow plain subscription foo, but only v1 groups or *.dev queue groups
        allow: ["foo", "foo v1", "foo v1.>", "foo *.dev"]

        # Prevent queue subscriptions on prod groups
        deny: ["> *.prod"]
     }
  }
]

subject, list of subjects, or the client can publish

subject, list of subjects, or the client can subscribe to. In this context it is possible to provide an optional queue name: <subject> <queue> to express queue group permissions. These permissions can also use wildcards such as v2.* or >.

boolean or , default is false. Enabling this implicitly denies publish to other subjects, however an explicit publish allow on a subject will override this implicit deny for that subject.

Note that in the above example, any client with permissions to subscribe to _INBOX.> can receive all responses published. More sensitive installations will want to add or subset the prefix to further limit subjects that a client can subscribe. Alternatively, allow complete isolation limiting what members of an account can see.

Accounts
service
variables
below
allow responses
permission map
permission map
responses map