Skip to content

Commit

Permalink
Updates to address documentation issues #406,#430,#662 (#339)
Browse files Browse the repository at this point in the history
  • Loading branch information
@gcolliso @aricart
gcolliso authored and aricart committed May 23, 2018
1 parent ec3a8b3 commit 6218153
Show file tree
Hide file tree
Showing 4 changed files with 46 additions and 70 deletions.
8 changes: 4 additions & 4 deletions content/documentation/concepts/nats-queueing.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,12 +9,12 @@ category = "concepts"
parent = "Concepts"
+++

# NATS Queueing
# NATS Queue Subscribers

NATS supports message queueing using point-to-point (one-to-one) communication.
NATS provides a load balancing feature called queue subscriptions. Using queue subscribers will load balance message delivery across a group of subscribers which can be used to provide application fault tolerance and scale workload processing.

To create a message queue, subscribers register a queue name. All subscribers with the same queue name form the queue group. As messages on the registered subject are published, one member of the group is chosen randomly to receive the message. Although queue groups have multiple subscribers, each message is consumed by only one.
To create a queue subscription, subscribers register a queue name. All subscribers with the same queue name form the queue group. As messages on the registered subject are published, one member of the group is chosen randomly to receive the message. Although queue groups have multiple subscribers, each message is consumed by only one.

Queue subscribers can be asynchronous, in which case the message handler callback function processes the delivered message. Synchronous queue subscribers must build in logic to processes the message.
Queue subscribers can be asynchronous, in which case the message handler callback function processes the delivered message. Synchronous queue subscribers must build in logic to process the message. Queue subscribers are ideal for auto scaling as you can add or remove them anytime, without any configuration changes or restarting the server or clients.

![drawing](/img/documentation/nats-queue.png)
4 changes: 2 additions & 2 deletions content/documentation/server/gnatsd-authentication.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,11 +3,11 @@ date = "2015-09-27"
title = "Server Authentication"
description = ""
category = "server"
[menu.documentation]
[menu.main]
name = "Server Authentication"
weight = 3
identifier = "server-gnatsd-authentication"
parent = "server"
parent = "Server"
+++

# NATS Server Authentication
Expand Down
87 changes: 31 additions & 56 deletions content/documentation/server/gnatsd-authorization.md
View file
Original file line number Diff line number Diff line change
@@ -1,96 +1,71 @@
+++
date = "2016-06-23"
date = "2018-05-22"
title = "Server Authorization"
description = ""
category = "server"
[menu.documentation]
[menu.main]
name = "Server Authorization"
weight = 3
identifier = "server-gnatsd-authorization"
parent = "server"
parent = "Server"
+++

The latest release of the NATS Server (0.9.0) supports user/client authorization using subject-level permissioning.
# NATS Server Authorization

Subject-level permissioning is available with multi-user authentication configurations and leverages configuation variables. You enable multi-user authentication and permissioning using a NATS Server configuration file that defines the user credentials and permissions.
The NATS server supports authorization using subject-level permissions on a per-user basis. Permission-based authorization is available with [multi-user authentication](/documentation/server/gnatsd-authentication/).

## Usage
Each permission grant is an object with two fields: what subject(s) the authenticated user can publish to, and what subject(s) the authenticated user can subscribe to. The parser is generous at understanding what the intent is, so both arrays and singletons are processed. Subjects themselves can contain wildcards. Permissions make use of [variables](/documentation/server/gnatsd-config/#variables).

Each permission grant is an object with two fields: what subject(s) the authenticated user can publish to, and what subject(s) the authenticated user can subscribe to. Authorization filters (subjects) can be a singleton or an array. Subjects can contain wildcards.

```
PERMSSION_NAME // Variable
publish // Singleton or array
subscribe // Singleton or array
```

## Example

For example, since Alice is an ADMIN she can publish/subscribe on any subject. We use the wildcard “>” to match any subject.
You set permissions by creating an entry inside of the `authorization` configuration block that conforms to the following syntax:

```
authorization {
ADMIN = {
publish = ">"
subscribe = ">"
}
}
```

Bob is REQUESTOR and can publish requests on subjects req.foo or req.bar, and subscribe to anything that is a response (_INBOX.*).

```
authorization {
REQUESTOR = {
publish = ["req.foo", "req.bar"]
subscribe = "_INBOX.*"
PERMISSION_NAME = {
publish = "singleton" or ["array", ...]
subscribe = "singleton" or ["array", ...]
}
}
```

Note that the publish field is an array with two subjects; the subscribe field is a singleton. The parser is generous at understanding what the intent is, so arrays and singletons are processed.
# Example

Joe has no permission grant and therefore inherits the default permission set. You set the inherited default permissions by assigning them to the default_permissions entry inside of the authorization configuration block.
Here is an example authorization configuration that defines four users, three of whom are assigned explicit permissions.

```
authorization {
default_permissions = {
publish = "SANDBOX.*"
subscribe = ["PUBLIC.>", "_INBOX.>"]
}
}
```

Note that `_INBOX.*` subscribe permissions must be granted in order to use the request APIs in the Synadia supported clients. If an unauthorized client publishes or attempts to subscribe to a subject, the action fails and is logged at the server, and an error message is returned to the client.

## Complete example

```
authorization {
ADMIN = {
publish = ">"
subscribe = ">"
}
REQUESTOR = {
publish = ["req.foo", "req.bar"]
subscribe = "_INBOX.*"
subscribe = "_INBOX.>"
}
RESPONDER = {
subscribe = ["req.foo", "req.bar"]
publish = "_INBOX.>"
}
DEFAULT_PERMISSIONS = {
publish = "SANDBOX.*"
subscribe = ["PUBLIC.>", "_INBOX.>"]
}
PASS: abcdefghijklmnopqrstuvwxwz0123456789
users = [
{user: alice, password: foo, permissions: $ADMIN}
{user: bob, password: bar, permissions: $REQUESTOR}
{user: joe, password: $PASS}
{user: joe, password: foo, permissions: $ADMIN}
{user: alice, password: bar, permissions: $REQUESTOR}
{user: bob, password: $PASS, permissions: $RESPONDER}
{user: charlie, password: bar}
]
}
```

Note that the variable identifier (name) is not case sensitive, but is capitalized by convention for readability. The variable is referenced using the $ character.
Since Joe is an ADMIN he can publish/subscribe on any subject. We use the wildcard “>” to match any subject.

Alice is a REQUESTOR and can publish requests on subjects "req.foo" or "req.bar", and subscribe to anything that is a response ("_INBOX.>").

Charlie has no permissions granted and therefore inherits the default permission set. You set the inherited default permissions by assigning them to the default_permissions entry inside of the authorization configuration block.

Bob is a RESPONDER to any of Alice's requests, so Bob needs to be able to subscribe to the request subjects and respond to Alice's reply subject which will be an _INBOX.>.

Important to note, NATS Authorizations are whitelist only, meaning in order to not break request/reply patterns you need to add rules as above with Alice and Bob for the _INBOX.> pattern. If an unauthorized client publishes or attempts to subscribe to a subject that has not been whitelisted, the action fails and is logged at the server, and an error message is returned to the client.
17 changes: 9 additions & 8 deletions content/documentation/server/gnatsd-config.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -49,31 +49,32 @@ In general the configuration parameters are the same as the [command line argume

## Sample server config file

The following demonstrates an example NATS server config file. See also the [NATS Server README]
The following demonstrates an example NATS server config file. See also the [NATS Server README](https://github.com/nats-io/gnatsd/blob/master/README.md#configuration-file)

```
port: 4242 # port to listen for client connections
net: myhost.lan # net interface to listen
net: localhost # optional listen interface, default is 0.0.0.0 (all)
http_port: 8222 # HTTP monitoring port
# Authorization for client connections
authorization {
user: derek
password: T0pS3cr3t
# ./util/mkpasswd -p T0pS3cr3t
password: $2a$11$W2zko751KUvVy59mUTWmpOdWjpEm5qhcCZRd05GjI/sSOT.xtiHyG
timeout: 1
}
# Cluster definition
cluster {
host: '127.0.0.1' # host/net interface
port: 4244 # port for inbound route connections
listen: localhost:4244 # host/port for inbound route connections
# Authorization for route connections
authorization {
user: route_user
password: T0pS3cr3tT00!
# ./util/mkpasswd -p T0pS3cr3tT00!
password: $2a$11$xH8dkGrty1cBNtZjhPeWJewu/YPbSU.rXJWmS6SFilOBXzmZoMk9m
timeout: 0.5
}
Expand All @@ -90,10 +91,10 @@ cluster {
debug: false
trace: true
logtime: false
log_file: "/tmp/gnatsd.log"
log_file: "/tmp/nats-server.log"
# pid file
pid_file: "/tmp/gnatsd.pid"
pid_file: "/tmp/nats-server.pid"
# Some system overides
Expand Down

0 comments on commit 6218153

Please sign in to comment.