choria-legacy / go-network-broker
The Choria Network Broker
License: Apache License 2.0
We need to support https://nats-io.github.io/docs/leafnodes/
These are used in scenarios where you wish to jump across auth domains, so in our use, for example, a new node without any authentication tokens - like one in provisioning - would connect to a leaf node and join an account specific to provisioning so there is a hard separation.
This will let us configure a provisioning broker with relaxed/no auth and have it form part of a specifically chosen account where provisioners run.
This should be the specific aim for this so we might only support a subset of the leaf node features at first.
This is to allow a binary built with TLS disabled to be used for brokers with or without TLS when required. For 99% of people this will not be used at all.
While testing the NetworkAllowedClientHosts option, I found that node discovery was only returning the nodes listed in the option, where it should have returned all the other servers.
Traced it back to this error message: NATS client on broker_host encountered an error: nats: Permissions Violation for Publish to "mcollective.reply.fqdn.bc1d24..."
Seems that default publish perms are too strict when the NetworkAllowedClientHosts option is enabled.
We need to support https://nats-io.github.io/docs/gateways/
These are used to create a local cluster in a remote DC that in turn connects to a central cluster. All nodes connected to that cluster are visible to the super cluster. Good for big sites that do not want to send all their traffic to a local and good for isolating traffic to scaling clusters. We need to support these 2 use cases specifically.
Should set reject_unknown by default.
varz now has a Leafs; we should expose that to prometheus.
As per choria-io/go-choria#492
https://github.com/nats-io/nats-server/releases/tag/v2.0.4
look at exposing leafnode stats to prometheus (see changelog), investigate revokes,
In choria-legacy/go-config#20, an option was added to configure TLS timeouts on the broker. Let's hook that option up to the timeout value.
Relates to choria-io/go-choria#617
This should support storing account files on disk and should have a way to know when these files change and notify the nats broker that it has
This means writing an AccountResolver and setting it into the embedded nats using SetAccountResolver.
Relates to choria-io/go-choria#612
Gateways especially, but potentially leaf nodes too, will often come with different TLS CAs. For example, you would have 2 DCs, each DC with their own CA, and you want to connect them together; in this case you might have a CA for intra-DC links or just assign the links to use the CA of the receiving DC.
All of this will require TLS configs on a per leaf/gateway remote basis.
It would be good to limit where clients can connect from; should support IPs and subnets, both v6 and v4.
Blocked by nats-io/nats-server#832, but in POC this is roughly what's needed should that ticket be resolved:
```go
package network

import (
	"github.com/nats-io/gnatsd/server"
)

// IPAuth restricts full client permissions to a configured list of remote
// addresses. Subnet support is still to do (see the TODO below).
type IPAuth struct {
	allowList []string
}

// By default we let everyone do whatever they like; Choria doesn't really
// care for the security of the network when correctly deployed.
//
// However, when an IP list is set we deny the ability to publish to the
// request targets for anyone but clients.
func (a *IPAuth) Check(c server.ClientAuthentication) (verified bool) {
	user := a.createUser(c)

	if !a.remoteInClientAllowList(c) {
		// Connections not on the allow list may still subscribe and reply,
		// but may not publish requests to agents or nodes.
		user.Permissions.Publish = &server.SubjectPermission{
			Deny: []string{
				"*.broadcast.agent.*",
				"*.node.*",
			},
		}
	}

	c.RegisterUser(user)

	return true
}

// TODO: subnets
func (a *IPAuth) remoteInClientAllowList(c server.ClientAuthentication) bool {
	// an empty list means every remote is treated as a client
	if len(a.allowList) == 0 {
		return true
	}

	remote := c.RemoteAddress()
	if remote == nil {
		return false
	}

	// exact string match only; CIDR entries are not yet understood
	rip := remote.IP.String()
	for _, allowed := range a.allowList {
		if rip == allowed {
			return true
		}
	}

	return false
}

func (a *IPAuth) createUser(c server.ClientAuthentication) *server.User {
	opts := c.GetOpts()

	return &server.User{
		Username:    opts.Username,
		Password:    opts.Password,
		Permissions: &server.Permissions{},
	}
}
```
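Added example, not code from the go-network-broker repository: a standalone allow-list that fills in the "TODO subnets" above by accepting both bare addresses and CIDR blocks for IPv4 and IPv6, and that rejects malformed entries instead of skipping them. The names ClientAllowList, NewClientAllowList and Allows are my own; the POC's remoteInClientAllowList would call Allows(remote.IP) in place of its string comparison.

```go
package main

import (
	"fmt"
	"net"
)

// ClientAllowList holds parsed NetworkAllowedClientHosts entries: single
// addresses ("10.0.0.5", "2001:db8::1") or CIDR blocks ("10.0.0.0/8").
type ClientAllowList struct {
	nets []*net.IPNet
}

// NewClientAllowList parses the entries. A malformed entry is an error rather
// than being skipped, so a typo cannot silently widen or narrow access.
func NewClientAllowList(entries []string) (*ClientAllowList, error) {
	l := &ClientAllowList{}
	for _, e := range entries {
		if ip := net.ParseIP(e); ip != nil {
			// bare address: store it as a /32 or /128 host network
			bits := 128
			if ip.To4() != nil {
				ip, bits = ip.To4(), 32
			}
			l.nets = append(l.nets, &net.IPNet{IP: ip, Mask: net.CIDRMask(bits, bits)})
			continue
		}
		_, n, err := net.ParseCIDR(e)
		if err != nil {
			return nil, fmt.Errorf("allowed client host %q is neither an IP nor a CIDR", e)
		}
		l.nets = append(l.nets, n)
	}
	return l, nil
}

// Allows reports whether remote is a trusted client. An empty list allows
// everyone (the POC's behaviour); a nil remote never matches and is denied.
func (l *ClientAllowList) Allows(remote net.IP) bool {
	if len(l.nets) == 0 {
		return true
	}
	for _, n := range l.nets {
		if n.Contains(remote) {
			return true
		}
	}
	return false
}
```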