go-network-broker's People

Contributors

ripienaar

Forkers

snakeb1t vjanelle

go-network-broker's Issues

support leaf nodes

We need to support https://nats-io.github.io/docs/leafnodes/

These are used in scenarios where you wish to jump across auth domains, so in our use for example a new node without any authentication tokens - like one in provisioning - would connect to a leaf node and join an account specific to provisioning so there is a hard separation.

This will let us configure a provisioning broker with relaxed/no auth and have it form part of a specifically chosen account where provisioners run.

This should be the specific aim for this so we might only support a subset of the leaf node features at first.

NetworkAllowedClientHosts option is excluding all other servers from responding

While testing the NetworkAllowedClientHosts option, I found that node discovery was only returning the nodes listed in the option, where it should have returned all the other servers.

Traced it back to this error message: NATS client on broker_host encountered an error: nats: Permissions Violation for Publish to \"mcollective.reply.fqdn.bc1d24...\"

Seems that default publish perms are too strict when NetworkAllowedClientHosts option is enabled.

support gateway nodes

We need to support https://nats-io.github.io/docs/gateways/

These are used to create a local cluster in a remote DC that in turn connects to a central cluster. All nodes connected to that cluster are visible to the super cluster. Good for big sites that do not want to send all their traffic to a local and good for isolating traffic to scaling clusters. We need to support these 2 use cases specifically.

Should set reject_unknown by default

support a nats 2.0 file store on disk

This should support storing account files on disk and should have a way to know when these files change and notify the nats broker that it has

This means writing an AccountResolver and setting it into the embedded nats using SetAccountResolver

Relates to choria-io/go-choria#612

on gateways and leafs support custom TLS

Gateways especially, but potentially leaf nodes too, will often come with different TLS CAs. For example you would have 2 DCs, each with its own CA, and you want to connect them together; in this case you might have a CA for intra-DC links or just assign the links to use the CA of the receiving DC.

All of this will require TLS configs on a per leaf/gateway remote basis

support limiting clients to an allow list of ips

It would be good to limit where clients can connect from, should support ips and subnets both v6 and 4.

blocked by nats-io/nats-server#832, but in POC this is roughly what's needed should that ticket be resolved

package network

import (
	"github.com/nats-io/gnatsd/server"
)

type IPAuth struct {
	allowList []string
}

// by default we let everyone do whatever they like, choria doesn't really
// care for the security of the network when correctly deployed
//
// however when an ip list is set we deny the ability to publish to the request
// targets for anyone but clients
func (a *IPAuth) Check(c server.ClientAuthentication) (verified bool) {
	user := a.createUser(c)

	if !a.remoteInClientAllowList(c) {
		user.Permissions.Publish = &server.SubjectPermission{
			Deny: []string{
				"*.broadcast.agent.*",
				"*.node.*",
			},
		}
	}

	c.RegisterUser(user)

	return true
}

// todo subnets
func (a *IPAuth) remoteInClientAllowList(c server.ClientAuthentication) bool {
	if len(a.allowList) == 0 {
		return true
	}

	remote := c.RemoteAddress()
	if remote == nil {
		return false
	}

	rip := remote.IP.String()
	for _, allowed := range a.allowList {
		if rip == allowed {
			return true
		}
	}

	return false
}

func (a *IPAuth) createUser(c server.ClientAuthentication) *server.User {
	opts := c.GetOpts()

	return &server.User{
		Username:    opts.Username,
		Password:    opts.Password,
		Permissions: &server.Permissions{},
	}
}
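As an added example (not go-network-broker's code), the allow-list check above extended to the subnets the ticket asks for, for both IPv4 and IPv6, using only the Go standard library. The ClientAllowList type and its functions are hypothetical names; in the POC the net.IP argument would come from c.RemoteAddress().IP, and an empty list keeps the POC's "allow everyone" behaviour.

```go
package main

import (
	"fmt"
	"net"
)

// ClientAllowList holds parsed single addresses and CIDR subnets, v4 and v6 (hypothetical type).
type ClientAllowList struct {
	nets []*net.IPNet
}

// NewClientAllowList parses entries like "10.0.0.5", "10.0.0.0/8" or "2001:db8::/32".
// A bare address becomes a single-host network so one code path handles both forms.
func NewClientAllowList(entries []string) (*ClientAllowList, error) {
	l := &ClientAllowList{}
	for _, e := range entries {
		if _, n, err := net.ParseCIDR(e); err == nil {
			l.nets = append(l.nets, n)
			continue
		}
		ip := net.ParseIP(e)
		if ip == nil {
			return nil, fmt.Errorf("invalid allow list entry %q", e)
		}
		bits := 32
		if ip.To4() == nil {
			bits = 128
		}
		l.nets = append(l.nets, &net.IPNet{IP: ip, Mask: net.CIDRMask(bits, bits)})
	}
	return l, nil
}

// Allowed reports whether remote is in the list; an empty list allows everyone, an
// unknown remote is refused. IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) match v4 entries.
func (l *ClientAllowList) Allowed(remote net.IP) bool {
	if len(l.nets) == 0 {
		return true
	}
	if remote == nil {
		return false
	}
	for _, n := range l.nets {
		if n.Contains(remote) {
			return true
		}
	}
	return false
}
```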
