Narad v0.1.0-alpha.2 — the security release
Pre-release
Pre-release
Second alpha of the v0.1.0 line. The headline is security: Narad now has full authentication, RBAC, and encrypted+authenticated intra-cluster transports — and it's secure by default. Still pre-1.0 and not production-ready (see the honest gate list below); suitable for evaluation and early integration behind a trusted boundary.
Image: ghcr.io/debanganthakuria/narad:v0.1.0-alpha.2 (linux/amd64 + linux/arm64).
🔐 Security (new)
- HTTP API authentication — HTTP Basic auth over a bcrypt-hashed user store, with a per-node verification cache (positive/negative caches + decaying failed-attempt throttle + singleflight) so the hot path never pays bcrypt's cost. Secure by default; a root
adminis seeded at first boot (random password logged once, orNARAD_ADMIN_PASSWORD). - RBAC — users with
produce/consume(incl. ack) /create/admingrants over literal or prefix-wildcard (orders-*) topic patterns. Full user-management API (/v1/users) with no-privilege-escalation invariants (only root confersadmin; nobody edits their own grants; root is undeletable/immutable). - Topic ownership — the creator owns a topic; only the owner or an admin may alter/delete it (distinct from produce/consume, which are grant-governed).
- Cluster RPC auth — the node-to-node QUIC transport (already TLS 1.3) now requires a shared-secret HMAC handshake per stream.
- Raft metadata transport mTLS — mutual TLS on the consensus channel that replicates user hashes and grants; peers authenticate by cluster-CA-signed certs. Optional, off until certs are provisioned.
- Pentested on a live cluster: 44/44 designed invariants held; the one finding (public
/metricsexposure via the ingress) is fixed.
🛠 Reliability & correctness
- 40-bug correctness pass across storage, WAL, cluster, and broker.
- Multi-arch images fixed — arm64 images now contain arm64 binaries (previously every arm64 image shipped an amd64 binary and crash-looped).
🧹 Internals
- Deep readability refactor (file/function splits, dedup) with no behavior change.
- Dropped the inert
SyncBytesknob and pruned debug-only metrics to the operator-useful set.
⚠️ Upgrade / breaking notes
- Secure by default. Existing unauthenticated clients will get
401after upgrade. Provide credentials, or setNARAD_SECURITY_ENABLED=falsefor local/dev. - Config decoding is strict — a removed key (e.g.
ingress_wal_sync_bytes) now errors; delete it. - Enabling Raft mTLS on a running cluster briefly pauses consensus writes mid-rollout (plaintext and mTLS nodes can't talk); reads continue.
🚧 Not production-ready — remaining gates
This alpha closes the security gate. Still open before prod:
- Durability / DR (hard gate) — no tested backup/restore runbook or measured RPO/RTO for this single-copy (no-replication) design.
- Soak & SLOs — only a point-in-time ~50k msg/s benchmark; no multi-day soak under fault injection against written SLOs.
- Upgrade/rollback contract — on-disk and node-RPC formats are current-version-only; mixed-version rolling upgrades are undefined.
- Partition rebalance — ownership is sticky; new capacity doesn't absorb existing partitions.
Full changelog: v0.1.0-alpha.1...v0.1.0-alpha.2