Skip to content

Narad v0.1.0-alpha.2 — the security release

Pre-release
Pre-release

Choose a tag to compare

@DebanganThakuria DebanganThakuria released this 06 Jul 17:52
8e9bf0a

Second alpha of the v0.1.0 line. The headline is security: Narad now has full authentication, RBAC, and encrypted+authenticated intra-cluster transports — and it's secure by default. Still pre-1.0 and not production-ready (see the honest gate list below); suitable for evaluation and early integration behind a trusted boundary.

Image: ghcr.io/debanganthakuria/narad:v0.1.0-alpha.2 (linux/amd64 + linux/arm64).

🔐 Security (new)

  • HTTP API authentication — HTTP Basic auth over a bcrypt-hashed user store, with a per-node verification cache (positive/negative caches + decaying failed-attempt throttle + singleflight) so the hot path never pays bcrypt's cost. Secure by default; a root admin is seeded at first boot (random password logged once, or NARAD_ADMIN_PASSWORD).
  • RBAC — users with produce / consume (incl. ack) / create / admin grants over literal or prefix-wildcard (orders-*) topic patterns. Full user-management API (/v1/users) with no-privilege-escalation invariants (only root confers admin; nobody edits their own grants; root is undeletable/immutable).
  • Topic ownership — the creator owns a topic; only the owner or an admin may alter/delete it (distinct from produce/consume, which are grant-governed).
  • Cluster RPC auth — the node-to-node QUIC transport (already TLS 1.3) now requires a shared-secret HMAC handshake per stream.
  • Raft metadata transport mTLS — mutual TLS on the consensus channel that replicates user hashes and grants; peers authenticate by cluster-CA-signed certs. Optional, off until certs are provisioned.
  • Pentested on a live cluster: 44/44 designed invariants held; the one finding (public /metrics exposure via the ingress) is fixed.

🛠 Reliability & correctness

  • 40-bug correctness pass across storage, WAL, cluster, and broker.
  • Multi-arch images fixed — arm64 images now contain arm64 binaries (previously every arm64 image shipped an amd64 binary and crash-looped).

🧹 Internals

  • Deep readability refactor (file/function splits, dedup) with no behavior change.
  • Dropped the inert SyncBytes knob and pruned debug-only metrics to the operator-useful set.

⚠️ Upgrade / breaking notes

  • Secure by default. Existing unauthenticated clients will get 401 after upgrade. Provide credentials, or set NARAD_SECURITY_ENABLED=false for local/dev.
  • Config decoding is strict — a removed key (e.g. ingress_wal_sync_bytes) now errors; delete it.
  • Enabling Raft mTLS on a running cluster briefly pauses consensus writes mid-rollout (plaintext and mTLS nodes can't talk); reads continue.

🚧 Not production-ready — remaining gates

This alpha closes the security gate. Still open before prod:

  • Durability / DR (hard gate) — no tested backup/restore runbook or measured RPO/RTO for this single-copy (no-replication) design.
  • Soak & SLOs — only a point-in-time ~50k msg/s benchmark; no multi-day soak under fault injection against written SLOs.
  • Upgrade/rollback contract — on-disk and node-RPC formats are current-version-only; mixed-version rolling upgrades are undefined.
  • Partition rebalance — ownership is sticky; new capacity doesn't absorb existing partitions.

Full changelog: v0.1.0-alpha.1...v0.1.0-alpha.2