Is it possible to block anonymous access to nats cluster? #774

Closed
mojoscale opened this issue Aug 8, 2023 · 5 comments

@mojoscale

I have enabled auth and have set up one user in the values.yaml file for deploying using helm chart. My expectation is that anonymous access should not be allowed, but it does not seem to work. Is it possible to block anon' access to nats-cluster, and if so, how? My setting looks as below:

```yaml
config:
  cluster:
    enabled: true
    port: 6222
    # must be 2 or higher when jetstream is enabled
    replicas: 2

    # apply to generated route URLs that connect to other pods in the StatefulSet
    routeURLs:
      # if both user and password are set, they will be added to route URLs
      # and the cluster authorization block
      user:
      password:
      # set to true to use FQDN in route URLs
      useFQDN: false
      k8sClusterDomain: cluster.local

    auth:
      enabled: true

      # NOTE: Only supported in Kubernetes v1.12+ clusters having the "TokenRequest" API enabled.
      enableServiceAccounts: false

      ## This is where you enter a username/password for 1 user
      username: "my-user"
      password: "T0pS3cr3t"

      ## This is a where you can specify 2 or more users
      users: []
```

@caleblloyd
Contributor

Try upgrading to the 1.0.0 helm chart, then you can do something like this:

```yaml
config:
  cluster:
    enabled: true
    replicas: 2
  merge:
    authorization:
      users:
      - user: my-user
        password: T0pS3cr3t
natsBox:
  contexts:
    default:
      merge:
        user: my-user
        password: T0pS3cr3t
```

@caleblloyd
Contributor

Anonymous user access is automatically blocked as long as auth is properly configured

@mojoscale
Author

I am already using chart v1.0.0 and the above did not work. So, I changed the values.yaml as suggested above, and after redeployment, I am still able to publish a message to the cluster without creds. Anything I could be doing wrong here?

@caleblloyd
Contributor

Not sure. When I take the natsBox.contexts section out of the above example and publish a message anonymously from the nats-box container, I get Authorization Denied.

@discostur

@caleblloyd didn't work for me either - NATS deploys the config and for me it looks correct, but it says

nats-server: /etc/nats-config/nats.conf:3:6: Cluster authorization does not allow multiple users

Even in the config file I see just one authorization part. Then I just used the part from the helm chart:

    # apply to generated route URLs that connect to other pods in the StatefulSet
    routeURLs:
      # if both user and password are set, they will be added to route URLs
      # and the cluster authorization block
      user: USER
      password: PASSWORD
      # set to true to use FQDN in route URLs
      useFQDN: false
      k8sClusterDomain: cluster.local

and that works for me.
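
One way to confirm from outside the chart whether the server really rejects clients that send no credentials, which is the check this thread keeps returning to (added example, not part of the original issue or the NATS project's code). It speaks the plain-text NATS client protocol; the default client port 4222, the `127.0.0.1` target (for instance a local port-forward) and the sample lines are assumptions or constructed.

```python
import json
import socket
import sys

# Constructed sample lines (not captured from a real server), for offline checks.
SAMPLE_INFO = b'INFO {"server_id":"EXAMPLE","auth_required":true,"max_payload":1048576}\r\n'
SAMPLE_DENIED = b"-ERR 'Authorization Violation'\r\n"

def parse_info(line: bytes) -> dict:
    """Parse the first line a NATS server sends to a client: INFO {json}."""
    op, _, payload = line.strip().partition(b" ")
    if op.upper() != b"INFO":
        raise ValueError(f"expected INFO, got {op!r}")
    return json.loads(payload)

def verdict(replies: list) -> str:
    """Classify the replies to a CONNECT without credentials followed by PING."""
    for raw in replies:
        line = raw.strip().lower()
        if line.startswith(b"-err") and b"auth" in line:
            return "blocked"   # Authorization Violation / Authentication Timeout
        if line == b"pong":
            return "open"      # server served a client that sent no credentials
    return "inconclusive"      # only INFO seen, timeout, or connection closed

def probe(host: str, port: int = 4222, timeout: float = 3.0) -> dict:
    """Connect with no credentials and report how the server reacts."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rwb")
        info = parse_info(stream.readline())
        result = {"auth_required": bool(info.get("auth_required")), "anonymous": "inconclusive"}
        if info.get("tls_required"):
            return result      # this plain-text probe does not negotiate TLS
        stream.write(b'CONNECT {"verbose":false,"pedantic":false,"name":"anon-probe"}\r\nPING\r\n')
        stream.flush()
        replies = []
        try:
            while len(replies) < 4 and verdict(replies) == "inconclusive":
                line = stream.readline()
                if not line:
                    break
                replies.append(line)
        except OSError:
            pass               # timeout or reset: classify what was read
        result["anonymous"] = verdict(replies)
        return result

if __name__ == "__main__":
    # Target host is an assumption, e.g. a local port-forward to the client port.
    outcome = probe(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1")
    print(outcome)
    sys.exit(0 if outcome["anonymous"] == "blocked" else 1)
```

A result of `{'auth_required': False, 'anonymous': 'open'}` after a deploy means the authorization block never reached the rendered `nats.conf`, so the next step is to inspect the generated config rather than the values file.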
