Issue with denying unauthenticated connections #4535
I'm trying to set up a NATS server instance which:
From reading the docs it suggests you can create a user under the The issue I have is that when this system account is defined, connections with no credentials passed are still able to connect and act as a normal user and publish/subscribe, which I'm trying to avoid! This is the test configuration I've been using: I can connect as these users as expected. I can also connect with no user/pass. If I comment out the I'm aware of the I've scoured the documentation, but please could someone help me understand why defining a separate account changes this behaviour 🙏 Thanks!
Hi @alexherington, could you try with nats-py v2.4.0 which I have just published? I think this should be fixed there: https://pypi.org/project/nats-py/
I ran into the same issue and can confirm that simply having an https://docs.nats.io/running-a-nats-service/configuration/securing_nats/accounts#no-auth-user
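Hey folks, the user/pass, token, or a list of users in the top-level authorization block was one of the original config options (pre-multi tenancy and system account). When multi-tenancy was introduced, this block still works and defaults to an implicit $G account.

For setups that want the system account exposed and one or more application accounts, the accounts block should be used.

However if you only define the system account, the default account named $G is still in effect and does not require auth. The simplest way to address this is to define a new explicit account.

When a non-system account is defined, the default At that point you can add users under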
ok found the bug and will do a PR and should be in 2.10.2 release which is coming very soon.
Hey folks, the user/pass, token, or a list of users in the top-level authorization block was one of the original config options (pre-multi tenancy and system account). When multi-tenancy was introduced, this block still works and defaults to an implicit $G account.

For setups that want the system account exposed and one or more application accounts, the accounts block should be used.

However if you only define the system account, the default account named $G is still in effect and does not require auth. The simplest way to address this is to define a new explicit account.
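
The configuration change described in the reply above, shown as an added example that is not part of the original thread or the NATS project's own files. The account names `SYS` and `APP`, the user names and the passwords are constructed placeholders; the original poster's test configuration did not survive on this page.

```conf
# Two separate server config files are shown together for comparison.
# All names and passwords below are constructed placeholders.

# ---- Before: only the system account is defined --------------------
# Per the reply above, the implicit default account $G is still in
# effect with this layout and does not require auth.
accounts {
  SYS {
    users = [
      { user: "sys_admin", password: "CHANGE_ME_SYS" }
    ]
  }
}
system_account: SYS

# ---- After: an explicit application account is added ---------------
# Application clients now belong to APP and must present its
# credentials; SYS stays reserved for system/monitoring users.
accounts {
  SYS {
    users = [
      { user: "sys_admin", password: "CHANGE_ME_SYS" }
    ]
  }
  APP {
    users = [
      { user: "app_user", password: "CHANGE_ME_APP" }
    ]
  }
}
system_account: SYS

# no_auth_user is deliberately left unset: setting it would map
# connections that send no credentials onto the named user, which is
# the behaviour this thread is trying to deny.
```

After reloading the server with the second file, confirm the result by connecting once with the `APP` credentials and once with no credentials; the second attempt should be refused with an authorization error.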