-
-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add Permissions to Client Certificates #546
Comments
I'm not dismissing this idea as it's interesting and I think worth consideration, but I did want to point out that as of v1.0 you can dynamically add/remove users and change permissions on a running server through config reload: https://github.com/nats-io/gnatsd#process-signaling. This might provide an alternative solution? |
Hi @tylertreat Cons |
Have you considered JWTs? I am looking into these a bit more for some future work. |
@derekcollison we ended up doing both authentication and authorization over Mutual TLS with a twist. Each NATS client certificate has the client Then when the server gets the client cert, it extracts the client ID and Type from it and applies it to a template of what it can publish/subscribe to. For example: If client type is Let us know if you're interested more into what we have implemented. |
Interesting, thanks for the info. Do you allows updates to permissions after the fact? How do you deal with revocation? Thanks again. |
@pivotal-jamil-shamy Interesting solution. I am assuming you applied this to a fork of gnatsd? Per @derekcollison's question, my guess is that revocation isn't technically required since the indirection with the server templates are what ultimately dictate the permission? I could imagine a control plane layer that manages these template/permission mappings. @derekcollison If you are looking for a more flexible solution beyond JWTs (which also suffer from the revocation issue), Open Policy Agent (OPA) may be good for this use case. It is also incubating in the CNCF. It is implemented in Go so can be embedded or it can be deployed as a sidecar. |
I will look at OPA (we presented together at an end-user meeting). JWTs will be most flexible IMO since they can be completely decoupled and self describing without additional operational components. |
@bruth yep, this was implemented into a fork of gnatsd. Open Policy Agent seems inetersting, will look into that. |
Agree with short lived permissions. We will encourage this in the JWT scheme we will deliver in Q3. We do feel a revocation system is needed and we are in the process of designing how that would work. |
@pivotal-jamil-shamy - Is there any documentation for this feature? If not:
|
We now support pulling user id from a client certificate, and will add a bit more custom version too. Still do not forsee adding in auth to the a x.509 client cert though. |
@nerdoftech cc @xtreme-andrew-su @h4xnoodle |
Would be great to work with you to merge necessary items back into master so you don't have to keep a fork. Merging to get to 2.0 release may be challenging. Be happy to discuss on a call. |
After doing a bit of research of who is who, I have a better understanding of everyone involved. @pivotal-jamil-shamy - Thanks for sending that info over, however, I did not realize that it was in a forked repo. I appreciate your response anyhow. @derekcollison - After spending a few hours researching, I think I found I was looking for like you mentioned and it is exactly what we need. I'm new to Go, so please let me know if I got this right. In this config file there is an option This sets This eventually gets to the method One question I have, I saw that the user's password is still checked later in the method: Would I be correct to assume that |
Yes that is correct. We have also added an additional mapping type that uses Go's Subject for x.509 certs. /cc @wallyqs |
Awesome! While I cant make a commitment without getting permission from my company, I am going to ask about contributing a documentation PR to the docs repo according to the contribution guidelines. It looks like add info to these two pages might be the right place: |
We appreciate any and all PRs, so if you are able please send away, and thanks in advance. |
Ah, I just noticed that this code is not yet in a release tag. I'm only allowed to use feature in an official release. I saw this PR #896 and the changes are approved. Are you able to share an ETA on when this feature will be release? |
Hi @nerdoftech I just merged that branch so would be part of the next release which would happen sometime in the next few weeks I think. |
Thanks, @wallyqs ! |
Can this be closed or should we wait for next release before closing? |
Seems like 2.0.0-RCX has the functionality. We're trying it out in cloudfoundry/bosh |
@h4xnoodle Great, ping us directly on Slack or email if you have any questions. |
@h4xnoodle I wanted to check in with you. I wanted to make sure that using NATS inside of BOSH and other things at VMW was going well. If not let's jump on a video call, I would like to understand the issues and anything we can do to make NATS better inside VMW. |
Feature Request
Use Case:
When mutual TLS is enabled by specifying
--tlsverify
flag, in theory a client no longer needs to pass a username and password to authenticate, since that was already being taken care of when verifying the client certificate.Looking at the code, we see that the username and password are still being used when mutual TLS is enabled; specifically to set the permissions for a client.
Proposed Change:
Allow the inclusion of a client permissions inside the client certificate itself. This way, each client is issued a cert with the permissions baked into its cert.
A X509 certificate can hold some metadata in itself (the RFC https://www.ietf.org/rfc/rfc5280.txt refers to that). The approach would be when creating a client certificate, add the permissions to the cert metadata itself, then after successfully authenticating the client gnatsd server can extract the permissions from the client certificate and injects these permissions into the user's session.
Who Benefits From The Change(s)?
With this approach we can technically add "users" dynamically to an already running server by creating a client certificate with the intended permissions.
Note: The client cert itself can also hold more info about the client (probably client name) for trace and audit purposes.
The text was updated successfully, but these errors were encountered: