Multi Tenancy using Accounts
In modern microservice architecture it is common to share infrastructure - such as NATS - between services. Accounts are securely isolated communication contexts that allow multi-tenancy in a NATS deployment. They allow users to bifurcate technology from business driven use cases, where data silos are created by design, not software limitations. Furthermore, they facilitate the controlled exchange of information between those data silos/Tenants/Accounts.
Accounts expand on the authorization foundation. With traditional authorization, all clients can publish and subscribe to anything unless explicitly configured otherwise. To protect clients and information, you have to carve the subject space and permission clients carefully.
Accounts allow the grouping of clients, isolating them from clients in other accounts, thus enabling multi-tenancy in the server. With accounts, the subject space is not globally shared, greatly simplifying the messaging environment. Instead of devising complicated subject name carving patterns, clients can use short subjects without explicit authorization rules. System Events are an example of this isolation at work.
Accounts configuration is done in
accounts map. The contents of an account entry includes:Property | Description |
|---|---|
users | |
exports | |
imports |
The
accounts list is a map, where the keys on the map are an account name.accounts: {
A: {
users: [
{user: a, password: a}
]
},
B: {
users: [
{user: b, password: b}
]
},
}
In the most straightforward configuration above you have an account namedAwhich has a single user identified by the usernameaand the passworda, and an account namedBwith a user identified by the usernameband the passwordb.These two accounts are isolated from each other. Messages published by users inAare not visible to users inB.
Messaging exchange between different accounts is enabled by exporting streams and services from one account and importing them into another. Each account controls what is exported and imported.
- Streams are messages your application publishes. Importing applications won't be able to make requests from your applications but will be able to consume messages you generate.
- Services are messages your application can consume and act on, enabling other accounts to make requests that are fulfilled by your account.
The
exports configuration list enable you to define the services and streams that others can import. Exported services and streams are expressed as an Export configuration map. The imports configuration lists the services and streams that an Account imports. Imported services and streams are expressed as an Import configuration map.The export configuration map binds a subject for use as a
service or stream and optionally defines specific accounts that can import the stream or service. Here are the supported configuration properties:Property | Description |
|---|---|
stream | A subject or subject with wildcards that the account will publish. (exclusive of service) |
service | A subject or subject with wildcards that the account will subscribe to. (exclusive of stream) |
accounts | A list of account names that can import the stream or service. If not specified, the service or stream is public and any account can import it. |
response_type | Indicates if a response to a service request consists of a single or a stream of messages. Possible values are: single or stream. (Default value is singleton) |
Here are some example exports:
accounts: {
A: {
users: [
{user: a, password: a}
]
exports: [
{stream: puba.>}
{service: pubq.>}
{stream: b.>, accounts: [B]}
{service: q.b, accounts: [B]}
]
}
...
}
Here's what
A is exporting:- a public stream on the wildcard subject
puba.> - a public service on the wildcard subject
pubq.> - a stream to account
Bon the wildcard subjectb.> - a service to account
Bon the subjectq.b
An import enables an account to consume streams published by another account or make requests to services implemented by another account. All imports require a corresponding export on the exporting account. Accounts cannot do self-imports.
Property | Description |
|---|---|
stream | |
service | |
prefix | A local subject prefix mapping for the imported stream. (applicable to stream) |
to | A local subject mapping for imported service. (applicable to service) |
The
prefix and to options are optional and allow you to remap the subject that is used locally to receive stream messages from or publish service requests to. This way the importing account does not depend on naming conventions picked by another. Currently, a service import can not make use of wildcards, which is why the import subject can be rewritten. A stream import may make use of wildcards. To retain information contained in the subject, it can thus only be prefixed with prefix...Source Configuration Map
The source configuration map describes an export from a remote account by specifying the
account and subject of the export being imported. This map is embedded in the import configuration map:Property | Description |
|---|---|
account | Account name owning the export. |
subject | The subject under which the stream or service is made accessible to the importing account |
accounts: {
A: {
users: [
{user: a, password: a}
]
exports: [
{stream: puba.>}
{service: pubq.>}
{stream: b.>, accounts: [B]}
{service: q.b, accounts: [B]}
]
},
B: {
users: [
{user: b, password: b}
]
imports: [
{stream: {account: A, subject: b.>}}
{service: {account: A, subject: q.b}}
]
}
C: {
users: [
{user: c, password: c}
]
imports: [
{stream: {account: A, subject: puba.>}, prefix: from_a}
{service: {account: A, subject: pubq.C}, to: Q}
]
}
}
Account
B imports:- the private stream from
Athat onlyBcan receive onb.> - the private service from
Athat onlyBcan send requests onq.b
Account
C imports the public service and stream from A, but also:- remaps the
puba.>stream to be locally available underfrom_a.puba.>. The messages will have their original subjects prefixed byfrom_a. - remaps the
pubq.Cservice to be locally available underQ. AccountConly needs to publish toQlocally.
It is important to reiterate that:
- stream
puba.>fromAis visible to all external accounts that imports the stream. - service
pubq.>fromAis available to all external accounts so long as they know the full subject of where to send the request. Typically an account will export a wildcard service but then coordinate with a client account on specific subjects where requests will be answered. On our example, accountCaccess the service onpubq.C(but has mapped it for simplicity toQ). - stream
b.>is private, only accountBcan receive messages from the stream. - service
q.bis private; only accountBcan send requests to the service. - When
Cpublishes a request toQ, localCclients will seeQmessages. However, the server will remapQtopubq.Cand forward the requests to accountA.
Clients connecting without authentication can be associated with a particular user within an account.
accounts: {
A: {
users: [
{user: a, password: a}
]
},
B: {
users: [
{user: b, password: b}
]
}
}
no_auth_user: a
The above example shows how clients without authentication can be associated with the user
a within account A.Please note that theno_auth_userwill not work with nkeys. The user referenced can also be part of the authorization block.Despiteno_auth_userbeing set, clients still need to communicate that they will not be using credentials. The authentication timeout applies to this process as well. When your connection is slow, you may run into this timeout and the resultingAuthentication Timeouterror, despite not providing credentials.
Last modified 2d ago