CNCF and Synadia Align on Securing the Future of the NATS.io Project. Read the joint press release.
NATS Docs
NATS.ioNATS by ExampleGitHubSlackTwitter
  • Welcome
  • Release Notes
    • What's New!
      • NATS 2.11
      • NATS 2.10
      • NATS 2.2
      • NATS 2.0
  • NATS Concepts
    • Overview
      • Compare NATS
    • What is NATS
      • Walkthrough Setup
    • Subject-Based Messaging
    • Core NATS
      • Publish-Subscribe
        • Pub/Sub Walkthrough
      • Request-Reply
        • Request-Reply Walkthrough
      • Queue Groups
        • Queueing Walkthrough
    • JetStream
      • Streams
      • Source and Mirror Streams
        • Example
      • Consumers
        • Example
      • JetStream Walkthrough
      • Key/Value Store
        • Key/Value Store Walkthrough
      • Object Store
        • Object Store Walkthrough
      • Headers
    • Subject Mapping and Partitioning
    • NATS Service Infrastructure
      • NATS Adaptive Deployment Architectures
    • Security
    • Connectivity
  • Using NATS
    • NATS Tools
      • nats
        • nats bench
      • nk
      • nsc
        • Basics
        • Streams
        • Services
        • Signing Keys
        • Revocation
        • Managed Operators
      • nats-top
        • Tutorial
    • Developing With NATS
      • Anatomy of a NATS application
      • Connecting
        • Connecting to the Default Server
        • Connecting to a Specific Server
        • Connecting to a Cluster
        • Connection Name
        • Authenticating with a User and Password
        • Authenticating with a Token
        • Authenticating with an NKey
        • Authenticating with a Credentials File
        • Encrypting Connections with TLS
        • Setting a Connect Timeout
        • Ping/Pong Protocol
        • Turning Off Echo'd Messages
        • Miscellaneous functionalities
        • Automatic Reconnections
          • Disabling Reconnect
          • Set the Number of Reconnect Attempts
          • Avoiding the Thundering Herd
          • Pausing Between Reconnect Attempts
          • Listening for Reconnect Events
          • Buffering Messages During Reconnect Attempts
        • Monitoring the Connection
          • Listen for Connection Events
          • Slow Consumers
      • Receiving Messages
        • Synchronous Subscriptions
        • Asynchronous Subscriptions
        • Unsubscribing
        • Unsubscribing After N Messages
        • Replying to a Message
        • Wildcard Subscriptions
        • Queue Subscriptions
        • Draining Messages Before Disconnect
        • Receiving Structured Data
      • Sending Messages
        • Including a Reply Subject
        • Request-Reply Semantics
        • Caches, Flush and Ping
        • Sending Structured Data
      • Building Services
      • JetStream
        • JetStream Model Deep Dive
        • Managing Streams and consumers
        • Consumer Details
        • Publishing to Streams
        • Using the Key/Value Store
        • Using the Object Store
      • Tutorials
        • Advanced Connect and Custom Dialer in Go
    • Running Workloads on NATS
      • Getting Started
        • Installing Nex
        • Building a Service
        • Starting a Node
        • Deploying Services
        • Building a Function
        • Deploying Functions
      • Host Services
        • Javascript | V8
      • Nex Internals
        • Architecture Overview
        • Node Process
        • Nex Agent
        • No Sandbox Mode
        • Root File System
        • Control Interface
      • FAQ
  • Running a NATS service
    • Installing, running and deploying a NATS Server
      • Installing a NATS Server
      • Running and deploying a NATS Server
      • Windows Service
      • Flags
    • Environmental considerations
    • NATS and Docker
      • Tutorial
      • Docker Swarm
      • Python and NGS Running in Docker
      • JetStream
      • NGS Leaf Nodes
    • NATS and Kubernetes
    • NATS Server Clients
    • Configuring NATS Server
      • Configuring JetStream
        • Configuration Management
          • NATS Admin CLI
          • Terraform
          • GitHub Actions
          • Kubernetes Controller
      • Clustering
        • Clustering Configuration
        • v2 Routes
        • JetStream Clustering
          • Administration
          • Troubleshooting
      • Super-cluster with Gateways
        • Configuration
      • Leaf Nodes
        • Configuration
        • JetStream on Leaf Nodes
      • Securing NATS
        • Enabling TLS
        • Authentication
          • Tokens
          • Username/Password
          • TLS Authentication
            • TLS Authentication in clusters
          • NKeys
          • Authentication Timeout
          • Decentralized JWT Authentication/Authorization
            • Account lookup using Resolver
            • Memory Resolver Tutorial
            • Mixed Authentication/Authorization Setup
        • Authorization
        • Multi Tenancy using Accounts
        • OCSP Stapling
        • Auth Callout
      • Logging
      • Enabling Monitoring
      • MQTT
        • Configuration
      • Configuring Subject Mapping
      • System Events
        • System Events & Decentralized JWT Tutorial
      • WebSocket
        • Configuration
    • Managing and Monitoring your NATS Server Infrastructure
      • Monitoring
        • Monitoring JetStream
      • Managing JetStream
        • Account Information
        • Naming Streams, Consumers, and Accounts
        • Streams
        • Consumers
        • Data Replication
        • Disaster Recovery
        • Encryption at Rest
      • Managing JWT Security
        • In Depth JWT Guide
      • Upgrading a Cluster
      • Slow Consumers
      • Signals
      • Lame Duck Mode
      • Profiling
  • Reference
    • FAQ
    • NATS Protocols
      • Protocol Demo
      • Client Protocol
        • Developing a Client
      • NATS Cluster Protocol
      • JetStream wire API Reference
    • Roadmap
    • Contributing
  • Legacy
    • nats-account-server
Powered by GitBook
On this page
  • Multi Tenancy using Accounts
  • Accounts
  • Exporting and Importing
  • No Auth User
  • See Also

Was this helpful?

Edit on GitHub
Export as PDF
  1. Running a NATS service
  2. Configuring NATS Server
  3. Securing NATS

Multi Tenancy using Accounts

PreviousAuthorizationNextOCSP Stapling

Last updated 1 year ago

Was this helpful?

Multi Tenancy using Accounts

In modern microservice architecture it is common to share infrastructure - such as NATS - between services. are securely isolated communication contexts that allow multi-tenancy in a NATS deployment. They allow users to bifurcate technology from business driven use cases, where data silos are created by design, not software limitations. Furthermore, they facilitate the of information between those data silos/Tenants/Accounts.

Accounts

Accounts expand on the authorization foundation. With traditional authorization, all clients can publish and subscribe to anything unless explicitly configured otherwise. To protect clients and information, you have to carve the subject space and permission clients carefully.

Accounts allow the grouping of clients, isolating them from clients in other accounts, thus enabling multi-tenancy in the server. With accounts, the subject space is not globally shared, greatly simplifying the messaging environment. Instead of devising complicated subject name carving patterns, clients can use short subjects without explicit authorization rules. are an example of this isolation at work.

Accounts configuration is done in accounts map. The contents of an account entry includes:

Property
Description

users

exports

imports

The accounts list is a map, where the keys on the map are an account name.

accounts: {
    A: {
        users: [
            {user: a, password: a}
        ]
    },
    B: {
        users: [
            {user: b, password: b}
        ]
    },
}

In the most straightforward configuration above you have an account named A which has a single user identified by the username a and the password a, and an account named B with a user identified by the username b and the password b.

These two accounts are isolated from each other. Messages published by users in A are not visible to users in B.

  • username/password

  • nkeys

  • and add permissions

While the name account implies one or more users, it is much simpler and enlightening to think of one account as a messaging container for one application. Users in the account are simply the minimum number of services that must work together to provide some functionality. In simpler terms, more accounts with few (even one) clients is a better design topology than a large account with many users with complex authorization configuration.

Exporting and Importing

Messaging exchange between different accounts is enabled by exporting streams and services from one account and importing them into another. Each account controls what is exported and imported.

  • Streams are messages your application publishes. Importing applications won't be able to make requests from your applications but will be able to consume messages you generate.

  • Services are messages your application can consume and act on, enabling other accounts to make requests that are fulfilled by your account.

The term stream in the context of import and export account configuration does not refer to and should not be confused with a JetStream stream (unfortunate collision of terms as the import/export between accounts predates JetStream), it is just a 'stream of (Core NATS) messages'

Export Configuration Map

The export configuration map binds a subject for use as a service or stream and optionally defines specific accounts that can import the stream or service. Here are the supported configuration properties:

Property
Description

stream

A subject or subject with wildcards that the account will publish. (exclusive of service)

service

A subject or subject with wildcards that the account will subscribe to. (exclusive of stream)

accounts

A list of account names that can import the stream or service. If not specified, the service or stream is public and any account can import it.

response_type

Indicates if a response to a service request consists of a single or a stream of messages. Possible values are: single or stream. (Default value is singleton)

Here are some example exports:

accounts: {
    A: {
        users: [
            {user: a, password: a}
        ]
        exports: [
            {stream: puba.>}
            {service: pubq.>}
            {stream: b.>, accounts: [B]}
            {service: q.b, accounts: [B]}
        ]
    }
    ...
}

Here's what A is exporting:

  • a public stream on the wildcard subject puba.>

  • a public service on the wildcard subject pubq.>

  • a stream to account B on the wildcard subject b.>

  • a service to account B on the subject q.b

Import Configuration Map

An import enables an account to consume streams published by another account or make requests to services implemented by another account. All imports require a corresponding export on the exporting account. Accounts cannot do self-imports.

Property
Description

stream

service

prefix

A local subject prefix mapping for the imported stream. (applicable to stream)

to

A local subject mapping for imported service. (applicable to service)

The prefix and to options are optional and allow you to remap the subject that is used locally to receive stream messages from or publish service requests to. This way the importing account does not depend on naming conventions picked by another. Currently, a service import can not make use of wildcards, which is why the import subject can be rewritten. A stream import may make use of wildcards. To retain information contained in the subject, it can thus only be prefixed with prefix...

Source Configuration Map

Property
Description

account

Account name owning the export.

subject

The subject under which the stream or service is made accessible to the importing account

Import/Export Example

accounts: {
    A: {
        users: [
            {user: a, password: a}
        ]
        exports: [
            {stream: puba.>}
            {service: pubq.>}
            {stream: b.>, accounts: [B]}
            {service: q.b, accounts: [B]}
        ]
    },
    B: {
        users: [
            {user: b, password: b}
        ]
        imports: [
            {stream: {account: A, subject: b.>}}
            {service: {account: A, subject: q.b}}
        ]
    }
    C: {
        users: [
            {user: c, password: c}
        ]
        imports: [
            {stream: {account: A, subject: puba.>}, prefix: from_a}
            {service: {account: A, subject: pubq.C}, to: Q}
        ]
    }
}

Account B imports:

  • the private stream from A that only B can receive on b.>

  • the private service from A that only B can send requests on q.b

Account C imports the public service and stream from A, but also:

  • remaps the puba.> stream to be locally available under from_a.puba.>. The messages will have their original subjects prefixed by from_a.

  • remaps the pubq.C service to be locally available under Q. Account C only needs to publish to Q locally.

It is important to reiterate that:

  • stream puba.> from A is visible to all external accounts that imports the stream.

  • service pubq.> from A is available to all external accounts so long as they know the full subject of where to send the request. Typically an account will export a wildcard service but then coordinate with a client account on specific subjects where requests will be answered. On our example, account C access the service on pubq.C (but has mapped it for simplicity to Q).

  • stream b.> is private, only account B can receive messages from the stream.

  • service q.b is private; only account B can send requests to the service.

  • When C publishes a request to Q, local C clients will see Q messages. However, the server will remap Q to pubq.C and forward the requests to account A.

No Auth User

Clients connecting without authentication can be associated with a particular user within an account.

accounts: {
    A: {
        users: [
            {user: a, password: a}
        ]
    },
    B: {
        users: [
            {user: b, password: b}
        ]
    }
}
no_auth_user: a

The above example shows how clients without authentication can be associated with the user a within account A.

Exporting and importing JetStream streams between accounts

It is possible to import/export messages stored in JetStream streams between accounts. While it is possible to allow a client application in one account to access a stream located in another account, in most use cases people want a setup where a stream in one account is mirrored or sourced in another account (and the applications in that other account simply use that mirrored/sourced stream in their account), as this is a more 'locked-down' way to share messages in streams between accounts, compared to letting the client applications directly use a stream in another account.

There are two resources documenting and giving examples of how to do this:

See Also

a list of

a list of

a list of

The user configuration map is the same as any other NATS . You can use:

The exports configuration list enable you to define the services and streams that others can import. Exported services and streams are expressed as an . The imports configuration lists the services and streams that an Account imports. Imported services and streams are expressed as an .

Stream import . (exclusive of service)

Service import (exclusive of stream)

The source configuration map describes an export from a remote account by specifying the account and subject of the export being imported. This map is embedded in the :

Please note that the no_auth_user will not work with nkeys. The user referenced can also be part of the block.

Despite no_auth_user being set, clients still need to communicate that they will not be using credentials. The applies to this process as well. When your connection is slow, you may run into this timeout and the resulting Authentication Timeout error, despite not providing credentials.

explains and has a walkthrough example of how to do this using simple static security (as is probably the best one to start with) and

explains how to do the same thing but when using the 'operator' JWT-based security mode of operation.

authorization
authentication timeout
Cross account JetStream sourcing
Connect Streams Cross Accounts
Multi-tenancy and resource management
System Events
Accounts
controlled exchange
Export configuration map
Import configuration map
import configuration map
export maps
import maps
source configuration
source configuration
user configuration map
user configuration maps