How to set up Decentralized Authentication/Authorization in NATS | Rethink Connectivity Episode 6
- Published: Feb 8, 2025
- Learn how to set up a decentralized security model with NATS operators, accounts and users. In this episode, Jeremy will go over the core design of NATS decentralized auth component, and how to set up your cluster with an operator, accounts and users.
View the source code for this video here:
github.com/Con...
NATS is a connective technology powering modern distributed systems, unifying Cloud, On-Premise, Edge, and IoT.
Join the NATS Community on Slack: slack.nats.io
Learn More about NATS at docs.nats.io/
I'm a fan of your videos Jeremy! I’m pretty hooked on NATS now thanks to you and want to use it for everything 😅
Glad to hear it. NATS can do so much and I think it’s a great tool to have in your toolbox
Great video! I would like to make a suggestion. I know that the secret key can be created through the CLI. In addition to the secret key, these configurations are best reflected in the cluster configuration file. I think this is more suitable for the vast majority of company-level users.
This is the best conceptual explanation I could find. Thank you. Just subscribed.
Thanks for watching! Glad you got value out of it
NATS will really take off when there is a GUI to manage the clusters. A high level view of your cluster and being able to see the messages too.
Definitely something we are looking into
Exactly, the moment I saw New Relic Pixie GUI I was immediately hooked.
let me guess, it will be pay only
Thank you for this invaluable tutorial. I look forward to the next episode.
Great video Jeremy, especially the demo part!
Great video, I can't wait for the next episodes. Do you plan to make a series about NATS administration?
Lots more videos to come!
Ok, I understood. But
- what about some oidc idp auth? e.g. keycloak
- this is ok for local services, but let's take a mobile client or websocket client, do you distribute those creds with them so anyone can publicly access them? Isn't that a bit short sighted?
Awesome video Jeremy! I was looking for this one, tysm 😄
I'd really like more videos about permission, and maybe JWT structure for user sessions.
You talked about root keys and not using them. What root key and how are they created?
27:12 I'm surprised you didn't need to nsc push in order to narrow the permissions. What exactly denied this operation?
That’s the beauty of using a trust chain. Only account JWTs need to be pushed to the server. Users can be created on the fly and don’t need to be stored anywhere, hence the decentralized part.
@SynadiaCommunications hopefully, with a bit of use, it becomes obvious which operations happen live, immediately, on the production environment, and which operations just manipulate files on your local system with no influence until pushed. Thanks :)
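The trust chain described in the reply above, as an added sketch that is not code from the video, from nsc or from the nats-io/jwt library. It assumes a simplified JSON claim signed with plain Ed25519 (the names `Claim`, `Signed`, `Sign` and `Authorize` are hypothetical; real NATS JWTs use nkeys and a JWT envelope) and shows why a user claim with narrower permissions is honoured without any push: the server stores only the operator key and the account claims.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
)

// Claim is a simplified stand-in for a NATS JWT (hypothetical format, not the real one).
type Claim struct {
	Subject []byte   `json:"sub"` // public key the claim describes
	Issuer  []byte   `json:"iss"` // public key of the signer
	Pub     []string `json:"pub"` // subjects a user may publish to
}
type Signed struct{ Body, Sig []byte } // serialized claim plus the issuer's signature

func Sign(c Claim, issuer ed25519.PrivateKey) Signed {
	body, _ := json.Marshal(c)
	return Signed{body, ed25519.Sign(issuer, body)}
}

// verify checks the signature first, then parses and requires the named issuer to be `want`.
func verify(s Signed, want []byte) (c Claim, err error) {
	if len(want) != ed25519.PublicKeySize || !ed25519.Verify(want, s.Body, s.Sig) ||
		json.Unmarshal(s.Body, &c) != nil || !bytes.Equal(c.Issuer, want) {
		return Claim{}, errors.New("not signed by expected issuer")
	}
	return c, nil
}

// Authorize is the server's view: operator key + pushed account claims are all it stores.
// The user claim arrives with the connection (the nonce challenge is omitted here).
func Authorize(operator []byte, pushed []Signed, user Signed) (Claim, error) {
	for _, a := range pushed {
		if acct, err := verify(a, operator); err == nil {
			if u, err := verify(user, acct.Subject); err == nil {
				return u, nil
			}
		}
	}
	return Claim{}, errors.New("user not issued by a pushed account")
}

func main() { // constructed keys: operator -> account -> user
	opPub, opKey, _ := ed25519.GenerateKey(nil)
	acPub, acKey, _ := ed25519.GenerateKey(nil)
	uPub, _, _ := ed25519.GenerateKey(nil)
	pushed := []Signed{Sign(Claim{acPub, opPub, nil}, opKey)}
	u, err := Authorize(opPub, pushed, Sign(Claim{uPub, acPub, []string{"orders.read"}}, acKey))
	fmt.Println(u.Pub, err)
}
```

Re-signing the same user key with a different `Pub` list changes what the server enforces on the next connection, while a claim signed by any key other than a pushed account's is rejected.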
This was great! Started looking into this topic a while ago and this sums it up very well.
Could you touch upon jetstream enabled leaf nodes/clusters in the future?
That’s exactly our next episode, stay tuned
Great vid. I wonder what something like authzed/spicedb managed RBAC would look like integrated with this nsc
Nice video. Going from conceptual theory to practical examples is always a great way to get understanding.
I was wondering, is there an API that can be accessed directly? Obviously, the manual work you just did would be automated and using a CLI is sub-optimal. I'd imagine there is an API that can be accessed directly, right? I guess I could go and look it up in the docs, but I'm just "skimming the tech" currently and the question came to mind.
Yeah at the end of the day these are all flat files and some get pushed to a server.
The CLI is built atop a lower level library github.com/nats-io/jwt.
We also have support in Node as well
@SynadiaCommunications So, the CLI is the only way to make access changes?
Great! keep it up!
How do I push the created operator and account to the NATS server without using the NSC tool? I want to do it using Java only. Any reference?
Is there an example of how to work with NSC from a new local environment, for instance using the git?
Hi Jeremy, thanks for the cool video. NATS is really awesome! I have a question considering a schema validation. Are there plans for NATS to offer a built in validation - so that the message is rejected while publishing, if a certain schema the message should comply with is not matched? That would be a great feature :-) Keep up the good work!
why is this not in the documentation, instead you have to manually create a system account etc, push and change the config and all that...
wondering this myself as well, important information left out in documentation, maybe to promote synadia cloud, sigh~
Hello, great video. Can you make one on configuring with Helm, making JetStreams with Helm, in fact using Helm to do clusters and everything?
It all sounds cool and fun until you want to make the NATS system a part of IaC. In this scenario all these steps with nsc feel more like a nightmare.
Hello! How much does paid support cost? I wrote to your email, but you do not answer me.