NATS Weekly #23
Byron Ruth
Published on Apr 25th, 2022
Week of April 18 - 24, 2022
🗞 Announcements, writings, and projects
A short list of announcements, blog posts, projects updates and other news.
️ 💁 News
Random announcements that don't fit into the other categories.
- NATS Server v2.8.0 has been released! See what's new and the full release notes. Note there was a patch release v2.8.1 this week as well (linked below).
- CVE-2022-28357 - Arbitrary file write from the privileged system account. Fixed in nats-server v2.8.0 and nats-streaming-server v0.24.4.
⚡Releases
Official releases from NATS repos and others in the ecosystem.
- nats-io/nats.rs - nats v0.19.0 and async-nats v0.11.0
- nats-io/natscli - v0.0.32
- nats-io/k8s - nats v0.16.0
- nats-io/k8s - nats-kafka v0.13.1
- nats-io/nats-streaming-server - v0.24.5
- nats-io/nats-server - v2.8.1
- nats-io/nsc - v2.7.1
- nats-io/jwt.js - v0.0.1
📖 Articles
Blog posts, tutorials, or any other text-based content about NATS.
- Learn nats.io - slide deck by Tamal Saha
💬 Discussions
Github Discussions from various NATS repositories.
- nats-io/nats.go - Modify message deadline/timeout by the natsgo client
- nats-io/nats.py - Broken pipe error if the task takes too much time
💡 Recently asked questions
Questions sourced from Slack, Twitter, or individuals. Responses and examples are in my own words, unless otherwise noted.
How can I use subject mapping to prepend a token?
This is a tip from Jean-Noel Moyne to introduce an default token when the publish subject is an optional prefix.
Given the subjects events.foo
and special.events.foo
, a subscription of *.events.foo
would only match the latter. If a client ommitted the prefix token or if you are migrating from an existing subject mapping to require a specific subject hierarchy, then this can be done using subject mapping.
For this specific question, a subject maping from events.foo
to, say, no_prefix.events.foo
could be defined. This logically prepends a token so that a subscription of *.events.foo
now receives messages published to events.foo
.
One thing to keep in mind is choosing a new token that would not conflict with another existing subject. My choice for filling in tokens is to use a single underscore, e.g. _.events.foo
.
Generalizing this pattern, optional tokens could be placed anywhere in the subject, e.g. _.events.foo._
, for example if a suffix token is desired in the future.
How can you disconnect all connections for a specific user?
Two use cases that motivate this need would be operational and/or security related. A fairly straightforward one is handling the case when credentials are compromised and a user needs to either be removed completely or their password/token/key needs to be changed.
Another example would be an organization that has a policy in place that requires a person (or some level of automation) to control which users have access at what time and/or force password/token/key rotation.
NATS has multiple authentication methods, most of which support differentiating users, including:
- list of username/password pairs in the config
authorization
block - list of users identified with nkeys (in the same
authorization
block) - list of accounts with users defined in the server config
- decentralized JWT method which allows for account and user creation outside of the server config via the nsc tool
For the first three methods above, since the users are defined in the server config, forcing a specific user connections to disconnect would require to remove the user from the respective block and then hot reloading the server.
For the JWT method, revocations are built-in with the ability to remove a revocation later if desired. Note, when a recovation is added or removed, the changes need to be pushed to the server to take effect (e.g. nsc push
).
How many different ways can you run a NATS server?
This question is generalized from a user asking how they can run NATS in a testing/development environment.
The tl;dr is that NATS pretty much runs everywhere and with arbitrary topologies, and that is by design.
Here is a brief list of the ways that a NATS server process can run.
- Embedded in your application process if you are using Go. See the server's
test
package for some examples. - Download the binary for your host architecture and run
nats-server
for a single node deployment. This can be on a physical machine/device or in a virtualized host such as a VM or container. Add the-js
option is you want JetStream enabled. Alternately use-c
and provide a config file. - Multiple nodes can be clustered together. For test/dev setups, this could be multiple nodes on the same host (machine or VM) using different ports. This could be used to mimic a production deployment with the same topology, but simplified to remove the need to provision additional servers. For a production setup, each node should be on a separate machine, across zones in the same region.
- Gateways are used to cross region/geographic boundaries. These are clusters that are linked together.
- Leaf nodes are a way to extend an existing cluster with a local authorization policy and/or for scenarios where low latency round trip time (RTT) is desired in the local application. Leaf nodes will transparently communicate with the cluster for subjects that are remote.
Note that all of these extended features like gateways and leaf nodes can be modeled with a set of nats-server
processes on the same physical host. If each node is configured with its own port, they can be networked together using the various configuration blocks to create the topology you desire.