Authentication & Authorisation

[rcrowe]

Two use cases identified

• Who is consuming (authentication)
• Restrict who can publish (authorisation)

Authentication

As the number of consumers has grown & the ability to do so is not restricted we've been unable to keep track. When an issue arises or we have to coordinate changes (for example, as we've been making changes to the underlying nats streaming cluster) it's been helpful to chat with other teams/consumers.

An identifier could also be used in metrics (who's consuming/publishing the most) or logs (which client caused a repeatable server panic).

I played with 2 ideas for identifying a client

1. Client ID. An identifying token over a gRPC TLS connection.
2. Mutual TLS. Identify the client through the cert.

ACL

The main driver for authentication has been to implement ACL on the publishing side of things. We should be able to restrict who can publish back into the stream.

An example spike looks like...

func NewStreamServerInterceptor(auth authorisor) grpc.StreamServerInterceptor {
	return func(srv interface{}, stream grpc.ServerStream, info *grpc.StreamServerInfo, handler grpc.StreamHandler) error {
		newCtx, err := auth.Authorise(stream.Context(), info.FullMethod)
		if err != nil {
			return err
		}

		wrapped := grpc_middleware.WrapServerStream(stream)
		wrapped.WrappedContext = newCtx
		return handler(srv, wrapped)
	}
}

func (a *BasicAuthorisor) Authorise(ctx context.Context, method string) (context.Context, error) {
	if !a.SecureConsume && !a.SecurePublish {
		return ctx, nil
	}

	token, err := grpc_auth.AuthFromMD(ctx, "basic")
	if err != nil {
		return nil, err
	}

	client, err := a.clientFromToken(token)
	if err != nil {
		return ctx, grpc.Errorf(codes.Unauthenticated, "Unable to identifiy client with token `%s`", token)
	}

	// Client has been authenticated, that's enough to consume
	// Now check client is authorised to publish
	if a.SecurePublish && strings.Contains(strings.ToLower(method), "publish") && !client.acl.publish {
		return ctx, grpc.Errorf(codes.PermissionDenied, "Client `%s` has no permission to publish", token)
	}

	return ctx, nil
}

[simonhdickson]

Am I interested in reviving this issue, but also introducing the ability to lock down consume/publish on a per-topic basis as well.

Potentially have some kind of config file that would have contain access rights for different roles clients? (being optional if you choose not to use this feature)