Comments (7)
kozlovic
commented on June 3, 2024
1
This should be addressed with PR #5395. Closing this issue now.
from nats-server.
chezgi
commented on June 3, 2024
or maybe we can add another connection type: Pipe
and we can limit connection type of user to it
from nats-server.
kozlovic
commented on June 3, 2024
@chezgi Adding a new connection type may not be enough because the server would still do network source validation and fail (unless we change that code anyway).
Since one can technically run a server from a process but that server be configured to have listen ports opened and still make InProcess connections (see
Line 2698 in a0fac40
- disable source validation if we detect that the client is in-process
- do source validation but add support for "inprocess" (or "pipe") in the JWT library's CIDR list
One could argue that the JWT configuration/limits should be respected and therefore, adding the "inprocess" CIDR would make more sense? @derekcollison what do you think?
@chezgi By the way, how are you running the server? Are you setting the DontListen option or somehow connect in-process clients without the DontListen option?
from nats-server.
kozlovic
commented on June 3, 2024
@chezgi Or are you saying that you would then add a "PIPE" connection type to that JWT but then remove the CIDR? In other words, you want to use a JWT but want to make sure that only an in-process client can use that JWT?
If you were to configure the server with the DontListen option, you would necessarily limit clients that are in-process (since they would not have any way to connect to this server) and that proposal would be moot. Any reason why you are not running this way?
from nats-server.
chezgi
commented on June 3, 2024
@kozlovic
my usage: i want to use my authorization callout user to be in process.
therefore my jwt must limit this user for only in process connection,
or 127.0.0.1 must interpreted to in process connection type .
server is servicing others from network, therefore DontListen is disabled.
and this user can't have source connection limit. and it is very insecure in this situation.
from nats-server.
kozlovic
commented on June 3, 2024
@chezgi But then this PR (#5395) won't be enough, right? I mean as long as you define a Src limit, in-process connections won't work (even with the PR). If you have to use CIDR, then should you have 2 different JWT: one with CDIR and allow connection type STANDARD) and one with no CDIR and allow connection type IN_PROCESS?
from nats-server.
chezgi
commented on June 3, 2024
@kozlovic
if i can limit user jwt to only IN_PROCESS connection type, it works for me.
from nats-server.
Related Issues (20)
- '408 Request Timeout' instead of '404 No Messages' from $JS.API.CONSUMER.MSG.NEXT.<stream>.<consumer> HOT 4
- NATS Deleting Recovered Stream as Orphaned HOT 5
- Interest retention doesn't drop messages if not captured by consumer FilterSubjects HOT 3
- Performance degradation HOT 2
- Comment at end of config file is a parse error HOT 6
- Explicit server route connection retry does not backoff HOT 1
- Dynamic append headers for clients messages HOT 4
- Add support for inline configuration in CLI
- Embedded nats servers with opt.LogFile have no logging HOT 2
- Consumer not receiving messages when power off and restart, consumer's ack floor is ahead of stream's last sequence HOT 12
- Connection between Leafnode and Core NATS over satellite link fails to get established
- NATS Cluster - Dynamically del node HOT 3
- Durable Consumer Does not Consume From Last Message Per Subject HOT 3
- Abnormal NATS write load associated with a specific jetstream HOT 2
- Jetstream KV Cluster loosing data after nodes restart/ HOT 4
- Add the time zone designator to the time when `logtime_utc` is enabled
- WorkQueue jetstream messages are not deleted on non-leader nodes when used as mirror source
- Too many CPU/System resource used after many consumer created in idle cluster HOT 2
- Healthcheck fails when JetStream account is removed from configuration HOT 6
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from nats-server.