event-gateway

command

v0.0.0-...-7cac148 Latest Latest Go to latest Published: May 21, 2024 License: Apache-2.0 Imports: 3 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/chef/automate

Links

Open Source Insights

README ¶

Event Gateway

Event Gateway is the external-facing NATS instance that allows external clients to submit messages to Automate. Currently it is used by habitat clients to send applications-related data to the applications service.

Much like Automate Gateway does for HTTP protocol clients, Automate Event Gateway handles authentication and authorization for NATS protocol clients.

Our NATS architecture looks like this:


                ------------       ------------------
hab client -----| NATS (gw) |----- | NATS (internal)|---- domain services
                -------------      ------------------
                      |                    | |
                      |                    | |
                      |              ----------------
                --------------       |NATS STREAMING|
                | A2 AuthN/Z |       |is a client of|
                --------------       |NATS          |
                                     ----------------

We have the following requirements for external clients:

"normal" TLS, i.e., the hostname is the CN, no client certs required, etc.
uses existing Automate authentication/authorization mechanisms (at this time that means tokens which get verified by auth-service)

For internal clients:

authenticate with each other using mutual TLS; clients must provide certificates
expect the CN of the certificate to match the service name (e.g., "event-service")

Research showed that it would be extremely difficult or impossible to meet all of these requirements with just one instance of NATS for various reasons, therefore we have one for each set of clients. The two NATS instances communicate on a separate NATS gateway protocol that runs on a different port. Connections to the gateway port are secured with mTLS.

Authentication

Event Gateway only supports tokens. External NATS clients should configure an authentication token in the manner supported by the NATS library used. When using the go client, the token may be encoded in the URL, like nats://[email protected]:4222.

Automate Authorization

The design of NATS requires that Automate-level authorization is checked when a client attempts to connect. We must also set NATS-level authorization permissions at this time (see below). This means that we must determine the set of authorized actions for clients ahead of time, instead of when an action is attempted.

It is assumed that the only purpose for external clients to connect to this service is to submit data for ingest, therefore incoming connection requests are checked for authorization on a hard-coded set of ingest-related permissions.

NATS Authorization

As described above, permissions to actions on NATS resources (i.e., publishing or subcribing to a topic) must be set at connection time. Currently we assume that clients are only connecting for the purpose of publishing applications (hab) data for consumption by the applications-service. We therefore restrict clients to the set of publish/subscribe permissions necessary for publishing to the relevant topics via the NATS-streaming protocol.

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

event-gateway.go

Directories ¶

Path	Synopsis
commands

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL