
Auth - authz #34

Open
gedw99 opened this issue Jul 11, 2022 · 6 comments
Labels
enhancement New feature or request

Comments

@gedw99

gedw99 commented Jul 11, 2022

As far as I can see there isn't any auth or authz in Tarmac.

I generally use NATS for rerouting events into Tarmac. NATS just wants a JWT to control auth and authz.
But even without NATS, Tarmac needs to assert who can do what.

https://github.com/pocketbase/pocketbase looks like a nice solution to this, or at least one way to add auth / authz. It's probable that others might want a different solution, and that's why JWT is loosely coupled.

The cool thing about PocketBase is that it's real-time and simple.

Have a look.

@madflojo
Member

AuthN/Z is definitely something I plan to add. Will look into the best way to implement this.

@madflojo added the enhancement label Jul 28, 2022
@madflojo
Member

With the latest release, there is now Mutual TLS as an auth option (thanks to this issue). BTW, I would love to hear more about how you are using Tarmac (i.e., is it for fun or actual work, is it a POC or in production, etc.).

@gedw99
Author

gedw99 commented Jul 31, 2022

Thanks for the addition of mTLS.

I am experimenting with using Tarmac to allow scientists to build data processing and charting. It's for a biomimicry and open science platform, so that peer review done by both other scientists and the public is reproducible.

The problem it solves is one of transparency. Currently scientists write a paper with detailed explanations of their experiments and thesis, but without the data and logic and charts that they used to come to their conclusions.

I want to help this situation by making it easy to run other scientists' code and data. Most scientists work with data in Excel and do their charts with Excel as well.

The reason for auth and authz is so that a scientist can give access or share their code and data with others.

@gedw99
Author

gedw99 commented Jul 31, 2022

BTW, JWT would be perfect for me because I use NATS as the routing system for events and RPC.

NATS has a full identity and authz system based on JWT. So I can create a user account or service account in NATS and then use the Tarmac JWT to authenticate into the NATS system.

NATS is Golang-based.

https://docs.nats.io/running-a-nats-service/configuration/securing_nats/auth_intro/jwt

@madflojo
Member

madflojo commented Aug 1, 2022

@gedw99 sounds really cool. I will be adding JWT for sure.

@gedw99
Author

gedw99 commented Sep 27, 2022

Consider NATS for the other layers, maybe:

I noticed you have a KV store using Cassandra at https://github.com/madflojo/tarmac/blob/main/pkg/callbacks/kvstore/kvstore.go

Here is a KV store with different drivers, and one of them is NATS: https://github.com/HeavyHorst/easykv

And for durable TLS certs: https://github.com/HeavyHorst/certmagic-nats

NATS also has an object store.

The potent thing here is that the NATS security controls access to ALL of this. Doing authz is one thing, but authorization is hard as it needs to be enforced throughout the stack. NATS does it for you and is highly extensible.

https://github.com/bots-garden/capsule/blob/main/capsulemodule/hostfunctions/nats.go is similar to Capsule and exposes NATS directly as a WASM host function.

Many people also ship logging and metrics over NATS, using a non-durable topic. So then even this gets the NATS security overlay.

Anyway, I don't want to be pushy. I use NATS for many different projects as it's highly reusable.
