NATS 2.0 is the largest feature release since the original code base for the server was released. NATS 2.0 was created to allow a new way of thinking about NATS as a shared utility, solving problems at scale through distributed security, multi-tenancy, larger networks, and secure sharing of data. In this presentation, Derek discusses the motives behind the newest features of NATS and how to leverage them to reduce total cost of ownership, decrease time to value, support extremely large scale deployments, and decentralize security to create secure and easy to manage modern distributed systems.
A New Way of Thinking | NATS 2.0 & Connectivity
1. A New Way of Thinking
NATS 2.0 and Connectivity
2. Derek Collison / @derekcollison
Founder and CEO at Synadia
๏ Creator of NATS
๏ Founder and Former CEO at Apcera
๏ CTO, Chief Architect at VMware
๏ Architected CloudFoundry
๏ Technical Director at Google
๏ SVP and Chief Architect at TIBCO
10. Developing and deploying applications that communicate in distributed
systems can be complex, difficult and costly. A communication
infrastructure should provide features to make this easier including:
● Multiple messaging patterns bundled into one technology
○ Streams and Services
● Location transparency
● Transparent scalability and disaster recovery
● Decoupled producers and consumers
● Synchronous & Asynchronous communications
● Extensible and Open by default
Why is messaging important?
12. NATS is a simple and secure, production-proven messaging
technology for modern distributed systems.
● Scalable Services and Streams
● Easy to use for developers and operators
● Highly Resilient
● Highly Secure
● Extremely lightweight and performant
● Client support for 32+ programming languages
● A CNCF project with Kubernetes and Prometheus integrations
● Originally built to power CloudFoundry. Mature: ~10 years old.
● Applicable in the Cloud, On-Premise, Edge and IoT.
What is NATS?
13. ● Subject-Based routing, not IP
● Message based, not packet or byte streams
● Scalable Services and Streams, same technology
● Natively does N:M with queue delivery. Not just 1:1
● Secure and Isolated, decentralized by design
● Secure Sharing: Exports and Imports of Services and Streams
● Self Healing and Observable
● Capable of being a federated global utility - a Dial Tone
What is NATS?
14. NATS is an always available
dial tone to connect everything
20. ● NATS 2.0 is the largest feature release since the original code.
○ Backward Client compatibility
● Created to allow a new way of thinking about NATS as a secure
shared utility, globally through NGS, within an enterprise, or both.
● NATS now solves problems at scale through distributed security,
multi-tenancy, larger networks, and secure sharing of data.
NATS 2.0 allows new ways of architecting distributed systems,
service meshes and event/data streams.
NATS 2.0 Release
https://nats-io.github.io/docs/whats_new/whats_new_20.html
21. NATS v2
Released on Monday (June 10th, 2019)
Biggest release of the project since it started.
23. ● Accounts are securely isolated communication contexts that allow multi-tenancy.
● Bifurcate technology from business driven use cases
○ Data silos are created by design, not software limitations
● Securely share data between accounts
○ Secure Streams and Services
○ Mutual agreement permits data flow across account boundaries
● Easy, Secure and Cost Effective
○ One NATS deployment for operators to manage
○ Decentralized - Organizations can self-manage
Accounts - Containers for Messaging
24. Service definitions are a secure RPC endpoint
● Export a service to allow other accounts to import
● Import a service to allow requests to be sent securely and seamlessly to
another account
● Use cases include most business applications, certificate generation service,
secure vault, location aware services
Stream definitions allow data flow between accounts
● Export a stream to allow egress
● Import a stream to allow ingress
● Use cases include observability, metrics, data analytics, etc.
...All with zero client configuration or API changes
Services and Streams
25. The system account publishes system messages under established
subject patterns.
Server initiated events:
● $SYS.ACCOUNT.<id>.CONNECT (client connects)
● $SYS.ACCOUNT.<id>.DISCONNECT (client disconnects)
● $SYS.SERVER.ACCOUNT.<id>.CONNS (account connections status)
● $SYS.SERVER.<id>.CLIENT.AUTH.ERR (authentication error)
● $SYS.ACCOUNT.<id>.LEAFNODE.CONNECT (leaf node connects)
● $SYS.ACCOUNT.<id>.LEAFNODE.DISCONNECT (leaf node disconnects)
● $SYS.SERVER.<id>.STATSZ (stats summary)
System Account
26. In addition, other tools with system account privileges can initiate
requests:
● $SYS.REQ.SERVER.<id>.STATSZ (request server stat summary)
● $SYS.REQ.SERVER.PING (discover all servers and metrics)
Secure account servers publish messages when a claim is updated:
● $SYS.ACCOUNT.<id>.CLAIMS.UPDATE
With these few messages you can build useful monitoring and anomaly
detection tools.
System Account - Continued
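The slides above say that a few system account subjects are enough to build monitoring and anomaly detection. The following added example (not code from the presentation or the NATS project) shows the shape of such a tool: it implements NATS subject matching for the `$SYS.ACCOUNT.<id>.CONNECT` and `$SYS.SERVER.<id>.CLIENT.AUTH.ERR` patterns and counts events per id over a constructed sample, flagging servers that cross an authentication-error threshold. The account and server ids (`ACCT_A`, `SRV1`, ...) are placeholders, not real NKeys, and no live server is contacted.

```go
package main

import "strings"

// Constructed sample of subjects seen on the system account; ids are placeholders.
var SampleEvents = []string{
	"$SYS.ACCOUNT.ACCT_A.CONNECT",
	"$SYS.ACCOUNT.ACCT_A.CONNECT",
	"$SYS.ACCOUNT.ACCT_B.CONNECT",
	"$SYS.ACCOUNT.ACCT_B.LEAFNODE.CONNECT",
	"$SYS.SERVER.SRV1.CLIENT.AUTH.ERR",
	"$SYS.SERVER.SRV1.CLIENT.AUTH.ERR",
	"$SYS.SERVER.SRV2.CLIENT.AUTH.ERR",
}

// SubjectMatch applies NATS matching: '*' matches exactly one token, '>' one or more trailing tokens.
func SubjectMatch(pattern, subject string) bool {
	p, s := strings.Split(pattern, "."), strings.Split(subject, ".")
	for i, tok := range p {
		if tok == ">" {
			return len(s) > i
		}
		if i >= len(s) || (tok != "*" && tok != s[i]) {
			return false
		}
	}
	return len(p) == len(s)
}

// CountByToken counts events matching pattern, keyed by the token at index idx (the <id> slot above).
func CountByToken(events []string, pattern string, idx int) map[string]int {
	counts := map[string]int{}
	for _, subj := range events {
		if SubjectMatch(pattern, subj) {
			counts[strings.Split(subj, ".")[idx]]++
		}
	}
	return counts
}

// NoisyServers keeps only servers whose CLIENT.AUTH.ERR count reaches threshold.
func NoisyServers(events []string, threshold int) map[string]int {
	noisy := map[string]int{}
	for id, n := range CountByToken(events, "$SYS.SERVER.*.CLIENT.AUTH.ERR", 2) {
		if n >= threshold {
			noisy[id] = n
		}
	}
	return noisy
}
```

In a real tool the events would arrive from a subscription on `$SYS.>` made with system account credentials; the counting and thresholding logic stays the same.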
28. ● Client and server connections reconnect automatically
● Auto-Discovery automatically exchanges server topology
■ Server ⇆ Server
■ Server → Client
○ Zero configuration changes, zero downtime
○ Dynamic and entirely transparent to applications
● Clients can failover to new servers that weren’t originally configured
● NATS server clusters dynamically adjust to new or removed servers
○ Used for rolling upgrades and scaling (up or down).
● NATS is deployment, cloud and geo agnostic.
Low Touch Operations - NATS Self-Healing
29. Superclusters
Create clusters of clusters to create a truly global NATS network
● Novel spline-based technology
● Optimistic sends with interest graph pruning
● Transparent, intelligent support for geo-distributed queue subscribers
32. ● Leaf nodes allow hub and spoke topologies to extend superclusters.
● Leaf nodes allow you to bridge separate security domains. e.g. IoT,
mobile, POS, Web.
● Ideal for edge computing, IoT hubs, or data centers that need to be
connected to a global, regional, or national NATS deployment.
● Transparently bridge on-premise and cloud or edge deployments.
● Have your cake and eat it too!
Leaf Nodes
40. ● Full TLS Support: CA certificates, bidirectional support, default to most
secure ciphers.
○ Support for DN or SAN in certificates for NATS user identity
● Support for standard user/password auth
● Permissions restrict who can send and receive on what subjects
● Change these through configuration reload at runtime with zero downtime.
● Operator Mode - NATS >= 2.0
NATS Security Today
41. NATS 2.0 Security consists of defining Operators, Accounts, and Users within a
NATS deployment.
● Operator: Root of trust for the system, e.g. an enterprise operator.
○ Create Accounts for account administrators. An account represents an
organization with a secure context within the NATS deployment, for example
a VAS system, an IT system monitoring group, a set of microservices, etc.
Account creation would likely be managed by a central group.
● Accounts define limits and may securely export and import services and
streams
○ Account managers create and manage Users with permissions
● Users have specific credentials and permissions.
Operator Mode - Decentralized
42. PKI (NKeys: encoded Ed25519 keys) and signed JWTs create a hierarchy of Operators,
Accounts, and Users, forming a scalable and flexible distributed security mechanism.
● An Operator is represented by a self-signed JWT, which is the only thing that
must be configured in the server.
○ Operators sign Account JWTs with various signing keys.
○ Accounts sign User JWTs, again with various signing keys.
● Clients or leaf nodes present User credentials and a signed nonce when
connecting.
○ The server uses resolvers to obtain JWTs and verify the client trust chain.
This allows permissions, authentication, limits, etc. to be changed rapidly in a secure
multi-tenant NATS system.
Decentralized Security Management
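To make the trust chain on slides 41 and 42 concrete, here is an added example (not NATS or Synadia code) that models it with plain Ed25519 from the Go standard library: an operator self-signs its key, issues an account, the account issues a user, and the server, configured with nothing but the operator public key, verifies account, user and the signed connect nonce in that order. The `Claim` type is a stand-in for a NATS JWT and deliberately omits the real encoding, expiry, limits and signing-key rotation; NKeys are base32-encoded Ed25519 keys, not the raw bytes used here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Claim stands in for a signed NATS JWT: a subject key, the issuer that vouches
// for it, and the issuer's signature over the subject key (no expiry or limits).
type Claim struct {
	Subject, Issuer ed25519.PublicKey
	Sig             []byte
}

// Issue creates a key pair and a claim for it signed by issuer (operator -> account,
// account -> user). Pass nil to create the self-signed operator root of trust.
func Issue(issuer ed25519.PrivateKey) (ed25519.PrivateKey, Claim) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	if issuer == nil {
		issuer = priv // self-signed: the operator vouches for itself
	}
	issuerPub := issuer.Public().(ed25519.PublicKey)
	return priv, Claim{pub, issuerPub, ed25519.Sign(issuer, pub)}
}

// VerifyConnect is the server side. trusted is the only key configured in the server;
// the account claim must chain to it, the user claim to the account, and the nonce
// (the server's connect challenge) must be signed by the user key.
func VerifyConnect(trusted ed25519.PublicKey, account, user Claim, nonce, sig []byte) error {
	if !account.Issuer.Equal(trusted) || !ed25519.Verify(trusted, account.Subject, account.Sig) {
		return errors.New("account not issued by trusted operator")
	}
	if !user.Issuer.Equal(account.Subject) || !ed25519.Verify(account.Subject, user.Subject, user.Sig) {
		return errors.New("user not issued by account")
	}
	if !ed25519.Verify(user.Subject, nonce, sig) {
		return errors.New("nonce not signed by user key")
	}
	return nil
}
```

Because only the operator key is static, an account can be re-issued with new limits, or a user revoked, without touching server configuration; a chain rooted in any other operator fails at the first check.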
43. ╭────────────────────────────────────────────────────────────────────────╮
│ Operator Details │
├─────────────┬──────────────────────────────────────────────────────────┤
│ Name │ Synadia │
│ Operator ID │ OCDFJINL65FTXNLUB3GODXY3MTCOUFJWC23HONKXNGLZ4SCQRBSFWECQ │
│ Issuer ID │ OCDFJINL65FTXNLUB3GODXY3MTCOUFJWC23HONKXNGLZ4SCQRBSFWECQ │
│ Issued │ 2019-05-13 16:17:29 UTC │
│ Expires │ │
╰─────────────┴──────────────────────────────────────────────────────────╯
Operator JWT
44. ╭──────────────────────────────────────────────────────────────────────────────────────╮
│ Account Details │
├───────────────────────────┬──────────────────────────────────────────────────────────┤
│ Name │ Microservices-1 │
│ Account ID │ AAHC5D6GVMRI753MOVEIEV2LVR3C7GUCYLAOHQH5DL5V7M6CXSYGWZRK │
│ Issuer ID │ OCDFJINL65FTXNLUB3GODXY3MTCOUFJWC23HONKXNGLZ4SCQRBSFWECQ │
│ Issued │ 2019-05-14 01:21:19 UTC │
│ Expires │ │
├───────────────────────────┼──────────────────────────────────────────────────────────┤
│ Max Connections │ Unlimited │
│ Max Leaf Node Connections │ Unlimited │
│ Max Data │ Unlimited │
│ Max Exports │ Unlimited │
│ Max Imports │ Unlimited │
│ Max Msg Payload │ Unlimited │
│ Max Subscriptions │ Unlimited │
│ Exports Allows Wildcards │ True │
├───────────────────────────┼──────────────────────────────────────────────────────────┤
│ Exports │ None │
╰───────────────────────────┴──────────────────────────────────────────────────────────╯
╭───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│ Imports │
├───────────────┬─────────┬─────────────────┬─────────────────┬─────────┬──────────────────────────────────────────────────────────┬────────┤
│ Name │ Type │ Remote │ Local │ Expires │ From Account │ Public │
├───────────────┼─────────┼─────────────────┼─────────────────┼─────────┼──────────────────────────────────────────────────────────┼────────┤
│ SvcControl │ Service │ svc.control │ svc.control.1 │ │ ACOAYG5E4EWOE3VJ26RTQFD3QNOL2JA5EMEWHVM5RDKHYQAOEAIO35PS │ Yes │
╰───────────────┴─────────┴─────────────────┴─────────────────┴─────────┴──────────────────────────────────────────────────────────┴────────╯
Account JWT
51. Roadmap 2019-2020
Our roadmap represents coming features lined up for the future of NATS. We are excited to bring these advances to the NATS
community and look forward to your valuable input. Please contact us at info@nats.io or join our Slack channel with any
questions, comments, or requests.