Version: v1.6.1

NATS User Rule

A NATS User Rule is an authorization policy that applies to a NATS user (e.g. a microservice). It defines connection limits, allowed connection types, source restrictions, and which subjects the user can publish to or subscribe to. When a Microservice has NATS access enabled via natsConfig.natsAccess: true and natsConfig.natsRule set to this rule's name, the Controller uses this rule to generate the user's NATS credentials (e.g. JWT or creds file).

For the YAML spec and a short example, see NatsUserRule YAML Specification.

Relation to Applications and microservices

The Application sets spec.natsConfig.natsRule to a NATs Account Rule name (the account). Each Microservice sets natsConfig.natsRule to a NATs User Rule name (the user within that account):

apiVersion: datasance.com/v3
kind: Application
metadata:
  name: foo
spec:
  natsConfig:
    natsAccess: true
    natsRule: test-export # NATs Account Rule name
  microservices:
    - name: bar-1
      ...
      natsConfig:
        natsAccess: true
        natsRule: default-user # NATs User Rule name
---
apiVersion: datasance.com/v3
kind: Microservice
metadata:
  name: box-2
spec:
  agent:
    name: agent-2
  images:
    ...
  container:
    ...
  natsConfig:
    natsAccess: true
    natsRule: default-user
  config: {}
  application: foo

When you deploy an application with spec.natsConfig.natsAccess: true, the Controller automatically generates Account JWTs and puts them into JWT bundle ConfigMaps for NATs instances running on Agents. By default, NATs instances in server mode receive all Account JWTs; NATs instances in leaf mode receive only the JWTs for the application microservices they are running.

The Controller provisions NATs credentials for each microservice using the referenced NATs User Rule; the account is determined by the application's NATs Account Rule. Together, Account Rules and User Rules make it easy to deploy microservices with NATs access without manually managing JWTs.

Main fields

| Field | Description |
|---|---|
| name | Unique name for the rule (1–255 characters). This is the name you use in natsConfig.natsRule. |
| description | Optional description. |

Limits

| Field | Description |
|---|---|
| maxSubscriptions | Max subscriptions (-1 = unlimited). |
| maxPayload | Max payload size (-1 = unlimited). |
| maxData | Max data (-1 = unlimited). |

Connection behaviour

| Field | Description |
|---|---|
| bearerToken | Whether bearer token auth is allowed. |
| proxyRequired | Whether connection via proxy is required. |
| allowedConnectionTypes | Allowed connection types: STANDARD, WEBSOCKET, LEAFNODE, LEAFNODE_WS, MQTT, MQTT_WS, IN_PROCESS. |

Source and time restrictions

| Field | Description |
|---|---|
| src | List of allowed client connection source IPs or CIDRs. |
| times | Optional list of { start, end } time windows when connections are allowed. |
| timesLocation | Timezone for time windows. |

Response and publish/subscribe

| Field | Description |
|---|---|
| respMax | Response max (≥ 0). |
| respTtl | Response TTL (≥ 0). |
| pubAllow | Subject patterns the user is allowed to publish to. |
| pubDeny | Subject patterns the user is denied from publishing to. |
| subAllow | Subject patterns the user is allowed to subscribe to. |
| subDeny | Subject patterns the user is denied from subscribing to. |
| tags | Optional list of tags. |
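The field tables above describe constraints (name length, -1 meaning unlimited, a fixed set of connection types, respMax/respTtl ≥ 0, IP or CIDR entries in src, { start, end } windows in times) that are easy to get wrong in a hand-written manifest. The following added example, which is not part of the Datasance documentation or Controller code, lints a rule spec against those constraints before it is applied. It assumes the spec has already been parsed into a plain dict with the field names from the tables; the sample rule and the lint function are constructed for this illustration, and the subject-pattern checks follow the standard NATS rules (`*` only as a whole token, `>` only as the last token).

```python
import ipaddress

# Constructed sample: a NatsUserRule spec as a plain dict, using the field
# names from the tables above. In practice this comes from the YAML manifest.
SAMPLE_RULE = {
    "name": "orders-user",
    "description": "User-level permissions for orders microservices.",
    "maxSubscriptions": 1000,
    "maxPayload": 262144,
    "maxData": -1,
    "bearerToken": False,
    "proxyRequired": False,
    "allowedConnectionTypes": ["STANDARD", "WEBSOCKET"],
    "src": ["10.0.0.0/8", "192.168.1.10"],
    "times": [{"start": "08:00:00", "end": "18:00:00"}],
    "timesLocation": "Europe/Istanbul",
    "respMax": 10,
    "respTtl": 1000,
    "pubAllow": ["orders.commands.>"],
    "pubDeny": ["private.admin.>"],
    "subAllow": ["orders.events.>"],
    "subDeny": ["internal.audit.>"],
}

# The allowedConnectionTypes enum as listed in the "Connection behaviour" table.
CONNECTION_TYPES = {
    "STANDARD", "WEBSOCKET", "LEAFNODE", "LEAFNODE_WS", "MQTT", "MQTT_WS", "IN_PROCESS",
}


def _is_int(v):
    # bool is a subclass of int in Python; reject it so "true" is not accepted as 1.
    return isinstance(v, int) and not isinstance(v, bool)


def subject_problems(subject):
    """Validate one NATS subject pattern: non-empty dot-separated tokens,
    '*' only as a whole token, '>' only as the whole last token."""
    if not subject:
        return ["empty subject"]
    out = []
    tokens = subject.split(".")
    for i, tok in enumerate(tokens):
        if tok == "":
            out.append(f"{subject!r} has an empty token")
        elif any(c.isspace() for c in tok):
            out.append(f"{subject!r} contains whitespace")
        elif ">" in tok and (tok != ">" or i != len(tokens) - 1):
            out.append(f"{subject!r}: '>' must be the whole last token")
        elif "*" in tok and tok != "*":
            out.append(f"{subject!r}: '*' must be a whole token")
    return out


def lint_rule(rule):
    """Return a list of human-readable problems; an empty list means the rule is well-formed."""
    problems = []
    name = rule.get("name", "")
    if not isinstance(name, str) or not 1 <= len(name) <= 255:
        problems.append("name must be 1-255 characters")
    for f in ("maxSubscriptions", "maxPayload", "maxData"):
        v = rule.get(f, -1)
        if not _is_int(v) or v < -1:
            problems.append(f"{f} must be -1 (unlimited) or a non-negative integer")
    for f in ("respMax", "respTtl"):
        v = rule.get(f, 0)
        if not _is_int(v) or v < 0:
            problems.append(f"{f} must be >= 0")
    for f in ("bearerToken", "proxyRequired"):
        if not isinstance(rule.get(f, False), bool):
            problems.append(f"{f} must be a boolean")
    for ct in rule.get("allowedConnectionTypes", []):
        if ct not in CONNECTION_TYPES:
            problems.append(f"unknown connection type {ct!r}")
    for s in rule.get("src", []):
        try:
            ipaddress.ip_network(s, strict=False)  # accepts a bare IP or a CIDR
        except ValueError:
            problems.append(f"src entry {s!r} is not a valid IP or CIDR")
    for w in rule.get("times", []):
        if not isinstance(w, dict) or "start" not in w or "end" not in w:
            problems.append("each times entry needs start and end")
    for f in ("pubAllow", "pubDeny", "subAllow", "subDeny"):
        for subj in rule.get(f, []):
            problems.extend(f"{f}: {p}" for p in subject_problems(subj))
    # A pattern listed in both allow and deny is legal but almost always a mistake.
    for allow, deny in (("pubAllow", "pubDeny"), ("subAllow", "subDeny")):
        for subj in set(rule.get(allow, [])) & set(rule.get(deny, [])):
            problems.append(f"{subj!r} is in both {allow} and {deny}")
    return problems


if __name__ == "__main__":
    for p in lint_rule(SAMPLE_RULE) or ["rule is well-formed"]:
        print(p)
```

Running the lint in a CI step before `kubectl apply` (or the equivalent potctl deploy) catches a rule that the Controller would otherwise reject at admission time, or worse, accept with a wider source range or connection type than intended.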

Predefined user rules

The Controller ships with three predefined NATs User Rules: default-user, default-leaf-user, and default-mqtt-user. You cannot edit or delete them.

  • default-user: Used for microservices or external users when no rule is specified.
  • default-leaf-user: Used for NATs instances in leaf mode that connect remotely to NATs servers by default.
  • default-mqtt-user: Used for microservices or external users connecting via MQTT to NATs instances. MQTT users do not receive a creds file; they authenticate to the NATs MQTT port using the user JWT.
apiVersion: datasance.com/v3
kind: NatsUserRule
metadata:
  name: default-user
spec:
  description: Default microservice user rule
  maxSubscriptions: -1
  maxPayload: -1
  maxData: -1
  bearerToken: false
  allowedConnectionTypes:
    - STANDARD
    - WEBSOCKET
---
apiVersion: datasance.com/v3
kind: NatsUserRule
metadata:
  name: default-leaf-user
spec:
  description: Default leaf node user rule for remote connection from leaf to server
  maxSubscriptions: -1
  maxPayload: -1
  maxData: -1
  bearerToken: false
  allowedConnectionTypes:
    - LEAFNODE
    - WEBSOCKET
---
apiVersion: datasance.com/v3
kind: NatsUserRule
metadata:
  name: default-mqtt-user
spec:
  description: Default MQTT bearer user rule
  maxSubscriptions: -1
  maxPayload: -1
  maxData: -1
  bearerToken: true
  allowedConnectionTypes:
    - MQTT
    - STANDARD

Example (NatsUserRule YAML)

apiVersion: datasance.com/v3
kind: NatsUserRule
metadata:
  name: test-mqtt-user
spec:
  description: Test MQTT bearer user rule
  maxSubscriptions: -1
  maxPayload: -1
  maxData: -1
  bearerToken: true
  allowedConnectionTypes:
    - MQTT
    - STANDARD
  pubAllow:
    - foo.>
    - bar.>
  pubDeny:
    - barz.>
  subAllow:
    - fooz.>
  subDeny:
    - barz.>

apiVersion: datasance.com/v3
kind: NatsUserRule
metadata:
  name: test-user-rule
spec:
  description: User-level permissions for orders microservices.
  maxSubscriptions: 1000
  maxPayload: 262144
  maxData: -1
  bearerToken: false
  allowedConnectionTypes:
    - STANDARD
    - WEBSOCKET
  pubAllow:
    - orders.commands.>
  pubDeny:
    - private.admin.>
  subAllow:
    - orders.events.>
    - shared.events.>
  subDeny:
    - internal.audit.>
---
apiVersion: datasance.com/v3
kind: NatsUserRule
metadata:
  name: test-user
spec:
  description: Test microservice user rule
  maxSubscriptions: -1
  maxPayload: -1
  maxData: -1
  bearerToken: false
  allowedConnectionTypes:
    - STANDARD
    - WEBSOCKET
    - LEAFNODE
    - MQTT
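The pubAllow/pubDeny and subAllow/subDeny lists in the examples above only say what the Controller puts into the user JWT; whether a concrete subject is actually permitted depends on NATS wildcard matching and on the precedence of deny over allow. The following added example, not part of the Datasance documentation or code, evaluates those lists the way the NATS server does, using the test-mqtt-user and test-user-rule examples above as input. It assumes the standard NATS semantics: `*` matches exactly one token, `>` matches one or more trailing tokens, a matching deny entry wins over any allow entry, and an empty allow list (as in test-user, which has no lists at all) permits every subject. The rule dicts are constructed copies of the YAML above.

```python
# Constructed copies of the permissioned example rules above, as dicts.
TEST_MQTT_USER = {
    "pubAllow": ["foo.>", "bar.>"],
    "pubDeny": ["barz.>"],
    "subAllow": ["fooz.>"],
    "subDeny": ["barz.>"],
}
TEST_USER_RULE = {
    "pubAllow": ["orders.commands.>"],
    "pubDeny": ["private.admin.>"],
    "subAllow": ["orders.events.>", "shared.events.>"],
    "subDeny": ["internal.audit.>"],
}
# A rule without any pub/sub lists, like test-user above.
OPEN_RULE = {}


def subject_matches(pattern, subject):
    """NATS wildcard matching: '*' matches exactly one token and '>' matches
    one or more trailing tokens; every other token must match literally."""
    p_tokens = pattern.split(".")
    s_tokens = subject.split(".")
    for i, p in enumerate(p_tokens):
        if p == ">":
            # '>' is only valid as the last pattern token and needs at least one subject token left.
            return i == len(p_tokens) - 1 and len(s_tokens) > i
        if i >= len(s_tokens):
            return False
        if p != "*" and p != s_tokens[i]:
            return False
    return len(p_tokens) == len(s_tokens)


def _permitted(allow, deny, subject):
    # Deny takes precedence; an empty allow list means "allow everything not denied".
    if any(subject_matches(p, subject) for p in deny):
        return False
    if not allow:
        return True
    return any(subject_matches(p, subject) for p in allow)


def can_publish(rule, subject):
    return _permitted(rule.get("pubAllow", []), rule.get("pubDeny", []), subject)


def can_subscribe(rule, subject):
    # The subscription subject is matched as written, so a subscription broader
    # than every allow pattern (e.g. "orders.>" against "orders.events.>") is rejected.
    return _permitted(rule.get("subAllow", []), rule.get("subDeny", []), subject)


def decisions(rule, subjects):
    """Map each subject to its (publish, subscribe) decision under the rule."""
    return {s: (can_publish(rule, s), can_subscribe(rule, s)) for s in subjects}


if __name__ == "__main__":
    probe = ["foo.orders.created", "foo", "barz.x", "fooz.a", "baz.x"]
    for subj, (pub, sub) in decisions(TEST_MQTT_USER, probe).items():
        print(f"{subj:20} publish={pub!s:5} subscribe={sub!s:5}")
```

Two results are worth noticing when reviewing a rule: `foo` alone is not covered by `foo.>` (the `>` needs at least one further token), and a deny entry such as `barz.>` blocks the subject even if a later change adds it to the allow list, so tightening a rule is safest through the deny lists.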

Create a NATs User Rule with the desired permissions and limits, then reference it in your Microservice spec with natsConfig.natsRule. See NATs JWT Authentication for how the Controller issues credentials.
