At the start of 2018, the team set a course to provide additional security options, secure multi-tenancy, and larger network options for NATS to name just a few. The team succeeded in delivering all of these and more.
Nkeys, an encoded Ed25519 key pair allows for the NATS system to have no knowledge whatsoever of a user’s private keys. The NATS client libraries sign a challenge nonce from the server to provide identity and wipe the secret key from the client’s memory. The private key is never exposed or even transmitted to the NATS servers.
JWTs are now supported to allow decentralized management for authentication and authorization. This means you no longer have to change a NATS server’s configuration file to add or delete users or change their individual permissions. These can all be represented in the JWTs.
Think of Accounts as containers for messaging. Accounts provide a secure context to communicate among multiple users of the same Account without having messages travel outside of the Account domain. This allows multiple organizations, users, or companies to utilize a shared infrastructure while remaining isolated and secure, greatly reducing operational costs.
Operators and Users accompany Accounts and can be represented through signed JWTs and be managed decentrally, with the NATS servers only needing to be configured with the Operators they should trust. Operators can have multiple signing keys, therefore never exposing the master Operator private key. Operators sign for Accounts, and Accounts sign for Users.
While Accounts default to create isolated communication contexts, we believe the real power of Accounts is when you can securely and selectively share between Accounts. This led the team to introduce streams and services.
Streams and Services can be shared among Accounts and can be public, or require authorization from the source Account owner. We feel these will open up a tremendous opportunity for future collaboration and are one of the key tenants to utilizing very large and shared NATS infrastructures. These are also a key tenant to Synadia’s global offering, NGS. With a broad range of streams and services available for new customers, NGS will become a needed global communication tool for modern architectures.
To form even larger networks we needed to develop and offer additional topologies beyond what we had at the beginning of 2018. We have delivered on one new topology, internally called gateways, that allow for superclusters to be formed. Think of these as clusters of clusters. These are highly resilient, self-healing, and take a different approach to interest graph and data propagation. We will follow up with more information and details on superclusters in a future newsletter.
2018 was a great year, and we ask for a bit of patience as we try to catch up on the documentation for all of these new features. Rest assured it is a top priority for us for the beginning of 2019.
Speaking of 2019, we have some ambitious goals entering the new year. We believe NATS will be the technology to connect all of the world’s digital systems, services, and devices. From the Cloud, to Edge, and IoT.
Our goals for 2019 include expanding NATS while maintaining its core philosophy. NATS will continue to be easy to use and operate, will remain secure by default, be extremely performant, self-healing, and be ubiquitous across different platforms from Cloud, to Edge to IoT.
In 2019 you will see several major additions and changes to the NATS.io ecosystem
We are honored to have expanded the NATS maintainer team to include Brian Shannan @brianshannan, Charlie Strawn @charliestrawn, Lev Brouk @levb, Paulo Pires @pires, and R.I. Pienaar @ripienaar. It is an amazing community to be a part of and we expect that to become even better. The world of OSS is changing and evolving and we are committed to having NATS be one of the best OSS projects and ecosystems around, providing tremendous value to our users.
We are beyond thrilled for what we have achieved together in 2018, and even more excited about what 2019 has in store for us!