Skip to main content
Version: 0.82

Partitioned NATS Connections

NATS forms the connective tissue that stitches together all of the wasmCloud hosts within a lattice. Each host requires two connections:

Securing these connections should be a top priority for the security of a lattice. Never rely on the zero trust behavior of other components to properly handle intrusion detection and the blocking of malicious actors.

For information on how to properly secure NATS servers, please consult the NATS documentation on authorization.

info

wasmCloud embraces the decentralized security system based on JSON Web Tokens, accounts, and users that has been part of NATS since the 2.0 release. wasmCloud only supports authentication to NATS using either an anonymous or decentralized JWT-based session.

We strongly recommend using different credentials for the RPC and control interface in production environments, as it prevents compromised credentials from one connection being applied to another.

To counteract any potential eavesdropping activity, ensure TLS is enabled on the NATS server(s).

Using Separate Credentials

wasmCloud hosts create separate connections for the control and RPC subject hierarchies. These connections can use the same server + credentials to connect, or use separate credentials to a common server, or connect to entirely different servers.

Anonymous connections to a leaf node sidecar make sense in some production deploys, but not in others. In particularly sensitive environments, or in a scenario where untrusted workloads are ran, do not use the same set of credentials. Reusing common credentials would allow an untrusted provider—which has access to the RPC subjects—to gain access to and issue commands against the control interface.

warning

Never connect anonymously or without TLS to a remote NATS installation for production uses. Anonymous connections, or those without TLS, are only secure in the sidecar/localhost scenario.

User/Password Authentication Not Supported?

While NATS supports clear text username and password authentication, wasmCloud does not support this method. Instead, wasmCloud supports only anonymous and decentralized authentication (JWT) connections.