Struggling with source JetStream on leaf nodes


Mike Cardwell

Nov 22, 2023, 3:38:40 PM
to nats
I'm trying to get JetStream working with Leaf nodes. I'm new to NATS. Please point out my various misunderstandings/misconfigurations:

My test environment is as follows:

1. A master NATS node

```
server_name: hzmaster
listen: 127.0.0.1:4222
http: 8222
jetstream: {
    domain: hzmaster
    store_dir: "js"
}
include resolver.conf
leafnodes {
    port: 7422;
}
```

2. A leaf NATS node

```
server_name: demo_1
listen: 127.0.0.1:4223
http: 8223
jetstream: {
    domain: demo_1
    store_dir: "js"
}
leafnodes {
    remotes = [
        {
            url = "nats://127.0.0.1:7422"
            credentials = "~/.local/share/nats/nsc/keys/creds/Hardenize/Appliance/demo_1.creds"
        }
    ]
}
```

I set up an Operator, Account and a user named demo_1, all using nsc. I create another user named "app" which I use for connecting to the master node to do the following:

1. Create a jetstream named 'to_leaf' catching messages matching subjects 'appliance.>'

2. Publish two messages. One to 'appliance.demo_1' and one to 'appliance.demo_2'. A 'nats stream ls' shows the stream has 2 messages in it.

I then connect to the leaf NATS node and create a source stream named 'from_app', with --source 'to_leaf'. When asked about domain, I set the domain to 'hzmaster'.

Now, what I am trying to do is make it so that messages published to `appliance.demo_1` on the master node are replicated to a stream on the leaf node. So if I give user `demo_1` --allow-sub `appliance.demo_1`, I expected the source stream to contain one message: the one that was published on the master to `appliance.demo_1`. What I am getting though is zero messages. I've tried giving demo_1 permission to pubsub `$JS.>` and `_INBOX.>` and that didn't help. Still no messages in the source stream. *However*, if I give `--allow-pubsub '>'` to demo_1, then the source stream finally gets populated, but with *all* messages. I only want messages for `appliance.demo_1` in there.

I tried making it so that the master node only captures `appliance.demo_1` messages instead of `appliance.>`, but it's still the case that no messages arrive at the source stream unless I `--allow-pubsub '>'`.

Have I misunderstood something about how source streams work? Permissions? Authentication? Domains? JetStream?
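As an added illustration (not code from the original post), the setup described above expressed against the JetStream API: a `to_leaf` stream on `appliance.>`, a `from_app` stream that sources it across the `hzmaster` domain with `filter_subject` narrowing it to `appliance.demo_1`, and NATS subject-wildcard matching to show which of the two published messages each stream would hold. It assumes the `$JS.<domain>.API` prefix convention and the `filter_subject` source field, and it only models stream configuration, not the account permissions the question is about.

```python
import json

def subject_matches(pattern: str, subject: str) -> bool:
    """NATS subject matching: '*' matches exactly one token,
    '>' (only valid as the last token) matches one or more trailing tokens."""
    ptoks, stoks = pattern.split("."), subject.split(".")
    for i, p in enumerate(ptoks):
        if p == ">":
            return i < len(stoks)          # '>' must match at least one token
        if i >= len(stoks) or (p != "*" and p != stoks[i]):
            return False
    return len(ptoks) == len(stoks)

def upstream_stream_config(name: str, subjects: list) -> dict:
    """Stream capturing published subjects, like 'to_leaf' on the master."""
    return {"name": name, "subjects": subjects, "retention": "limits", "storage": "file"}

def sourced_stream_config(name, source_stream, source_domain, filter_subject=None) -> dict:
    """Stream that sources another stream living in a different JetStream domain.
    The source's API prefix is '$JS.<domain>.API' (assumed convention);
    'filter_subject' restricts which of the source's messages are pulled."""
    src = {"name": source_stream, "external": {"api": f"$JS.{source_domain}.API"}}
    if filter_subject:
        src["filter_subject"] = filter_subject
    return {"name": name, "sources": [src], "retention": "limits", "storage": "file"}

def stream_create_request(cfg: dict):
    """JetStream API request (subject, JSON body) that creates a stream."""
    return f"$JS.API.STREAM.CREATE.{cfg['name']}", json.dumps(cfg)

def replicated_subjects(upstream: dict, sourced: dict, published: list) -> list:
    """Which published subjects end up in the sourced stream: the upstream
    stream must capture them first, then the source filter must match."""
    captured = [s for s in published
                if any(subject_matches(p, s) for p in upstream["subjects"])]
    filt = sourced["sources"][0].get("filter_subject")
    return [s for s in captured if filt is None or subject_matches(filt, s)]

if __name__ == "__main__":
    to_leaf = upstream_stream_config("to_leaf", ["appliance.>"])
    from_app = sourced_stream_config("from_app", "to_leaf", "hzmaster", "appliance.demo_1")
    published = ["appliance.demo_1", "appliance.demo_2"]   # constructed sample messages
    print(stream_create_request(from_app))
    print(replicated_subjects(to_leaf, from_app, published))  # ['appliance.demo_1']
```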