Updates/nats tenant int cont #2627
No reviewers
Labels
No labels
1week
2weeks
Failed compliance check
IP cameras
NATS
Possible security concern
Review effort 1/5
Review effort 2/5
Review effort 3/5
Review effort 4/5
Review effort 5/5
UI
aardvark
accessibility
amd64
api
arm64
auth
back-end
bgp
blog
bug
build
checkers
ci-cd
cleanup
cnpg
codex
core
dependencies
device-management
documentation
duplicate
dusk
ebpf
enhancement
eta 1d
eta 1hr
eta 3d
eta 3hr
feature
fieldsurvey
github_actions
go
good first issue
help wanted
invalid
javascript
k8s
log-collector
mapper
mtr
needs-triage
netflow
network-sweep
observability
oracle
otel
plug-in
proton
python
question
reddit
redhat
research
rperf
rperf-checker
rust
sdk
security
serviceradar-agent
serviceradar-agent-gateway
serviceradar-web
serviceradar-web-ng
siem
snmp
sysmon
topology
ubiquiti
wasm
wontfix
zen-engine
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
carverauto/serviceradar!2627
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "refs/pull/2627/head"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Imported from GitHub pull request.
Original GitHub pull request: #2219
Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/pull/2219
Original created: 2026-01-02T04:14:05Z
Original updated: 2026-01-02T21:23:14Z
Original head: carverauto/serviceradar:updates/nats-tenant-int-cont
Original base: testing
Original merged: 2026-01-02T21:23:12Z by @mfreeman451
User description
IMPORTANT: Please sign the Developer Certificate of Origin
Thank you for your contribution to ServiceRadar. Please note, when contributing, the developer must include
a DCO sign-off statement indicating the DCO acceptance in one commit message. Here
is an example DCO Signed-off-by line in a commit message:
Describe your changes
Issue ticket number and link
Code checklist before requesting a review
PR Type
Enhancement, Tests
Description
NATS tenant integration and account management: Comprehensive implementation of NATS operator bootstrap, tenant account creation, and user credential generation with JWT signing capabilities
Multi-tenant identity extraction: New tenant context propagation system extracting tenant information from mTLS certificates and injecting it into gRPC request contexts
NATS credentials file support: Added credentials file configuration across all services (Go, Rust, Elixir) for authenticated NATS connections
gRPC NATSAccountService: Stateless service providing operator bootstrap, account creation, user credential generation, and JWT signing with mTLS authorization
CLI enhancements: New
nats-bootstrapandadmin natscommands for operator initialization, tenant account management, and token generationEdge onboarding package management: Elixir-based CRUD operations for onboarding packages with tenant certificate generation, token management, and audit event tracking
Tenant-aware NATS subjects: Event publisher support for dynamic tenant prefix application to NATS subjects based on context
Comprehensive test coverage: Unit tests for account management, user credentials, operator key generation, tenant parsing, and event prefixing
Configuration updates: Added NATS operator and credentials file configuration fields across datasvc, consumers, and collector services
Diagram Walkthrough
File Walkthrough
1 files
nats_account.pb.go
NATS account management protobuf generated codeproto/nats_account.pb.go
credentials
account/user JWT operations
and JWT signing
26 files
nats_bootstrap.go
NATS bootstrap CLI implementation and account managementpkg/cli/nats_bootstrap.go
tenant account creation
operator JWT, seeds, and credentials
configurable permissions
listing
cli.go
Admin command handler and CLI registrationpkg/cli/cli.go
AdminHandlerto dispatch nested admin commands with support foradmin natssubcommandsnats-bootstrapandadminhandlers in the command parsernats_account_service.go
NATS Account Service Implementation with JWT Operationspkg/datasvc/nats_account_service.go
NATSAccountServergRPC service for stateless NATS JWT/NKeyscryptographic operations
credential generation, and JWT signing
authorizeRequest()and extracts clientidentity from peer certificates
$SYStopics
operator.go
NATS Operator Key Management and Bootstrappkg/nats/accounts/operator.go
Operatortype for managing NATS operator keys and JWTsigning operations
BootstrapOperator()function to initialize new or importexisting operator keys
key pairs
environment variables, or files
server.go
gRPC Server Tenant Context Extractionpkg/grpc/server.go
TenantInterceptor()to extract tenant information from peercertificates
available to other interceptors
tenant.go
Multi-tenant identity extraction from mTLS certificatespkg/tenant/tenant.go
CNs
format validation
utilities
files
nats_config.go
NATS server configuration generation and collector setuppkg/edgeonboarding/nats_config.go
credentials
and clustering support
(flowgger, trapd, netflow, otel)
account_manager.go
NATS tenant account creation and JWT signingpkg/nats/accounts/account_manager.go
signing
user_manager.go
NATS user credential generation with role-based permissionspkg/nats/accounts/user_manager.go
(collector, service, admin)
cases
events.go
Tenant-aware NATS event subject prefixingpkg/natsutil/events.go
variable control
context
main.go
NATS account service integration in data servicescmd/data-services/main.go
environment
capability
edge_onboarding.go
Collector package and NATS credential modelspkg/models/edge_onboarding.go
ready, etc.)
management
nats.go
NATS credentials file support in datasvc connectionpkg/datasvc/nats.go
credsFilefield to NATSStore for credential file supportUserCredentialsoption when creds file isconfigured
loading
rbac.go
Certificate subject identity extraction improvementpkg/datasvc/rbac.go
subjectIdentityfunction for extracting identity fromcertificate subject
main.go
CLI command dispatch for NATS bootstrap and admincmd/cli/main.go
nats-bootstrapcommanddispatchAdminCommandfunction for routing admin subcommandsadmin natscommand routingservice.go
NATS credentials file support in netflow consumerpkg/consumers/netflow/service.go
events.go
NATS credentials file support in core event publisherpkg/core/events.go
kv_client.go
NATS credentials file support in KV clientpkg/config/kv_client.go
KV_NATS_CREDS_FILEis setmain.rs
NATS credentials file support in trapd servicecmd/trapd/src/main.rs
SecurityMode::Mtls
nats_output.rs
NATS credentials file support in flowgger outputcmd/flowgger/src/flowgger/output/nats_output.rs
creds_filefield to NATSConfig structurenats_output.rs
NATS credentials file support in OpenTelemetry outputcmd/otel/src/nats_output.rs
creds_filefield to NATSConfig with default Nonenats.rs
NATS credentials file support in zen NATS connectioncmd/consumers/zen/src/nats.rs
watch.rs
KV watch initial snapshot optimizationrust/config-bootstrap/src/watch.rs
notifications
bootstrap
changes
setup.rs
NATS credentials file debug loggingcmd/otel/src/setup.rs
onboarding_packages.ex
Edge onboarding package management with tenant certificateselixir/serviceradar_core/lib/serviceradar/edge/onboarding_packages.ex
CRUD operations
support
encryption
onboarding_event.ex
Edge onboarding audit event resourceelixir/serviceradar_core/lib/serviceradar/edge/onboarding_event.ex
revoked, deleted)
time-series queries
2 files
kv.pb.go
Protobuf file path normalization in KV serviceproto/kv.pb.go
proto/kv.prototokv.protofile_proto_kv_proto_*tofile_kv_proto_*changes
kv_grpc.pb.go
Proto metadata path correctionproto/kv_grpc.pb.go
proto/kv.prototokv.proto1 files
nats_account_grpc.pb.go
Generated gRPC Protocol Buffer Service Codeproto/nats_account_grpc.pb.go
NATSAccountServiceBootstrapOperator,GetOperatorInfo,CreateTenantAccount,GenerateUserCredentials,SignAccountJWT,PushAccountJWT6 files
nats_account_service_test.go
NATS Account Service Unit Testspkg/datasvc/nats_account_service_test.go
NATSAccountServerwith mocked mTLScontext
operations
inputs
expiration
user_manager_test.go
User Credentials Generation Testspkg/nats/accounts/user_manager_test.go
GenerateUserCredentials()function covering all credentialtypes (collector, service, admin)
generated
account_manager_test.go
Account Signer and Management Testspkg/nats/accounts/account_manager_test.go
AccountSignerand account creation operationstenant_test.go
Tenant Information Parsing and Context Testspkg/tenant/tenant_test.go
(CN)
ParseCN()function with various CN formats and error casesprefixing
operator_test.go
NATS operator key generation and JWT signing testspkg/nats/accounts/operator_test.go
management
environment variables
sources
events_test.go
Tenant prefixing functionality testspkg/natsutil/events_test.go
extraction
9 files
prod.exs
Production Configuration for Elixir Pollerelixir/serviceradar_poller/config/prod.exs
infofor production environmenttypes.go
NATS operator and credentials configuration in datasvcpkg/datasvc/types.go
NATSCredsFileconfiguration field to datasvc ConfigNATSOperatorconfiguration for NATS account management serviceisolation
config.go
NATS credentials file configuration for event writerpkg/consumers/db-event-writer/config.go
NATSCredsFileoptional configuration fieldtypes.go
NATS bootstrap CLI configuration fieldspkg/cli/types.go
and TLS
events.go
NATS credentials file configuration in event modelspkg/models/events.go
CredsFilefield to NATSConfig structurenetflow.go
NATS credentials file configuration in netflow modelspkg/models/netflow.go
NATSCredsFileoptional configuration fieldconfig.rs
NATS credentials file configuration in trapdcmd/trapd/src/config.rs
nats_creds_fileoptional configuration fieldnats_creds_pathmethod for resolving credentials file pathconfig.rs
NATS credentials file configuration in OpenTelemetry collectorcmd/otel/src/config.rs
creds_fileoptional field to NATSConfigTOMLconfig.rs
NATS credentials file configuration in zen consumercmd/consumers/zen/src/config.rs
nats_creds_fileoptional configuration fieldnats_creds_pathmethod for resolving credentials file with pathhandling
2 files
errors.go
NATS bootstrap and admin command error definitionspkg/cli/errors.go
ErrUnknownAdminResourcefor error wrappingerrors.go
NATS resolver and operator error definitionspkg/datasvc/errors.go
101 files
Imported GitHub PR comment.
Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/2219#issuecomment-3704432680
Original created: 2026-01-02T04:15:38Z
PR Compliance Guide 🔍
Below is a summary of compliance checks for this PR:
Secret material exposure
Description: The new gRPC/proto API surfaces highly sensitive secrets (e.g.,
CreateTenantAccountResponse.account_seed,BootstrapOperatorResponse.operator_seed/system_account_seed, andGenerateUserCredentialsResponse.creds_file_contentwhich contains a JWT + seed), which canenable full account/operator impersonation if any caller is able to invoke/observe these
responses (needs verification that access is strictly mTLS-authenticated/authorized and
responses are never logged or stored unencrypted).
nats_account.pb.go [238-875]
Referred Code
Tenant isolation bypass
Description: Tenant isolation for NATS subjects is controlled by an environment flag and, when enabled,
missing tenant context falls back to
DefaultTenant("default"), which can realisticallycause cross-tenant event publication/consumption (e.g., requests without a tenant in
context publish into the shared default tenant namespace) if tenant context propagation
fails or is bypassed.
events.go [22-236]
Referred Code
🎫 No ticket provided
Codebase context is not defined
Follow the guide to enable codebase context checks.
Generic: Meaningful Naming and Self-Documenting Code
Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting
Status: Passed
Generic: Comprehensive Audit Trails
Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.
Status:
Audit logging unknown: The new NATS operator/account/user management gRPC API is introduced but the diff does not
show any audit logging for these critical security actions, requiring verification in the
service implementation.
Referred Code
Generic: Robust Error Handling and Edge Case Management
Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation
Status:
Missing error context: The new credentials-file connection path relies on
nats.Connectfailures but returns theraw error without adding operation context (e.g., which env var/creds file was used),
requiring review for actionable error reporting.
Referred Code
Generic: Secure Error Handling
Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.
Status:
Error exposure unknown: The new credentials-file-based NATS connection may surface underlying credential/parsing
errors directly to callers, so it requires verification that user-facing layers do not
expose sensitive internal details.
Referred Code
Generic: Secure Logging Practices
Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.
Status:
Secret logging risk: The new API schema includes highly sensitive fields (seeds/JWTs/creds content), so it
requires verification that no service code logs these values at any log level.
Referred Code
Generic: Security-First Input Validation and Data Handling
Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities
Status:
Sensitive data exposure: The new gRPC messages explicitly transmit secrets (
AccountSeed,OperatorSeed,SystemAccountSeed, andCredsFileContent), requiring human verification that transportsecurity, authorization (mTLS), and secure storage/handling guarantees are enforced in the
unseen service code.
Referred Code
Compliance status legend
🟢 - Fully Compliant🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label
Imported GitHub PR comment.
Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/2219#issuecomment-3704433806
Original created: 2026-01-02T04:17:00Z
PR Code Suggestions ✨
Explore these optional code suggestions:
Use pem.Decode for PEM parsing
Replace the manual PEM parsing in
decodePEMwith the standard library'spem.Decodefunction for improved robustness and security.pkg/tenant/tenant.go [252-277]
[To ensure code accuracy, apply this suggestion manually]Suggestion importance[1-10]: 9
__
Why: The suggestion correctly identifies a security and maintainability risk by replacing a custom PEM parser with the robust and secure standard library equivalent, which is a critical best practice.
Return gRPC errors on failure
In
PushAccountJWT, return gRPC status errors for NATS connection and requestfailures instead of embedding error messages in the response body.
pkg/datasvc/nats_account_service.go [743-758]
[To ensure code accuracy, apply this suggestion manually]Suggestion importance[1-10]: 7
__
Why: The suggestion correctly identifies that returning errors within the response body is not idiomatic for gRPC. Adopting standard gRPC error handling improves client-side logic and API consistency.
Use double-checked locking for efficiency
Refactor
BootstrapOperatorto use a double-checked locking pattern. First, use aread lock to check if the operator is initialized, and only acquire a write lock
if it is not.
pkg/datasvc/nats_account_service.go [348-362]
[To ensure code accuracy, apply this suggestion manually]Suggestion importance[1-10]: 6
__
Why: The suggestion correctly proposes using a double-checked locking pattern to improve concurrency by avoiding an exclusive lock for a read-only check, which is a good performance optimization.
Make env check case-insensitive
Make the environment variable check in
IsTenantPrefixEnabledcase-insensitive tocorrectly handle values like "True" or "YES".
pkg/natsutil/events.go [39-42]
[To ensure code accuracy, apply this suggestion manually]Suggestion importance[1-10]: 4
__
Why: The suggestion improves the robustness of environment variable parsing by making it case-insensitive, which is a good practice for user-provided configuration.
Guard against empty config writes
In
WriteOperatorConfig, add a check to ensure theconfigstring is not emptybefore writing it to a file, returning an error if it is.
pkg/datasvc/nats_account_service.go [260-296]
[To ensure code accuracy, apply this suggestion manually]Suggestion importance[1-10]: 2
__
Why: The suggestion adds a defensive check to prevent writing an empty configuration file. While this is a minor improvement for robustness, the current logic makes it unlikely for the
configvariable to be empty ifoperatorJWTis present.Sanitize file name for JWT writes
In
WriteAccountJWT, sanitizeaccountPublicKeyusingfilepath.Basebefore usingit to construct a file path to prevent path traversal vulnerabilities.
pkg/datasvc/nats_account_service.go [315-339]
[To ensure code accuracy, apply this suggestion manually]Suggestion importance[1-10]: 8
__
Why: This suggestion addresses a potential path traversal vulnerability by sanitizing user-controllable input used in a file path. Using
filepath.Baseis a correct and important security measure.Use more restrictive directory permissions
Change the permissions for directories created with
os.MkdirAllfrom0755to amore restrictive
0750to enhance security.pkg/cli/nats_bootstrap.go [318-325]
[To ensure code accuracy, apply this suggestion manually]Suggestion importance[1-10]: 7
__
Why: This is a valid security hardening suggestion to restrict directory permissions from
0755to0750, reducing the risk of information leakage to other users on the system.Fix format string vulnerability in URL construction
To prevent a format string vulnerability, refactor the URL construction at
endpointto use simple string concatenation instead offmt.Sprintfwith auser-controlled format string.
pkg/cli/nats_bootstrap.go [907]
[To ensure code accuracy, apply this suggestion manually]Suggestion importance[1-10]: 5
__
Why: The suggestion correctly identifies a potential format string vulnerability, but the provided
improved_codeis identical to theexisting_codeand does not implement the recommended fix.Validate operator JWT path
Add a validation check in
GenerateNATSConfigto ensureOperatorJWTPathis notempty, returning
ErrOperatorJWTRequiredif it is.pkg/edgeonboarding/nats_config.go [211-218]
[To ensure code accuracy, apply this suggestion manually]Suggestion importance[1-10]: 7
__
Why: The suggestion improves robustness by adding a missing validation check for
OperatorJWTPath, ensuring the function fails early with a clear error.Write platform public key file
In
writePlatformAccountFiles, write the platform account's public key to a.pubfile for consistency with how the system account key is handled.
pkg/cli/nats_bootstrap.go [381-429]
[To ensure code accuracy, apply this suggestion manually]Suggestion importance[1-10]: 6
__
Why: The suggestion improves consistency by writing a
.pubfile for the platform account, similar to the system account, which aids downstream tooling and maintainability.Imported GitHub PR comment.
Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/2219#issuecomment-3704675074
Original created: 2026-01-02T07:34:49Z
CI Feedback 🧐
A test triggered by this PR failed. Here is an AI-generated analysis of the failure:
Action: build
Failed stage: Test [❌]
Failed test name: //web-ng:precommit
Failure summary:
The GitHub Action failed because the Bazel test target
//web-ng:precommitfailed (Exit 1), causingthe overall Bazel run to exit with code 3.
The
//web-ng:precommitfailure was due to Elixir formatting checks:mix formatwas run with--check-formattedand reported unformatted code.- Error:
** (Mix) mix format failed due to--check-formatted. The following files are not formatted:- Offending file shown in the log:
-
src/web-ng/lib/serviceradar_web_ng/edge/collector_bundle_generator.ex- Example formatting issue
around line ~537 (function head wrapping/indentation):
-
defp edge_site_nats_url(%{edge_site:%EdgeSite{nats_leaf_url: url}}) when is_binary(url) and url != "" do- should be split across
lines as shown in the diff.
Relevant error logs: