Query regarding "nats edit user --allow-sub"


Kavish Mehta

Mar 7, 2023, 12:55:54 AM
to nats
Hi All,

I have a query for the Authorization on subject level
I have 2 users b1 and b2 in same account, and a stream created named "orders"

I want to allow subscription only to a specific subject say "orders.us" for user b2.

I did the following 
$ nsc edit user b1 --allow-sub "orders.us"

Now when I do (nats context is set to user b1)
$ nats sub --stream orders orders.us
10:48:35 Unexpected NATS error from server nats://0.0.0.0:4222: nats: Permissions Violation for Subscription to "_INBOX.t5lymRwE6cfKOPFVpWsxzj"
10:48:35 Unexpected NATS error from server nats://0.0.0.0:4222: nats: Permissions Violation for Subscription to "_INBOX.t5lymRwE6cfKOPFVpWsy3F.*"

And when I do
$ nsc edit user b1 --deny-sub "orders.us"

I am still able to subscribe to the above subject,

Can anyone please help me and let me know what I am doing wrong

Thanks 
Kavish Mehta

Kavish Mehta

Mar 7, 2023, 1:39:38 AM
to nats
For the --allow-sub subscription, If I add
$ nsc edit user b1 --allow-sub "_INBOX.>"

I am able to receive messages on orders.us, but it allows every other subject as well that I can subscribe to, say orders.ab

Alberto Ricart

Mar 7, 2023, 9:34:50 AM
to nats
That is because you correctly enabled permissions for responses, but the subtlety here is that JetStream messages are not delivered on the subject that they were published, so the permissioning mechanism you are trying to impose won't do it. Messages for JetStream are delivered to the inbox subscription even when the subject is set to something else - only protocol messages from JetStream will have a subject that matches the inbox.
What you need to do is specify a filter on each of the consumers for the subject hierarchy you want - note current versions of nats-server only allow a single filter (2.10? will enable multiple filters per consumer).

As for preventing subjects on a stream to NOT be processed by one of the consumers, the permissions bit won't help, might need to segregate into a different stream, or have permissions where the client doesn't have permission for jetstream apis, so it can only bind to the consumer, etc.
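The following is an added example, not code from this thread or from the NATS project. It models the two mechanisms the reply above distinguishes: the server's allow/deny check, which is applied to the subject a client subscribes to (for a JetStream consumer that is an `_INBOX.*` subject, not the stream subject), and a consumer filter subject, which decides which stored messages are forwarded to that inbox. Subject matching follows the documented NATS rules (`*` matches one token, `>` matches one or more trailing tokens); the handling of wildcards inside the subscription subject itself is simplified, and the inbox id, stream contents and helper names are constructed for illustration.

```python
# Added example, not code from the thread or the NATS project.
# It models two server-side mechanisms:
#   1. subscription permission checks, applied to the subject the client
#      SUBSCRIBES to (for JetStream, an _INBOX.* subject),
#   2. a JetStream consumer filter subject, which selects which stream
#      messages are delivered to that inbox.
# Subject matching follows the documented NATS rules: tokens are separated
# by '.', '*' matches exactly one token, '>' matches one or more trailing
# tokens. Wildcards inside the subscription subject are handled in a
# simplified way (a '*' token in the subscription is only covered by a '*'
# or '>' token in the allow pattern). Inbox ids and messages are constructed.

from typing import Dict, List, Tuple


def subject_matches(pattern: str, subject: str) -> bool:
    """Return True if a NATS pattern ('orders.*', '_INBOX.>') covers subject."""
    p_tokens = pattern.split(".")
    s_tokens = subject.split(".")
    for i, p in enumerate(p_tokens):
        if p == ">":
            # '>' is only valid as the last token and needs at least one
            # further subject token to match
            return i == len(p_tokens) - 1 and len(s_tokens) > i
        if i >= len(s_tokens):
            return False
        if p != "*" and p != s_tokens[i]:
            return False
    return len(p_tokens) == len(s_tokens)


def subscription_allowed(subject: str, allow: List[str], deny: List[str]) -> bool:
    """Evaluate subscribe permissions as nsc --allow-sub/--deny-sub set them:
    a deny entry always wins; an empty allow list permits everything else."""
    if any(subject_matches(d, subject) for d in deny):
        return False
    if not allow:
        return True
    return any(subject_matches(a, subject) for a in allow)


def cli_subscriptions(inbox_id: str) -> List[str]:
    """Subjects a JetStream client subscribes to when it consumes a stream:
    a reply inbox for the JS API calls and a wildcard deliver inbox.
    The inbox id is a constructed placeholder."""
    return [f"_INBOX.{inbox_id}", f"_INBOX.{inbox_id}.*"]


def check_stream_client(allow: List[str], deny: List[str],
                        inbox_id: str = "EXAMPLEINBOX") -> Dict[str, bool]:
    """Map each subject the client subscribes to -> whether the server allows it."""
    return {s: subscription_allowed(s, allow, deny) for s in cli_subscriptions(inbox_id)}


def deliver_via_consumer(stream_messages: List[Tuple[str, str]],
                         filter_subject: str,
                         deliver_subject: str) -> List[Tuple[str, str, str]]:
    """Model a push consumer: only messages whose ORIGINAL subject matches the
    consumer filter are forwarded, and they arrive on the deliver subject.
    Returns (subject the client receives on, original subject, payload)."""
    return [(deliver_subject, subj, data)
            for subj, data in stream_messages
            if subject_matches(filter_subject, subj)]


# Constructed contents of the 'orders' stream.
ORDERS_STREAM = [
    ("orders.us", "us-order-1"),
    ("orders.ab", "ab-order-1"),
    ("orders.us", "us-order-2"),
]

if __name__ == "__main__":
    # 1. allow-sub "orders.us" only: both inbox subscriptions are rejected,
    #    which is the Permissions Violation shown in the first post.
    print(check_stream_client(allow=["orders.us"], deny=[]))
    # 2. allow-sub "_INBOX.>": the inbox subscriptions succeed, and a
    #    deny-sub on "orders.us" changes nothing, because the client never
    #    subscribes to "orders.us" itself.
    print(check_stream_client(allow=["_INBOX.>"], deny=["orders.us"]))
    # 3. What actually narrows delivery is the consumer's filter subject.
    for recv_on, orig, data in deliver_via_consumer(ORDERS_STREAM, "orders.us",
                                                     "_INBOX.EXAMPLEINBOX.1"):
        print(f"received on {recv_on}: {orig} -> {data}")
```

Running it shows both `_INBOX` subscriptions denied under an `orders.us`-only allow list, both permitted once `_INBOX.>` is allowed regardless of a deny on `orders.us`, and only the `orders.us` messages forwarded when the consumer filter is `orders.us`; that is the reason the reply points at consumer filters (or separate streams) rather than subscribe permissions for restricting which stream subjects a user sees.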