Does JetStream key-value store support authorization for each user? #3548
Comments
With direct gets by subject, yes, that is possible. You would need to suppress the other access methods to secure it.
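An added example (not from this thread or the NATS project): a small audit of one user's publish allow list against the subjects a KV bucket is reached through, showing why the payload-addressed requests have to stay denied for per-key isolation. The bucket `cfg`, the keys `userA` and `userB`, and both allow lists are constructed; the subject names assume the JetStream conventions `$KV.<bucket>.<key>` and stream `KV_<bucket>`.

```python
# Added example: audit a NATS publish allow list for per-key KV isolation.
# Bucket, key names and allow lists below are constructed for illustration.

def subject_matches(pattern, subject):
    """NATS wildcards: '*' matches one token, '>' matches one or more trailing tokens."""
    p, s = pattern.split("."), subject.split(".")
    for i, tok in enumerate(p):
        if tok == ">":
            return i == len(p) - 1 and len(s) > i
        if i >= len(s) or (tok != "*" and tok != s[i]):
            return False
    return len(p) == len(s)

def key_subjects(bucket, key):
    """Subjects that name exactly one key: the put subject and the direct get by subject."""
    return [f"$KV.{bucket}.{key}",
            f"$JS.API.DIRECT.GET.KV_{bucket}.$KV.{bucket}.{key}"]

def bucket_wide_subjects(bucket):
    """Requests whose key or filter travels in the payload, so a subject
    permission cannot scope them to a single key (the 'other access methods')."""
    stream = f"KV_{bucket}"
    return [f"$JS.API.STREAM.MSG.GET.{stream}",
            f"$JS.API.DIRECT.GET.{stream}",
            f"$JS.API.CONSUMER.CREATE.{stream}"]

def audit(bucket, own_key, other_keys, allow):
    """Return (leaks, missing): subjects the allow list permits but should not,
    and subjects for the user's own key that it fails to permit."""
    def allowed(subject):
        return any(subject_matches(p, subject) for p in allow)
    leaks = [s for s in bucket_wide_subjects(bucket) if allowed(s)]
    for key in other_keys:
        leaks += [s for s in key_subjects(bucket, key) if allowed(s)]
    missing = [s for s in key_subjects(bucket, own_key) if not allowed(s)]
    return leaks, missing

# Constructed allow lists for user A: one scoped per key, one with broad wildcards.
TIGHT = ["$KV.cfg.userA", "$JS.API.DIRECT.GET.KV_cfg.$KV.cfg.userA"]
LOOSE = ["$KV.cfg.>", "$JS.API.>"]

if __name__ == "__main__":
    for name, allow in (("tight", TIGHT), ("loose", LOOSE)):
        leaks, missing = audit("cfg", "userA", ["userB"], allow)
        print(name, "leaks:", leaks, "missing:", missing)
```

The allow lists cover publish permissions only; a client also needs subscribe permission on its reply inbox to receive the responses.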
@derekcollison : Thanks for your suggestion and confirming that it is possible. To prove that, I created a bucket,
Although I've successfully achieved what I want, I do not feel confident in what I've done. I added those subject wildcard patterns simply because the error messages told me that I didn't have permission to access them, not because I understand how to do it. I don't know if subjects like Can the NATS team enhance the key-value store document, so that we can understand how to properly set up key-value store permission for each user? Thanks.
@tomghuang Thanks for calling this out. Defining JS/KV-specific permissions is definitely a bit low-level as of now. Assuming you only need to put and get values from the KV, here is a minimal example that should achieve what you need: https://nats-by-example-q877a1djf-connecteverything.vercel.app/examples/auth/perms/cli (below the code shows the output)
@bruth : Really appreciate the official clearly-explained example. It helps to complete my understanding of the key-value store feature.
I would like to define many permissions per user, so for me it is somewhat difficult to define 3 permissions per key like this:
I would appreciate it if there was a more user-friendly way of defining key-value permissions and object store read and write.
NATS already supports authorization using subject-level permissions on a per-user basis. However, does NATS also support such an authorization mechanism for the key-value store?
For example, can I say user A can only access key A, user B can only access key B, but admin can access all keys?
We want to use JetStream key-value store in a NATS cluster, because NATS can automatically synchronize servers and make sure the key-value store is consistent in the cluster. However, we don't know if we can configure its authorization setting, so that each user can only access some of the keys. Is there any way to achieve this? Thanks.