Allow dynamic publish permissions based on reply subjects of received msgs. #1081
Conversation
|
I will add support at JWT level after this lands. |
|
Also probably need a test for duplicate reply subjects and resetting of permissions. Also a more explicit test on the pruning. |
| // dynamically, check to see if we are allowed here Avoid pcache. | ||
| // We need to acquire the lock though. | ||
| if !allowed && c.perms.resp != nil { | ||
| c.mu.Lock() |
There was a problem hiding this comment.
That is going to be a problem. pubAllowed is called by canImport that is holding the connection's lock. Let's check that.
There was a problem hiding this comment.
ok will take a closer look.
There was a problem hiding this comment.
But then this means that when invoked from a route, that won't work. That is, if we allow these kind of permissions for routes, then they won't be checked.
There was a problem hiding this comment.
instead, I would have conditionally lock/unlock since in one case we already have the lock, other we don't.
There was a problem hiding this comment.
I disallowed from cluster config.
… msgs Signed-off-by: Derek Collison <derek@nats.io>
This allows a dynamic publish permission to be granted only to subjects that were delivered as reply subjects. We also allow more detailed permission on maximum number of messages that can use the permission and maximum amount of time the permission can be active.
Signed-off-by: Derek Collison derek@nats.io
/cc @nats-io/core