Enhance ACL Flexibility for JetStream filter_subjects Permissions
Opened this issue · 0 comments
Proposed change
The current ACL system for NATS JetStream lacks the ability to enforce granular restrictions on filter_subjects in consumer configurations. While filter_subject can be controlled via specific permission patterns, there is no equivalent mechanism for filter_subjects. This limitation exposes a potential security gap for users attempting to enforce strict subject-level access controls.
Current Behavior
- Permissions such as
$JS.API.CONSUMER.CREATE.my_stream.*.my_stream.123.>work effectively for filter_subject. - The equivalent does not apply to
filter_subjects, leaving users unable to block or enforce restrictions when multiple subjects are provided.
Expected Behavior
- Deny specific filter_subjects patterns in JetStream consumer creation permissions.
- Allow granular ACLs to restrict or allow filter_subjects configurations similar to filter_subject.
Use case
This feature is critical for setups where external clients should be restricted to subscribing only to specific subjects based on their ID or other identifying patterns, ensuring unauthorized access to other subjects is fully blocked.
This enhancement would greatly benefit users relying on precise access controls in multi-tenant environments.