nats-io / nats-server

High-Performance server for NATS.io, the cloud and edge native messaging system.
https://nats.io
Apache License 2.0
15.53k stars 1.39k forks

dynamic url-based permissions #5184

Open tarasglek opened 6 months ago

tarasglek commented 6 months ago

Proposed change

In the web service world it's easy to write a proxy that does URL-based rules to enforce authorization in a single place. E.g. user joe can only access ws://myservice/r/parent.topic. or ws://myservice/[rw]+/.topic.*

It would be great if the NATS server could offer a feature for dynamic URL-based permissions. E.g. a URL that the NATS server receives would define rw access and topic pattern.

We specced out a similar feature in wsbroad https://github.com/vi/wsbroad/issues/2#issuecomment-1681153966

This would allow defining who can subscribe/write to a topic entirely outside of NATS.

Use case

Contribution

no

ripienaar commented 6 months ago

I suspect we're unlikely to support such a scheme in the server itself - there are always more to support! - we have created a way to externalize authentication to your own code that could solve this.

https://docs.nats.io/running-a-nats-service/configuration/securing_nats/auth_callout
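An added example, not code from this thread or from the nats-server project: a sketch of the URL-to-permissions mapping the issue asks for, written as the kind of check an external authorization service could run before deciding what to grant. The URL layout `/<mode>/<subject>`, the reading of `r` as subscribe and `w` as publish, and the names `Perms`, `validSubject` and `PermsFromURL` are all assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Perms holds publish/subscribe allow lists (hypothetical type for this example).
type Perms struct{ PubAllow, SubAllow []string }

// validSubject accepts dot-separated, non-empty tokens without whitespace;
// "*" and ">" are allowed only as whole tokens, and ">" only as the last token.
func validSubject(s string) bool {
	tokens := strings.Split(s, ".")
	for i, t := range tokens {
		if t == "" || strings.ContainsAny(t, " \t\r\n") ||
			(len(t) > 1 && strings.ContainsAny(t, "*>")) || (t == ">" && i != len(tokens)-1) {
			return false
		}
	}
	return true
}

// PermsFromURL maps scheme://host/<mode>/<subject> to Perms and fails closed on anything else.
func PermsFromURL(raw string) (Perms, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return Perms{}, err
	}
	parts := strings.Split(strings.TrimPrefix(u.Path, "/"), "/") // u.Path is already percent-decoded
	if len(parts) != 2 || !validSubject(parts[1]) {
		return Perms{}, errors.New("expected /<mode>/<subject> with a valid subject")
	}
	mode, subj := parts[0], parts[1]
	if mode != "r" && mode != "w" && mode != "rw" {
		return Perms{}, errors.New("mode must be r, w or rw")
	}
	var p Perms
	if strings.Contains(mode, "r") {
		p.SubAllow = []string{subj} // assumption: r grants subscribe
	}
	if strings.Contains(mode, "w") {
		p.PubAllow = []string{subj} // assumption: w grants publish
	}
	return p, nil
}

func main() { fmt.Println(PermsFromURL("ws://myservice/r/parent.topic.*")) } // constructed sample URL
```

Because the path is split after percent-decoding, an encoded slash or space in the subject segment is rejected rather than passed through as part of a subject.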