From e453d78f4a5bfd1cbb3cadebfc3dde3c7a7a2377 Mon Sep 17 00:00:00 2001
From: ainsley
Date: Mon, 21 May 2018 11:21:46 -0500
Subject: [PATCH 1/3] Update to gnatsd/README.md fixing authorization section addressing issue #662 "_INBOX.>" permission
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 70109de0..a1a85507 100644
--- a/README.md
+++ b/README.md
@@ -555,7 +555,7 @@ authorization {
 }
 REQUESTOR = {
 publish = ["req.foo", "req.bar"]
- subscribe = "_INBOX.*"
+ subscribe = "_INBOX.>"
 }
 DEFAULT_PERMISSIONS = {
 publish = "SANDBOX.*"
@@ -577,7 +577,7 @@ Bob is REQUESTOR and can publish requests on subjects "req.foo" or "req.bar", an
 Joe has no permission grant and therefore inherits the default permission set. You set the inherited default permissions by assigning them to the `default_permissions` entry inside of the `authorization` configuration block.
-Note that `_INBOX.*` subscribe permissions must be granted in order to use the request APIs in Apcera supported clients. If an unauthorized client publishes or attempts to subscribe to a subject, the action fails and is logged at the server, and an error message is returned to the client.
+Note that `_INBOX.>` subscribe permissions must be granted in order to use the request APIs in Synadia supported clients. If an unauthorized client publishes or attempts to subscribe to a subject, the action fails and is logged at the server, and an error message is returned to the client.
 ### TLS
From 523bddd328889e719f8fa23eadc7c03015668ed8 Mon Sep 17 00:00:00 2001
From: ainsley
Date: Tue, 22 May 2018 14:41:04 -0500
Subject: [PATCH 2/3] Update to gnatsd/README.md fixing authorization section addressing issue #662 "_INBOX.>" permission [ci skip]
---
 README.md | 30 +++++++++++++++++++-----------
 1 file changed, 19 insertions(+), 11 deletions(-)
diff --git a/README.md b/README.md
index a1a85507..5214f7aa 100644
--- a/README.md
+++ b/README.md
@@ -521,9 +521,10 @@ For example:
 authorization {
 PASS: abcdefghijklmnopqrstuvwxwz0123456789
 users = [
- {user: alice, password: foo, permissions: $ADMIN}
- {user: bob, password: bar, permissions: $REQUESTOR}
- {user: joe, password: $PASS}
+ {user: joe, password: foo, permissions: $ADMIN}
+ {user: alice, password: bar, permissions: $REQUESTOR}
+ {user: bob, password: $PASS, permissions: $RESPONDER}
+ {user: charlie, password: bar}
 ]
 }
 ```
@@ -545,7 +546,7 @@ authorization {
 }
 ```
-Here is an example authorization configuration that defines three users, two of whom are assigned explicit permissions.
+Here is an example authorization configuration that defines four users, three of whom are assigned explicit permissions.
 ```
 authorization {
@@ -557,6 +558,10 @@ authorization {
 publish = ["req.foo", "req.bar"]
 subscribe = "_INBOX.>"
 }
+ RESPONDER = {
+ subscribe = ["req.foo", "req.bar"]
+ publish = "_INBOX.>"
+ }
 DEFAULT_PERMISSIONS = {
 publish = "SANDBOX.*"
 subscribe = ["PUBLIC.>", "_INBOX.>"]
@@ -564,20 +569,23 @@ authorization {
 PASS: abcdefghijklmnopqrstuvwxwz0123456789
 users = [
- {user: alice, password: foo, permissions: $ADMIN}
- {user: bob, password: bar, permissions: $REQUESTOR}
- {user: joe, password: $PASS}
+ {user: joe, password: foo, permissions: $ADMIN}
+ {user: alice, password: bar, permissions: $REQUESTOR}
+ {user: bob, password: $PASS, permissions: $RESPONDER}
+ {user: charlie, password: bar}
 ]
 }
 ```
-Since Alice is an ADMIN she can publish/subscribe on any subject. We use the wildcard “>” to match any subject.
+Since Joe is an ADMIN he can publish/subscribe on any subject. We use the wildcard “>” to match any subject.
-Bob is REQUESTOR and can publish requests on subjects "req.foo" or "req.bar", and subscribe to anything that is a response ("_INBOX.*").
+Alice is a REQUESTOR and can publish requests on subjects "req.foo" or "req.bar", and subscribe to anything that is a response ("_INBOX.>").
-Joe has no permission grant and therefore inherits the default permission set. You set the inherited default permissions by assigning them to the `default_permissions` entry inside of the `authorization` configuration block.
+Charlie has no permissions granted and therefore inherits the default permission set. You set the inherited default permissions by assigning them to the default_permissions entry inside of the authorization configuration block.
-Note that `_INBOX.>` subscribe permissions must be granted in order to use the request APIs in Synadia supported clients. If an unauthorized client publishes or attempts to subscribe to a subject, the action fails and is logged at the server, and an error message is returned to the client.
+Bob is a RESPONDER to any of Alice's requests, so Bob needs to be able to subscribe to the request subjects and respond to Alice's reply subject which will be an _INBOX.>.
+
+Important to note, NATS Authorizations are whitelist only, meaning in order to not break request/reply patterns you need to add rules as above with Alice and Bob for the _INBOX.> pattern. If an unauthorized client publishes or attempts to subscribe to a subject that has not been whitelisted, the action fails and is logged at the server, and an error message is returned to the client.
 ### TLS
From 504ae06ad64df472ac02588b8935eb2454d20f7c Mon Sep 17 00:00:00 2001
From: ainsley
Date: Tue, 22 May 2018 15:39:50 -0500
Subject: [PATCH 3/3] Update to gnatsd/README.md fixing authorization section addressing issue #662 "_INBOX.>" permission [ci skip]
---
 README.md | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/README.md b/README.md
index 5214f7aa..ab8aee1e 100644
--- a/README.md
+++ b/README.md
@@ -521,9 +521,9 @@ For example:
 authorization {
 PASS: abcdefghijklmnopqrstuvwxwz0123456789
 users = [
- {user: joe, password: foo, permissions: $ADMIN}
- {user: alice, password: bar, permissions: $REQUESTOR}
- {user: bob, password: $PASS, permissions: $RESPONDER}
+ {user: joe, password: foo, permissions: $ADMIN}
+ {user: alice, password: bar, permissions: $REQUESTOR}
+ {user: bob, password: $PASS, permissions: $RESPONDER}
 {user: charlie, password: bar}
 ]
 }
@@ -559,8 +559,8 @@ authorization {
 subscribe = "_INBOX.>"
 }
 RESPONDER = {
- subscribe = ["req.foo", "req.bar"]
- publish = "_INBOX.>"
+ subscribe = ["req.foo", "req.bar"]
+ publish = "_INBOX.>"
 }
 DEFAULT_PERMISSIONS = {
 publish = "SANDBOX.*"
@@ -569,10 +569,10 @@ authorization {
 PASS: abcdefghijklmnopqrstuvwxwz0123456789
 users = [
- {user: joe, password: foo, permissions: $ADMIN}
- {user: alice, password: bar, permissions: $REQUESTOR}
- {user: bob, password: $PASS, permissions: $RESPONDER}
- {user: charlie, password: bar}
+ {user: joe, password: foo, permissions: $ADMIN}
+ {user: alice, password: bar, permissions: $REQUESTOR}
+ {user: bob, password: $PASS, permissions: $RESPONDER}
+ {user: charlie, password: bar}
 ]
 }
 ```