From 0d8db1eeb11cf5748694d5bf1618d0c8f346aa3f Mon Sep 17 00:00:00 2001 From: Ginger Collison Date: Wed, 11 Dec 2019 10:56:29 -0600 Subject: [PATCH 1/4] add queue permissions to docs --- developing-with-nats/receiving/queues.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/developing-with-nats/receiving/queues.md b/developing-with-nats/receiving/queues.md index f38f71d..061e820 100644 --- a/developing-with-nats/receiving/queues.md +++ b/developing-with-nats/receiving/queues.md @@ -123,3 +123,24 @@ await nc.subscribe('updates', (err, msg) => { If you run this example with the publish examples that send to `updates`, you will see that one of the instances gets a message while the others you run won't. But the instance that receives the message will change. +## Queue Permissions + +Added in NATS Server v2.1.2, Queue Permissions allow you to express authorization for queue groups. As queue groups are integral to implementing horizontally scalable microservices, control of who is allowed to join a specific queue group is important to the overall security model. + +```text +users = [ + { + user: "foo", permissions: { + sub: { + # Allow plain subscription foo, but only v1 groups or *.dev queue groups + allow: ["foo", "foo v1", "foo v1.>", "foo *.dev"] + + # Prevent queue subscriptions on prod groups + deny: ["> *.prod"] + } + } +]t also queue group called “v1” +allow: [“foo”, “foo v1”] +``` + + From 5e4ec51a40a32cdbfae5912c70ade17870b411d8 Mon Sep 17 00:00:00 2001 From: Waldemar Quevedo Date: Wed, 11 Dec 2019 21:09:50 +0100 Subject: [PATCH 2/4] Apply suggestions from code review --- developing-with-nats/receiving/queues.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/developing-with-nats/receiving/queues.md b/developing-with-nats/receiving/queues.md index 061e820..b529e77 100644 --- a/developing-with-nats/receiving/queues.md +++ b/developing-with-nats/receiving/queues.md 
@@ -127,6 +127,10 @@ If you run this example with the publish examples that send to `updates`, you wi Added in NATS Server v2.1.2, Queue Permissions allow you to express authorization for queue groups. As queue groups are integral to implementing horizontally scalable microservices, control of who is allowed to join a specific queue group is important to the overall security model. +A Queue Permission can be defined with the syntax ` `, where the name of the queue can also use wildcards, for example the following would allow clients to join queue groups v1 and v2.*, but won't allow plain subscriptions: + +```hcl +allow = ["foo v1", "foo v2.*"] ```text users = [ { @@ -143,4 +147,3 @@ users = [ allow: [“foo”, “foo v1”] ``` - From ea7e6a4d5fb708dc4ec798e48e643090776021f6 Mon Sep 17 00:00:00 2001 From: Waldemar Quevedo Date: Wed, 11 Dec 2019 21:10:10 +0100 Subject: [PATCH 3/4] Update developing-with-nats/receiving/queues.md --- developing-with-nats/receiving/queues.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/developing-with-nats/receiving/queues.md b/developing-with-nats/receiving/queues.md index b529e77..5d3b6f9 100644 --- a/developing-with-nats/receiving/queues.md +++ b/developing-with-nats/receiving/queues.md @@ -143,7 +143,6 @@ users = [ deny: ["> *.prod"] } } -]t also queue group called “v1” +] allow: [“foo”, “foo v1”] ``` - From 3c119265b012e2aa3c500218a59c340f8733f6be Mon Sep 17 00:00:00 2001 From: Waldemar Quevedo Date: Wed, 11 Dec 2019 22:38:16 +0100 Subject: [PATCH 4/4] Update queues.md --- developing-with-nats/receiving/queues.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/developing-with-nats/receiving/queues.md b/developing-with-nats/receiving/queues.md index 5d3b6f9..0212f3e 100644 --- a/developing-with-nats/receiving/queues.md +++ b/developing-with-nats/receiving/queues.md 
@@ -131,6 +131,16 @@ A Queue Permission can be defined with the syntax ` `, where the ```hcl allow = ["foo v1", "foo v2.*"] +``` + +The full wildcard can also be used, for example the following would prevent plain subscriptions on `bar` but allow the client to join any queue: + +``` +allow = ["bar >"] +``` + +Permissions for Queue Subscriptions can be combined with plain subscriptions as well though, for example you could allow plain subscriptions on `foo` but constrain the queues to which a client can join, as well a preventing any service from using a queue subscription with the name `*.prod`: + ```text users = [ { @@ -144,5 +154,4 @@ users = [ } } ] -allow: [“foo”, “foo v1”] ```
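Review bot: In the first hunk of PATCH 1/4 (`@@ -123,3 +123,24 @@`), the `users` block is not balanced: the user object opened by `{` after `users = [` is never closed, since the only closing braces are the two for `sub` and `permissions` before `]`, and the stray tail `]t also queue group called "v1"` plus the trailing `allow: ["foo", "foo v1"]` line (typeset with curly quotes) are leftovers that would not parse as server configuration. Suggest closing the object with an extra `}` before `]`, dropping the two stray lines, and tagging the fence consistently with the other config examples in the file.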
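Review bot: In the first hunk of PATCH 2/4 (`@@ -127,6 +127,10 @@`), the sentence "A Queue Permission can be defined with the syntax ` `" has an empty inline code span, so the reader never sees the subject/queue form the rest of the section relies on; fill in the syntax literal before merging. The same hunk opens a ```hcl fence for `allow = ["foo v1", "foo v2.*"]` but adds no closing fence, so the following ```text line ends the hcl block instead of starting the `users` example.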
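Review bot: In the first hunk of PATCH 4/4 (`@@ -131,6 +131,16 @@`), the new paragraph should state which rule wins when a queue subscription matches both lists, because the example immediately below has that overlap: a subscription to `foo` with queue `v1.prod` matches `"foo v1.>"` in `allow` and `"> *.prod"` in `deny`, and the prose only says the intent is to prevent `*.prod` queues. Also fix "as well a preventing" to "as well as preventing", and use one fence tag for the three config snippets (`hcl`, bare, and `text` are all used for the same format).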