nats-rest-config-proxy

Users with nkeys are getting merged

Open augustin4s opened this issue 2 years ago • 0 comments

When using NKeys authentication and adding multiple users with different permissions, they are being merged.

Example of how to reproduce:

  1. Create guest and admin permissions

guest

{
  "publish": {
    "allow": ["v1.organization.*.intro", "v1.organization.*.error"]
  },
  "subscribe": {
    "allow": ["_INBOX.>"]
  }
}

admin

{
  "publish": {
    "allow": [">"]
  },
  "subscribe": {
    "allow": [">"]
  }
}

  2. Create guest and admin users with NKeys authentication and bind their permissions

{
  "nkey": "UCM2BMGMMVT5O2LURJIOE6UAZDVI4CPAEDV2XMGVXPJXWHEROD4OWGM4",
  "account": "default",
  "permissions": "guest"
}

{
  "nkey": "UAQ5KSHAAN4XXL2XDEZP36S63NYS2OMVXBXBOBJR5XDKPDI2RH3Z3WX7",
  "account": "default",
  "permissions": "admin"
}

  3. Publish configuration

Resulting auth.json

$ cat config/current/auth.json
{
  "users": [
    {
      "nkey": "UCM2BMGMMVT5O2LURJIOE6UAZDVI4CPAEDV2XMGVXPJXWHEROD4OWGM4",
      "permissions": {
        "publish": {
          "allow": [
            ">",
            "v1.organization.*.intro",
            "v1.organization.*.error"
          ]
        },
        "subscribe": {
          "allow": [
            ">",
            "_INBOX.>"
          ]
        }
      }
    }
  ]
}

As you can see, guest and admin permissions are merged. The admin user cannot connect, as the NKey is that of a guest user. An Authorization Violation error is seen in the NATS logs.

I proposed a solution for this in PR #63.

@wallyqs

augustin4s, May 10 '23 07:05
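
A post-publish check for the merge described in this issue, added here as an example; it is not part of the original issue or of the nats-rest-config-proxy code base. It compares each declared user with its entry in the generated `auth.json` and reports users that are missing or that carry rules their bound permission set never declared. The `PERMISSIONS`/`USERS` layout and the `flatten` and `audit` names are assumptions made for this example.

```python
import json

# Constructed inputs taken from the issue; the dict/list layout is an assumption.
PERMISSIONS = {
    "guest": {"publish": {"allow": ["v1.organization.*.intro", "v1.organization.*.error"]},
              "subscribe": {"allow": ["_INBOX.>"]}},
    "admin": {"publish": {"allow": [">"]}, "subscribe": {"allow": [">"]}},
}
GUEST = "UCM2BMGMMVT5O2LURJIOE6UAZDVI4CPAEDV2XMGVXPJXWHEROD4OWGM4"
ADMIN = "UAQ5KSHAAN4XXL2XDEZP36S63NYS2OMVXBXBOBJR5XDKPDI2RH3Z3WX7"
USERS = [{"nkey": GUEST, "account": "default", "permissions": "guest"},
         {"nkey": ADMIN, "account": "default", "permissions": "admin"}]
# The merged auth.json reported in the issue, compacted.
AUTH_JSON = json.dumps({"users": [{"nkey": GUEST, "permissions": {
    "publish": {"allow": [">", "v1.organization.*.intro", "v1.organization.*.error"]},
    "subscribe": {"allow": [">", "_INBOX.>"]}}}]})


def flatten(perms):
    """Turn a permissions object into a set of (action, rule, subject) triples."""
    return {(action, rule, subject)
            for action, rules in perms.items()
            for rule, subjects in rules.items()
            for subject in subjects}


def audit(users, permissions, auth_text):
    """Compare each declared user with its entry in the generated auth.json."""
    generated = {}
    for entry in json.loads(auth_text).get("users", []):
        generated.setdefault(entry.get("nkey"), []).append(entry.get("permissions", {}))
    findings = []
    for user in users:
        key, role = user["nkey"], user["permissions"]
        entries = generated.get(key, [])
        if len(entries) != 1:
            findings.append((key, role, "missing" if not entries else "duplicate", []))
            continue
        want, got = flatten(permissions[role]), flatten(entries[0])
        if got - want:  # rules the role never declared (an extra allow widens privileges)
            findings.append((key, role, "extra", sorted(got - want)))
        if want - got:  # declared rules that were dropped
            findings.append((key, role, "lost", sorted(want - got)))
    return findings


if __name__ == "__main__":
    for finding in audit(USERS, PERMISSIONS, AUTH_JSON):
        print(finding)
```

On the `auth.json` from the issue this reports the guest NKey holding `>` for both publish and subscribe, and the admin NKey as missing.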