nats-server
Add creation user to stream information
It may be useful to include information about the user identity (public NKEY) that created a stream in the stream info metadata. This may need to be opt-in for conf style configuration as usernames could be leaked.
This would be useful for auditing purposes and would help track down rogue applications creating unwanted streams.
In operator mode, given the nature of public NKEYS, no PII would be held by the NATS deployment and should be safe to share to a stream info requestor.
cc/ @philpennock
Inside same account sure, we could record something but needs to be applicable to server config and operator mode, and all of our ways to identify a user.
However, in a setup where the request originates from another account, we cannot force that level of sharing to be present. It's opt in. We opt an account in by default for the 1st hop from SYS to user account for JS, but it's up to the importing account when user account to user account and whether they want to share or not.
It does not provide a full audit log (advisory events would need to be used for that), but now that we have metadata for streams and consumers as of 2.10, this could be managed by the client app or auto-injected by the server via a _nats prefixed key.
cc @ripienaar @Jarema