Prevent a NATS user from creating durable consumers

[pontus4138]

Hello, I am looking at using NATS as a communication hub for sending notifications to and from browser-based clients over websocket. I want to use jetstream to allow the clients to not only get events but also have access to the event history.

However, I am worried that giving clients that I don't control access to the jetstream API will allow them to create durable consumers that will take up resources on the servers. Thus I am trying to limit a user so it can only create ephemeral consumers. I also have to be able to only allow the user to access specific subjects, my idea for that is the use consumer with a filter for a specific subject. Is this possible? Or is there a better way of managing the durable even if you dont control the client applications that are creating them?

The closest I have gotten is to only allow the user/client to publish to this subject $JS.API.CONSUMER.CREATE.<stream>.*.<subject>. This limits what subjects the user can see, however, this still allows the user to create durable consumers.

In the documentation I also found this subject $JS.API.CONSUMER.CREATE.<stream>, but that does not allow filtering on a subject.

[derekcollison]

Yes, you can add in the allow permission that create extended version you want to allow and disallow the plain $JS.API.CONSUMER.CREATE.<stream>

[pontus4138]

Thanks for the quick answer!

Does this method allow me to restrict which subject a user can consume?
For example, if I have a stream that includes the subject A.> but I want to limit users to only consuming messages from A.B.>. As was possible with the subject in $JS.API.CONSUMER.CREATE.<stream>.<consumer>.<subject>.

[derekcollison]

You can, via delivery subject restrictions for push consumers. For pull consumers, possible but a bit more involved to construct.

[0xeb-bp]

Hello, I find myself in a similar situation trying to limit end users over a websocket from creating durable consumers. I'm sorry I don't quite understand the above answer.

It would be nice if I could just set constraints during stream creation for the allowed consumer types and limits, but I don't see that as an option.

I'm using auth callout.

Based on this: https://docs.nats.io/reference/reference-protocols/nats_api_reference

I thought I could restrict $JS.API.CONSUMER.DURABLE.CREATE.<stream>.<consumer>, however the durable consumer is created like:

Received on "$JS.API.CONSUMER.CREATE.test_stream.test123" with reply "_INBOX.AAgDczL5PIUbXQEo7xqE8O.ndDgguek"
{"stream_name":"test_stream","config":{"ack_policy":"none","deliver_policy":"all","durable_name":"test123","name":"test123","max_deliver":-1,"replay_policy":"instant","num_replicas":0},"action":""}

Likewise the ephemeral consumer is created:

Received on "$JS.API.CONSUMER.CREATE.test_stream.qTVy35Ay" with reply "_INBOX.5Lqxv1m7tF6o1dPJUheQBb.xA3XD6nX"
{"stream_name":"test_stream","config":{"ack_policy":"explicit","deliver_policy":"all","name":"qTVy35Ay","max_deliver":-1,"replay_policy":"instant","num_replicas":0},"action":""}

So I am missing how I can restrict the ability for end user's to create durable consumers. Thanks for your time.