Nats Authorization -- block node.*, but allow node.id

[cbrake]

Is there any in NATS permissions that would allow blocking subscribers from doing wildcard subscriptions:

node.*

But allow them to subscribe to specific IDs:

node.ID

Obviously, the ID would have to be "secure" (like a token). Not sure if this is a good idea, but might simplify a use case I'm considering.

[joaquinrovira]

You could apply a default permission for your users like so:

authorization {
  default_permissions = {
    subscribe = "node.ID"
  }
  ...
}

Taken from https://docs.nats.io/running-a-nats-service/configuration/securing_nats/authorization. Under the Permission Map section, an important note describes the following:

If an unauthorized client publishes or attempts to subscribe to a subject that has not been allow listed, the action fails and is logged at the server, and an error message is returned to the client.

Therefore by only including node.ID in the allow list you are implicitly excluding all other routes. Careful with this because it also disables request/reply style messages. To maintain the ability to respond to messages, read up on the allow_responses option.