Description
Observed behavior
We use the AUTH callout feature in a setup similar to https://natsbyexample.com/examples/auth/callout-decentralized/cli.
Issue:
Every time a client connects to NATS using auth callout we get an Info message in the nats-server logs: "Connected Client has JetStream denied on pub: [$JSC.> $NRG.> $JS.API.> $KV.> $OBJ.>] sub: [$JSC.> $NRG.> $JS.API.> $KV.> $OBJ.>]".
The weird part is we don't use JetStream on that particular account (JetStream - Disabled) and the message seems totally unrelated, since the auth callout service works properly and the user is able to use NATS as expected. The log message is identical to #5002 but the auth callout service works perfectly.
I also found no option in nats-server to set the log level to Warning and above just to get rid of that message.
Expected behavior
NATS shall not complain with "JetStream denied on pub: [$JSC.> $NRG.> $JS.API.> $KV.> $OBJ.>] sub: [$JSC.> $NRG.> $JS.API.> $KV.> $OBJ.>]" when clients connect to the server using auth-callout.
Server and client version
nats-server version: 2.12.2
Host environment
Kubernetes, deployment via Helm, 3 replicas
Steps to reproduce
Here are the commands I used to create and configure the account and users
ACCOUNT_NAME=abc
nsc add account $ACCOUNT_NAME

Configure auth callout:
NATS_ENV=staging
nsc generate nkey --curve > ./xkeys/$NATS_ENV/$ACCOUNT_NAME.xk
# the generated file is read back below: line 1 is the seed, line 2 the public xkey
XKEY_KEY=$(sed -n "2,1p" ./xkeys/$NATS_ENV/$ACCOUNT_NAME.xk)
XKEY_SEED=$(sed -n "1,1p" ./xkeys/$NATS_ENV/$ACCOUNT_NAME.xk)

nsc add user -a $ACCOUNT_NAME auth --allow-pub '$SYS._INBOX.>' --allow-sub '$SYS.REQ.USER.AUTH'
[ OK ] added pub "$SYS._INBOX.>"
[ OK ] added sub "$SYS.REQ.USER.AUTH"
[ OK ] generated and stored user key "UAKA...I7U"
...

nsc add user -a $ACCOUNT_NAME $ACCOUNT_NAME --deny-pubsub '>' # this is the equivalent of the sentinel user from the NATS example
[ OK ] added deny pub ">"
[ OK ] added deny sub ">"
[ OK ] generated and stored user key "UAC4T..3OU"
...

AUTH_USER_ID=$(nsc describe user auth -a $ACCOUNT_NAME | grep "User ID" | awk -F'|' '{print $3}' | xargs)
ACCOUNT_ID=$(nsc describe account $ACCOUNT_NAME | grep "Account ID" | awk -F'|' '{print $3}' | xargs)
nsc edit authcallout --account $ACCOUNT_NAME \
  --curve $XKEY_KEY \
  --auth-user $AUTH_USER_ID \
  --allowed-account $ACCOUNT_ID
[ OK ] added user "UAK...I7U"
[ OK ] added account "ABN...ID6"
[ OK ] set curve key XC3B...4RK

nsc describe account $ACCOUNT_NAME
+--------------------------------------------------------------------------------------+
| Account Details |
+---------------------------+----------------------------------------------------------+
...
| Account ID | ABN......ID6 |
| Issuer ID | ODD5G.....CSB |
| Issued | 2025-.... UTC |
| Expires | |
+---------------------------+----------------------------------------------------------+
| Auth Callout Users | UAKADMFV...GI7U |
| Allowed Accounts | ABNI...RID6 |
| Encrypt For | XC3B...W4RK |
+---------------------------+----------------------------------------------------------+
| Max Connections | Unlimited |
| Max Leaf Node Connections | Unlimited |
| Max Data | Unlimited |
| Max Exports | Unlimited |
| Max Imports | Unlimited |
| Max Msg Payload | Unlimited |
| Max Subscriptions | Unlimited |
| Exports Allows Wildcards | True |
| Disallow Bearer Token | False |
| Response Permissions | Not Set |
+---------------------------+----------------------------------------------------------+
| Jetstream | Disabled |
+---------------------------+----------------------------------------------------------+
| Imports | None |
| Exports | None |
+---------------------------+----------------------------------------------------------+
| Tracing Context | Disabled |
+---------------------------+----------------------------------------------------------+
We tested connecting to NATS in .NET and Go (using core NATS libraries, no JetStream) and each time we connect to the server it logs INFO:
"Connected Client has JetStream denied on pub: [$JSC.> $NRG.> $JS.API.> $KV.> $OBJ.>] sub: [$JSC.> $NRG.> $JS.API.> $KV.> $OBJ.>]".
Note: we use a single NATS account with 2 users. One that the auth-callout service uses ("auth") and another with no permissions, so clients just attach it for NATS to match the account and send the request to the proper auth-callout service.