nats-io / nats-server

High-Performance server for NATS.io, the cloud and edge native messaging system.
https://nats.io
Apache License 2.0

sample config with leafnode and nkeys #3196

Closed tvojacek closed 8 months ago

tvojacek commented 2 years ago

Is it possible to add to the docs a sample config with leaf nodes secured by nkey? I have found an ugly solution using a credential file, but it requires the presence of a JWT token. I kept the JWT token from the docs and put the correct USER NKEY SEED there. Is there a better solution?

On the leafnode, nats.conf:

leafnodes {
    remotes = [
        {
            url: "nats-leaf://@server_url:7422"
            account: someuser
            credentials: "server.creds"
        }
    ]
}

where server.creds is a copy of the example creds from the docs:

**** this part is kept as it is in docs ****
-----BEGIN NATS USER JWT-----
eyJ0eXAiOiJqd3QiLCJhbGciOiJlZDI1NTE5In0.eyJqdGkiOiJUVlNNTEtTWkJBN01VWDNYQUxNUVQzTjRISUw1UkZGQU9YNUtaUFhEU0oyWlAzNkVMNVJBIiwiaWF0IjoxNTU4MDQ1NTYyLCJpc3MiOiJBQlZTQk0zVTQ1REdZRVVFQ0tYUVM3QkVOSFdHN0tGUVVEUlRFSEFKQVNPUlBWV0JaNEhPSUtDSCIsIm5hbWUiOiJvbWVnYSIsInN1YiI6IlVEWEIyVk1MWFBBU0FKN1pEVEtZTlE3UU9DRldTR0I0Rk9NWVFRMjVIUVdTQUY3WlFKRUJTUVNXIiwidHlwZSI6InVzZXIiLCJuYXRzIjp7InB1YiI6e30sInN1YiI6e319fQ.6TQ2ilCDb6m2ZDiJuj_D_OePGXFyN3Ap2DEm3ipcU5AhrWrNvneJryWrpgi_yuVWKo1UoD5s8bxlmwypWVGFAA
------END NATS USER JWT------

************************* IMPORTANT *************************
NKEY Seed printed below can be used to sign and prove identity.
NKEYs are sensitive and should be treated as secrets.

-----BEGIN USER NKEY SEED-----
REAL_USER_PRIVATE_KEY
------END USER NKEY SEED------

*************************************************************

Server config for reference:

leafnodes {
  port: 7422
  authorization: {
    users: [ {user: UDXU4RCSJNZOIQHZNWXHXORDPRTGNJAHAHFRGZNEEJCPQTT2M7NLCNF4, account: someuser} ]
  }
}
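
An added example (not from the issue or the NATS project): a small Python audit that parses a creds file and reports when the embedded JWT's `sub` claim differs from the user nkey the hub authorizes, which is what happens when a docs JWT is kept next to a real seed. The sample creds, the key strings and the function names are constructed placeholders, and the JWT signature is not verified.

```python
import base64
import json
import re

# Constructed sample: claims shaped like a NATS user JWT; keys are placeholders.
def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

SAMPLE_JWT = ".".join([
    _b64url({"typ": "jwt", "alg": "ed25519"}),
    _b64url({"name": "omega", "sub": "U_DOCS_EXAMPLE_USER", "type": "user"}),
    "c2lnbmF0dXJl",  # dummy signature, never verified here
])
SAMPLE_CREDS = f"""-----BEGIN NATS USER JWT-----
{SAMPLE_JWT}
------END NATS USER JWT------

-----BEGIN USER NKEY SEED-----
SU_PLACEHOLDER_SEED
------END USER NKEY SEED------
"""

# Matches the dash-delimited BEGIN/END blocks of a creds file.
BLOCK = re.compile(r"-+BEGIN ([A-Z ]+?)-+\s*\n(.*?)\n-+END \1-+", re.S)

def parse_creds(text):
    """Return {'NATS USER JWT': ..., 'USER NKEY SEED': ...} from a creds file."""
    return {name: body.strip() for name, body in BLOCK.findall(text)}

def jwt_claims(token):
    """Decode the JWT payload without verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audit_creds(text, server_user_nkey):
    """List mismatches between a creds file and the nkey the hub authorizes."""
    blocks, findings = parse_creds(text), []
    for required in ("NATS USER JWT", "USER NKEY SEED"):
        if required not in blocks:
            findings.append(f"missing block: {required}")
    if "NATS USER JWT" in blocks:
        sub = jwt_claims(blocks["NATS USER JWT"]).get("sub")
        if sub != server_user_nkey:
            findings.append(f"JWT sub {sub} is not the authorized nkey")
    return findings
```

Checking that the seed itself derives the authorized public key would need an nkeys/Ed25519 library and is outside this sketch.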

tvojacek commented 1 year ago

Is there a better solution?

derekcollison commented 1 year ago

We would need to look at adding more formal support in the remote leaf options for soliciting servers.

anthonyjacques20 commented 8 months ago

@derekcollison - has there been any progress on authenticating leafnode remotes using nkeys (without requiring a jwt)? I've been looking through the docs and haven't found anything on how to do this and am wondering if something changed since this was from a while ago.

derekcollison commented 8 months ago

Unfortunately we have not had time to properly look at it; we have been very busy with other higher priority items. Apologies.

anthonyjacques20 commented 8 months ago

Understood, thanks for the reply. I'll add my +1 for this functionality. And it would also be nice to allow a no_auth_user type functionality with nkeys 😄

derekcollison commented 8 months ago

That should be possible today, I believe, no?

anthonyjacques20 commented 8 months ago

I tried the following config and get nats-server: no_auth_user: "UDFZIB2HFBKTJYGHXIUFUJ3GMCXTNRNELS5BK42JPKUX6MUKHG6PRDOA" present, but users are not defined:

accounts {
    SYS: {
        users: [{nkey: UDAOQO6KTPA24Y3VO7ZCBLXIXZHZB6NRT7NGIGW3EFAED7EAXDFVHGTH}]
    },
    LEAF1: {
        users: [{nkey: UDFZIB2HFBKTJYGHXIUFUJ3GMCXTNRNELS5BK42JPKUX6MUKHG6PRDOA}]
        jetstream: enabled
    }
}
system_account: SYS
no_auth_user: UDFZIB2HFBKTJYGHXIUFUJ3GMCXTNRNELS5BK42JPKUX6MUKHG6PRDOA

And then these docs say:

Please note that the no_auth_user will not work with nkeys. The user referenced can also be part of the authorization block.

Am I configuring it incorrectly?

derekcollison commented 8 months ago

OK, I was incorrect then. Will be good to add; will not make it for 2.10.8, but can see for 2.10.9.

anthonyjacques20 commented 8 months ago

Awesome! Thank you for getting this done, this really helps and is greatly appreciated! Just tested and working as expected 😄