aricart
commented
1 year ago add user is an operation performed by the account owner - so effectively, yes they must have the account private key to issue an user. Neither the operator nor a different account can issue users.
The delegation model is operator issues accounts, accounts issue users. The nuance is that an account in self-service mode, must be self signed, the operator can then use one of its keys to re-issue the account signed by the operator key.
I think the main issue here is a workflow issue, here's the correct workflow:
# Here's the operator steps
> ~ [1]> nsc add operator O
[ OK ] generated and stored operator key "OB6ATHSVPF767UH7JQJO6YQ6CXELOKXEBLX2M4Q6VLJ4HP4A3TIJYHDR"
[ OK ] added operator "O"
[ OK ] When running your own nats-server, make sure they run at least version 2.2.0
> ~> nsc env
+----------------------------------------------------------------------------------------------------------+
| NSC Environment |
+--------------------+-----+-------------------------------------------------------------------------------+
| Setting | Set | Effective Value |
+--------------------+-----+-------------------------------------------------------------------------------+
| $NSC_CWD_ONLY | No | If set, default operator/account from cwd only |
| $NSC_NO_GIT_IGNORE | No | If set, no .gitignore files written |
| $NKEYS_PATH | No | ~/.local/share/nats/nsc/keys |
| $NSC_HOME | No | ~/.config/nats/nsc |
| $NATS_CA | No | If set, root CAs in the referenced file will be used for nats connections |
| | | If not set, will default to the system trust store |
| $NATS_KEY | No | If set, the tls key in the referenced file will be used for nats connections |
| $NATS_CERT | No | If set, the tls cert in the referenced file will be used for nats connections |
+--------------------+-----+-------------------------------------------------------------------------------+
| From CWD | | No |
| Default Stores Dir | | ~/.local/share/nats/nsc/stores |
| Current Store Dir | | ~/.local/share/nats/nsc/stores |
| Current Operator | | O |
| Current Account | | |
| Root CAs to trust | | Default: System Trust Store |
+--------------------+-----+-------------------------------------------------------------------------------+
# make the operator JWT available (an account server does this automagically)
> ~> cp ~/.local/share/nats/nsc/stores/O/O.jwt /tmp/O.jwt
# renaming the location where nsc is storing data, so that we simulate a clean environment
> ~> mv ~/.local/share/nats/nsc ~/.local/share/nats/nsc_demo
# add the operator by importing it from a file or url
> ~> nsc add operator -u /tmp/O.jwt
[ OK ] imported operator "O"
[ OK ] When running your own nats-server, make sure they run at least version 2.2.0
# now we add an account - note that the account will be self signed, because the operator was imported
# internally maked the operator (.nsc file in the directory for the operator) as being managed
# {"managed":true,"name":"O","kind":"operator","version":"1"}⏎
# managed makes nsc self-sign accounts:
> ~> nsc add account A
[ OK ] generated and stored account key "ACBUHSTCUYBTB5LP4GJSSGKBMJO53SMV5L2C5WK3ZY3NNODZCBYHIORT"
[WARN] unable to push to "O" - operator doesn't set an account server url or manual exchange necessary
[WARN] perform push/pull again or exchange self-signed JWT manually
[ OK ] added account "A"
# note the issuer ID here is the account itself:
> ~> nsc describe account A
+--------------------------------------------------------------------------------------+
| Account Details |
+---------------------------+----------------------------------------------------------+
| Name | A |
| Account ID | ACBUHSTCUYBTB5LP4GJSSGKBMJO53SMV5L2C5WK3ZY3NNODZCBYHIORT |
| Issuer ID | ACBUHSTCUYBTB5LP4GJSSGKBMJO53SMV5L2C5WK3ZY3NNODZCBYHIORT |
| Issued | 2023-04-18 14:43:25 UTC |
| Expires | |
+---------------------------+----------------------------------------------------------+
| Max Connections | Unlimited |
| Max Leaf Node Connections | Unlimited |
| Max Data | Unlimited |
| Max Exports | Unlimited |
| Max Imports | Unlimited |
| Max Msg Payload | Unlimited |
| Max Subscriptions | Unlimited |
| Exports Allows Wildcards | True |
| Disallow Bearer Token | False |
| Response Permissions | Not Set |
+---------------------------+----------------------------------------------------------+
| Jetstream | Disabled |
+---------------------------+----------------------------------------------------------+
| Imports | None |
| Exports | None |
+---------------------------+----------------------------------------------------------+
# now the user would need to provide their account JWT to the operator
# the operator would import it, the import process is effectively
# editing the account assigning limits, etc, and signing with the operator key
# to do this, import the account JWT into the operator's environment:
> ~> cp ~/.local/share/nats/nsc/stores/O/accounts/A/A.jwt /tmp/A.jwt
> ~> mv ~/.local/share/nats/nsc ~/.local/share/nats/nsc_user
> ~> mv ~/.local/share/nats/nsc_demo ~/.local/share/nats/nsc
> ~> nsc import account --file /tmp/A.jwt
[WARN] validation resulted in: self-signed account JWTs shouldn't contain operator limits
[ OK ] account A was successfully imported
1 job succeeded - 1 have warnings
# note for the operator the jwt is signed by the operator
> ~> nsc describe account A
+--------------------------------------------------------------------------------------+
| Account Details |
+---------------------------+----------------------------------------------------------+
| Name | A |
| Account ID | ACBUHSTCUYBTB5LP4GJSSGKBMJO53SMV5L2C5WK3ZY3NNODZCBYHIORT |
| Issuer ID | OB6ATHSVPF767UH7JQJO6YQ6CXELOKXEBLX2M4Q6VLJ4HP4A3TIJYHDR |
| Issued | 2023-04-18 14:45:03 UTC |
| Expires | |
+---------------------------+----------------------------------------------------------+
| Max Connections | Unlimited |
| Max Leaf Node Connections | Unlimited |
| Max Data | Unlimited |
| Max Exports | Unlimited |
| Max Imports | Unlimited |
| Max Msg Payload | Unlimited |
| Max Subscriptions | Unlimited |
| Exports Allows Wildcards | True |
| Disallow Bearer Token | False |
| Response Permissions | Not Set |
+---------------------------+----------------------------------------------------------+
| Jetstream | Disabled |
+---------------------------+----------------------------------------------------------+
| Imports | None |
| Exports | None |
+---------------------------+----------------------------------------------------------+
kimjarvis
nsc add userattempts to validate the account nkeys in the local keystore, but in the self service deployment model the local keystore does not contain the private key of the account.In the self service model, the administrator creates an account for the client to import. The client first import the operator JWT, then the account JWT. In the self service model, the account nkeys are not available in the clients's local keystore. The operator and account nkeys are private to to the administrator. The
nsc add usercommand should not attempt to validate the account nkey in the local keystore because they may not be present.The client imported the operator and the account from the administrator.
The client has only the local system user nkeys in its keystore. The operator and account nkeys are not present.
For reference, the administrator keystore contains the operator and account nkeys: