nats-io / nsc

Tool for creating nkey/jwt based configurations
Apache License 2.0
101 stars 44 forks

`nsc add export` should not attempt to validate the account signing keys in the local keystore #579

Closed kimjarvis closed 1 year ago

kimjarvis commented 1 year ago

nsc add export attempts to validate the account and operator nkeys in the local keystore, but in the self service deployment model the local keystore does not contain the private key of the account or the operator.

In this example we add a public stream on the client as described in Adding a Public Stream Export. Similar errors occur when adding a private stream and when exporting both public and private services from the account.

root@instance:/# nsc add export --name abc --subject "a.b.c.>" --account CA \
  --config-dir $HOME/client_config \
  --data-dir $HOME/client_data \
  --keystore-dir $HOME/client_keys
Error: unable to resolve any of the following signing keys in the keystore: OA4CV76DVMXIQWDEQHH4XKENDORZOXPV5ZJ6N4G7XFBBSE7AXYMBKGEX, ACM2NOGGLE7ZXYISWJFOTE3OOWBQYYMQD3V6ZSDLH6XV7UYHXPHT2DWU

In the self service model, the administrator creates an account for the client to import. The client first imports the operator JWT, then the account JWT. In the self service model, the account nkeys are not available in the client's local keystore. The operator and account nkeys are private to the administrator. The nsc add export command should not attempt to validate the account nkeys in the local keystore because they may not be present.

This ticket is similar to #577.

aricart commented 1 year ago

See https://github.com/nats-io/nsc/issues/577 - the issue here is your operator at the account level should have been imported to mark it as a managed operator - when the operator is not managed, the requirement is that issuer keys at the appropriate level are available. Account CRUD requires operator keys, user CRUD requires account keys.

See https://github.com/nats-io/nsc/issues/577 for more information.
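The check below is an added example, not nsc project code: it takes the public keys named in the "unable to resolve" error above, looks for their private `.nk` files in a local keystore, and applies the non-managed-operator rule quoted in this thread (account CRUD needs an operator key, user CRUD needs an account key) to say which operation the local keys could sign for. The on-disk layout `keys/<kind>/<next two chars>/<pubkey>.nk` and the sample keystore contents are assumptions.

```python
# Added example (not nsc project code): which of the signing keys named in an
# nsc "unable to resolve" error are held locally, and what the rule quoted in
# this issue for a non-managed operator would then permit.
# Assumed keystore layout: keys/<kind>/<chars 1-2 of key>/<pubkey>.nk
import os
import re
import tempfile

KIND = {"O": "operator", "A": "account", "U": "user"}  # nkey public-key prefixes
# Non-managed operator rule from the discussion: account CRUD needs an operator
# key, user CRUD needs an account key. `nsc add export` edits the account JWT.
REQUIRED_LEVEL = {"add export": "operator", "add user": "account"}

def key_path(keystore_dir, pub):
    # Assumed nsc keystore layout; not verified against the project source.
    return os.path.join(keystore_dir, "keys", pub[0], pub[1:3], pub + ".nk")

def parse_unresolved(msg):
    """Pull the public keys out of nsc's 'unable to resolve ...' error text."""
    m = re.search(r"signing keys in the keystore:\s*(.+)$", msg.strip())
    return [k.strip() for k in m.group(1).split(",")] if m else []

def resolve(keystore_dir, keys):
    """Map each candidate public key to whether its private .nk file exists."""
    return {k: os.path.isfile(key_path(keystore_dir, k)) for k in keys}

def allowed(operation, keystore_dir, keys):
    """True if a locally held key is at the level `operation` requires."""
    level = REQUIRED_LEVEL[operation]
    found = resolve(keystore_dir, keys)
    return any(found[k] and KIND.get(k[0]) == level for k in keys)

# Constructed sample: the two keys from the error in this issue, with only the
# account key present locally (the operator key stays with the administrator).
ERROR = ("Error: unable to resolve any of the following signing keys in the keystore: "
         "OA4CV76DVMXIQWDEQHH4XKENDORZOXPV5ZJ6N4G7XFBBSE7AXYMBKGEX, "
         "ACM2NOGGLE7ZXYISWJFOTE3OOWBQYYMQD3V6ZSDLH6XV7UYHXPHT2DWU")

def demo():
    keys = parse_unresolved(ERROR)
    with tempfile.TemporaryDirectory() as ks:
        acct = next(k for k in keys if k.startswith("A"))
        os.makedirs(os.path.dirname(key_path(ks, acct)))
        with open(key_path(ks, acct), "w") as f:
            f.write("SA...constructed placeholder seed, not a real nkey...\n")
        return {"resolved": resolve(ks, keys),
                "add export": allowed("add export", ks, keys),
                "add user": allowed("add user", ks, keys)}
```

With only the account key on disk, `demo()` reports `add user` as possible and `add export` as not, which is the situation the error above describes one step further along.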