nats-io / nsc

Tool for creating nkey/jwt based configurations
Apache License 2.0

Operator key is not needed to create user, but is needed to delete user #652

Closed mikehardenize closed 5 months ago

mikehardenize commented 5 months ago

What version were you using?

nsc version 2.8.6

What environment was the server running in?

OSX and Linux

Is this defect reproducible?

I am trying to deploy the minimum needed keys and creds to a server from my nsc keystore directory in order to manage one of my nats Accounts. I can successfully create and edit users without the Operator nkey being available, which makes sense to me, as the Account key is there and that should be the only thing involved in signing.

So why does the Operator key need to be available in order to simply delete a user?

mikecardwell@redbook foo % nsc --config-dir . --data-dir . --keystore-dir . create operator MyOperator
[ OK ] generated and stored operator key "OCEZHYYC3Z4ZIWOHVOEAAMPMAEX6YU23ZFAUAQL6U3GY7V2IIGJR4IDR"
[ OK ] added operator "MyOperator"
[ OK ] When running your own nats-server, make sure they run at least version 2.2.0
mikecardwell@redbook foo % nsc --config-dir . --data-dir . --keystore-dir . create account MyAccount
[ OK ] generated and stored account key "AA67W2ZURE47JVR4HSMTCQMZEBIGMWGHCNRBXWLJNYMP5D5C2KYQYXYJ"
[ OK ] added account "MyAccount"
mikecardwell@redbook foo % mv keys/O/CE/OCEZHYYC3Z4ZIWOHVOEAAMPMAEX6YU23ZFAUAQL6U3GY7V2IIGJR4IDR.nk OCEZHYYC3Z4ZIWOHVOEAAMPMAEX6YU23ZFAUAQL6U3GY7V2IIGJR4IDR.nk.bak
mikecardwell@redbook foo % nsc --config-dir . --data-dir . --keystore-dir . create user -a MyAccount MyUser
[ OK ] generated and stored user key "UDMS746YTEJMVXLCKI6TOM6YOBVCZX726NKWDSU6LGHCX2ZAI7WFRNPR"
[ OK ] generated user creds file `~/foo/creds/MyOperator/MyAccount/MyUser.creds`
[ OK ] added user "MyUser" to account "MyAccount"
mikecardwell@redbook foo % nsc --config-dir . --data-dir . --keystore-dir . delete user -C -D -a MyAccount MyUser
Error: unable to resolve any of the following signing keys in the keystore: OCEZHYYC3Z4ZIWOHVOEAAMPMAEX6YU23ZFAUAQL6U3GY7V2IIGJR4IDR
Usage:
  nsc delete user [flags]

Examples:
nsc delete user -n name
nsc delete user -i

Flags:
  -a, --account string   account name
  -h, --help             help for user
  -n, --name strings     name of user(s) to delete
  -R, --revoke           revoke user before deleting
  -C, --rm-creds         delete the user creds
  -D, --rm-nkey          delete the user key

Global Flags:
  -H, --all-dirs string       sets --config-dir, --data-dir, and --keystore-dir to the same value
      --config-dir string     nsc config directory
      --data-dir string       nsc data store directory
  -i, --interactive           ask questions for various settings
      --keystore-dir string   nsc keystore directory
  -K, --private-key string    Key used to sign. Can be specified as role (where applicable),
                              public key (private portion is retrieved)
                              or file path to a private key or private key

Given the capability you are leveraging, describe your expectation?

My expectation is that I should be able to manage users in a nats Account without needing access to the Operator nkey.

Given the expectation, what is the defect you are observing?

I am observing that access to the Operator nkey is needed in order to delete a user. I'm not even trying to revoke the user, I just want to delete the files. However, even if I was trying to revoke the user, surely only the Account nkey would be needed?

aricart commented 5 months ago

The operator key shouldn't be required unless you specify the --revoke key
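As an added illustration (not code from nsc or from anyone in this thread) of why only --revoke would need the operator key: a standard-library Ed25519 model of the nkey signing chain, in which account JWTs are signed by the operator key and user JWTs by the account key, so a revocation (an edit to the account JWT) cannot be produced with the account key alone. The type and function names and the JSON encoding are assumptions for the model, not the real nats-io/jwt format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
)

// Claims is a cut-down stand-in for the nats-io/jwt claim set (assumption: a model,
// not the real JWT/nkey encoding). Revocations is the account-level map that
// `nsc delete user --revoke` updates.
type Claims struct {
	Sub         string           `json:"sub"`
	Revocations map[string]int64 `json:"revocations,omitempty"`
}

type Token struct{ Payload, Sig []byte } // encoded claims plus Ed25519 signature

// Sign encodes the claims and signs them with the issuer's private key.
func Sign(c Claims, issuer ed25519.PrivateKey) Token {
	payload, _ := json.Marshal(c) // only strings and ints: cannot fail
	return Token{Payload: payload, Sig: ed25519.Sign(issuer, payload)}
}

// Verify checks a token under the issuer key the verifier already trusts (operator key for accounts, account key for users).
func Verify(t Token, issuer ed25519.PublicKey) bool {
	return ed25519.Verify(issuer, t.Payload, t.Sig)
}

// Result records which operations verify when, as in the issue, only the account key is on the host.
type Result struct{ UserIssueOK, RevokeByAccountOK, RevokeByOperatorOK bool }

func Run() Result {
	opPub, opPriv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail
	acctPub, acctPriv, _ := ed25519.GenerateKey(rand.Reader)
	userPub, _, _ := ed25519.GenerateKey(rand.Reader)
	// A user JWT is issued and verified under the account key alone, so creating
	// a user (or merely deleting its files) never involves the operator key.
	user := Sign(Claims{Sub: hex.EncodeToString(userPub)}, acctPriv)
	// A revocation is a change to the account JWT, which is trusted only with the
	// operator's signature; the same claims signed by the account key do not verify.
	revoked := Claims{Sub: hex.EncodeToString(acctPub),
		Revocations: map[string]int64{hex.EncodeToString(userPub): 1}}
	return Result{
		UserIssueOK:        Verify(user, acctPub),
		RevokeByAccountOK:  Verify(Sign(revoked, acctPriv), opPub),
		RevokeByOperatorOK: Verify(Sign(revoked, opPriv), opPub),
	}
}
```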