nats-io/nsc

`nsc add export` changes account issuer

Closed this issue · 2 comments

Adding an export to an account changes the account issuer value to that of the account signing key! The account issuer value should not be affected by this operation. This only occurs on accounts that have been imported via JWT.

root@instance:/# CLIENT=C1
CLIENT_CONFIG="--config-dir $HOME/$CLIENT/config --data-dir $HOME/$CLIENT/data --keystore-dir $HOME/$CLIENT/keys"
root@instance:/# nsc describe account -n CA1 $CLIENT_CONFIG
+--------------------------------------------------------------------------------------+
|                                   Account Details                                    |
+---------------------------+----------------------------------------------------------+
| Name                      | CA1                                                      |
| Account ID                | AAM4LGN4ZBCIV2E64C7TD52JBSN3V3N2XSW5V3K4PCWJY2Y7DDCOHBJS |
| Issuer ID                 | OB6GPSMQLR2T76CMOQ35OSG6DP7YDQF5Q47PVICD5IC6UPHGNCW23HTU |
| Issued                    | 2023-04-12 16:58:41 UTC                                  |
| Expires                   |                                                          |
+---------------------------+----------------------------------------------------------+
| Signing Keys              | ADA3RLYBTJJ3WE7NBL5BBXDD2PTI42XDBQTCTPXRUELNB2YBGQP5ARZB |
+---------------------------+----------------------------------------------------------+
| Max Connections           | Unlimited                                                |
| Max Leaf Node Connections | Unlimited                                                |
| Max Data                  | Unlimited                                                |
| Max Exports               | Unlimited                                                |
| Max Imports               | Unlimited                                                |
| Max Msg Payload           | Unlimited                                                |
| Max Subscriptions         | Unlimited                                                |
| Exports Allows Wildcards  | True                                                     |
| Disallow Bearer Token     | False                                                    |
| Response Permissions      | Not Set                                                  |
+---------------------------+----------------------------------------------------------+
| Jetstream                 | Enabled                                                  |
| Max Disk Storage          | 512 MB                                                   |
| Max Mem Storage           | 1.0 GB                                                   |
| Max Streams               | 10                                                       |
| Max Consumer              | 100                                                      |
| Max Ack Pending           | Consumer Setting                                         |
| Max Ack Pending           | Unlimited                                                |
| Max Bytes                 | optional (Stream setting)                                |
| Max Memory Stream         | Unlimited                                                |
| Max Disk Stream           | Unlimited                                                |
+---------------------------+----------------------------------------------------------+
| Imports                   | None                                                     |
| Exports                   | None                                                     |
+---------------------------+----------------------------------------------------------+
root@instance:/# nsc add export -a CA1 --name manifests --subject "manifests.>" $CLIENT_CONFIG
[WARN] unable to push to "O" - operator doesn't set an account server url or manual exchange necessary
[WARN] perform push/pull again or exchange self-signed JWT manually
[ OK ] added public stream export "manifests"
root@instance:/# nsc describe account -n CA1 $CLIENT_CONFIG
+--------------------------------------------------------------------------------------+
|                                   Account Details                                    |
+---------------------------+----------------------------------------------------------+
| Name                      | CA1                                                      |
| Account ID                | AAM4LGN4ZBCIV2E64C7TD52JBSN3V3N2XSW5V3K4PCWJY2Y7DDCOHBJS |
| Issuer ID                 | ADA3RLYBTJJ3WE7NBL5BBXDD2PTI42XDBQTCTPXRUELNB2YBGQP5ARZB |
| Issued                    | 2023-04-12 17:11:43 UTC                                  |
| Expires                   |                                                          |
+---------------------------+----------------------------------------------------------+
| Signing Keys              | ADA3RLYBTJJ3WE7NBL5BBXDD2PTI42XDBQTCTPXRUELNB2YBGQP5ARZB |
+---------------------------+----------------------------------------------------------+
| Max Connections           | Unlimited                                                |
| Max Leaf Node Connections | Unlimited                                                |
| Max Data                  | Unlimited                                                |
| Max Exports               | Unlimited                                                |
| Max Imports               | Unlimited                                                |
| Max Msg Payload           | Unlimited                                                |
| Max Subscriptions         | Unlimited                                                |
| Exports Allows Wildcards  | True                                                     |
| Disallow Bearer Token     | False                                                    |
| Response Permissions      | Not Set                                                  |
+---------------------------+----------------------------------------------------------+
| Jetstream                 | Enabled                                                  |
| Max Disk Storage          | 512 MB                                                   |
| Max Mem Storage           | 1.0 GB                                                   |
| Max Streams               | 10                                                       |
| Max Consumer              | 100                                                      |
| Max Ack Pending           | Consumer Setting                                         |
| Max Ack Pending           | Unlimited                                                |
| Max Bytes                 | optional (Stream setting)                                |
| Max Memory Stream         | Unlimited                                                |
| Max Disk Stream           | Unlimited                                                |
+---------------------------+----------------------------------------------------------+
| Imports                   | None                                                     |
+---------------------------+----------------------------------------------------------+

+--------------------------------------------------------------------+
|                              Exports                               |
+-----------+--------+-------------+--------+-------------+----------+
| Name      | Type   | Subject     | Public | Revocations | Tracking |
+-----------+--------+-------------+--------+-------------+----------+
| manifests | Stream | manifests.> | Yes    | 0           | N/A      |
+-----------+--------+-------------+--------+-------------+----------+

@kimjarvis this is related to what was discussed in the other issues you opened. In this particular case, it looks like on this environment you imported the operator (and didn't have access to the operator key) and then you edited the account. If you check the `.nsc` file in the operator directory in your store, you'll see that the attribute `managed` is set to true. So when you edited the account, nsc did exactly what it needed to do, which is self-sign the account - note that the issuer changed from O... to A..., denoting operator to account key.

If you had an account server running, and had a process handling the issuing (signing by operator), nsc would have self-signed with the account, pushed to the account server, and retrieved the operator signed account and stored that. Since the operator doesn't have an account server associated with it, it simply self-signed and issued the perhaps cryptic warnings you got.
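One way to tell an operator-issued account JWT from a self-signed one, as an added example that is not nsc's own code and not part of this issue: it decodes the JWT and inspects only the `iss` claim against the account's own keys and the operator's keys (no signature verification), and the claim bodies below are constructed around the key IDs shown in the nsc output above.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    """Return the claims of a JWT. The signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def classify_account_issuer(token: str, operator_keys: set) -> str:
    """Say who issued an account JWT, judging by its 'iss' claim.
    Nkey public keys start with a type letter: O = operator, A = account.
    'operator-signed': iss is the operator identity key or one of its signing keys.
    'self-signed': iss is the account itself or one of its own signing keys, which
    is what nsc emits for a managed operator until the JWT is pushed or exchanged.
    'unknown-issuer': anything else; treat as untrusted."""
    claims = decode_claims(token)
    iss, sub = claims["iss"], claims["sub"]
    own_keys = {sub, *claims.get("nats", {}).get("signing_keys", [])}
    if iss.startswith("O") and iss in operator_keys:
        return "operator-signed"
    if iss.startswith("A") and iss in own_keys:
        return "self-signed"
    return "unknown-issuer"

def _make_token(claims: dict) -> str:
    # Constructed token: real header and claim layout, bogus signature.
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT', 'alg': 'ed25519-nkey'})}.{enc(claims)}.bogus-signature"

# Key IDs as shown in the nsc output above; claim bodies are constructed.
OPERATOR_ID = "OB6GPSMQLR2T76CMOQ35OSG6DP7YDQF5Q47PVICD5IC6UPHGNCW23HTU"
ACCOUNT_ID = "AAM4LGN4ZBCIV2E64C7TD52JBSN3V3N2XSW5V3K4PCWJY2Y7DDCOHBJS"
ACCOUNT_SK = "ADA3RLYBTJJ3WE7NBL5BBXDD2PTI42XDBQTCTPXRUELNB2YBGQP5ARZB"

def before_export() -> str:  # CA1 as first described: issued by the operator
    return _make_token({"sub": ACCOUNT_ID, "iss": OPERATOR_ID, "name": "CA1",
                        "nats": {"type": "account", "signing_keys": [ACCOUNT_SK]}})

def after_export() -> str:  # CA1 after 'nsc add export': self-signed with its signing key
    return _make_token({"sub": ACCOUNT_ID, "iss": ACCOUNT_SK, "name": "CA1",
                        "nats": {"type": "account", "signing_keys": [ACCOUNT_SK],
                                 "exports": [{"name": "manifests", "subject": "manifests.>"}]}})
```

A self-signed result on a managed operator is the signal that the push/pull or manual exchange the warnings mention has not happened yet, since the server only trusts account JWTs issued by the operator or its signing keys.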

Thank you @aricart for your clear explanation.