`nsc generate creds` produces invalid creds file.
ebusto opened this issue · 3 comments
ebusto commented
I encountered this after importing a user's key and corresponding JWT file. After the import, I ran `nsc generate creds`, and attempting to use the creds file was met with `nats: error: nats: Authorization Violation`.
Looking at the creds file, it includes an empty line after the valid JWT.
```
-----BEGIN NATS USER JWT-----
<valid jwt>
------END NATS USER JWT------
```
aricart commented
@ebusto not able to reproduce - here's what I tried:
```
> /tmp> set -x XDG_CONFIG_HOME /tmp/nsc
> /tmp> set -x XDG_DATA_HOME /tmp/nsc
> /tmp> nsc add operator O
[ OK ] generated and stored operator key "OATASVGV7Y22NKGDOVO7DIGYV427FYCO2DDP6XL3JGSTQ6BH2V7C7SI4"
[ OK ] added operator "O"
[ OK ] When running your own nats-server, make sure they run at least version 2.2.0
> /tmp> nsc add account A
[ OK ] generated and stored account key "AB7KJIIXDSH4R6HG3K7FY5CCUC4FRAVJWZARRBI5PHHKU3BZSZOGAEWL"
[ OK ] added account "A"
> /tmp> nsc add user U
[ OK ] generated and stored user key "UD4EOMTFERHBF2NYP7O5QKBIK7POVSC7AWZJBKHWJE2C75UNK4O2XZ7D"
[ OK ] generated user creds file `/tmp/nsc/nats/nsc/keys/creds/O/A/U.creds`
[ OK ] added user "U" to account "A"
> /tmp> cp /tmp/nsc/nats/nsc/keys/keys/U/D4/UD4EOMTFERHBF2NYP7O5QKBIK7POVSC7AWZJBKHWJE2C75UNK4O2XZ7D.nk /tmp/key.nk
> /tmp> cp /tmp/nsc/nats/nsc/stores/O/accounts/A/users/U.jwt /tmp/u.jwt
> /tmp> mkdir import
> /tmp> mv u.jwt import/
> /tmp> mv key.nk import/
> /tmp> nsc delete user -n U -C -D
[ OK ] delete users:
[ OK ] user U [UD4EOMTFERHBF2NYP7O5QKBIK7POVSC7AWZJBKHWJE2C75UNK4O2XZ7D]:
[ OK ] user deleted
[ OK ] deleted private key
[ OK ] removed creds file
> /tmp> nsc import user -f import/u.jwt
[ OK ] user U was successfully imported
> /tmp> nsc import keys -d import/
[ OK ] UD4EOMTFERHBF2NYP7O5QKBIK7POVSC7AWZJBKHWJE2C75UNK4O2XZ7D was added to the keystore
> /tmp> nsc generate creds
-----BEGIN NATS USER JWT-----
eyJ0eXAiOiJKV1QiLCJhbGciOiJlZDI1NTE5LW5rZXkifQ.eyJqdGkiOiJBRk9GNjNEWjY3SzUyVlk3VTQ1UUVDMzJRMlNZTldDNU5SM1AzM1dFSFVVVktXVE01R0tRIiwiaWF0IjoxNjgzMTIyMDgzLCJpc3MiOiJBQjdLSklJWERTSDRSNkhHM0s3Rlk1Q0NVQzRGUkFWSldaQVJSQkk1UEhIS1UzQlpTWk9HQUVXTCIsIm5hbWUiOiJVIiwic3ViIjoiVUQ0RU9NVEZFUkhCRjJOWVA3TzVRS0JJSzdQT1ZTQzdBV1pKQktIV0pFMkM3NVVOSzRPMlhaN0QiLCJuYXRzIjp7InB1YiI6e30sInN1YiI6e30sInN1YnMiOi0xLCJkYXRhIjotMSwicGF5bG9hZCI6LTEsInR5cGUiOiJ1c2VyIiwidmVyc2lvbiI6Mn19.FAszmPWQ8Cb2K_nE5bUKqOuAZwWAK_ZCQ3-XMoRrPd7eDYljL9YbW7ugr-85gGYeK8pSiOLwkYiTY9bpLR-sDA
------END NATS USER JWT------
************************* IMPORTANT *************************
NKEY Seed printed below can be used to sign and prove identity.
NKEYs are sensitive and should be treated as secrets.
-----BEGIN USER NKEY SEED-----
SUABGKLRRIOWEX7HRYQO4PZW6TZ2VK67EIX4YGGYFGXOBI4T5JQWC5NPYY
------END USER NKEY SEED------
*************************************************************
> /tmp> nsc generate creds -a A -n U -o /tmp/u.creds
[ OK ] wrote credentials to `/tmp/u.creds`
Success!! - generated `/tmp/u.creds`
> /tmp> nsc generate config --mem-resolver --config-file /tmp/server.conf
[ OK ] wrote server configuration to `/tmp/server.conf`
Success!! - generated `/tmp/server.conf`
> /tmp> nats-server -c /tmp/server.conf &
> /tmp> [14558] 2023/05/03 09:07:58.881890 [INF] Starting nats-server
[14558] 2023/05/03 09:07:58.882005 [INF] Version: 2.10.0-beta.34
[14558] 2023/05/03 09:07:58.882008 [INF] Git: [not set]
[14558] 2023/05/03 09:07:58.882010 [INF] Name: NCIVAEN43YKVZKCTZYHZASORBJMP4GNXKWMN7XTMPEWUWSYGKG2LVS3G
[14558] 2023/05/03 09:07:58.882013 [INF] ID: NCIVAEN43YKVZKCTZYHZASORBJMP4GNXKWMN7XTMPEWUWSYGKG2LVS3G
[14558] 2023/05/03 09:07:58.882029 [INF] Using configuration file: /tmp/server.conf
[14558] 2023/05/03 09:07:58.882031 [INF] Trusted Operators
[14558] 2023/05/03 09:07:58.882035 [INF] System : ""
[14558] 2023/05/03 09:07:58.882038 [INF] Operator: "O"
[14558] 2023/05/03 09:07:58.882056 [INF] Issued : 2023-05-03 08:54:30 -0500 CDT
[14558] 2023/05/03 09:07:58.882058 [INF] Expires : Never
[14558] 2023/05/03 09:07:58.882063 [WRN] Trusted Operators should utilize a System Account
[14558] 2023/05/03 09:07:58.883765 [INF] Listening for client connections on 0.0.0.0:4222
[14558] 2023/05/03 09:07:58.883990 [INF] Server is ready
> /tmp> nats-pub -creds /tmp/u.creds hello world
Published [hello] : 'world'
```
aricart commented
Note in my case, I did import the key and the jwt (as you say you did) but in my case the key also printed in the creds.
Is it possible the key was not imported?
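A pre-flight check for the situation discussed in this thread, as an added example (not code from nsc or from either commenter): it reports whether a creds file carries both the user JWT section and the user NKEY seed section shown in the output above. `CheckCreds` and `Sample` are hypothetical names, the sample key and seed are constructed placeholders, and the check covers structure and key-type prefixes only, not signatures or whether the seed matches the JWT subject.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// One "-----BEGIN <name>-----" ... "------END <name>------" section of a creds file.
var section = regexp.MustCompile(`(?s)-+BEGIN ([A-Z ]+)-+\r?\n(.*?)\r?\n-+END [A-Z ]+-+`)

// CheckCreds returns the JWT "sub" (user public key) and an error if a section is missing or malformed.
func CheckCreds(creds string) (string, error) {
	parts := map[string]string{}
	for _, m := range section.FindAllStringSubmatch(creds, -1) {
		parts[m[1]] = strings.TrimSpace(m[2])
	}
	seg := strings.Split(parts["NATS USER JWT"], ".")
	if len(seg) != 3 {
		return "", errors.New("missing or malformed user JWT section")
	}
	raw, err := base64.RawURLEncoding.DecodeString(seg[1])
	var claims struct{ Sub string `json:"sub"` }
	if err != nil || json.Unmarshal(raw, &claims) != nil || !strings.HasPrefix(claims.Sub, "U") {
		return "", errors.New("JWT claims do not decode to a user public key in sub")
	}
	if !strings.HasPrefix(parts["USER NKEY SEED"], "SU") {
		return claims.Sub, errors.New("missing or malformed user NKEY seed section")
	}
	return claims.Sub, nil
}

// Sample builds a constructed creds file; the key and seed are placeholders, not real secrets.
func Sample(withSeed bool) string {
	claims := base64.RawURLEncoding.EncodeToString([]byte(`{"sub":"UEXAMPLEUSERKEY"}`))
	out := "-----BEGIN NATS USER JWT-----\nhdr." + claims + ".sig\n------END NATS USER JWT------\n\n"
	if withSeed {
		out += "-----BEGIN USER NKEY SEED-----\nSUEXAMPLESEED\n------END USER NKEY SEED------\n"
	}
	return out
}

func main() {
	_, err := CheckCreds(Sample(false)) // JWT section only, followed by an empty line
	fmt.Println("JWT-only creds file:", err)
}
```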