`nsc pull` does not sign a self signed account
kimjarvis opened this issue · 1 comment
I was expecting `nsc pull` to sign a self signed account, in a similar way to `nsc import`. When a self signed account JWT is imported it is signed by the operator with either the Operator ID or the first operator signing key (why no control over which signing key to use?). However, when a self signed account is pulled no such signing occurs.
That is, the following actions cause the account A, which is self signed in $HOME/A to be signed in $HOME/O:
nsc describe account -n A --raw --output-file A.jwt -H $HOME/A
nsc import account --file A.jwt -H $HOME/O
There is an example and explanation of this process in the comments of #577.
However, the following actions do not cause the self signed account to be signed. The account JWT is simply pushed to the server via $SYS.REQ.CLAIMS.UPDATE and pulled again unchanged:
root@instance:/# nsc describe account A -H $HOME/C
+--------------------------------------------------------------------------------------+
| Account Details |
+---------------------------+----------------------------------------------------------+
| Name | A |
| Account ID | ADF2HJ5KHYFLBEAOBXRUBEW5I4OBZUN3PTWE3I3NDSI34OXUT76YSC2T |
| Issuer ID | ADF2HJ5KHYFLBEAOBXRUBEW5I4OBZUN3PTWE3I3NDSI34OXUT76YSC2T |
| Issued | 2023-04-22 22:36:07 UTC |
| Expires | |
+---------------------------+----------------------------------------------------------+
| Max Connections | Unlimited |
| Max Leaf Node Connections | Unlimited |
| Max Data | Unlimited |
| Max Exports | Unlimited |
| Max Imports | Unlimited |
| Max Msg Payload | Unlimited |
| Max Subscriptions | Unlimited |
| Exports Allows Wildcards | True |
| Disallow Bearer Token | False |
| Response Permissions | Not Set |
+---------------------------+----------------------------------------------------------+
| Jetstream | Disabled |
+---------------------------+----------------------------------------------------------+
| Imports | None |
| Exports | None |
+---------------------------+----------------------------------------------------------+
root@instance:/# nsc push -A -u nats://localhost:4222 -H $HOME/C
[ OK ] push to nats-server "nats://localhost:4222" using system account "SYS":
[ OK ] push A to nats-server with nats account resolver:
[ OK ] pushed "A" to nats-server ND7LQRS4JQ55RWVETLAMLHSNB6NXA7SGRNWZJEB23ETHPQ3347D4KWUQ: jwt updated
[ OK ] pushed to a total of 1 nats-server
[ OK ] push SYS to nats-server with nats account resolver:
[ OK ] pushed "SYS" to nats-server ND7LQRS4JQ55RWVETLAMLHSNB6NXA7SGRNWZJEB23ETHPQ3347D4KWUQ: jwt updated
[ OK ] pushed to a total of 1 nats-server
root@instance:/# nsc pull -A -H $HOME/O
[ OK ] pulled "A" from the account server:
[ OK ] stored account "SYS"
[ OK ] stored account "A"
root@instance:/# nsc describe account A -H $HOME/O
+--------------------------------------------------------------------------------------+
| Account Details |
+---------------------------+----------------------------------------------------------+
| Name | A |
| Account ID | ADF2HJ5KHYFLBEAOBXRUBEW5I4OBZUN3PTWE3I3NDSI34OXUT76YSC2T |
| Issuer ID | ADF2HJ5KHYFLBEAOBXRUBEW5I4OBZUN3PTWE3I3NDSI34OXUT76YSC2T |
| Issued | 2023-04-22 22:36:07 UTC |
| Expires | |
+---------------------------+----------------------------------------------------------+
| Max Connections | Unlimited |
| Max Leaf Node Connections | Unlimited |
| Max Data | Unlimited |
| Max Exports | Unlimited |
| Max Imports | Unlimited |
| Max Msg Payload | Unlimited |
| Max Subscriptions | Unlimited |
| Exports Allows Wildcards | True |
| Disallow Bearer Token | False |
| Response Permissions | Not Set |
+---------------------------+----------------------------------------------------------+
| Jetstream | Disabled |
+---------------------------+----------------------------------------------------------+
| Imports | None |
| Exports | None |
+---------------------------+----------------------------------------------------------+
I was expecting `nsc pull` to sign the self signed account but it did not. I was expecting this because the documentation for import Operator - Self Service Deployment Modes describes how to set up a system account on the client. I presumed that the reason for having a system account on the client was to push changes to accounts created on the client. In the self service model accounts created on the client are necessarily self signed. While it is possible to push changes to the accounts created on the clients, the process serves no purpose as the accounts are still unsigned when pulled by the administrator.
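The describe output above shows the tell-tale sign of the problem: Account ID and Issuer ID are identical both before the push and after the pull, so the operator store still holds a self signed JWT. The following added example (not part of nsc, nats-server or the original issue) is a small local check a practitioner can run against the raw JWTs in an nsc store to spot accounts that were pulled but never signed by the operator. It decodes the JWT payload only and does not verify the ed25519 signature, so it is a hygiene check on your own store, not a trust decision; the server performs the real verification. The operator key values and the dummy signature are constructed placeholders; the account ID and issue time are taken from the output in the issue.

```python
"""Flag NATS account JWTs in an nsc store that are still self signed.

Added example for the nsc pull/import discussion; not code from nsc.
Decodes the JWT payload (no signature verification) and compares the
issuer against the account's own key and the operator's trusted keys.
"""
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWTs strip base64url padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_payload(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def classify_account_jwt(token: str, operator_keys: set) -> str:
    """Return 'self-signed', 'operator-signed' or 'unknown-issuer'."""
    claims = decode_payload(token)
    nats = claims.get("nats", {})
    if nats.get("type") != "account":
        raise ValueError(f"not an account JWT: nats.type={nats.get('type')!r}")
    iss, sub = claims["iss"], claims["sub"]
    if iss == sub:
        # Issuer is the account itself: exactly what the issue shows after pull.
        return "self-signed"
    if iss in operator_keys:
        # Issued by the operator identity key or one of its signing keys.
        return "operator-signed"
    return "unknown-issuer"


def audit_store(tokens: dict, operator_keys: set) -> dict:
    """Classify a {account name: raw JWT} mapping, e.g. every account in an nsc store."""
    return {name: classify_account_jwt(tok, operator_keys) for name, tok in tokens.items()}


def make_unverified_token(claims: dict) -> str:
    """Build a constructed JWT for testing: real structure, dummy signature."""
    header = {"typ": "JWT", "alg": "ed25519-nkey"}
    signing_input = _b64url_encode(json.dumps(header).encode()) + "." + \
        _b64url_encode(json.dumps(claims).encode())
    return signing_input + "." + _b64url_encode(b"constructed-signature-not-valid")


# Account ID from the issue's describe output; operator keys are placeholders.
ACCOUNT_ID = "ADF2HJ5KHYFLBEAOBXRUBEW5I4OBZUN3PTWE3I3NDSI34OXUT76YSC2T"
OPERATOR_ID = "OCONSTRUCTED_OPERATOR_IDENTITY_KEY"       # constructed placeholder
OPERATOR_SIGNING_KEY = "OCONSTRUCTED_OPERATOR_SIGNING_KEY"  # constructed placeholder
TRUSTED_OPERATOR_KEYS = {OPERATOR_ID, OPERATOR_SIGNING_KEY}

# iat matches "Issued 2023-04-22 22:36:07 UTC" in the issue; everything else constructed.
SELF_SIGNED_JWT = make_unverified_token({
    "jti": "constructed-jti-1", "iat": 1682202967, "iss": ACCOUNT_ID,
    "name": "A", "sub": ACCOUNT_ID, "nats": {"type": "account", "version": 2},
})
OPERATOR_SIGNED_JWT = make_unverified_token({
    "jti": "constructed-jti-2", "iat": 1682202967, "iss": OPERATOR_SIGNING_KEY,
    "name": "A", "sub": ACCOUNT_ID, "nats": {"type": "account", "version": 2},
})

if __name__ == "__main__":
    import sys
    # Feed it raw JWTs, one per line, e.g. from: nsc describe account A --raw -H $HOME/O
    for line in sys.stdin:
        tok = line.strip()
        if tok:
            print(classify_account_jwt(tok, TRUSTED_OPERATOR_KEYS))
```

In practice, replace the placeholder operator keys with the operator's identity key and signing keys from your own operator store, then pipe the `--raw` output of `nsc describe account` into the script after each `nsc pull`; any account reported as `self-signed` still needs the `nsc import` step described above before the server will trust it.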
@kimjarvis neither the nats-server nor the system account does any kind of signing; this requires an external process to generate and issue the JWT, which could be as simple as emailing the self-signed JWT and the operator signing it. In the case where there's an account server involved, the sign-in request would be sent via HTTP, and the service would on-board the account.