Describe account does not enforce/indicate account token position on exports
I was trying to import `$SYS.ACCOUNT.*.>` from the `SYS` account generated by `nsc init`.
As you can see, `nsc describe -a SYS` shows the export exists and is public:
```
+---------------------------------------------------------------------------------------------------------+
|                                                 Exports                                                 |
+-----------------------------+------------------+----------------------+--------+-------------+----------+
| Name                        | Type             | Subject              | Public | Revocations | Tracking |
+-----------------------------+------------------+----------------------+--------+-------------+----------+
| account-monitoring-streams  | Stream           | $SYS.ACCOUNT.*.>     | Yes    | 0           | N/A      |
| account-monitoring-services | Service [Stream] | $SYS.REQ.ACCOUNT.*.* | Yes    | 0           | -        |
+-----------------------------+------------------+----------------------+--------+-------------+----------+
```
Importing into a separate account worked without error:
```
+--------------------------------------------------------------------------------------------------------+
|                                                Imports                                                 |
+--------------------+--------+------------------+---------------------+---------+--------------+--------+
| Name               | Type   | Remote           | Local               | Expires | From Account | Public |
+--------------------+--------+------------------+---------------------+---------+--------------+--------+
| account-monitoring | Stream | $SYS.ACCOUNT.*.> | MONITOR.ACCOUNT.*.> |         | SYS          | Yes    |
+--------------------+--------+------------------+---------------------+---------+--------------+--------+
```
Any attempt to subscribe to the imported subject resulted in no messages. It was only after increasing the logging in the server that I saw the following:
```
[73710] 2023/08/04 10:29:53.283150 [DBG] Adding stream import AASCZ5OPU3UGCJWPPCMQKJNNXFPCIS44D7BGD7QLLL4XD4JSKUNUHLHJ/SYS:"$SYS.ACCOUNT.*.>" for ABDQJCVGUR2P3543AETT5E5W7DHGBMBPTOP72SSV5E4OPFK44VXKPN3W/nits:"MONITOR.ACCOUNT.*.>"
[73710] 2023/08/04 10:29:53.283155 [DBG] Error adding stream import to account [ABDQJCVGUR2P3543AETT5E5W7DHGBMBPTOP72SSV5E4OPFK44VXKPN3W/nits]: stream import not authorized
```
After checking out and running `nats-server` locally with breakpoints enabled, I could discern that the import was failing because of an account position restriction on the `$SYS.ACCOUNT.*.>` export from the `SYS` account:
Lines 338 to 346 in d88edca
This was not indicated when describing the `SYS` account, nor was it enforced when using `nsc add export`.
It doesn't look like it's currently possible to enforce the presence of the account token when importing since you only have the source account's public key and not their claims.
#598 adds the account token position to the text output. The JSON output already includes the account token position.
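The following pre-flight check is an added example, not part of the thread and not code from nsc or nats-server. It assumes the export's `account_token_position` is the 1-based token of the import's remote subject that must equal the importing account's public key; the sample export list, its position value of 3, and the `demo.public.>` export are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample shaped like export entries in account claims JSON; the position 3 is an assumption.
const sampleExports = `[{"subject":"$SYS.ACCOUNT.*.>","account_token_position":3},{"subject":"demo.public.>"}]`

// covers reports whether every subject matched by imp is also matched by exp.
func covers(exp, imp []string) bool {
	for i, t := range exp {
		if i < len(imp) && t == ">" {
			return true
		}
		if i >= len(imp) || imp[i] == ">" || (t != "*" && t != imp[i]) {
			return false
		}
	}
	return len(exp) == len(imp)
}

// CheckImport returns "" if importing remote into account importer passes, else the reason for refusal.
func CheckImport(exportsJSON, remote, importer string) string {
	var exports []struct {
		Subject string `json:"subject"`
		Pos     int    `json:"account_token_position"`
	}
	if json.Unmarshal([]byte(exportsJSON), &exports) != nil {
		return "invalid exports JSON"
	}
	rt := strings.Split(remote, ".")
	for _, e := range exports {
		if covers(strings.Split(e.Subject, "."), rt) {
			if e.Pos > 0 && (e.Pos > len(rt) || rt[e.Pos-1] != importer) {
				return fmt.Sprintf("export %q requires importer key at token %d of %q", e.Subject, e.Pos, remote)
			}
			return ""
		}
	}
	return "no export covers " + remote
}

func main() {
	me := "ABDQJCVGUR2P3543AETT5E5W7DHGBMBPTOP72SSV5E4OPFK44VXKPN3W" // importing account key from the log above
	fmt.Println(CheckImport(sampleExports, "$SYS.ACCOUNT.*.>", me))
	fmt.Println(CheckImport(sampleExports, "$SYS.ACCOUNT."+me+".>", me))
}
```

Run against the export list taken from the exporting account's JSON claims, this flags the wildcard import from the issue before the server silently refuses it at debug log level.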