nats-io/nsc

Describe account does not enforce/indicate account token position on exports

Closed this issue · 1 comment

I was trying to import $SYS.ACCOUNT.*.> from the SYS account generated by nsc init.

As you can see, nsc describe -a SYS shows the export exists and is public:

+---------------------------------------------------------------------------------------------------------+
|                                                 Exports                                                 |
+-----------------------------+------------------+----------------------+--------+-------------+----------+
| Name                        | Type             | Subject              | Public | Revocations | Tracking |
+-----------------------------+------------------+----------------------+--------+-------------+----------+
| account-monitoring-streams  | Stream           | $SYS.ACCOUNT.*.>     | Yes    | 0           | N/A      |
| account-monitoring-services | Service [Stream] | $SYS.REQ.ACCOUNT.*.* | Yes    | 0           | -        |
+-----------------------------+------------------+----------------------+--------+-------------+----------+

Importing into a separate account worked without error:

+--------------------------------------------------------------------------------------------------------+
|                                                Imports                                                 |
+--------------------+--------+------------------+---------------------+---------+--------------+--------+
| Name               | Type   | Remote           | Local               | Expires | From Account | Public |
+--------------------+--------+------------------+---------------------+---------+--------------+--------+
| account-monitoring | Stream | $SYS.ACCOUNT.*.> | MONITOR.ACCOUNT.*.> |         | SYS          | Yes    |
+--------------------+--------+------------------+---------------------+---------+--------------+--------+

Any attempt to subscribe to the imported subject resulted in no messages. It was only after increasing the logging in the server that I saw the following:

[73710] 2023/08/04 10:29:53.283150 [DBG] Adding stream import AASCZ5OPU3UGCJWPPCMQKJNNXFPCIS44D7BGD7QLLL4XD4JSKUNUHLHJ/SYS:\"$SYS.ACCOUNT.*.>\" for ABDQJCVGUR2P3543AETT5E5W7DHGBMBPTOP72SSV5E4OPFK44VXKPN3W/nits:\"MONITOR.ACCOUNT.*.>\"
[73710] 2023/08/04 10:29:53.283155 [DBG] Error adding stream import to account [ABDQJCVGUR2P3543AETT5E5W7DHGBMBPTOP72SSV5E4OPFK44VXKPN3W/nits]: stream import not authorized"

After checking out and running nats-server locally with breakpoints enabled, I could discern that the import was failing because of an account position restriction on the $SYS.ACCOUNT.*.> export from the SYS account:

nsc/cmd/init.go

Lines 338 to 346 in d88edca

    }, &jwt.Export{
        Name:                 "account-monitoring-streams",
        Subject:              "$SYS.ACCOUNT.*.>",
        Type:                 jwt.Stream,
        AccountTokenPosition: 3,
        Info: jwt.Info{
            Description: `Account specific monitoring stream`,
            InfoURL:     "https://docs.nats.io/nats-server/configuration/sys_accounts",
        },

This was not indicated when describing the SYS account, nor was it enforced when using nsc add export.

It doesn't look like it's currently possible to enforce the presence of the account token when importing since you only have the source account's public key and not their claims.
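To make the token position rule concrete, the following Go program is an added editorial example; it is not code from nsc, nats-server or the jwt library. It models the two halves of the rule as the issue describes them: on the export side, a non-zero AccountTokenPosition must point at a "*" token of the export subject, and on the import side, the token at that position in the import's remote subject must equal the importing account's public key (the local subject the import is mapped to plays no part). The Export type, the subsetOf matcher and the helper functions are my own simplifications of how I understand the server's check, not the jwt library's API. The two account public keys are the ones that appear in the debug log lines above.

```go
package main

import (
	"fmt"
	"strings"
)

// Account public keys taken from the debug log lines quoted in the issue.
const (
	SysAccount  = "AASCZ5OPU3UGCJWPPCMQKJNNXFPCIS44D7BGD7QLLL4XD4JSKUNUHLHJ"
	NitsAccount = "ABDQJCVGUR2P3543AETT5E5W7DHGBMBPTOP72SSV5E4OPFK44VXKPN3W"
)

// Export is a hypothetical stand-in for the jwt.Export fields that matter here.
type Export struct {
	Name                 string
	Subject              string
	AccountTokenPosition uint // 1-based token index; 0 means no restriction
}

// SysMonitoringExport reproduces the export from nsc/cmd/init.go quoted above.
var SysMonitoringExport = Export{
	Name:                 "account-monitoring-streams",
	Subject:              "$SYS.ACCOUNT.*.>",
	AccountTokenPosition: 3,
}

// ValidateExport applies the export-side rule: a non-zero position must point
// at a "*" token of the export subject, which is the slot the importing
// account's public key will have to fill.
func ValidateExport(e Export) error {
	if e.AccountTokenPosition == 0 {
		return nil
	}
	tokens := strings.Split(e.Subject, ".")
	pos := e.AccountTokenPosition
	if pos > uint(len(tokens)) {
		return fmt.Errorf("export %q: token position %d exceeds subject %q", e.Name, pos, e.Subject)
	}
	if tk := tokens[pos-1]; tk != "*" {
		return fmt.Errorf("export %q: token position %d is %q, must be a * in %q", e.Name, pos, tk, e.Subject)
	}
	return nil
}

// subsetOf reports whether every subject matched by remote is also matched by
// export, i.e. the import is not broader than the export it draws from.
func subsetOf(remote, export string) bool {
	rt := strings.Split(remote, ".")
	et := strings.Split(export, ".")
	for i, e := range et {
		if e == ">" {
			return len(rt) > i // ">" covers one or more remaining tokens
		}
		if i >= len(rt) || rt[i] == ">" {
			return false
		}
		if e != "*" && e != rt[i] {
			return false
		}
	}
	return len(rt) == len(et)
}

// ImportAuthorized applies the import-side rule: the token at the export's
// account position in the import's remote subject must be the importing
// account's public key. A "*" at that position (as in the issue) is rejected.
func ImportAuthorized(e Export, remoteSubject, importerPubKey string) bool {
	if !subsetOf(remoteSubject, e.Subject) {
		return false
	}
	if e.AccountTokenPosition == 0 {
		return true // public export without a position restriction
	}
	tokens := strings.Split(remoteSubject, ".")
	pos := e.AccountTokenPosition
	return pos <= uint(len(tokens)) && tokens[pos-1] == importerPubKey
}

// SuggestedRemoteSubject is the remote subject an importer has to use: the
// export subject with the importer's own key substituted at the position.
func SuggestedRemoteSubject(e Export, importerPubKey string) (string, error) {
	if err := ValidateExport(e); err != nil {
		return "", err
	}
	if e.AccountTokenPosition == 0 {
		return e.Subject, nil
	}
	tokens := strings.Split(e.Subject, ".")
	tokens[e.AccountTokenPosition-1] = importerPubKey
	return strings.Join(tokens, "."), nil
}

func main() {
	e := SysMonitoringExport
	fmt.Printf("export %q from %s, token position %d\n", e.Subject, SysAccount, e.AccountTokenPosition)
	for _, remote := range []string{"$SYS.ACCOUNT.*.>", "$SYS.ACCOUNT." + NitsAccount + ".>"} {
		fmt.Printf("import %q by %s: authorized=%v\n", remote, NitsAccount, ImportAuthorized(e, remote, NitsAccount))
	}
	s, _ := SuggestedRemoteSubject(e, NitsAccount)
	fmt.Println("required remote subject:", s)
}
```

Running it reproduces the issue's outcome: the wildcard remote subject from the import table is denied (the third token is "*", not the nits account key), while an import whose remote subject carries the importing account's public key at token 3 is allowed. SuggestedRemoteSubject is the kind of hint an nsc add import could print once the token position is visible in describe output.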

#598 adds the account token position to the text output. The JSON output already includes the account token position.