
nsc account and user management

From a security standpoint, signing-key mode is the recommended way to manage NATS accounts and users:

  • Permissions live at the account level, so if a user's credentials leak, the user can be replaced quickly
  • Expiry dates can be set, so credentials are rotated on a schedule

In addition, managing users and permissions through nsc gives unified, global control, including control over subjects, so subjects cannot be added or removed at will.

Create the operator

/nsc # nsc add operator signoperator
[ OK ] generated and stored operator key "ODV4WGUF72JEXY5TY3DG2ZIX6HYJGKF2GMWEHK4FALG6B76X7LRSEOF6"
[ OK ] added operator "signoperator"
[ OK ] When running your own nats-server, make sure they run at least version 2.2.0
/nsc # nsc generate nkey --operator --store
OBPATKCCVZHM2CSMG5OGDC5D3JENHGHDRD4LP7ATF6B7NQ7LTCRRXN3C
operator key stored /nsc/nkeys/keys/O/BP/OBPATKCCVZHM2CSMG5OGDC5D3JENHGHDRD4LP7ATF6B7NQ7LTCRRXN3C.nk
/nsc # nsc edit operator --sk OBPATKCCVZHM2CSMG5OGDC5D3JENHGHDRD4LP7ATF6B7NQ7LTCRRXN3C
[ OK ] added signing key "OBPATKCCVZHM2CSMG5OGDC5D3JENHGHDRD4LP7ATF6B7NQ7LTCRRXN3C"
[ OK ] edited operator "signoperator"
/nsc # nsc describe operator
+---------------------------------------------------------------------------------+
|                                Operator Details                                 |
+----------------------+----------------------------------------------------------+
| Name                 | signoperator                                             |
| Operator ID          | ODV4WGUF72JEXY5TY3DG2ZIX6HYJGKF2GMWEHK4FALG6B76X7LRSEOF6 |
| Issuer ID            | ODV4WGUF72JEXY5TY3DG2ZIX6HYJGKF2GMWEHK4FALG6B76X7LRSEOF6 |
| Issued               | 2025-01-26 07:10:46 UTC                                  |
| Expires              |                                                          |
| Require Signing Keys | false                                                    |
+----------------------+----------------------------------------------------------+
| Signing Keys         |  OBPATKCCVZHM2CSMG5OGDC5D3JENHGHDRD4LP7ATF6B7NQ7LTCRRXN3C
+----------------------+----------------------------------------------------------+

Create an account

Note the -K argument below: OBPATKCCVZHM2CSMG5OGDC5D3JENHGHDRD4LP7ATF6B7NQ7LTCRRXN3C comes from the operator's signing keys

/nsc # nsc add account -n signacc  -K /nsc/nkeys/keys/O/BP/OBPATKCCVZHM2CSMG5OGDC5D3JENHGHDRD4LP7ATF6B7NQ7LTCRRXN3C.nk
[ OK ] generated and stored account key "ADPERO47PU2O4VLH2H46BGFRB47J2UMEMD2SWTVAOP63XNVOCICX4MKW"
[ OK ] added account "signacc"
/nsc # nsc generate nkey --account --store
AA6IIWBGC3T7BPUUMHFSB2TNK6YAFCXUY2IFPCGKU2FWC56D4HO475VP
account key stored /nsc/nkeys/keys/A/A6/AA6IIWBGC3T7BPUUMHFSB2TNK6YAFCXUY2IFPCGKU2FWC56D4HO475VP.nk
/nsc # nsc describe account
+--------------------------------------------------------------------------------------+
|                                   Account Details                                    |
+---------------------------+----------------------------------------------------------+
| Name                      | signacc                                                  |
| Account ID                | ADPERO47PU2O4VLH2H46BGFRB47J2UMEMD2SWTVAOP63XNVOCICX4MKW |
| Issuer ID                 | OBPATKCCVZHM2CSMG5OGDC5D3JENHGHDRD4LP7ATF6B7NQ7LTCRRXN3C |
| Issued                    | 2025-01-26 07:12:52 UTC                                  |
| Expires                   |                                                          |
+---------------------------+----------------------------------------------------------+
| Max Connections           | Unlimited                                                |
| Max Leaf Node Connections | Unlimited                                                |
| Max Data                  | Unlimited                                                |
| Max Exports               | Unlimited                                                |
| Max Imports               | Unlimited                                                |
| Max Msg Payload           | Unlimited                                                |
| Max Subscriptions         | Unlimited                                                |
| Exports Allows Wildcards  | True                                                     |
| Disallow Bearer Token     | False                                                    |
| Response Permissions      | Not Set                                                  |
+---------------------------+----------------------------------------------------------+
| Jetstream                 | Disabled                                                 |
+---------------------------+----------------------------------------------------------+
| Imports                   | None                                                     |
| Exports                   | None                                                     |
+---------------------------+----------------------------------------------------------+
| Tracing Context           | Disabled                                                 |
+---------------------------+----------------------------------------------------------+

/nsc # nsc edit account --sk AA6IIWBGC3T7BPUUMHFSB2TNK6YAFCXUY2IFPCGKU2FWC56D4HO475VP -K  /nsc/nkeys/keys/O/BP/OBPATKCCVZHM2CSMG5OGDC5D3JENHGHDRD4LP7ATF6B7NQ7LTCRRXN3C.nk
[ OK ] added signing key "AA6IIWBGC3T7BPUUMHFSB2TNK6YAFCXUY2IFPCGKU2FWC56D4HO475VP"
[ OK ] edited account "signacc"



The value of the user's -K argument is the account's .nk file.

Create a user

Note that the key comes from the account

nsc add user signuser -K  /nsc/nkeys/keys/A/A6/AA6IIWBGC3T7BPUUMHFSB2TNK6YAFCXUY2IFPCGKU2FWC56D4HO475VP.nk

Create the system account

The -K argument below likewise comes from the operator

nsc add account -n SIGNSYS  -K /nsc/nkeys/keys/O/BP/OBPATKCCVZHM2CSMG5OGDC5D3JENHGHDRD4LP7ATF6B7NQ7LTCRRXN3C.nk
nsc edit operator --system-account SIGNSYS


/nsc # nsc add account -n SIGNSYS  -K /nsc/nkeys/keys/O/BP/OBPATKCCVZHM2CSMG5OGDC5D3JENHGHDRD4LP7ATF6B7NQ7LTCRRXN3C.nk
[ OK ] generated and stored account key "ABVV7MCJSIL3NXOICTHWFVCXRHHJMBNTORTH2LITJC6CZASFAVMW2K6X"
[ OK ] added account "SIGNSYS"
/nsc # nsc edit operator --system-account SIGNSYS
[ OK ] set system account "ABVV7MCJSIL3NXOICTHWFVCXRHHJMBNTORTH2LITJC6CZASFAVMW2K6X"
[ OK ] edited operator "signoperator"

/nsc # nsc edit account --sk ABVV7MCJSIL3NXOICTHWFVCXRHHJMBNTORTH2LITJC6CZASFAVMW2K6X  -K /nsc/nkeys/keys/O/BP/OBPATKCCVZHM2CSMG5OGDC5D3JENHGHDRD4LP7ATF6B7NQ7LTCRRXN3C.nk
[ OK ] added signing key "ABVV7MCJSIL3NXOICTHWFVCXRHHJMBNTORTH2LITJC6CZASFAVMW2K6X"
[ OK ] edited account "SIGNSYS"
/nsc #  nsc describe account
+--------------------------------------------------------------------------------------+
|                                   Account Details                                    |
+---------------------------+----------------------------------------------------------+
| Name                      | SIGNSYS                                                  |
| Account ID                | ABVV7MCJSIL3NXOICTHWFVCXRHHJMBNTORTH2LITJC6CZASFAVMW2K6X |
| Issuer ID                 | OBPATKCCVZHM2CSMG5OGDC5D3JENHGHDRD4LP7ATF6B7NQ7LTCRRXN3C |
| Issued                    | 2025-01-26 07:27:05 UTC                                  |
| Expires                   |                                                          |
+---------------------------+----------------------------------------------------------+
| Signing Keys              | ABVV7MCJSIL3NXOICTHWFVCXRHHJMBNTORTH2LITJC6CZASFAVMW2K6X |
+---------------------------+----------------------------------------------------------+
| Max Connections           | Unlimited                                                |
| Max Leaf Node Connections | Unlimited                                                |
| Max Data                  | Unlimited                                                |
| Max Exports               | Unlimited                                                |
| Max Imports               | Unlimited                                                |
| Max Msg Payload           | Unlimited                                                |
| Max Subscriptions         | Unlimited                                                |
| Exports Allows Wildcards  | True                                                     |
| Disallow Bearer Token     | False                                                    |
| Response Permissions      | Not Set                                                  |
+---------------------------+----------------------------------------------------------+
| Jetstream                 | Disabled                                                 |
+---------------------------+----------------------------------------------------------+
| Imports                   | None                                                     |
| Exports                   | None                                                     |
+---------------------------+----------------------------------------------------------+
| Tracing Context           | Disabled                                                 |
+---------------------------+----------------------------------------------------------+

Create the resolver config for the server to start with

This resolver file is very important and must not be leaked.

/nsc # nsc generate config --nats-resolver > ./resolver.conf
/nsc # cat ./resolver.conf
# Operator named signoperator
operator: eyJ0eXAiOiJKV1QiLCJhbGciOiJlZDI1NTE5LW5rZXkifQ.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.IX4oshelXMAv2yiL7tgUt75WgNYiE2OKPqNVRxl1gVtDO3SEDpIQKjYroAngJ8BSc2wTsISesQhHf2SoNHISBA
# System Account named SIGNSYS
system_account: ABVV7MCJSIL3NXOICTHWFVCXRHHJMBNTORTH2LITJC6CZASFAVMW2K6X
# configuration of the nats based resolver
resolver {
    type: full
    # Directory in which the account jwt will be stored
    dir: './jwt'
    # In order to support jwt deletion, set to true
    # If the resolver type is full delete will rename the jwt.
    # This is to allow manual restoration in case of inadvertent deletion.
    # To restore a jwt, remove the added suffix .delete and restart or send a reload signal.
    # To free up storage you must manually delete files with the suffix .delete.
    allow_delete: false
    # Interval at which a nats-server with a nats based account resolver will compare
    # it's state with one random nats based account resolver in the cluster and if needed,
    # exchange jwt and converge on the same set of jwt.
    interval: "2m"
    # Timeout for lookup requests in case an account does not exist locally.
    timeout: "1.9s"
}
# Preload the nats based resolver with the system account jwt.
# This is not necessary but avoids a bootstrapping system account.
# This only applies to the system account. Therefore other account jwt are not included here.
# To populate the resolver:
# 1) make sure that your operator has the account server URL pointing at your nats servers.
#    The url must start with: "nats://"
#    nsc edit operator --account-jwt-server-url nats://localhost:4222
# 2) push your accounts using: nsc push --all
#    The argument to push -u is optional if your account server url is set as described.
# 3) to prune accounts use: nsc push --prune
#    In order to enable prune you must set above allow_delete to true
# Later changes to the system account take precedence over the system account jwt listed here.
resolver_preload: {
    ABVV7MCJSIL3NXOICTHWFVCXRHHJMBNTORTH2LITJC6CZASFAVMW2K6X: eyJ0eXAiOiJKV1QiLCJhbGciOiJlZDI1NTE5LW5rZXkifQ.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.CRIjJzoFKwwkyeZpY-c5dlAGOTE32IttKziPM54lwt5hbxPd_Wn7K_U-NdIepWaOTgQeiq6CFg48V1wicwAwDA,
}

push account

/nsc # nsc push --account signacc -u nats://192.168.157.130
[ OK ] push to nats-server "nats://192.168.157.130" using system account "SIGNSYS":
[ OK ] push signacc to nats-server with nats account resolver:
[ OK ] pushed "signacc" to nats-server ubuntu22-1: jwt updated
[ OK ] pushed "signacc" to nats-server ubuntu22-2: jwt updated
[ OK ] pushed to a total of 2 nats-server

Create a user and push

/nsc # nsc add user signsysuser -K ./nkeys/keys/A/BV/ABVV7MCJSIL3NXOICTHWFVCXRHHJMBNTORTH2LITJC6CZASFAVMW2K6X.nk
[ OK ] generated and stored user key "UCRW5B3ZBOQQZVA4P4IP4ZL2NCVMFCFQP7V77UZDITNG7TISIEDF66TG"
[ OK ] generated user creds file /nsc/nkeys/creds/signoperator/SIGNSYS/signsysuser.creds
[ OK ] added user "signsysuser" to account "SIGNSYS"

nsc push --account SIGNSYS -u nats://192.168.157.130
[ OK ] push to nats-server "nats://192.168.157.130" using system account "SIGNSYS":
[ OK ] push SIGNSYS to nats-server with nats account resolver:
[ OK ] pushed "SIGNSYS" to nats-server ubuntu22-1: jwt updated
[ OK ] pushed "SIGNSYS" to nats-server ubuntu22-2: jwt updated
[ OK ] pushed to a total of 2 nats-server

/nsc # find . -name "*.creds"
./nkeys/creds/signoperator/signacc/signuser.creds
./nkeys/creds/signoperator/SIGNSYS/signsysuser.creds
/nsc # nats server list --server=192.168.157.130 --creds=./nkeys/creds/signoperator/SIGNSYS/signsysuser.creds
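The operator, accounts and users created above form an issuer chain: each account JWT is issued by the operator's signing key, and each user JWT by the account's signing key, with an expiry that drives rotation. The following is an added example, not from this post or from nsc, that decodes such JWTs and checks the chain and the user's expiry before a creds file is handed out. The key IDs are the ones from the session above; the user key ID, the timestamps and the JWT contents are constructed, and the signatures are placeholders, so this checks claim consistency only, not signatures (signature verification needs the ed25519 public key from the issuer's nkey and a library such as nkeys).

```python
import base64
import json
import time

# Public key IDs from the nsc session on this page. The user key, the
# timestamps and the JWT contents below are constructed for this example.
OPERATOR_ID = "ODV4WGUF72JEXY5TY3DG2ZIX6HYJGKF2GMWEHK4FALG6B76X7LRSEOF6"
OPERATOR_SK = "OBPATKCCVZHM2CSMG5OGDC5D3JENHGHDRD4LP7ATF6B7NQ7LTCRRXN3C"
ACCOUNT_ID = "ADPERO47PU2O4VLH2H46BGFRB47J2UMEMD2SWTVAOP63XNVOCICX4MKW"
ACCOUNT_SK = "AA6IIWBGC3T7BPUUMHFSB2TNK6YAFCXUY2IFPCGKU2FWC56D4HO475VP"
SYS_ACCOUNT_ID = "ABVV7MCJSIL3NXOICTHWFVCXRHHJMBNTORTH2LITJC6CZASFAVMW2K6X"
USER_ID = "UCONSTRUCTEDUSERKEYPLACEHOLDER"  # placeholder, not a real nkey
NOW = 1737875600  # constructed reference time, about 2025-01-26 07:13 UTC


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build a JWT-shaped string with a placeholder signature (sample data only)."""
    header = {"typ": "JWT", "alg": "ed25519-nkey"}
    parts = [json.dumps(header).encode(), json.dumps(claims).encode(), b"placeholder-signature"]
    return ".".join(b64url(p) for p in parts)


def decode_claims(jwt: str) -> dict:
    """Decode the payload segment of a NATS JWT; this does NOT verify the signature."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_chain(operator_jwt: str, account_jwt: str, user_jwt: str, now=None) -> list:
    """Return a list of findings; an empty list means the chain is consistent."""
    now = time.time() if now is None else now
    op, acc, usr = (decode_claims(j) for j in (operator_jwt, account_jwt, user_jwt))
    findings = []
    # Keys allowed to issue accounts: the operator identity plus its signing keys.
    op_keys = {op["sub"], *op.get("nats", {}).get("signing_keys", [])}
    # Keys allowed to issue users: the account identity plus its signing keys.
    acc_keys = {acc["sub"], *acc.get("nats", {}).get("signing_keys", [])}
    if op["iss"] != op["sub"]:
        findings.append("operator JWT is not self-signed")
    if acc["iss"] not in op_keys:
        findings.append(f"account {acc['name']} issued by key {acc['iss']} unknown to the operator")
    if usr["iss"] not in acc_keys:
        findings.append(f"user {usr['name']} issued by key {usr['iss']} unknown to account {acc['name']}")
    elif usr["iss"] != acc["sub"] and usr.get("nats", {}).get("issuer_account") != acc["sub"]:
        # A user signed by an account signing key must name the account in issuer_account.
        findings.append(f"user {usr['name']} signed by a signing key but issuer_account is wrong")
    exp = usr.get("exp")
    if exp is None:
        findings.append(f"user {usr['name']} has no expiry; set one so credentials rotate")
    elif exp <= now:
        findings.append(f"user {usr['name']} expired at {exp}")
    return findings


# Constructed sample JWTs mirroring the chain built in the session above.
OPERATOR_JWT = make_unsigned_jwt({
    "iss": OPERATOR_ID, "sub": OPERATOR_ID, "name": "signoperator", "iat": NOW,
    "nats": {"type": "operator", "version": 2, "signing_keys": [OPERATOR_SK]},
})
ACCOUNT_JWT = make_unsigned_jwt({
    "iss": OPERATOR_SK, "sub": ACCOUNT_ID, "name": "signacc", "iat": NOW,
    "nats": {"type": "account", "version": 2, "signing_keys": [ACCOUNT_SK]},
})
USER_JWT = make_unsigned_jwt({
    "iss": ACCOUNT_SK, "sub": USER_ID, "name": "signuser", "iat": NOW, "exp": NOW + 30 * 86400,
    "nats": {"type": "user", "version": 2, "issuer_account": ACCOUNT_ID},
})
# Misconfiguration case: the user was created with -K pointing at the system account's key.
STRAY_USER_JWT = make_unsigned_jwt({
    "iss": SYS_ACCOUNT_ID, "sub": USER_ID, "name": "strayuser", "iat": NOW, "exp": NOW + 30 * 86400,
    "nats": {"type": "user", "version": 2, "issuer_account": SYS_ACCOUNT_ID},
})

if __name__ == "__main__":
    print(check_chain(OPERATOR_JWT, ACCOUNT_JWT, USER_JWT, now=NOW))
    print(check_chain(OPERATOR_JWT, ACCOUNT_JWT, STRAY_USER_JWT, now=NOW))
```

The same checks apply to a real creds file: the JWT is the block between the `-----BEGIN NATS USER JWT-----` markers, and the account and operator JWTs come from the nsc store, so the script can be pointed at real data once signature verification is added.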

Modify permissions and push

nsc edit account --allow-sub '*.>'
nsc push --account signacc -u nats://192.168.157.130
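Before pushing a permission change such as `--allow-sub '*.>'`, it helps to see exactly which subjects the pattern covers. The following is an added Python example, not part of the post or of nsc, that implements the NATS subject-matching rules (`*` matches exactly one token, `>` matches one or more trailing tokens, and deny entries take precedence over allow entries) so an allow/deny list can be evaluated against sample subjects offline. The sample subjects are constructed.

```python
def valid_subject(subject: str) -> bool:
    """A publishable subject has at least one token, no empty tokens and no whitespace."""
    return bool(subject) and " " not in subject and all(subject.split("."))


def subject_matches(pattern: str, subject: str) -> bool:
    """NATS wildcard matching: '*' is exactly one token, '>' is one or more trailing tokens."""
    ptoks = pattern.split(".")
    stoks = subject.split(".")
    for i, p in enumerate(ptoks):
        if p == ">":
            # '>' is only valid as the last token and needs at least one subject token left
            return i == len(ptoks) - 1 and len(stoks) > i
        if i >= len(stoks):
            return False
        if p != "*" and p != stoks[i]:
            return False
    return len(stoks) == len(ptoks)


def is_allowed(subject: str, allow: list, deny: list) -> bool:
    """Evaluate a subject against allow/deny lists; deny wins, an empty allow list means unrestricted."""
    if not valid_subject(subject):
        return False
    if any(subject_matches(d, subject) for d in deny):
        return False
    if not allow:
        return True
    return any(subject_matches(a, subject) for a in allow)


def evaluate(allow: list, deny: list, subjects: list) -> dict:
    """Map each sample subject to whether the permission set allows it."""
    return {s: is_allowed(s, allow, deny) for s in subjects}


# Constructed sample subjects; '$SYS.>' is the system account's subject space.
SAMPLE_SUBJECTS = ["orders", "orders.new", "orders.new.eu", "$SYS.REQ.SERVER.PING"]

if __name__ == "__main__":
    for subject, ok in evaluate(["*.>"], [], SAMPLE_SUBJECTS).items():
        print(f"{subject:25} {'allowed' if ok else 'denied'}")
```

Two points the output makes visible: `*.>` needs at least two tokens, so a single-token subject like `orders` is not covered, and it does cover `$SYS.>` subjects unless a deny entry excludes them.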


http://www.kler.cn/a/547257.html
