nats-io / nats-account-server Goto Github PK

Hello maintainers,
I would appreciate clarification on the primary/replica setup. From what I gather, there should be a single primary only. Any number of replicas that would download the token store from the primary on start.
Say I enable writable token store on both primary and replicas. The primary is at primary example com, and many replicas are behind a loadbalancer at replica.example.com. The loadbalancer uses simple random routing. What happens if i try to upload a token to replica.example.com? Would the primary now contain the uploaded token? In other words, is the primary's sole purpose a source for new replicas to sync up to?

nats-account-server can currently not be run as a Windows Service. Starting a nats-account-server as Windows Service currently gives the following error:
Windows could not start the MyNAS service on Local Computer.
Error 1053: The service did not respond to the start or control request in a timely fashion.

We believe this to be because "ServiceMain" is not implemented in this project.
There are workarounds for this like nssm but it would be prefered this is not needed. nats-server can currently already run as a windows service and it would be nice if nats-account-server could as well.

Hi guys,

JWT Custom folder use.
/jwt/v1/activations POST Use algorithm HS256.
Error ; [ERR] bad activation JWT in request - unexpected "HS256" algorithm
change type; ed25519
after this problem;
bad activation JWT in request - claim failed signature verification.

Have you ever faced this problem?
I am trying to create tokens via JWT with PHP.

merge may not be doable, or may be tricky but the initial pack should be doable

Is it possible to setup an official Docker Hub repo?

Hi all,

I am using the nats-account-server version 0.8.4. If the server is running while doing a revocation using nsc tool, the nats-account-server stops and throws an error:

2020/11/22 18:44:02.555349 [INF] loading configuration from "/home/ubuntu/natsaccountserver.conf"
2020/11/22 18:44:02.556384 [INF] starting NATS Account server, version 0.8.4
2020/11/22 18:44:02.558303 [INF] server time is Sun Nov 22 18:44:02 CET 2020
2020/11/22 18:44:02.559107 [INF] loading operator from /home/ubuntu/.nsc/nats/something/something.jwt
2020/11/22 18:44:02.564659 [INF] loading system account from /home/ubuntu/.nsc/nats/something/accounts/SYS/SYS.jwt
2020/11/22 18:44:02.568421 [INF] creating a read-only store for the NSC folder at /home/ubuntu/.nsc/nats/something
2020/11/22 18:44:02.569964 [INF] connecting to NATS for notifications
2020/11/22 18:44:02.604849 [INF] connected to NATS for account and activation notifications
2020/11/22 18:44:02.608459 [INF] http listening on port 9090
2020/11/22 18:44:02.609303 [INF] nats-account-server is running
2020/11/22 18:44:02.610130 [INF] configure the nats-server with:
2020/11/22 18:44:02.611052 [INF]   resolver: URL(http://localhost:9090/jwt/v1/accounts/)
2020/11/22 18:45:09.961708 [ERR] The NSC store encountered an error, shutting down ...
2020/11/22 18:45:09.961765 [INF] stopping account server
2020/11/22 18:45:09.962008 [INF] disconnected from NATS
2020/11/22 18:45:09.962037 [INF] stopping http server
2020/11/22 18:45:09.962183 [INF] http server stopped
2020/11/22 18:45:09.962219 [ERR] error closing listener: close tcp 127.0.0.1:9090: use of closed network connection
2020/11/22 18:45:09.962246 [INF] http stopped
2020/11/22 18:45:09.976430 [INF] closed JWT store
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x60 pc=0x7a69ef]

goroutine 10 [running]:
github.com/nats-io/nats-account-server/server/store.(*NSCJWTStore).startWatching.func1(0xc0000ecab0, 0xc0000582a0)
	/Users/waldemarquevedo/repos/nats-dev/src/github.com/nats-io/nats-account-server/server/store/nscstore.go:125 +0x32f
created by github.com/nats-io/nats-account-server/server/store.(*NSCJWTStore).startWatching
	/Users/waldemarquevedo/repos/nats-dev/src/github.com/nats-io/nats-account-server/server/store/nscstore.go:103 +0x2b0

The nsc command I use to do the revocation is: nsc revocations add_user --name simple

Instead of pointing to location of file which requires a volume in k8s for example

Flags that accepts a file/dir path do not resolve ~ or . or ..

The host port in the config doesn't work (port will always autogenerate)
Also there's a stutter in the configuration:

http: {
 http: {
     port: x
     host: y
 }
}

Tried embedding the HostPort struct to see if the config parser would be happy - I noticed that it parses the map correctly however the apply doesn't work likely because of other logic trying to manage the embedded struct.

I tried this:

nats-account-server -nats "nats://foo:1234" -c config.conf

With a config file that specified localhost:4222. It connected to the local NATS server running at 4222. The command line parameter is ignored. This makes the account server impossible to run from within a docker image.

The v1.0.0 release has some issues, some are fixed in master, e.g.

• wrong golang version in Dockerfile FROM golang:1.12.4 AS builder, should be >= 1.16, fixed in master
• staticcheck fails (PR approved, but not merged)

This means the 1.0.0 release was never fully tested and since Mar 18 nobody has tried to fire up make in CI.

Could you please add some info to the repo release page to tell users to avoid the v1.0.0 release and use master?
And could you please merge #80 soon?

I am not sure if this 1.0.0 release is as embarrassing as i feel it is or if i am just angry to have wasted my time on this.

so when viewing decoded entries we get:

        "exports": [
            {
                "name": "abc",
                "subject": "a.b.c.\u003e",
                "type": "stream"
            }

go fix:

 buf := &bytes.Buffer{}
    encoder := json.NewEncoder(buf)
    encoder.SetEscapeHTML(false)
    err := encoder.Encode(conf)```

One question raised by the #48 is the extra complexity involving the need for https://github.com/fsnotify/fsnotify, and whether nsc and read-only functionality is needed.

The server provides two kinds of stores, nsc and dir where it watches for modifications and performs a reload (need verification for the dir case). Filesystem initiated reloads are developer use-cases.

If nas is relying on filesystem notifications for internal reloads, that functionality arguably should be dropped, as any CDN caching, should be performed by a proper CDN. This means that the nas server should respond correctly to http HEAD requests, and allow the CDN to operate as it normally does. Invalidation of the CDN and nas integration is a separate topic.

The nsc option allows easier developer experience, save that it requires the user to specify the directory for the operator JWT. While technically this is useful, it would be more seamless from the user's perspective to have nsc start the nats-account-server and supplying all the required information. More importantly, it would be more useful for nsc to supply a skeleton configuration for the nats-account-server and then push the account configurations to it. This more closely models the actual usage of the product.

version: NATS account server v1.0.0
golang: 1.16.6
staticcheck: v0.2.0

Following the recommended steps to build nats-account-server, i used the cmds

git clone --depth 1 --branch v1.0.0 https://github.com/nats-io/nats-account-server.git
cd nats-account-server
make

Make bails out of the staticcheck ./... part, crying out loud:

server/core/server.go:370:2: should replace this if statement with an unconditional strings.TrimSuffix (S1017)

This translates to line 376 in master:

	if strings.HasSuffix(primary, "/") {
		primary = primary[:len(primary)-1]
	}

What version of staticcheck are you using in your environment, that does not choke on the mentioned line?

Thank you for your feedback!

When the Account Server is connecting to Nats there is no clear log statement that says it connected to Nats. However, when I delete / recreate the Nats Server it shows that it disconnects and reconnects.

2019/11/14 03:45:07.947756 [�[32mINF�[0m] connecting to NATS for notifications
2019/11/14 03:45:07.992676 [�[31mERR�[0m] failed to connect to NATS, nats: no servers available for connection
2019/11/14 03:45:07.992694 [�[31mERR�[0m] will try to connect again in 5000 milliseconds
2019/11/14 03:45:12.992832 [�[32mINF�[0m] connecting to NATS for notifications
2019/11/14 03:47:44.128313 [�[0;93mWRN�[0m] nats disconnected
2019/11/14 03:48:14.622499 [�[0;93mWRN�[0m] nats reconnected

https://github.com/nats-io/nats-account-server#tlsconfig

Currently it starts and creates an in-memory store:

ls /tmp/bar.conf
ls: /tmp/bar.conf: No such file or directory

nats-account-server -c /tmp/bar.conf
2019/08/09 14:44:36.843171 [INF] loading configuration from "/tmp/bar.conf"
2019/08/09 14:44:36.843331 [INF] starting NATS Account server, version 0.8.0
2019/08/09 14:44:36.843354 [INF] server time is Fri Aug  9 14:44:36 PDT 2019
2019/08/09 14:44:36.843373 [INF] creating an in-memory store

If you use a configuration file, the default port of 9090 is not used.

To reproduce, just run with an empty config file.

$ touch oo.conf
$ nats-account-server -c oo.conf
2019/05/13 14:18:42.583273 [INF] loading configuration from "/Users/colinsullivan/go/src/github.com/nats-io/nats-account-server/oo.conf"
2019/05/13 14:18:42.583546 [INF] starting NATS Account server, version 0.0-dev
2019/05/13 14:18:42.583572 [INF] server time is Mon May 13 14:18:42 MDT 2019
2019/05/13 14:18:42.583583 [INF] creating an in-memory store
2019/05/13 14:18:42.583612 [INF] NATS is not configured, server will not fire notifications on update
2019/05/13 14:18:42.583961 [INF] http listening on port 61787
2019/05/13 14:18:42.583975 [INF] nats-account-server is running
2019/05/13 14:18:42.583980 [INF] configure the nats-server with:
2019/05/13 14:18:42.583992 [INF]   resolver: URL(http://127.0.0.1:61787/jwt/v1/accounts/)

When using the latest nsc against the latest nats-account-server release, nsc push -A returns that it failed to push to the remote server due to a 404 page error.

Shows up in server_test.go

creds := nsc.FormatConfig("User", userJWT, string(seed))

I was following the steps mentioned in the readme. I built the Docker image (after figuring out the missing steps of needing to cd into the folder) and ran docker run -v ~/.nsc/nats/<op name>:/<op name> -p 9090:9090 "nats-io/nats-account-server:0.5" -nsc /<op name> -nats docker.for.mac.host.internal:4222 -hp 0.0.0.0:9090 after taking quite a while to figure out that op is meant to be "operator". I'm then shown this error:
[ERR] Support for direct access of the nsc folder has been removed.

Guys, you've created a good software. But using it and figuring out the concepts is a nightmare. Please do a "hallway testing" of your documentation and tutorials to see how difficult it it is for someone to understand it. Also, there is a lot about the commands and the way components interact with each other that can be massively simplified.

For now, how does one get past this error and yet retain the ability to push JWT's to this server? My NSC is installed on my PC, with an operator and users configured. NATS is active as a Docker container with port 4222 exposed. Am only facing this issue with NAS.

I created an operator using nats-io/jwt/v2 library. Then I used that as operatorjwtpath in config file.
But when I started nats-account-server, it's showing unexpected "ed25519-nkey" algorithm for operator jwt.

$ cat nats-account-server.conf
operatorjwtpath: "/home/masud/go/src/github.com/masudur-rahman/demo-cloudevents/nats/confs/KO.jwt"
http {
    port: 9090
}
store {
    dir: "/tmp/as_store",
    readonly: false,
    shard: true
}

$ nats-account-server -c nats-account-server.conf
2020/09/14 16:34:16.412009 [INF] loading configuration from "/home/masud/nats-account-server.conf"
2020/09/14 16:34:16.412332 [INF] starting NATS Account server, version 0.8.4
2020/09/14 16:34:16.412378 [INF] server time is Mon Sep 14 16:34:16 +06 2020
2020/09/14 16:34:16.412409 [INF] loading operator from /home/masud/go/src/github.com/masudur-rahman/demo-cloudevents/nats/confs/KO.jwt
2020/09/14 16:34:16.412612 [ERR] unexpected "ed25519-nkey" algorithm
2020/09/14 16:34:16.412632 [INF] stopping account server
2020/09/14 16:34:16.412644 [INF] http stopped

NATS Account server, version 0.8.6

"-nsc" is missing: flag provided but not defined: -nsc

"-c" doesn't appear to read the config file.

The host and port setting in config file is still ignored. The standard host and port will be used.
When using the commandline parameter -hp everything works as expected.

nsc create operator -n X
nsc create account -n A
nsc create account -n SYS
nsc create user -n sys

Create a nats-account-server config nas.conf:

systemaccountjwtpath: "/users/synadia/.nsc/nats/X/accounts/SYS/SYS.jwt"
http {
	port: 9090
},
store {
	dir: "/tmp/as_store",
	readonly: false,
	shard: true
}
nats {
  servers: [nats://localhost:4222]
  usercredentials: "/Users/synadia/.nkeys/X/accounts/SYS/users/sys.creds"
}

Create a nats-server config server.conf:

operator: /users/synadia/.nsc/nats/X/X.jwt
resolver: URL(http://localhost:9090/jwt/v1/accounts/)
system_account: AAUR7CJU5WTR2RROXOJJFTJFJQPZ6B4VF2NOX6OQ6SQMPIKLQYQ7T37U

Start the various processes

> nats-account-server -c nas.conf
> nats-server -c server.conf

Use nsc to seed the account server

nsc push -A

<ctrl+z> the nats-server

The nats-account-server disconnects:

2019/05/31 16:37:28.631941 [WRN] nats disconnected
2019/05/31 16:37:28.632019 [ERR] nats connection closed, shutting down bridge
2019/05/31 16:37:28.632029 [INF] stopping account server
2019/05/31 16:37:28.632032 [INF] disconnected from NATS
2019/05/31 16:37:28.632035 [INF] stopping http server
2019/05/31 16:37:28.632090 [INF] http server stopped
2019/05/31 16:37:28.632100 [INF] http stopped
2019/05/31 16:37:28.632105 [INF] closed JWT store

Make these consistent. Current NATS Account Server:

operatorjwtpath: "./nsc/accounts/nats/KO/KO.jwt"
systemaccountjwtpath: "./nsc/accounts/nats/KO/accounts/SYS/SYS.jwt"

In NATS Server:

operator: eyJ0eXAiOiJqd3QiLCJhbGciOiJlZDI1NTE5In0.eyJqdGkiOiJI...
resolver: URL(http://external-nats-account-server:9090/jwt/v1/accounts/)
system_account: ABWYO322B3VDCKEFRVXWSIXXK6NZLY63XBAIZ34Q5HDU3VTDVVVPWCEV

when deploying the nats-account-server on kubernetes, we should make sure we don't lose accounts though we have three replicas and PVC setup.

it's not easy to setup a backup-restore strategy on pvc with low RPO and RTO, i wonder would it be possible to add a new db store like postgresql, as a result, it would be much easier for recovery.

Hello guys !
I'm sharing my experience with the Nats account server, hope we can find a solution.

The documentation says we should spawn the Account Server before the Nats cluster.

When we do so, the Account Server tries to talk with the not yet available Nats Cluster, and retries until it's ready
(that make sense to me so far).

However, until the communication is ready, the Account Server doesn't seem to expose it's port 9090, that's where it breaks for me.
The Account Server is stalled there, trying to talk to nats, without exposing it's port.

On the other end, the Nats Cluster tries to boot, but cannot boot because it can't reach the Account Server.

Account Server error message:

2020/01/31 15:49:48.373407 [ERR] failed to connect to NATS, nats: no servers available for connection
2020/01/31 15:49:48.373422 [ERR] will try to connect again in 5000 milliseconds

Cluster error message:
nats-server: /etc/nats-config/nats.conf:29:1: could not fetch <"http://nats-account-server.default.svc.cluster.local:9090/jwt/v1/accounts/">: Get http://nats-account-server.default.svc.cluster.local:9090/jwt/v1/accounts/: dial tcp 172.20.237.239:9090: connect: connection refused

In the documentation here, it seems to be explained as the "Chicken and egg" issue lol.
https://github.com/nats-io/nats-account-server#run

Documentation says : "The account server can be started with or without a NATS configuration, and will try to connect on a regular timer if it is configured to talk to NATS but can't find a server. This reconnect strategy allows us to avoid the chicken and egg problem where the NATS server requires its account resolver to be running but the account server can't find a valid nats-server to connect to."

If the Account Server would expose it's 9090 port first, and then tries to communicate with the Cluster, that issue would probably not happen ?

R.I Piennar found this "sequential order" that seems to be reflecting my issue :

Currently, seems the only way to work around this would be :

1. Start account server without config (so it will exposed 9090)
2. Start nats cluster
3. Shutdown account server, edit config to add nats cluster endpoint and start again.

Doesn't really make sense right ?
What you guys think, should we invert the order ? Will it break something ?

Thanks !
--jm

Resign JWT if self signed

trying out the replica mode for the nats-account-server and there seems to be an issue with 0.8.2 version
When starting the replica nats-account-server (0.8.2), it gives the following error

./go/bin/nats-account-server -c natsAccRepl.conf -DV -primary http://localhost:9090
2019/11/06 17:54:57.955890 [INF] loading configuration from "/Users/m0s00tx/natsAccRepl.conf"
2019/11/06 17:54:57.956159 [INF] starting NATS Account server, version 0.8.2
2019/11/06 17:54:57.956179 [INF] server time is Wed Nov 6 17:54:57 CST 2019
2019/11/06 17:54:57.956188 [INF] starting in replicated mode, with primary at http://localhost:9090
2019/11/06 17:54:57.956197 [INF] running in replicated mode without NATS notifications can result in delayed updates
2019/11/06 17:54:57.956201 [INF] loading operator from /Users/m0s00tx/nn/.nsc/nats/O/O.jwt
2019/11/06 17:54:57.957054 [INF] creating a store at /tmp/jwts
2019/11/06 17:54:57.957084 [INF] NATS is not configured, server will not fire notifications on update
2019/11/06 17:54:57.957091 [INF] grabbing initial JWT pack from primary http://localhost:9090
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x1406d73]

goroutine 1 [running]:
github.com/nats-io/nats-account-server/server/core.(*AccountServer).initializeFromPrimary(0xc0000b2ea0, 0x0, 0x0)
/Users/m0s00tx/go/src/github.com/nats-io/nats-account-server/server/core/server.go:449 +0x283
github.com/nats-io/nats-account-server/server/core.(*AccountServer).Start(0xc0000b2ea0, 0x0, 0x0)
/Users/m0s00tx/go/src/github.com/nats-io/nats-account-server/server/core/server.go:233 +0x72f
main.main()
/Users/m0s00tx/go/src/github.com/nats-io/nats-account-server/main.go:134 +0x855

Downgraded nats-account-server to 0.8.0, and everything runs as it should
Let me know if more details are required