nsc account 及user管理

从安全角度，推荐使用sign 模式进行nats account及用户管理

• 把权限放到account level 用户密码泄露可以通过快速更换用户
• 可以设置过期日期，进行安全轮换

此外通过nsc 管理用户和权限，可以统一实现全局管控，包括subject管控，避免随意增减subject。

创建operator

/nsc # nsc add operator signoperator
[ OK ] generated and stored operator key "ODV4WGUF72JEXY5TY3DG2ZIX6HYJGKF2GMWEHK4FALG6B76X7LRSEOF6"
[ OK ] added operator "signoperator"
[ OK ] When running your own nats-server, make sure they run at least version 2.2.0
/nsc # nsc generate nkey --operator --store
OBPATKCCVZHM2CSMG5OGDC5D3JENHGHDRD4LP7ATF6B7NQ7LTCRRXN3C
operator key stored /nsc/nkeys/keys/O/BP/OBPATKCCVZHM2CSMG5OGDC5D3JENHGHDRD4LP7ATF6B7NQ7LTCRRXN3C.nk
/nsc # nsc edit operator --sk OBPATKCCVZHM2CSMG5OGDC5D3JENHGHDRD4LP7ATF6B7NQ7LTCRRXN3C
[ OK ] added signing key "OBPATKCCVZHM2CSMG5OGDC5D3JENHGHDRD4LP7ATF6B7NQ7LTCRRXN3C"
[ OK ] edited operator "signoperator"
/nsc # nsc describe operator
+---------------------------------------------------------------------------------+
|                                Operator Details                                 |
+----------------------+----------------------------------------------------------+
| Name                 | signoperator                                             |
| Operator ID          | ODV4WGUF72JEXY5TY3DG2ZIX6HYJGKF2GMWEHK4FALG6B76X7LRSEOF6 |
| Issuer ID            | ODV4WGUF72JEXY5TY3DG2ZIX6HYJGKF2GMWEHK4FALG6B76X7LRSEOF6 |
| Issued               | 2025-01-26 07:10:46 UTC                                  |
| Expires              |                                                          |
| Require Signing Keys | false                                                    |
+----------------------+----------------------------------------------------------+
| Signing Keys         |  OBPATKCCVZHM2CSMG5OGDC5D3JENHGHDRD4LP7ATF6B7NQ7LTCRRXN3C
+----------------------+----------------------------------------------------------+

创建account

注意下面的-K 参数： OBPATKCCVZHM2CSMG5OGDC5D3JENHGHDRD4LP7ATF6B7NQ7LTCRRXN3C来自operator 的singing keys

/nsc # nsc add account -n signacc  -K /nsc/nkeys/keys/O/BP/OBPATKCCVZHM2CSMG5OGDC5D3JENHGHDRD4LP7ATF6B7NQ7LTCRRXN3C.nk
[ OK ] generated and stored account key "ADPERO47PU2O4VLH2H46BGFRB47J2UMEMD2SWTVAOP63XNVOCICX4MKW"
[ OK ] added account "signacc"
/nsc # nsc generate nkey --account --store
AA6IIWBGC3T7BPUUMHFSB2TNK6YAFCXUY2IFPCGKU2FWC56D4HO475VP
account key stored /nsc/nkeys/keys/A/A6/AA6IIWBGC3T7BPUUMHFSB2TNK6YAFCXUY2IFPCGKU2FWC56D4HO475VP.nk
/nsc # nsc describe account
+--------------------------------------------------------------------------------------+
|                                   Account Details                                    |
+---------------------------+----------------------------------------------------------+
| Name                      | signacc                                                  |
| Account ID                | ADPERO47PU2O4VLH2H46BGFRB47J2UMEMD2SWTVAOP63XNVOCICX4MKW |
| Issuer ID                 | OBPATKCCVZHM2CSMG5OGDC5D3JENHGHDRD4LP7ATF6B7NQ7LTCRRXN3C |
| Issued                    | 2025-01-26 07:12:52 UTC                                  |
| Expires                   |                                                          |
+---------------------------+----------------------------------------------------------+
| Max Connections           | Unlimited                                                |
| Max Leaf Node Connections | Unlimited                                                |
| Max Data                  | Unlimited                                                |
| Max Exports               | Unlimited                                                |
| Max Imports               | Unlimited                                                |
| Max Msg Payload           | Unlimited                                                |
| Max Subscriptions         | Unlimited                                                |
| Exports Allows Wildcards  | True                                                     |
| Disallow Bearer Token     | False                                                    |
| Response Permissions      | Not Set                                                  |
+---------------------------+----------------------------------------------------------+
| Jetstream                 | Disabled                                                 |
+---------------------------+----------------------------------------------------------+
| Imports                   | None                                                     |
| Exports                   | None                                                     |
+---------------------------+----------------------------------------------------------+
| Tracing Context           | Disabled                                                 |
+---------------------------+----------------------------------------------------------+/nsc # nsc edit account --sk AA6IIWBGC3T7BPUUMHFSB2TNK6YAFCXUY2IFPCGKU2FWC56D4HO475VP -K  /nsc/nkeys/keys/O/BP/OBPATKCCVZHM2CSMG5OGDC5D3JENHGHDRD4LP7ATF6B7NQ7LTCRRXN3C.nk
[ OK ] added signing key "AA6IIWBGC3T7BPUUMHFSB2TNK6YAFCXUY2IFPCGKU2FWC56D4HO475VP"
[ OK ] edited account "signacc"/nsc # nsc generate nkey --account --store
AA6IIWBGC3T7BPUUMHFSB2TNK6YAFCXUY2IFPCGKU2FWC56D4HO475VP
account key stored **/nsc/nkeys/keys/A/A6/AA6IIWBGC3T7BPUUMHFSB2TNK6YAFCXUY2IFPCGKU2FWC56D4HO475VP.nk**
/n
--
value of user 's  arg -K is account's nk 

创建用户

注意key来自account

nsc add user signuser -K  /nsc/nkeys/keys/A/A6/AA6IIWBGC3T7BPUUMHFSB2TNK6YAFCXUY2IFPCGKU2FWC56D4HO475VP.nk

创建System account

下面-K 参数同样来自operator

nsc add account -n SIGNSYS  -K /nsc/nkeys/keys/O/BP/OBPATKCCVZHM2CSMG5OGDC5D3JENHGHDRD4LP7ATF6B7NQ7LTCRRXN3C.nk
nsc edit operator --system-account SIGNSYS/nsc # nsc add account -n SIGNSYS  -K /nsc/nkeys/keys/O/BP/OBPATKCCVZHM2CSMG5OGDC5D3JENHGHDRD4LP7ATF6B7NQ7LTCRRXN3C.nk
[ OK ] generated and stored account key "ABVV7MCJSIL3NXOICTHWFVCXRHHJMBNTORTH2LITJC6CZASFAVMW2K6X"
[ OK ] added account "SIGNSYS"
/nsc # nsc edit operator --system-account SIGNSYS
[ OK ] set system account "ABVV7MCJSIL3NXOICTHWFVCXRHHJMBNTORTH2LITJC6CZASFAVMW2K6X"
[ OK ] edited operator "signoperator"/nsc # nsc edit account --sk ABVV7MCJSIL3NXOICTHWFVCXRHHJMBNTORTH2LITJC6CZASFAVMW2K6X  -K /nsc/nkeys/keys/O/BP/OBPATKCCVZHM2CSMG5OGDC5D3JENHGHDRD4LP7ATF6B7NQ7LTCRRXN3C.nk
[ OK ] added signing key "ABVV7MCJSIL3NXOICTHWFVCXRHHJMBNTORTH2LITJC6CZASFAVMW2K6X"
[ OK ] edited account "SIGNSYS"
/nsc #  nsc describe account
+--------------------------------------------------------------------------------------+
|                                   Account Details                                    |
+---------------------------+----------------------------------------------------------+
| Name                      | SIGNSYS                                                  |
| Account ID                | ABVV7MCJSIL3NXOICTHWFVCXRHHJMBNTORTH2LITJC6CZASFAVMW2K6X |
| Issuer ID                 | OBPATKCCVZHM2CSMG5OGDC5D3JENHGHDRD4LP7ATF6B7NQ7LTCRRXN3C |
| Issued                    | 2025-01-26 07:27:05 UTC                                  |
| Expires                   |                                                          |
+---------------------------+----------------------------------------------------------+
| Signing Keys              | ABVV7MCJSIL3NXOICTHWFVCXRHHJMBNTORTH2LITJC6CZASFAVMW2K6X |
+---------------------------+----------------------------------------------------------+
| Max Connections           | Unlimited                                                |
| Max Leaf Node Connections | Unlimited                                                |
| Max Data                  | Unlimited                                                |
| Max Exports               | Unlimited                                                |
| Max Imports               | Unlimited                                                |
| Max Msg Payload           | Unlimited                                                |
| Max Subscriptions         | Unlimited                                                |
| Exports Allows Wildcards  | True                                                     |
| Disallow Bearer Token     | False                                                    |
| Response Permissions      | Not Set                                                  |
+---------------------------+----------------------------------------------------------+
| Jetstream                 | Disabled                                                 |
+---------------------------+----------------------------------------------------------+
| Imports                   | None                                                     |
| Exports                   | None                                                     |
+---------------------------+----------------------------------------------------------+
| Tracing Context           | Disabled                                                 |
+---------------------------+----------------------------------------------------------+

创建resolver 供server启动

这个resolve文件非常重要，不能泄露

/nsc # nsc generate config --nats-resolver > ./resolver.conf
/nsc # cat ./resolver.conf
Operator named signoperator
operator: eyJ0eXAiOiJKV1QiLCJhbGciOiJlZDI1NTE5LW5rZXkifQ.eyJqdGkiOiJHQU9BQkVCTUJXUEI3U1BBWjNNVVFaV0FUM1FXMkJGSzdOUk1EUVJDTFdGRTQ1U0E2SEdRIiwiaWF0IjoxNzM3ODc2MzUxLCJpc3MiOiJPRFY0V0dVRjcySkVYWTVUWTNERzJaSVg2SFlKR0tGMkdNV0VISzRGQUxHNkI3Nlg3TFJTRU9GNiIsIm5hbWUiOiJzaWdub3BlcmF0b3IiLCJzdWIiOiJPRFY0V0dVRjcySkVYWTVUWTNERzJaSVg2SFlKR0tGMkdNV0VISzRGQUxHNkI3Nlg3TFJTRU9GNiIsIm5hdHMiOnsic2lnbmluZ19rZXlzIjpbIk9CUEFUS0NDVlpITTJDU01HNU9HREM1RDNKRU5IR0hEUkQ0TFA3QVRGNkI3TlE3TFRDUlJYTjNDIl0sInN5c3RlbV9hY2NvdW50IjoiQUJWVjdNQ0pTSUwzTlhPSUNUSFdGVkNYUkhISk1CTlRPUlRIMkxJVEpDNkNaQVNGQVZNVzJLNlgiLCJ0eXBlIjoib3BlcmF0b3IiLCJ2ZXJzaW9uIjoyfX0.IX4oshelXMAv2yiL7tgUt75WgNYiE2OKPqNVRxl1gVtDO3SEDpIQKjYroAngJ8BSc2wTsISesQhHf2SoNHISBA
System Account named SIGNSYS
system_account: ABVV7MCJSIL3NXOICTHWFVCXRHHJMBNTORTH2LITJC6CZASFAVMW2K6X
configuration of the nats based resolver
resolver {
type: full
# Directory in which the account jwt will be stored
dir: './jwt'
# In order to support jwt deletion, set to true
# If the resolver type is full delete will rename the jwt.
# This is to allow manual restoration in case of inadvertent deletion.
# To restore a jwt, remove the added suffix .delete and restart or send a reload signal.
# To free up storage you must manually delete files with the suffix .delete.
allow_delete: false
# Interval at which a nats-server with a nats based account resolver will compare
# it's state with one random nats based account resolver in the cluster and if needed,
# exchange jwt and converge on the same set of jwt.
interval: "2m"
# Timeout for lookup requests in case an account does not exist locally.
timeout: "1.9s"
}
Preload the nats based resolver with the system account jwt.
This is not necessary but avoids a bootstrapping system account.
This only applies to the system account. Therefore other account jwt are not included here.
To populate the resolver:
1) make sure that your operator has the account server URL pointing at your nats servers.
The url must start with: "nats://"
nsc edit operator --account-jwt-server-url nats://localhost:4222
2) push your accounts using: nsc push --all
The argument to push -u is optional if your account server url is set as described.
3) to prune accounts use: nsc push --prune
In order to enable prune you must set above allow_delete to true
Later changes to the system account take precedence over the system account jwt listed here.
resolver_preload: {
ABVV7MCJSIL3NXOICTHWFVCXRHHJMBNTORTH2LITJC6CZASFAVMW2K6X: eyJ0eXAiOiJKV1QiLCJhbGciOiJlZDI1NTE5LW5rZXkifQ.eyJqdGkiOiI3T1NSQlRLUVNJN1FNTDRORTdRWDIyUzJYS0s2UUhNSDM1QzdaT0dHNDQyT0NPTjVQUEhBIiwiaWF0IjoxNzM3ODc2NDI1LCJpc3MiOiJPQlBBVEtDQ1ZaSE0yQ1NNRzVPR0RDNUQzSkVOSEdIRFJENExQN0FURjZCN05RN0xUQ1JSWE4zQyIsIm5hbWUiOiJTSUdOU1lTIiwic3ViIjoiQUJWVjdNQ0pTSUwzTlhPSUNUSFdGVkNYUkhISk1CTlRPUlRIMkxJVEpDNkNaQVNGQVZNVzJLNlgiLCJuYXRzIjp7ImxpbWl0cyI6eyJzdWJzIjotMSwiZGF0YSI6LTEsInBheWxvYWQiOi0xLCJpbXBvcnRzIjotMSwiZXhwb3J0cyI6LTEsIndpbGRjYXJkcyI6dHJ1ZSwiY29ubiI6LTEsImxlYWYiOi0xfSwic2lnbmluZ19rZXlzIjpbIkFCVlY3TUNKU0lMM05YT0lDVEhXRlZDWFJISEpNQk5UT1JUSDJMSVRKQzZDWkFTRkFWTVcySzZYIl0sImRlZmF1bHRfcGVybWlzc2lvbnMiOnsicHViIjp7fSwic3ViIjp7fX0sImF1dGhvcml6YXRpb24iOnt9LCJ0eXBlIjoiYWNjb3VudCIsInZlcnNpb24iOjJ9fQ.CRIjJzoFKwwkyeZpY-c5dlAGOTE32IttKziPM54lwt5hbxPd_Wn7K_U-NdIepWaOTgQeiq6CFg48V1wicwAwDA,
}

push account

/nsc # nsc push --account signacc -u nats://192.168.157.130
[ OK ] push to nats-server "nats://192.168.157.130" using system account "SIGNSYS":
[ OK ] push signacc to nats-server with nats account resolver:
[ OK ] pushed "signacc" to nats-server ubuntu22-1: jwt updated
[ OK ] pushed "signacc" to nats-server ubuntu22-2: jwt updated
[ OK ] pushed to a total of 2 nats-server
/

创建用户并push

/nsc # nsc add user signsysuser -K ./nkeys/keys/A/BV/ABVV7MCJSIL3NXOICTHWFVCXRHHJMBNTORTH2LITJC6CZASFAVMW2K6X.nk
[ OK ] generated and stored user key "UCRW5B3ZBOQQZVA4P4IP4ZL2NCVMFCFQP7V77UZDITNG7TISIEDF66TG"
[ OK ] generated user creds file /nsc/nkeys/creds/signoperator/SIGNSYS/signsysuser.creds
[ OK ] added user "signsysuser" to account "SIGNSYS"nsc push --account SIGNSYS -u nats://192.168.157.130
[ OK ] push to nats-server "nats://192.168.157.130" using system account "SIGNSYS":
[ OK ] push SIGNSYS to nats-server with nats account resolver:
[ OK ] pushed "SIGNSYS" to nats-server ubuntu22-1: jwt updated
[ OK ] pushed "SIGNSYS" to nats-server ubuntu22-2: jwt updated
[ OK ] pushed to a total of 2 nats-server/nsc # find . -name "*.creds"
./nkeys/creds/signoperator/signacc/signuser.creds
./nkeys/creds/signoperator/SIGNSYS/signsysuser.creds
/nsc # nats server list --server=192.168.157.130 --creds=./nkeys/creds/signoperator/SIGNSYS/signsysuser.creds

修改权限并push

nsc edit account --allow-sub ‘*.>’
nsc push --account signacc -u nats://192.168.157.130