The `nsc` tool creates and manages these identities and allows you to deploy them to a JWT account server, which in turn makes the configurations available to nats-servers.
Operators are responsible for running nats-servers and issuing account JWTs. Operators set the limits on what an account can do, such as the number of connections, data limits, etc.
Accounts are responsible for issuing user JWTs. An account defines streams and services that can be exported to other accounts. Likewise, it imports streams and services from other accounts.
Users are issued by an account, and encode limits regarding usage and authorization over the account's subject space.
`nsc` can make use of that configuration:
`~/.nsc` and can be changed via the
`~/.nkeys` and can be changed via the
`$NKEYS_PATH` environment variable. The contents of the nkeys directory should be treated as secrets.
`$NSC_HOME/nats`, and can be changed using the command `nsc env -s <dir>`. The stores directory can be stored under revision control. The JWTs themselves do not contain any secrets.
`U` for users. These prefixes are also part of the public key. The second and third letters in the public key are used to create directories where other like-named keys are stored.
`nk` files themselves are named after the complete public key, and store a single string - the private key in question:
`S` for seed. The second letter indicates the type of key in question.
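The prefix letters described above are not a naming convention layered on top of the key; they are the first bits of the encoded key itself. The following Go program, added here as an illustration and not part of the nsc project or the `nkeys` library, reproduces that encoding: a prefix byte, the raw ed25519 key, and a CRC-16 checksum, base32-encoded without padding. The prefix byte values (`O`, `A`, `U`, `S`) and the seed layout (seed prefix merged with the key-type prefix across the first two bytes, which is why the second letter of a seed names its type) are taken from the public nkeys format; everything else, including the function names, is this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base32"
	"errors"
	"fmt"
)

// Prefix bytes: the top five bits of the first byte become the first base32
// character of the encoded key, which is where the O/A/U/S letters come from.
const (
	prefixOperator byte = 14 << 3 // 'O'
	prefixAccount  byte = 0       // 'A'
	prefixUser     byte = 20 << 3 // 'U'
	prefixSeed     byte = 18 << 3 // 'S'
)

var b32 = base32.StdEncoding.WithPadding(base32.NoPadding)

// crc16 is CRC-16/XMODEM (polynomial 0x1021, init 0), appended little-endian.
func crc16(data []byte) uint16 {
	var crc uint16
	for _, b := range data {
		crc ^= uint16(b) << 8
		for i := 0; i < 8; i++ {
			if crc&0x8000 != 0 {
				crc = crc<<1 ^ 0x1021
			} else {
				crc <<= 1
			}
		}
	}
	return crc
}

// encode joins prefix bytes, raw key material and checksum into one string.
func encode(prefix []byte, raw []byte) string {
	buf := append(append([]byte{}, prefix...), raw...)
	c := crc16(buf)
	buf = append(buf, byte(c), byte(c>>8))
	return b32.EncodeToString(buf)
}

// EncodePublic produces an O.../A.../U... public key from a raw ed25519 key.
func EncodePublic(prefix byte, pub ed25519.PublicKey) string {
	return encode([]byte{prefix}, pub)
}

// EncodeSeed produces an S... seed. The first byte carries the seed prefix plus
// the top 3 bits of the key-type prefix, the second byte its remaining 5 bits,
// so the second character of the string reveals the key type (SO, SA, SU).
func EncodeSeed(prefix byte, seed []byte) string {
	p := []byte{prefixSeed | (prefix >> 5), (prefix & 31) << 3}
	return encode(p, seed)
}

// strip decodes the base32 string and verifies the trailing checksum.
func strip(key string) ([]byte, error) {
	raw, err := b32.DecodeString(key)
	if err != nil || len(raw) < 4 {
		return nil, errors.New("malformed key")
	}
	body, sum := raw[:len(raw)-2], raw[len(raw)-2:]
	if crc16(body) != uint16(sum[0])|uint16(sum[1])<<8 {
		return nil, errors.New("checksum mismatch")
	}
	return body, nil
}

// DecodePublic returns the raw key only if the checksum holds and the key is
// of the expected type, so an account key cannot be passed off as an operator.
func DecodePublic(want byte, key string) (ed25519.PublicKey, error) {
	body, err := strip(key)
	if err != nil {
		return nil, err
	}
	if body[0] != want {
		return nil, fmt.Errorf("wrong key type: prefix %q", key[:1])
	}
	return ed25519.PublicKey(body[1:]), nil
}

// DecodeSeed validates an S... seed and returns the key type it encodes and
// the raw 32-byte ed25519 seed.
func DecodeSeed(seed string) (byte, []byte, error) {
	body, err := strip(seed)
	if err != nil {
		return 0, nil, err
	}
	if body[0]&0xf8 != prefixSeed {
		return 0, nil, errors.New("not a seed")
	}
	typ := (body[0]&7)<<5 | body[1]>>3
	return typ, body[2:], nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	fmt.Println("operator public key:", EncodePublic(prefixOperator, pub))
	fmt.Println("operator seed:      ", EncodeSeed(prefixOperator, priv.Seed()))
}
```

The type check in `DecodePublic` is the part worth copying into anything that consumes keys from configuration: a checksum-valid key of the wrong type is still the wrong key, and the letter alone is not proof either, since the checksum is what guarantees the string was not truncated or edited.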
`creds` directory. This directory is organized in a way friendly to humans. It stores user credential files, or
`creds` files for short. A credentials file contains a copy of the user JWT and the private key for the user. These files are used by NATS clients to connect to a NATS server:
`!`. If you have more than one account, you can show them all by specifying the
algorithm `ed25519` for signature. The payload will list different things. On our basically empty operator, we will only have standard JWT
- `jti` - a JWT id
- `iat` - the timestamp when the JWT was issued, in UNIX time
- `iss` - the issuer of the JWT, in this case the operator's public key
- `sub` - the subject or identity represented by the JWT, in this case the same operator
- `type` - since this is an operator JWT, `operator` is the type
`nats` object, which is where we add NATS-specific JWT configuration to the JWT claim.
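The claims listed above are what a resolver or a reviewer should actually check before trusting an operator JWT: the header names `ed25519` as the algorithm, the signature covers the header and payload, `type` is `operator`, and for a self-signed operator `iss` and `sub` are the same key. The Go program below is an added example, not nsc's or the nats-io/jwt library's own code: it issues a minimal operator JWT with those fields and verifies one. It assumes the identity string in `iss`/`sub` is supplied by the caller alongside the raw ed25519 public key (in a real JWT that string is the nkey-encoded public key), that `jti` is caller-supplied, and that the `nats` object is left empty as on the "basically empty operator" described above.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// header mirrors the JWT header fields shown by nsc describe.
type header struct {
	Typ string `json:"typ"`
	Alg string `json:"alg"`
}

// operatorClaims mirrors the standard claims plus the nats object.
type operatorClaims struct {
	JTI  string          `json:"jti"`
	IAT  int64           `json:"iat"`
	ISS  string          `json:"iss"`
	Sub  string          `json:"sub"`
	Type string          `json:"type"`
	Nats json.RawMessage `json:"nats"`
}

var b64 = base64.RawURLEncoding

// SignOperatorJWT builds header.payload, signs it with ed25519 and appends the
// signature. id is the operator's public identity string (assumed here to be
// supplied by the caller); the operator signs its own JWT, so iss == sub.
func SignOperatorJWT(id string, priv ed25519.PrivateKey, jti string, now time.Time) (string, error) {
	h, err := json.Marshal(header{Typ: "jwt", Alg: "ed25519"})
	if err != nil {
		return "", err
	}
	c, err := json.Marshal(operatorClaims{
		JTI: jti, IAT: now.Unix(), ISS: id, Sub: id, Type: "operator",
		Nats: json.RawMessage(`{}`),
	})
	if err != nil {
		return "", err
	}
	signing := b64.EncodeToString(h) + "." + b64.EncodeToString(c)
	sig := ed25519.Sign(priv, []byte(signing))
	return signing + "." + b64.EncodeToString(sig), nil
}

// VerifyOperatorJWT checks the algorithm, the signature and the claim
// structure before returning the claims. The signature is verified before the
// payload is parsed, so unsigned or re-signed payloads never reach the checks.
func VerifyOperatorJWT(token string, pub ed25519.PublicKey, id string, now time.Time) (*operatorClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("jwt must have three dot-separated parts")
	}
	hb, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("header: %w", err)
	}
	var h header
	if err := json.Unmarshal(hb, &h); err != nil {
		return nil, fmt.Errorf("header: %w", err)
	}
	if h.Alg != "ed25519" { // pin the algorithm; never let the token choose it
		return nil, fmt.Errorf("unexpected alg %q", h.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	if !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("signature verification failed")
	}
	cb, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("payload: %w", err)
	}
	var c operatorClaims
	if err := json.Unmarshal(cb, &c); err != nil {
		return nil, fmt.Errorf("payload: %w", err)
	}
	switch {
	case c.Type != "operator":
		return nil, fmt.Errorf("not an operator JWT: type %q", c.Type)
	case c.ISS != id || c.Sub != id:
		return nil, errors.New("operator JWT must be self-issued by the expected key")
	case c.JTI == "":
		return nil, errors.New("missing jti")
	case c.IAT > now.Unix()+60: // allow a minute of clock skew
		return nil, errors.New("iat is in the future")
	}
	return &c, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	const id = "OEXAMPLEOPERATOR" // constructed stand-in for the nkey public key string
	tok, err := SignOperatorJWT(id, priv, "example-jti", time.Now())
	if err != nil {
		panic(err)
	}
	claims, err := VerifyOperatorJWT(tok, pub, id, time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s\n%+v\n", tok, *claims)
}
```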
`MEMORY` resolver, which statically maps account public keys to an account JWT in the server's configuration file. It is somewhat easier to configure because it doesn't require another moving part, but fails to provide the needed experience of setting up an account server. Let's set up an Account Server.
`O` operator that we created earlier). By default, the server listens on localhost at port 9090.
`nsc push` for more information about how to push JWTs to the account server.
`operator` JWT, which we have pointed at directly, and a resolver. The resolver has two options
`URL`. We are interested in the
`URL` since we want the nats-server to talk to the account server. Note we put the URL of the server with the path
`/jwt/v1/accounts`. Currently, this is where the account server expects requests for account information.
`nsc tool -h` for more detailed information.
`nsc` you can specify authorization for specific subjects to which the user can or cannot publish or subscribe. By default a user doesn't have any limits on the subjects that it can publish or subscribe to. Any message stream or message published in the account is subscribable by the user. The user can also publish to any subject or imported service. Note that authorization, if configured, must be specified on a per-user basis.
`_INBOX.>`. You can further restrict it, but you'll be responsible for segmenting the subject space so as not to break request/reply communications between clients.
`q`. To enable the service to receive and respond to requests it requires permissions to subscribe to `q` and publish permissions under
`_INBOX.>` addresses and subscribing to the service's request subject.
`q`, and receive replies on an inbox.
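To see why the service and the client above need opposite permissions, it helps to evaluate them the way a server would. The Go program below is an added example, not code from nsc or nats-server: it implements NATS subject matching (`*` matches exactly one token, `>` matches one or more trailing tokens) and an allow/deny check with the common semantics that an empty allow list permits everything and a deny entry overrides an allow entry. It then applies the two permission sets from the text, the service (subscribe `q`, publish `_INBOX.>`) and the client (publish `q`, subscribe `_INBOX.>`). The `Permissions` type and its field names are this example's own.

```go
package main

import (
	"fmt"
	"strings"
)

// SubjectMatches reports whether a literal subject matches a pattern under
// NATS wildcard rules: "*" matches one token, ">" matches the rest (at least one).
func SubjectMatches(pattern, subject string) bool {
	p := strings.Split(pattern, ".")
	s := strings.Split(subject, ".")
	for i, tok := range p {
		if tok == ">" {
			return i < len(s) // ">" must cover at least one token
		}
		if i >= len(s) || (tok != "*" && tok != s[i]) {
			return false
		}
	}
	return len(p) == len(s)
}

// Permissions holds the allow/deny lists attached to a user (example type).
type Permissions struct {
	PubAllow, PubDeny, SubAllow, SubDeny []string
}

func anyMatch(patterns []string, subject string) bool {
	for _, p := range patterns {
		if SubjectMatches(p, subject) {
			return true
		}
	}
	return false
}

// allowed applies the semantics used in this example: a deny match refuses the
// subject; otherwise an empty allow list means unrestricted, as the text says
// is the default for a user with no permissions configured.
func allowed(allow, deny []string, subject string) bool {
	if anyMatch(deny, subject) {
		return false
	}
	return len(allow) == 0 || anyMatch(allow, subject)
}

// CanPublish decides whether a message to subject may be published.
func (p Permissions) CanPublish(subject string) bool {
	return allowed(p.PubAllow, p.PubDeny, subject)
}

// CanSubscribe decides whether a subscription to a literal subject is permitted.
func (p Permissions) CanSubscribe(subject string) bool {
	return allowed(p.SubAllow, p.SubDeny, subject)
}

func main() {
	// The two users from the text (constructed here): a responder on q and a requester.
	service := Permissions{SubAllow: []string{"q"}, PubAllow: []string{"_INBOX.>"}}
	client := Permissions{PubAllow: []string{"q"}, SubAllow: []string{"_INBOX.>"}}
	inbox := "_INBOX.abc123.1" // a reply subject a client would generate

	fmt.Println("service sub q:        ", service.CanSubscribe("q"))
	fmt.Println("service pub reply:    ", service.CanPublish(inbox))
	fmt.Println("service pub q:        ", service.CanPublish("q")) // cannot impersonate a requester
	fmt.Println("client pub q:         ", client.CanPublish("q"))
	fmt.Println("client sub inbox:     ", client.CanSubscribe(inbox))
	fmt.Println("client sub q:         ", client.CanSubscribe("q")) // cannot eavesdrop on requests
}
```

`CanSubscribe` takes a literal subject. A subscription that itself contains wildcards (for example `_INBOX.>` against an allow list of `_INBOX.me.>`) needs a subset check, that is, whether every subject the subscription could match is also allowed; the server performs that check and this helper does not, which is exactly the segmenting concern the text raises when you restrict inbox permissions.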
`nsc env --account <account name>` to set the account as the current default. If you have defined
`NSC_HOME` in the environment, you'll also see their current effective values. Finally, if you want to set the stores directory to anything other than the default, you can do
`nsc env --store <dir containing an operator>`. If you have multiple accounts, you can try having multiple terminals, each in a directory for a different account.