If the operator JWT specified in
operatorcontains an account resolver URL,
resolveronly needs to be specified in order to overwrite that default.
nats-serverand stores the account JWTs in a local (not shared) directory that the server has access to (i.e. you can't have more than one
nats-servers using the same directory. All the servers in the cluster or super-cluster must be configured to use it, and they implement an 'eventually consistent' mechanism via NATS and the system account to synchronize (or lookup) the account data between themselves.
nats-server(i.e. if you have a lot of accounts), this resolver has two sub types
nscCLI tool to create/manage the JWTs locally, and use
nsc pushto push new JWTs to the nats-servers' built-in resolvers,
nsc pullto refresh their local copy of account JWTs, and
nsc revocationsto revoke them.
nats-serverstores all JWTs and exchanges them in an eventually consistent way with other resolvers of the same type.
resolver_preload. When present, JWTs are listed and stored in the resolver. There, they may be subject to updates. Restarts of the
nats-serverwill hold on to these more recent versions.
full. You need enough to still serve your workload adequately, while some servers are offline.
nats-serveronly stores a subset of the JWTs and evicts others based on an LRU scheme. Missing JWTs are downloaded from the
fullnats based resolver(s).
nsc, send it as a request to
$SYS.REQ.CLAIMS.UPDATE. Each participating
fullNATS based account resolver will respond with a message detailing success or failure.
$SYS.REQ.ACCOUNT.*.CLAIMS.LOOKUPand respond with the account JWT corresponding to the requested account id (wildcard).
nsc pullto make sure you have a copy of all the account data in the server in your local machine
nsc edit operator --account-jwt-server-url <nats://...>
nsc push -Ato push your account data to the nats-servers using the built-in nats account resolver
MEMORYresolver is statically configured in the server's configuration file. You would use this mode if you would rather manage the account resolving 'by hand' through the
nat-servers' configuration files. The memory resolver makes use of the
resolver_preloaddirective, which specifies a map of public keys to account JWTs:
MEMORYresolver is recommended when the server has a small number of accounts that don't change very often.
URLresolver specifies a URL where the server can append an account public key to retrieve that account's JWT. Convention for standalone NATS Account JWT Servers is to serve JWTs at:
http://localhost:9090/jwt/v1/accounts/. For such a configuration you would specify the resolver as follows:
Note that if you are not using a nats-account-server, the URL can be anything as long as by appending the public key for an account, the requested JWT is returned.
tlsconfiguration map lets you further restrict TLS to the resolver.