Generated user key - private key stored "~/.nkeys/SAOP/accounts/SYS/users/SYSU.nk"
Generated user creds file "~/.nkeys/SAOP/accounts/SYS/users/SYSU.creds"
Success! - added user "SYSU" to "SYS"
By default, the operator JWT can be found in ~/.nsc/nats/<operator_name>/<operator.name>.jwt.
NATS-Account-Server
nats-account-server -nsc ~/.nsc/nats/SAOP
The server will by default vend JWT configurations on the an endpoint at: http(s)://<server_url>/jwt/v1/accounts/.
NATS Server Configuration
The server configuration will need:
The operator JWT - (~/.nsc/nats/<operator_name>/<operator.name>.jwt)
The URL where the server can resolve accounts (http://localhost:9090/jwt/v1/accounts/)
The public key of the system_account
The only thing we don't have handy is the public key for the system account. We can get it easy enough:
nsc list accounts
╭─────────────────────────────────────────────────────────────────╮
│ Accounts │
├──────┬──────────────────────────────────────────────────────────┤
│ Name │ Public Key │
├──────┼──────────────────────────────────────────────────────────┤
│ SYS │ ADWJVSUSEVC2GHL5GRATN2LOEOQOY2E6Z2VXNU3JEIK6BDGPWNIW3AXF │
╰──────┴──────────────────────────────────────────────────────────╯
Because the server has additional resolver implementations, you need to enclose the server url like: URL(<url>).
Let's create server config with the following contents and save it to server.conf:
Let's add a subscriber for all the events published by the system account:
nats sub --creds ~/.nkeys/SAOP/accounts/SYS/users/SYSU.creds ">"
Very quickly we'll start seeing messages from the server as they are published by the NATS server. As should be expected, the messages are just JSON, so they can easily be inspected even if just using a simple nats sub to read them.
To see an account update:
nats pub --creds ~/.nkeys/SAOP/accounts/SYS/users/SYSU.creds foo bar
The subscriber will print the connect and disconnect:
$SYS.REQ.USER.INFO - Request Connected User Information
For the active connection, get basic user information including the account name, permissions, and expiry, if applicable. Note, this works with any connected user, not just a system account user.
To discover servers in the cluster, and get a small health summary, publish a request to $SYS.REQ.SERVER.PING. Note that while the example below uses nats-req, only the first answer for the request will be printed. You can easily modify the example to wait until no additional responses are received for a specific amount of time, thus allowing for all responses to be collected.
$SYS.REQ.SERVER.<id>.STATSZ - Requesting Server Stats Summary
If you know the server id for a particular server (such as from a response to $SYS.REQ.SERVER.PING), you can query the specific server for its health information:
$SYS.REQ.SERVER.<id>.PROFILEZ - Request Profiling Information
If profiling is enabled for a server, this service enables requesting it from the server. The request payload must specify the name of the profile being requested with an optional debug level, including:
Published [$SYS.REQ.SERVER.NC7AKPQRC6CIZGWRJOTVFIGVSL7VW7WXTQCTUJFNG7HTCMCKQTGE5PUL.PROFILEZ] : '{
"name": "heap",
"debug": 1
}'
Received [_INBOX.DQD44ugVt0O4Ur3pWIOOD1.WQOBevoq] : '{
"profile": "<base64-encoded profile output>"
}'
$SYS.REQ.SERVER.<id>.RELOAD - Hot Reload Configuration
Sending a request to this service will attempt to hot reload the server configuration, akin to nats-server --signal reload. If there are errors with the new configuration, they will be returned in an error field in the response.