Directory Store

    Starting the server:

    > nats-account-server -c nas.conf
    2019/05/31 12:35:23.430128 [INF] loading configuration from "/Users/synadia/Desktop/nats_jwt_doc/as_dir/nas.conf"
    2019/05/31 12:35:23.430417 [INF] starting NATS Account server, version 0.0-dev
    2019/05/31 12:35:23.430434 [INF] server time is Fri May 31 12:35:23 CDT 2019
    2019/05/31 12:35:23.430462 [INF] loading operator from /users/synadia/.nsc/nats/AAA/AAA.jwt
    2019/05/31 12:35:23.430919 [INF] creating a store at /tmp/as_store
    2019/05/31 12:35:23.430948 [INF] NATS is not configured, server will not fire notifications on update
    2019/05/31 12:35:23.437938 [INF] http listening on port 9090
    2019/05/31 12:35:23.437953 [INF] nats-account-server is running
    2019/05/31 12:35:23.437956 [INF] configure the nats-server with:
    2019/05/31 12:35:23.437966 [INF] resolver: URL(http://localhost:9090/jwt/v1/accounts/)

    On a new store, the server doesn’t have any JWTs. This means that any nats-server that attempts to resolve accounts will fail. To add JWTs to the server, you can use a tool like curl to post requests, but it is much easier to use nsc to update the nats-account-server.

    The nsc tool has built-in facilities to push JWTs related to an operator. The tool also performs validation of your JWTs to ensure that you push JWTs that will validate correctly.

    Generated account key - private key stored "~/.nkeys/AAA/accounts/A/A.nk"
    > nsc add user -n u1
    Generated user key - private key stored "~/.nkeys/AAA/accounts/A/users/u1.nk"
    Generated user creds file "~/.nkeys/AAA/accounts/A/users/u1.creds"
    Success! - added user "u1" to "A"
    > nsc add user -n u2
    Generated user key - private key stored "~/.nkeys/AAA/accounts/A/users/u2.nk"
    Generated user creds file "~/.nkeys/AAA/accounts/A/users/u2.creds"
    Success! - added user "u2" to "A"
    > nsc add account -n B
    Success! - added account "B"

    With the account and a couple of users in place, let’s push all the accounts to the nats-account-server. If the account JWT server URL is not set on the operator, you may want to set it. Note that account servers typically require the path /jwt/v1 in addition to the protocol and hostport (or you can specify the --account-jwt-server-url flag to nsc’s push command).

    Going forward all interactions on behalf of the operator will use this account server. Now we can push all accounts.

    successfully pushed all accounts [A,B]

    Note that if the account server is not configured on the operator, or there is a need to override it temporarily, the -u option is available on the nsc push command.

    > nsc push -u http://localhost:9090/jwt/v1/ -A
    successfully pushed all accounts [A,B]

    A quick check with nsc to verify that the account IDs in nsc match the files:

    > nsc list accounts -W
    ╭─────────────────────────────────────────────────────────────────╮
    │                            Accounts                             │
    ├──────┬──────────────────────────────────────────────────────────┤
    │ Name │ Public Key                                               │
    ├──────┼──────────────────────────────────────────────────────────┤
    │ A    │ ACVEO3LPVRGE5W262FCYF3OMGQFJIW252AX75FEE6BUY752BFVDADN27 │
    │ B    │ ADDVBX4VPWSNEDLWH5Y6ITASMXS3QY3L6KRNZ6VIQJ6Q3FRGR43NFHTY │
    ╰──────┴──────────────────────────────────────────────────────────╯
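The same ID check can be scripted. The following is an added example, not part of the original documentation or the nats-account-server project: it parses the `nsc list accounts -W` listing and confirms that each JWT the store returns carries the matching account public key in its `sub` claim. The function names, the `fetch` callback and the sample tokens are assumptions constructed for illustration, and signatures are not verified here.

```python
import base64
import json
import re

ACCOUNT_KEY = re.compile(r"A[A-Z2-7]{55}")  # 56 base32 chars, "A" prefix

def parse_nsc_accounts(table_text):
    """Map account name -> public key from `nsc list accounts -W` output."""
    accounts = {}
    for line in table_text.splitlines():
        cells = [c for c in re.split(r"[│\s]+", line) if c]
        if len(cells) == 2 and ACCOUNT_KEY.fullmatch(cells[1]):
            accounts[cells[0]] = cells[1]
    return accounts

def jwt_claims(token):
    """Decode a JWT's claims segment. The signature is NOT verified here."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.claims.signature")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(segment))

def check_store(accounts, fetch):
    """fetch(key) returns the stored JWT text or None; returns problems found."""
    problems = []
    for name, key in sorted(accounts.items()):
        token = fetch(key)
        if token is None:
            problems.append(f"{name}: no JWT stored for {key}")
            continue
        try:
            claims = jwt_claims(token)
        except ValueError as exc:  # bad base64 and bad JSON both land here
            problems.append(f"{name}: unreadable JWT ({exc})")
            continue
        subject = claims.get("sub") if isinstance(claims, dict) else None
        if subject != key:
            problems.append(f"{name}: JWT subject {subject} does not match {key}")
    return problems

def constructed_token(sub):  # unsigned sample token for testing, not a real JWT
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    return f'{enc({"typ": "jwt"})}.{enc({"sub": sub})}.c2ln'

# Constructed sample input: the two account rows from the listing above.
SAMPLE_TABLE = (
    "│ A    │ ACVEO3LPVRGE5W262FCYF3OMGQFJIW252AX75FEE6BUY752BFVDADN27 │\n"
    "│ B    │ ADDVBX4VPWSNEDLWH5Y6ITASMXS3QY3L6KRNZ6VIQJ6Q3FRGR43NFHTY │\n")
```

Against a running server, `fetch` would issue a GET to the resolver URL from the startup log with the account public key appended, returning `None` when the account is not found.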

      Note that the @ before the file name is required for curl to read the specified file, and use it as the payload. Otherwise, it will simply post the path specified, which will result in an update error.

      Curl can also be used to add JWTs.