
nats auth account mappings add command fail with operator signing key not found

Open mbneimann opened this issue 9 months ago • 7 comments

Observed behavior

Testing the new nats auth account mappings add command produced an error. It is only the add command that gives this error; ls and info do not, and I haven't tried rm.

$ nats auth account mappings add BDK_TD_LS4000 'sensors.>' 'supervision.>' 100 'Supervision' --operator=TheArchitect
nats: error: operator signing key "OCW7VKIV4N6LAFUCKG2HYK7NBNQ3LNRZNKR5CYS5EK3M2ZK35XXOXVX5" is was not found

The signing key is present:

$ nsc list keys 2>&1 | grep OCW7VKIV4N6LAFUCKG2HYK7NBNQ3LNRZNKR5CYS5EK3M2ZK35XXOXVX5
| TheArchitect | OCW7VKIV4N6LAFUCKG2HYK7NBNQ3LNRZNKR5CYS5EK3M2ZK35XXOXVX5 | | * |

Expected behavior

No error was expected, since the signing key is present and other commands work fine.

Server and client version

$ nats --version
0.2.0

Host environment

WSL Ubuntu 24.04.1 LTS on a Windows 10 laptop

Steps to reproduce

No response

mbneimann avatar Mar 20 '25 14:03 mbneimann

Thanks for info @mbneimann. I am unable to reproduce this error locally, so I wonder if this might be something to do with your setup.

Are you able to run the following command for me?

$ nats auth account keys add BDK_TD_LS4000 TEST_ROLE --operator=TheArchitect

This will create a signing key for your BDK account, but I expect it will fail just like the mappings add command did. If it does fail then it looks like the operator signing key file, OCW7VKIV4N6LAFUCKG2HYK7NBNQ3LNRZNKR5CYS5EK3M2ZK35XXOXVX5.nc isn't where it should be.

ploubser avatar Mar 24 '25 12:03 ploubser

Hi @ploubser,

You are right, the command fails:

$ nats auth account keys add BDK_TD_LS4000 TEST_ROLE --operator=TheArchitect
nats: error: operator signing key "OCW7VKIV4N6LAFUCKG2HYK7NBNQ3LNRZNKR5CYS5EK3M2ZK35XXOXVX5" is was not found

The operator key exists here:

$ ls -al $HOME/.local/share/nats/nsc/keys/keys/O/CW/OCW7VKIV4N6LAFUCKG2HYK7NBNQ3LNRZNKR5CYS5EK3M2ZK35XXOXVX5.nk
-rw------- 1 mbneimann mbneimann 58 Nov 28 11:30 /home/mbneimann/.local/share/nats/nsc/keys/keys/O/CW/OCW7VKIV4N6LAFUCKG2HYK7NBNQ3LNRZNKR5CYS5EK3M2ZK35XXOXVX5.nk

Creating the signing key still works with nsc:

$ nsc edit account --name BDK_TD_LS4000 --sk generate
[ OK ] added signing key "ABZTNJCWPKWD45F7NJ5RPNGFXDIUK5LLHIOYID4E2RKT434DZMQGXEPH"
[ OK ] edited account "BDK_TD_LS4000"

And adding the role:

$ nsc edit signing-key --account BDK_TD_LS4000 --role TEST_ROLE --sk ABZTNJCWPKWD45F7NJ5RPNGFXDIUK5LLHIOYID4E2RKT434DZMQGXEPH
[ OK ] edited signing key "ABZTNJCWPKWD45F7NJ5RPNGFXDIUK5LLHIOYID4E2RKT434DZMQGXEPH"

Listing the key with nats auth works:

$ nats auth account keys ls BDK_TD_LS4000
nats auth account keys ls BDK_TD_LS4000
╭─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮
│                                                         Scoped Signing Keys                                                         │
├────────────────┬──────────────────────────────────────────────────────────┬─────────────┬───────────────────┬───────────┬───────────┤
│ Role           │ Key                                                      │ Description │ Max Subscriptions │ Pub Perms │ Sub Perms │
├────────────────┼──────────────────────────────────────────────────────────┼─────────────┼───────────────────┼───────────┼───────────┤
│ user           │ ABKAP3WDEKMSPTWZA7VHYHNGGIHQ3QDEWNBWVATK7ZBCCNJ4QYAKR2NY │             │                -1 │         0 │         0 │
│ TEST_ROLE      │ ABZTNJCWPKWD45F7NJ5RPNGFXDIUK5LLHIOYID4E2RKT434DZMQGXEPH │             │                -1 │         0 │         0 │
│ data_collector │ AD7GQ24LDRAOQL7HKH2HJ6UUK5HZH6ABTMFIOQDVAVXUXU5JYESB3TTI │             │                -1 │         0 │         0 │
╰────────────────┴──────────────────────────────────────────────────────────┴─────────────┴───────────────────┴───────────┴───────────╯

I cannot delete the key with nats auth:

$ nats auth account keys rm BDK_TD_LS4000 --key ABZTNJCWPKWD45F7NJ5RPNGFXDIUK5LLHIOYID4E2RKT434DZMQGXEPH
[local] ? Really remove the Scoped Signing Key ABZTNJCWPKWD45F7NJ5RPNGFXDIUK5LLHIOYID4E2RKT434DZMQGXEPH with role TEST_ROLE Yes
nats: error: operator signing key "OCW7VKIV4N6LAFUCKG2HYK7NBNQ3LNRZNKR5CYS5EK3M2ZK35XXOXVX5" is was not found

I created the setup a while ago, initially using nsc, but have since also used nats auth commands as they became available in the nightly builds.

mbneimann avatar Mar 25 '25 07:03 mbneimann
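
The by-hand check above (is the operator signing key file where the tools expect it, and readable only by its owner?) can be scripted. This is an added example, not code from the thread or from the nats/nsc projects; the function names are hypothetical, and the `<store>/keys/<first char>/<chars 2-3>/<public key>.nk` layout is assumed from the path shown in the `ls -al` output.

```shell
# Added example: locate and sanity-check an nkey file in an nsc-style keystore.
# Assumed layout (taken from the path in the thread):
#   <store>/keys/<1st char>/<chars 2-3>/<public key>.nk

# nk_path STORE PUBKEY -> prints the expected key file path, returns 2 on a bad key
nk_path() {
    store=$1
    key=$2
    # Only operator (O), account (A) and user (U) public keys are handled here.
    case $key in
        [OAU]*) ;;
        *) echo "unexpected key prefix: $key" >&2; return 2 ;;
    esac
    # Public nkeys are 56 characters from the base32 alphabet A-Z, 2-7.
    if [ "${#key}" -ne 56 ] || printf '%s' "$key" | grep -q '[^A-Z2-7]'; then
        echo "not a well-formed public nkey: $key" >&2
        return 2
    fi
    kind=$(printf '%s' "$key" | cut -c1)
    shard=$(printf '%s' "$key" | cut -c2-3)
    printf '%s/keys/%s/%s/%s.nk\n' "$store" "$kind" "$shard" "$key"
}

# nk_check STORE PUBKEY
#   0 = file present, readable, no group/other permission bits
#   1 = missing or unreadable, 2 = malformed key, 3 = permissions too open
nk_check() {
    path=$(nk_path "$1" "$2") || return 2
    if [ ! -f "$path" ] || [ ! -r "$path" ]; then
        echo "missing or unreadable: $path" >&2
        return 1
    fi
    # GNU stat first, BSD stat as a fallback; both print the octal mode.
    mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
    case $mode in
        *00) ;;
        *) echo "mode $mode is too permissive: $path" >&2; return 3 ;;
    esac
    echo "ok: $path"
}
```

With the store from the thread, the call would be `nk_check "$HOME/.local/share/nats/nsc/keys" <operator public key>`; exit status 0 means the file is where the layout says and is not the cause of a "not found" error.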

@aricart might have some insight here on what might be the cause

https://github.com/synadia-io/jwt-auth-builder.go/blob/b3b671675f1889df817ddf1f4a8700c85e3c6d00/accounts.go#L89-L111

ripienaar avatar Mar 25 '25 10:03 ripienaar

> @aricart might have some insight here on what might be the cause
>
> synadia-io/jwt-auth-builder.go@b3b6716/accounts.go#L89-L111

doggy code on the lib... - Fixing.

aricart avatar Mar 25 '25 13:03 aricart

This is fixed now, in the library - thank you @ploubser and @mbneimann

aricart avatar Mar 25 '25 14:03 aricart

Thanks for the great and super quick work!

mbneimann avatar Mar 25 '25 17:03 mbneimann

Thanks @aricart, we've pulled your changes into the client.

ploubser avatar Mar 26 '25 10:03 ploubser