When using the nats account resolver and a JWT is not found, the client could
often get an i/o timeout error due to not receiving a timely response
before the account resolver fetch request times out. Now instead
of waiting for the fetch request to timeout, a resolver without JWTs
will notify as well that it could not find a matching JWT, waiting for a
response from all active servers.
Also included in this PR is some cleanup to the logs emitted by the
resolver.
Signed-off-by: Waldemar Quevedo <wally@nats.io>
To enable in full mode configure allow_delete: true
When enabled the file will be renamed to allow for manual restore.
In cache mode it will be enabled by default.
When enabled files will be deleted.
Signed-off-by: Matthias Hanel <mh@synadia.com>
Update already existed scoped by account, this exposes update without account.
List returns a list of all stored accounts.
Delete deletes accounts.
Fix a crash on startup with non existing directory.
Signed-off-by: Matthias Hanel <mh@synadia.com>
Full nats based resolver sync within a cluster.
This functionality addresses syncing between cluster.
Fixing deadlock when more than one server responds to lookup.
Fixing crash when shutdown and pack happen at the same time.
When using Unix() time, since it is number of seconds, it is better
to round up the time before adding a ttl. Trying to shorten some
of the tests showed that in some cases a file was removed too early.
This was because the computed expiration with ttl fell in the same
second, so the file was removed prematurely.
So anywhere where we used to do: time.Now().Addd(ttl).Unix(), I
changed to time.Now().Round(time.Second).Add(ttl).Unix().
I was able to reduce the time of TestTTL from 21 seconds down to
less than 5. TestExpiration was also shorten.
Signed-off-by: Ivan Kozlovic <ivan@synadia.com>
* Adding nats based resolver and bootstrap system account
These resolver operate on an exclusive directory
Two types:
full: managing all jwt in the directory
Will synchronize with other full resolver
nats-account-server will also run such a resolver
cache: lru cache managing only a subset of all jwt in the directory
Will lookup jwt from full resolver
Can overwrite expiration with a ttl for the file
Both:
track expiration of jwt and clean up
Support reload
Notify the server of changed jwt
Bootstrapping system account allows users signed with the system account
jwt to connect, without the server knowing the jwt.
This allows uploading jwt (including system account) using nats by
publishing to $SYS.ACCOUNT.<name>.CLAIMS.UPDATE
Sending a request, server will respond with the result of the operation.
Receive all jwt stored in one server by sending a
request to $SYS.ACCOUNT.CLAIMS.PACK
One server will respond with a message per stored jwt.
The end of the responses is indicated by an empty message.
The content of dirstore.go and dirstore_test.go was moved from
nats-account-server
Signed-off-by: Matthias Hanel <mh@synadia.com>
