From a1a61731b19059d1547f1c979a334586dc7f5e9a Mon Sep 17 00:00:00 2001 From: aricart Date: Mon, 6 Jan 2020 16:15:54 -0400 Subject: [PATCH] added an intro on resolvers with links to other documents and tooling --- nats-server/configuration/README.md | 2 +- nats-server/configuration/resolver.md | 33 +++++++++++++++++++++++++++ 2 files changed, 34 insertions(+), 1 deletion(-) create mode 100644 nats-server/configuration/resolver.md diff --git a/nats-server/configuration/README.md b/nats-server/configuration/README.md index 3547e39..d9210ba 100644 --- a/nats-server/configuration/README.md +++ b/nats-server/configuration/README.md @@ -127,7 +127,7 @@ authorization: { | [`ping_interval`]() | Interval in seconds in which the server checks if a connection is active | | `port` | Port for client connections | | `reconnect_error_reports` | Number of failed attempt to reconnect a route, gateway or leaf node connection. Default is to report every attempt. | -| [`resolver`](../../nats-tools/nsc/nsc.md#nats-server-configuration) | Resolver type `MEMORY` or `URL` for account JWTs | +| [`resolver`]() | Resolver type `MEMORY` or `URL` for account JWTs | | [`tls`](securing_nats/tls.md#tls-configuration) | Configuration map for tls for client and http monitoring | | `trace` | If `true` enable protocol trace log messages | | `write_deadline` | Maximum number of seconds the server will block when writing a to a client \(slow consumer\) | diff --git a/nats-server/configuration/resolver.md b/nats-server/configuration/resolver.md new file mode 100644 index 0000000..342fb26 --- /dev/null +++ b/nats-server/configuration/resolver.md 
@@ -0,0 +1,33 @@ +# resolver + +The `resolver` configuration option is used in conjunction with [NATS JWT Authentication](securing_nats/auth_intro/jwt_auth.md) and [nsc](../../nats-tools/nsc/nsc). The `resolver` option specifies an URL where the nats-server can retrieve an account JWT. There are two built-in resolver implementations: + + - `URL` + - `MEMORY` + +# URL Resolver + +The `URL` resolver specifies an URL where the server can append an account public key to retrieve that accounts JWT. Convention for [NATS Account JWT Servers](../../nats-tools/nas) is to serve JWTs at: `http://localhost:9090/jwt/v1/accounts/`. For such a configuration you would specify the resolver as follows: + +```yaml +resolver: URL(http://localhost:9090/jwt/v1/accounts/) +``` + +Note that if not using a nats-account-server, the URL can be anything so long as by appending the public key for an account, the requested JWT is returned. + +For more information on how to configure an account server, see [NATS Account JWT Server](../../nats-tools/nas). + +# MEMORY + +The `MEMORY` resolver is statically configured in the server's configuration file. 
The memory resolver makes use of the `resolver_preload` directive, which specifies a map of a public key to an account JWT: + +```yaml +resolver: MEMORY +resolver_preload: { +ACSU3Q6LTLBVLGAQUONAGXJHVNWGSKKAUA7IY5TB4Z7PLEKSR5O6JTGR: eyJ0eXAiOiJqd3QiLCJhbGciOiJlZDI1NTE5In0.eyJqdGkiOiJPRFhJSVI2Wlg1Q1AzMlFJTFczWFBENEtTSDYzUFNNSEZHUkpaT05DR1RLVVBISlRLQ0JBIiwiaWF0IjoxNTU2NjU1Njk0LCJpc3MiOiJPRFdaSjJLQVBGNzZXT1dNUENKRjZCWTRRSVBMVFVJWTRKSUJMVTRLM1lERzNHSElXQlZXQkhVWiIsIm5hbWUiOiJBIiwic3ViIjoiQUNTVTNRNkxUTEJWTEdBUVVPTkFHWEpIVk5XR1NLS0FVQTdJWTVUQjRaN1BMRUtTUjVPNkpUR1IiLCJ0eXBlIjoiYWNjb3VudCIsIm5hdHMiOnsibGltaXRzIjp7InN1YnMiOi0xLCJjb25uIjotMSwibGVhZiI6LTEsImltcG9ydHMiOi0xLCJleHBvcnRzIjotMSwiZGF0YSI6LTEsInBheWxvYWQiOi0xLCJ3aWxkY2FyZHMiOnRydWV9fX0._WW5C1triCh8a4jhyBxEZZP8RJ17pINS8qLzz-01o6zbz1uZfTOJGvwSTS6Yv2_849B9iUXSd-8kp1iMXHdoBA +} +``` + +The `MEMORY` resolver is recommended when the server has a small number of accounts that don't change very often. + +For more information on how to configure a memory resolver, see [this tutorial](../../nats-tools/nas/mem_resolver.md). \ No newline at end of file
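Review bot: The `resolver` row in the README.md option table now has an empty link target (`()`), so the option name renders as a dead link. This patch creates `resolver.md` in the same directory, so the row should link to `resolver.md` instead. The link to the nsc page that the row used to carry is not lost, since the new page links to nsc itself.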
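Review bot: The opening paragraph of resolver.md says the option "specifies an URL where the nats-server can retrieve an account JWT", which does not hold for the `MEMORY` resolver described further down, where the JWTs are preloaded from the configuration file through `resolver_preload`. Suggest wording the intro around how the server obtains account JWTs and leaving the URL detail to the `URL` section. Because the URL example uses plain `http://` and the note says the URL "can be anything", a sentence on whether the server verifies the JWT it gets back would help readers judge that setup. Smaller points in the same file: the headings are inconsistent (`# URL Resolver` vs `# MEMORY`), the nsc link `../../nats-tools/nsc/nsc` lacks the `.md` extension that the README link used, "that accounts JWT" needs an apostrophe, and the file ends without a trailing newline.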