From a1a61731b19059d1547f1c979a334586dc7f5e9a Mon Sep 17 00:00:00 2001 From: aricart Date: Mon, 6 Jan 2020 16:15:54 -0400 Subject: [PATCH 1/2] added an intro on resolvers with links to other documents and tooling --- nats-server/configuration/README.md | 2 +- nats-server/configuration/resolver.md | 33 +++++++++++++++++++++++++++ 2 files changed, 34 insertions(+), 1 deletion(-) create mode 100644 nats-server/configuration/resolver.md diff --git a/nats-server/configuration/README.md b/nats-server/configuration/README.md index 3547e39..d9210ba 100644 --- a/nats-server/configuration/README.md +++ b/nats-server/configuration/README.md @@ -127,7 +127,7 @@ authorization: { | [`ping_interval`]() | Interval in seconds in which the server checks if a connection is active | | `port` | Port for client connections | | `reconnect_error_reports` | Number of failed attempt to reconnect a route, gateway or leaf node connection. Default is to report every attempt. | -| [`resolver`](../../nats-tools/nsc/nsc.md#nats-server-configuration) | Resolver type `MEMORY` or `URL` for account JWTs | +| [`resolver`]() | Resolver type `MEMORY` or `URL` for account JWTs | | [`tls`](securing_nats/tls.md#tls-configuration) | Configuration map for tls for client and http monitoring | | `trace` | If `true` enable protocol trace log messages | | `write_deadline` | Maximum number of seconds the server will block when writing a to a client \(slow consumer\) | diff --git a/nats-server/configuration/resolver.md b/nats-server/configuration/resolver.md new file mode 100644 index 0000000..342fb26 --- /dev/null +++ b/nats-server/configuration/resolver.md 
@@ -0,0 +1,33 @@ +# resolver + +The `resolver` configuration option is used in conjunction with [NATS JWT Authentication](securing_nats/auth_intro/jwt_auth.md) and [nsc](../../nats-tools/nsc/nsc). The `resolver` option specifies an URL where the nats-server can retrieve an account JWT. There are two built-in resolver implementations: + + - `URL` + - `MEMORY` + +# URL Resolver + +The `URL` resolver specifies an URL where the server can append an account public key to retrieve that accounts JWT. Convention for [NATS Account JWT Servers](../../nats-tools/nas) is to serve JWTs at: `http://localhost:9090/jwt/v1/accounts/`. For such a configuration you would specify the resolver as follows: + +```yaml +resolver: URL(http://localhost:9090/jwt/v1/accounts/) +``` + +Note that if not using a nats-account-server, the URL can be anything so long as by appending the public key for an account, the requested JWT is returned. + +For more information on how to configure an account server, see [NATS Account JWT Server](../../nats-tools/nas). + +# MEMORY + +The `MEMORY` resolver is statically configured in the server's configuration file. 
The memory resolver makes use of the `resolver_preload` directive, which specifies a map of a public key to an account JWT: + +```yaml +resolver: MEMORY +resolver_preload: { +ACSU3Q6LTLBVLGAQUONAGXJHVNWGSKKAUA7IY5TB4Z7PLEKSR5O6JTGR: eyJ0eXAiOiJqd3QiLCJhbGciOiJlZDI1NTE5In0.eyJqdGkiOiJPRFhJSVI2Wlg1Q1AzMlFJTFczWFBENEtTSDYzUFNNSEZHUkpaT05DR1RLVVBISlRLQ0JBIiwiaWF0IjoxNTU2NjU1Njk0LCJpc3MiOiJPRFdaSjJLQVBGNzZXT1dNUENKRjZCWTRRSVBMVFVJWTRKSUJMVTRLM1lERzNHSElXQlZXQkhVWiIsIm5hbWUiOiJBIiwic3ViIjoiQUNTVTNRNkxUTEJWTEdBUVVPTkFHWEpIVk5XR1NLS0FVQTdJWTVUQjRaN1BMRUtTUjVPNkpUR1IiLCJ0eXBlIjoiYWNjb3VudCIsIm5hdHMiOnsibGltaXRzIjp7InN1YnMiOi0xLCJjb25uIjotMSwibGVhZiI6LTEsImltcG9ydHMiOi0xLCJleHBvcnRzIjotMSwiZGF0YSI6LTEsInBheWxvYWQiOi0xLCJ3aWxkY2FyZHMiOnRydWV9fX0._WW5C1triCh8a4jhyBxEZZP8RJ17pINS8qLzz-01o6zbz1uZfTOJGvwSTS6Yv2_849B9iUXSd-8kp1iMXHdoBA +} +``` + +The `MEMORY` resolver is recommended when the server has a small number of accounts that don't change very often. + +For more information on how to configure a memory resolver, see [this tutorial](../../nats-tools/nas/mem_resolver.md). \ No newline at end of file From 370550b31f0eeae01ce9d9b5f40cb231ed0f71cf Mon Sep 17 00:00:00 2001 From: Ginger Collison Date: Mon, 6 Jan 2020 16:04:57 -0600 Subject: [PATCH 2/2] Update resolver.md --- nats-server/configuration/resolver.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/nats-server/configuration/resolver.md b/nats-server/configuration/resolver.md index 342fb26..588b0e6 100644 --- a/nats-server/configuration/resolver.md +++ b/nats-server/configuration/resolver.md 
@@ -1,23 +1,23 @@ # resolver -The `resolver` configuration option is used in conjunction with [NATS JWT Authentication](securing_nats/auth_intro/jwt_auth.md) and [nsc](../../nats-tools/nsc/nsc). The `resolver` option specifies an URL where the nats-server can retrieve an account JWT. There are two built-in resolver implementations: +The `resolver` configuration option is used in conjunction with [NATS JWT Authentication](securing_nats/auth_intro/jwt_auth.md) and [nsc](../../nats-tools/nsc/nsc). The `resolver` option specifies a URL where the nats-server can retrieve an account JWT. There are two built-in resolver implementations: - `URL` - `MEMORY` -# URL Resolver +## URL Resolver -The `URL` resolver specifies an URL where the server can append an account public key to retrieve that accounts JWT. Convention for [NATS Account JWT Servers](../../nats-tools/nas) is to serve JWTs at: `http://localhost:9090/jwt/v1/accounts/`. For such a configuration you would specify the resolver as follows: +The `URL` resolver specifies a URL where the server can append an account public key to retrieve that account's JWT. Convention for [NATS Account JWT Servers](../../nats-tools/nas) is to serve JWTs at: `http://localhost:9090/jwt/v1/accounts/`. For such a configuration you would specify the resolver as follows: ```yaml resolver: URL(http://localhost:9090/jwt/v1/accounts/) ``` -Note that if not using a nats-account-server, the URL can be anything so long as by appending the public key for an account, the requested JWT is returned. +Note that if you are not using a nats-account-server, the URL can be anything as long as by appending the public key for an account, the requested JWT is returned. For more information on how to configure an account server, see [NATS Account JWT Server](../../nats-tools/nas). -# MEMORY +## MEMORY The `MEMORY` resolver is statically configured in the server's configuration file. 
The memory resolver makes use of the `resolver_preload` directive, which specifies a map of a public key to an account JWT: @@ -30,4 +30,4 @@ ACSU3Q6LTLBVLGAQUONAGXJHVNWGSKKAUA7IY5TB4Z7PLEKSR5O6JTGR: eyJ0eXAiOiJqd3QiLCJhbG The `MEMORY` resolver is recommended when the server has a small number of accounts that don't change very often. -For more information on how to configure a memory resolver, see [this tutorial](../../nats-tools/nas/mem_resolver.md). \ No newline at end of file +For more information on how to configure a memory resolver, see [this tutorial](../../nats-tools/nas/mem_resolver.md).
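
Review bot: In the README.md hunk of patch 1/2, the `resolver` table row now has an empty link target, `[`resolver`]()`, so it drops the previous link to the nsc page and points nowhere, even though this same patch creates `resolver.md` in the same directory. Suggest `[`resolver`](resolver.md)` so the row leads to the new page.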
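
Review bot: In the new resolver.md added by patch 1/2, the opening paragraph says the `resolver` option "specifies an URL where the nats-server can retrieve an account JWT", but the list that follows includes `MEMORY`, which the MEMORY section describes as statically configured through `resolver_preload` with no URL involved. Suggest wording the intro so it covers both types, for example that the option selects how the server obtains account JWTs. Separately, the `[nsc](../../nats-tools/nsc/nsc)` link has no `.md` extension, while the README row removed in this patch used `../../nats-tools/nsc/nsc.md`; the link targets should be consistent.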
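
Review bot: In the first resolver.md hunk of patch 2/2, the demoted headings do not match each other: `## URL Resolver` against `## MEMORY`. Suggest `## MEMORY Resolver` (or shortening the other to `## URL`) so the two sections read as siblings. The reworded note, "the URL can be anything as long as by appending the public key for an account, the requested JWT is returned", is still hard to parse; something like "as long as appending the account's public key to it returns the requested JWT" is more direct.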