NATS Weekly #8

Byron Ruth

Published on Jan 10th, 2022

Week of January 3 - 9, 2022

🗞 Announcements, writings, and projects

A short list of  announcements, blog posts, projects updates and other news.


🎬 Media

📖 Articles

💁‍♀️ FYI

💡 Recently asked questions

Questions sourced from Slack, Twitter, or individuals. Responses and examples are in my own words, unless otherwise noted.

How can I create a user JWT without requiring the seed?

Normally, when a new user is created under an account, a credentials file is created consisting of a JWT token and a seed having this structure:

------END NATS USER JWT------

************************* IMPORTANT *************************
NKEY Seed printed below can be used to sign and prove identity.
NKEYs are sensitive and should be treated as secrets.

------END USER NKEY SEED------


The seed is used to sign a nonce which is provided by the server when establishing a connection.

There was an option added with MQTT support was added which was to introduce the --bearer option when creating users. This specifically indicates that this user only needs to supply the JWT and not be required to sign the nonce provided by the server.

The justification was that existing MQTT clients only support supplying username and password without the addition nonce singing step. This means that users flagged as bearer tokens can authenticate using only the JWT as the password (and with a non-empty arbitrary username).

Bearer-only tokens should not be used with native NATS clients. However, if there is a desire to use NATS users for authenticating with other non-NATS servers, using bearer tokens could be an option.

Are user permissions inherited from account permissions?

I ran into this question after configuring an account with a set of permissions that I had expected all users created under that account would inherit and individual users could augment those permissions.

It turns out that this is not the behavior, but there is support for scoped account signing keys which can be used to stamp out users having identical permissions.

It did not quite fit my need, but it is a great option for use when deploying replicas a given client where individual user credentials are desired.

Is is possible to show the streams for an account, using the system account?

The short answer is no. The primary reason is because the system account (typically referred to as SYS) is a separate account from any other accounts which means it has isolated permissions.

As noted in the docs, the system account is used for monitor the NATS server/cluster specifically, under the $SYS.> subject space. It states:

It is NOT recommended to use this account to facilitate communication between your own applications. Its sole purpose is to facilitate communication with and between nats-server.

Within your own application account, a simple solution is to create a dedicated user with the desired permissions for inspecting metadata on streams and consumers. This can be achieved by giving permission to a subset of the $JS.> subject space.