Introduce new CUSTOM_LOOKUP and CUSTOM_LOOKUP_FULL Account Resolvers #6435

Open
wants to merge 3 commits into base: main

Conversation

@ghstahl ghstahl commented Jan 30, 2025

issue

Signed-off-by: Your Name your.email@example.com

Introduced

```go
type CustomLookupAccResolver struct {
	*DirAccResolver
}
```
@ghstahl ghstahl requested a review from a team as a code owner January 30, 2025 18:40
@ghstahl ghstahl changed the title from "https://github.com/nats-io/nats-server/issues/6434" to "Introduce a new CUSTOM_LOOKUP Account Resolver" Jan 30, 2025
Added 2 custom resolvers:
CUSTOM_LOOKUP_FULL, which is based on the FULL directory resolver
CUSTOM_LOOKUP, which always makes an external call.
@ghstahl ghstahl changed the title from "Introduce a new CUSTOM_LOOKUP Account Resolver" to "Introduce new CUSTOM_LOOKUP and CUSTOM_LOOKUP_FULL Account Resolvers" Jan 31, 2025
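To make the local-first, external-on-miss behaviour concrete, here is an added Go sketch that is not code from this PR or from nats-server: DirAccResolver is a constructed in-memory stand-in for the server's directory resolver, the shape of the Lookup field is an assumption, and only the CUSTOM_LOOKUP_FULL variant is shown, with a subject check so a JWT returned for the wrong account is neither served nor cached.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// DirAccResolver is a constructed in-memory stand-in for the server's directory resolver.
type DirAccResolver map[string]string

func (d DirAccResolver) Fetch(name string) (string, error) {
	if jwt, ok := d[name]; ok {
		return jwt, nil
	}
	return "", errors.New("account not found: " + name)
}

// CustomLookupFullAccResolver embeds the directory resolver, as the PR does, and calls the
// external lookup only on a local miss, caching the result (the CUSTOM_LOOKUP_FULL behaviour).
type CustomLookupFullAccResolver struct {
	DirAccResolver
	Lookup func(name string) (string, error) // the external call; its shape is an assumption
}

func (c *CustomLookupFullAccResolver) Fetch(name string) (string, error) {
	if jwt, err := c.DirAccResolver.Fetch(name); err == nil {
		return jwt, nil
	}
	jwt, err := c.Lookup(name)
	if err != nil {
		return "", err
	}
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed account jwt for " + name)
	}
	// Reject a JWT whose "sub" claim is not the requested account before it is served or
	// cached. Signature verification against the trusted operator key stays the server's job.
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	var claims struct{ Sub string `json:"sub"` }
	if err != nil || json.Unmarshal(raw, &claims) != nil || claims.Sub != name {
		return "", errors.New("lookup returned a jwt that is not for account " + name)
	}
	c.DirAccResolver[name] = jwt // cache so the next Fetch is served locally
	return jwt, nil
}
```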
@aricart (Member) commented Feb 4, 2025

I made a proof of concept of implementing dynamic account creation using the callout feature. That would be a simpler mechanism without having to modify the server.

aricart/callout.go#11

@shaunco commented Feb 13, 2025

@aricart - Thanks for the example, but requiring every single IoT device in our environment to be pre-seeded with a sentinel.creds file, and potentially having 100k+ leaf-nodes drop offline if that file ever changes, seems extremely impractical. Why can't the sub, signing_keys, auth_users from the sentinel.creds file's JWT be specified in the cluster config just like we can with static accounts and an authorization block? Why make us distribute a creds file to every leaf node when we only have 1? When we try we get:

nats-server: operators do not allow authorization callouts to be configured directly

Maybe I'm missing something here in the NATS auth design, but if we want to own auth_callout and the account resolver, why do we need to get involved in the operator/NSC/creds file complexity? We have a very different definition of "simpler mechanism" when we're looking to own all auth/accounts and your version brings in 13 nsc calls and a creds file that must be distributed to a large number of physically inaccessible devices.

@aricart (Member) commented Feb 14, 2025

@ghstahl can you reach out to me in slack?

3 participants