
Add server error logging for invalid imports using decentralized/jwt auth #7983

@mxie-philips

Description

Proposed change

When defining accounts using user/pass in the configuration, I get validation on server startup when a subject stream import is not authorized (in this example due to account_token_position, which enforces account A can't import * for the account token). However, I don't see the same error logging when using the same invalid import using jwt auth.

Tested on:
NSC version: 2.12.0
NATS server version: 2.12.3

JWT conf file generated and used

nsc add operator -n <OP_NAME> --sys
# nsc by default adds the export $SYS.ACCOUNT.*.> subject on the system account

nsc add account <ACC_NAME>
nsc add import --src-account SYS --remote-subject "\$SYS.ACCOUNT.*.CONNECT"
nsc add import --src-account SYS --remote-subject "\$SYS.ACCOUNT.*.DISCONNECT"
nsc generate config --nats-resolver

After generating the config, starting the server results in no errors being logged and the subject stream imports are silently ignored.

Standard user/pass conf file used and error shown

accounts: {
    DEFAULT: {
        jetstream: enabled
        users: [
            {user: admin1, password: admin1},
            {user: admin, password: admin}
        ]
    }
    A: {
        jetstream: enabled
        users: [
            {user: a, password: a}
        ]
        imports: [
            {stream: {account: '$SYS', subject: '$SYS.ACCOUNT.*.>'}},
        ]
    },
    B: {
        jetstream: enabled
        users: [
            {user: b, password: b}
        ]
    },
    $SYS: {
        users: [
            {user: sys, password: sys}
        ]
        exports: [
            {stream: '$SYS.ACCOUNT.*.>', account_token_position: 3},
        ]
    }
}

Use case

I was attempting to figure out why there were no messages being received on an imported subject for an account. It wasn't until I checked the monitoring server that I realized the imports defined in the jwt and the imports recorded in the server were different. I wasn't aware of what account_token_position meant at the time (and I can't find documentation on the website about it), which made things more difficult. Having the initial error log would make debugging much easier for future developers who face the same issue.

Contribution

No response
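As an added illustration of the rule behind the error (this is example code, not code from nats-server or from the issue author), the Go program below re-implements the account_token_position check that a stream import is held to: the token at the given 1-based position of the requested import subject must be the importing account's literal name, so every import in this issue that has `*` in position 3 is rejected, while `$SYS.ACCOUNT.A.CONNECT` would be accepted for account A. The function names `subjectIsSubset` and `importAllowed` are the example's own.

```go
package main

import (
	"fmt"
	"strings"
)

// subjectIsSubset reports whether every subject matched by subject (which may
// itself contain * and >) is also matched by the export pattern export.
func subjectIsSubset(subject, export string) bool {
	st, et := strings.Split(subject, "."), strings.Split(export, ".")
	for i, e := range et {
		if e == ">" {
			return len(st) > i // '>' covers one or more remaining tokens
		}
		if i >= len(st) || st[i] == ">" {
			return false // subject is longer or wider than the export allows
		}
		if e != "*" && st[i] != e {
			return false
		}
	}
	return len(st) == len(et)
}

// importAllowed applies the account_token_position rule: the token at 1-based
// position tokenPos of the import subject must be the importing account's
// literal name (so '*' there is rejected); tokenPos 0 pins nothing.
func importAllowed(export string, tokenPos int, importer, subject string) (bool, string) {
	if !subjectIsSubset(subject, export) {
		return false, "import subject not covered by export " + export
	}
	if tokenPos > 0 {
		toks := strings.Split(subject, ".")
		if tokenPos > len(toks) {
			return false, fmt.Sprintf("subject has fewer than %d tokens", tokenPos)
		}
		if got := toks[tokenPos-1]; got != importer {
			return false, fmt.Sprintf("token %d is %q, must be importing account %q", tokenPos, got, importer)
		}
	}
	return true, "authorized"
}

func main() {
	for _, s := range []string{"$SYS.ACCOUNT.*.>", "$SYS.ACCOUNT.*.CONNECT", "$SYS.ACCOUNT.A.CONNECT"} {
		ok, why := importAllowed("$SYS.ACCOUNT.*.>", 3, "A", s)
		fmt.Printf("A imports %-24s -> %v (%s)\n", s, ok, why)
	}
}
```

The loop in main evaluates the issue's $SYS export (account_token_position: 3) against the two imports from the issue and one corrected import.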

Labels: proposal