Accounts - Best way to add new accounts and reload running servers in a cluster

[apuckey]

Hi all,

I was trying to add some new accounts to a cluster of 5 servers. The documentation says i can do this however it doesnt elaborate on the correct procedure so here's what i tried:

These servers are managed by puppet so try 1:
update config in puppetserver
do a puppet run on each individual node which updates the server config then executes docker exec nats nats-server --signal reload

this rolls from server a to server e so the accounts existed in A first then B etc etc. By the end all 5 servers had reloaded but the new accounts did not work.

So try 2 I then manually restarted each node now that the server.conf had the new accounts A -> E but i still could not use the new account.

Finally try 3 I edited the server config and added debug: true then again restarted all nodes in order A -> E and then the account worked.

I Suspect what's happened is the account config needed to exist in all 5 servers before I reloaded ANY node in the cluster as i assume the other 4 nodes check to see if they have that account in the server.conf.

Can someone shed some light on this or is my assumption correct and i will have to do the puppet deploy slightly different to make it work correctly.

Cheers!

[ripienaar]

The JWT based authentication system is designed to solve this problem.

https://docs.nats.io/running-a-nats-service/configuration/securing_nats/auth_intro/jwt

[apuckey]

From what i can see theres no upgrade path from using normal username/password accounts and the new JWT System as you cant have both in the same config. I do love how the new one works though :)

Am I missing something here or do we have to change all our apps to support both authentication methods before migrating.

Cheers

[derekcollison]

One option is to create a new server (or cluster) with the JWT auth and have the original server(s) leafnode to this new cluster. That will allow you to slowly move apps over.

You could also use auth-callout as an option.