Account Question

[zbindenren]

Hi

We have a configuration similart to:

accounts: {
    A: {
        jetstream: enable
        users: [
            { nkey: UDH...  }
        ]
    },
    B: {
        jetstream: enable
        users: [
            { nkey: UD2...  }
        ]
    },
    SYS: {
        users: [
            { nkey: UD3... }
        ]
    },
}

system_account: SYS

If I try to list streams with the SYS account I get:

$ nats stream list
nats: error: could not list streams: context deadline exceeded, try --help

This is probably because it is not allowed to enable jetstream for SYS the account.

Would it be possible to create an account that is able to list all streams and consumers for all accounts?

[derekcollison]

That is correct, the $SYS account provides JetStream.

From the $SYS account you can do the following.

nats server report jetstream

We do not allow the behavior to have a role up for all accounts, that would violate a security principle.

@ripienaar may have some other handy NATS cli commands though.

[zbindenren]

Hi @derekcollison

Thanks for the answer. This was almost what I was looking for.

If I run the command: nats server report jetstream --account=USER the report displays all 0 (consumers, streams etc) even I am sure I have consumers and streams. Maybe this is a misinterpretation on my part.

As admin it would be great to be able to list all streams and corresponding consumer information with the SYS account.

[derekcollison]

The $SYS account gives you certain permissions as an operator, but users accounts are still secure. You can write a multiplexer that would utilize limited credentials from all the accounts you wish to monitor. We have no plans to violate the security model of accounts, its design around security is very important to our users and customers.