Allowing account owners to manage exports and imports without access to operator private keys

[mixicz]

Hi,
I want to build NATS supercluster in larger organization with dozens of independent teams. Idea is, each team can start own NATS cluster and join supercluster. To support this and adhere to our security rules, we had idea, that there will be one team responsible for supercluster support owning the operator. They would create account for each team who would join supercluster. This way all teams would be isolated and only specific resources can be exported and made accessible to others and each team could create own users for their applications and services.

While doing PoC of this approach I came upon problem, that exports and imports are stored in account JWT, thus all changes require to use operator signing key. But I would like to avoid unnecessary overhead and bottleneck in having to ask central team to do all import and export changes on accounts, while not sharing operator private keys.

Is there some secure way to allow account owners to manage their own exports and imports without access to operator private keys?

[aricart]

you cannot - think about it, the imports and the exports are stored in the account JWT, the account JWT is trusted because it is signed by the operator, thus you need to have an operator sign the account.

[mixicz]

This is actually not true, as after some more research I found managed operator, which I originally overlooked. It is exactly what I need:

Each time you edit your account JWT nsc will push the change to a managed operator's server and pull the signed response.

Question is how to create managed operator with its server though, as documentation only describes how to use it as user.

[aricart]

The managed operator is using an operator signing key to issue the account (accounts have to be signed by the operator).

[mixicz]

Such functionality is provided by managed operator.