Caught during the live cutover: nats-server rejects 'unknown field no_auth_user' when it is nested in the authorization block, taking the whole broker down. Both the generator (open stage) and the committed bootstrap default emitted it nested. Moved to top level. Enforce-stage output was unaffected (no no_auth_user), which is what the live broker now runs. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
19 lines
885 B
Plaintext
# BOOTSTRAP DEFAULT — no secrets, safe to commit.
#
# Anonymous is mapped to a HARMLESS namespace (corrosion.unclaimed.>), never to
# real tenant subjects (corrosion.{uuid}.>) — so a fresh/stale deploy running
# this default cannot read or forge any tenant's traffic. The REST API still
# works; agent telemetry just won't flow until the real config is generated.
#
# On every real deploy, scripts/generate-nats-auth.mjs OVERWRITES this file
# (on the host, not in git) with the privileged internal user + per-license
# scoped users. NATS_AUTH_STAGE defaults to "enforce" (anonymous rejected).
#
# NOTE: no_auth_user is a TOP-LEVEL field, NOT inside authorization { }.

authorization {
  users: [
    { user: "anonymous", password: "", permissions: { publish: { allow: ["corrosion.unclaimed.>"] }, subscribe: { allow: ["corrosion.unclaimed.>"] } } }
  ]
}

no_auth_user: "anonymous"
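The failure in the commit message (a nested no_auth_user rejected by nats-server at cutover) is cheap to catch before deploy. The following is an added example, not the project's scripts/generate-nats-auth.mjs: renderNatsAuthConfig emits the authorization block for a stage ("open" adds the top-level no_auth_user, "enforce" omits it, as the commit describes) and lintNoAuthUser walks the rendered text tracking brace depth so that a no_auth_user at any depth other than zero, or one that names a user absent from authorization.users, is reported. The function names, the stage strings, and the {user, password, allow} input shape are assumptions for this example.

```javascript
// Added example (not the project's generate-nats-auth.mjs): render the NATS
// auth config for a stage and lint it before it reaches a live broker.

// Assumed input shape: [{ user, password, allow: [subjects...] }]
function renderNatsAuthConfig(stage, users) {
  const lines = ["authorization {", "  users: ["];
  for (const u of users) {
    const allow = JSON.stringify(u.allow);
    lines.push(
      `    { user: ${JSON.stringify(u.user)}, password: ${JSON.stringify(u.password)}, ` +
        `permissions: { publish: { allow: ${allow} }, subscribe: { allow: ${allow} } } }`
    );
  }
  lines.push("  ]", "}");
  // Only the open stage admits anonymous clients, and only through a
  // TOP-LEVEL no_auth_user pointing at the sandboxed "anonymous" user.
  if (stage === "open") {
    lines.push('no_auth_user: "anonymous"');
  }
  return lines.join("\n") + "\n";
}

// Lint: track { } / [ ] depth line by line. no_auth_user is valid only at
// depth 0; nested inside authorization { } nats-server rejects the file.
// Also check that the named user is actually defined in authorization.users.
function lintNoAuthUser(configText) {
  const problems = [];
  let depth = 0;
  let noAuthUser = null;
  configText.split("\n").forEach((rawLine, i) => {
    const line = rawLine.replace(/#.*$/, "").trim(); // drop comments
    if (!line) return;
    const m = line.match(/^no_auth_user\s*[:=]\s*"?([^"\s]+)"?/);
    if (m) {
      if (depth !== 0) {
        problems.push(`line ${i + 1}: no_auth_user nested at depth ${depth}; must be top-level`);
      } else {
        noAuthUser = m[1];
      }
    }
    for (const ch of line) {
      if (ch === "{" || ch === "[") depth++;
      else if (ch === "}" || ch === "]") depth--;
    }
  });
  if (noAuthUser !== null) {
    // \b keeps "no_auth_user:" itself from matching as a user definition.
    const defined = new RegExp(`\\buser:\\s*"${noAuthUser}"`).test(configText);
    if (!defined) problems.push(`no_auth_user "${noAuthUser}" is not defined in authorization.users`);
  }
  return { noAuthUser, problems };
}

// Constructed sample matching the bootstrap default above.
const ANON_ONLY = [{ user: "anonymous", password: "", allow: ["corrosion.unclaimed.>"] }];

function checkStages() {
  return {
    open: lintNoAuthUser(renderNatsAuthConfig("open", ANON_ONLY)),
    enforce: lintNoAuthUser(renderNatsAuthConfig("enforce", ANON_ONLY)),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(checkStages(), null, 2));
}
```

Running the lint as a pre-deploy step (on the generator's output for both stages and on the committed bootstrap default) turns the broker-side "unknown field" into a failed build.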