Sharing many distributed account Jetstreams with a server-side account

[dkc6gh]

I have a "server account" in NATS that needs to publish and consume Jetstream messages from thousands of accounts (distributed edges with multi-tenancy). To support streaming to the "server account," it becomes almost impossible to import every single account into the "server account." This makes the server account JWT really huge with all the import settings from other accounts, and NATS server cannot seem to handle this huge JWT. Currently edges are using leaf node configuration.

Are there any easier ways to achieve this, as suggested in discussions/5788, like just exporting one service from the server account instead and letting other distributed accounts import this?

[jnmoyne]

Use a single account and thousands of users for that account, and for each user only allow publication and subscription to the limited set of subjects (ie just the subjects (and therefore streams) it is allowed to publish to, and just the JS API (see https://docs.nats.io/reference/reference-protocols/nats_api_reference) that you allow it to send requests to, using the allow and deny in the user's JWT.

[dkc6gh]

Unfortunately, all the edges must use their own accounts due to separation requirements.

[jnmoyne]

There is separation between users in the same account if they are not allowed to publish/subscribe to the same subjects. Accounts a more for when you need each to have it's own subject name space and want to control import/export between them.

[dkc6gh]

The use case I am dealing with involves accounts representing different customers. It is quite difficult to put different customers into a single account. A customer can have multiple edges also. Ideally, each customer should have a separate account for better separation. The server account needs to listen to messages from different customers or accounts, and take appropriate actions.