Consensys / quorum-kubernetes

Helm charts for Hyperledger Besu and GoQuorum
Apache License 2.0

Local permissions issue #223

Closed iulianolyn closed 1 month ago

iulianolyn commented 9 months ago

Hi everyone,

I just deployed the Consensys Kubernetes charts in AWS and I'm struggling with activating the local permissions. So basically I would like to have accounts-allowlist=[] with a list of accounts that are allowed to do transactions on the nodes.

I've noticed that the permissions_config.toml is not mounted inside the volumes so I added the following configuration to the /helm/charts/besu-node/node-statefulset.yaml:

In volumes:

{{- if .Values.node.besu.permissions.enabled }}
      - name: permissions-config
        configMap:
          name: {{ include "besu-node.fullname" . }}-permissions
          items:
            - key: permissions_config.toml
              path: permissions_config.toml
{{- end }}

in volumesMounts:

{{- if .Values.node.besu.permissions.enabled }}
          - name: permissions-config
            mountPath: /config/permissions
            readOnly: false
{{- end }}

and then I updated the /helm/charts/besu-node/values.yaml with:

permissions:
  enabled: true
  filePath: "/config/permissions/permissions_config.toml"
  accounts:
    enabled: true
    allowlist: ["0x*********************************"]

Everything seems fine until I start the nodes. I get a warning like this: TomlConfigFileParser | Write access denied for file at: /config/permissions/permissions_config.toml. Configuration modification operations will not be permitted.

I ssh into the validator pod with kubectl exec --stdin --tty -n besu besu-node-validator-1-0 -- /bin/bash and checked the file; it has r/w permissions: lrwxrwxrwx 1 root root 30 Jan 24 10:23 permissions_config.toml -> ..data/permissions_config.toml

besu@besu-node-validator-1-0:~$ cat /config/permissions/permissions_config.toml
# Permissioning TOML file

accounts-allowlist=["0x******************************"]
nodes-allowlist=[]

besu@besu-node-validator-1-0:~$

I tried also to publish a smart contract using the account from the allowlist and I got this issue from hardhat: Sender account is not authorized to send transactions. Just to mention that if I do not activate the permissions there is no issue publishing a smart contract.

Do you guys have an idea what is wrong with the configuration? Do you have any recommendations on how to activate local permissions?

Thank you! Iulian

joshuafernandes commented 1 month ago

Hi @iulianolyn the second error makes sense in regards to not being able to send a tx if the account isn't allowed.

For note, the permissions there are for root, but all besu pods run as besu (user 1000), which will explain it not being able to write. Having said that, I'm not sure why it needs write permissions specifically; if anything I would have thought read would be sufficient. I'd suggest asking for assistance in Discord or posting this issue in the besu repo directly, as this is more Besu specific than k8s specific.

One other thing you could do in the interim is to put it in /tmp?
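The first warning comes from the mount itself: kubelet mounts ConfigMap volumes read-only regardless of the volumeMount's readOnly setting, and the projected files are owned by root while the Besu process runs as uid 1000. Besu wants write access because it persists allowlist changes made through the perm_* JSON-RPC methods back into that file. One way to give Besu a writable copy, as an added example that is not part of the quorum-kubernetes chart or of either comment above: an init container copies the ConfigMap file into an emptyDir before Besu starts. The ConfigMap name, image tags, the placeholder account address and the explicit Besu CLI flags are assumptions for the example; the chart wires these through its values rather than as literal args.

```yaml
# Added example (not from the quorum-kubernetes chart). Names, image tags and the
# account address are assumptions chosen for illustration.
apiVersion: v1
kind: ConfigMap
metadata:
  name: besu-node-validator-1-permissions   # assumed name
data:
  permissions_config.toml: |
    # Permissioning TOML file
    accounts-allowlist=["0x0000000000000000000000000000000000000001"]   # placeholder address
    nodes-allowlist=[]
---
apiVersion: v1
kind: Pod                                     # same spec shape goes under a StatefulSet template
metadata:
  name: besu-node-validator-1-0
spec:
  securityContext:
    runAsUser: 1000                           # Besu runs as the "besu" user (uid 1000)
    runAsGroup: 1000
    fsGroup: 1000                             # emptyDir becomes group-writable for gid 1000
  initContainers:
    - name: copy-permissions
      image: busybox:1.36                     # assumed helper image
      command:
        - sh
        - -c
        - |
          # ConfigMap mount is read-only and root-owned; copy it into the writable emptyDir
          cp /config/permissions-ro/permissions_config.toml /config/permissions/permissions_config.toml
          # owner (uid 1000) read/write, group read, nobody else
          chmod 0640 /config/permissions/permissions_config.toml
      volumeMounts:
        - name: permissions-config
          mountPath: /config/permissions-ro
          readOnly: true
        - name: permissions-rw
          mountPath: /config/permissions
  containers:
    - name: besu
      image: hyperledger/besu                 # use the chart's pinned image in practice
      args:
        - --permissions-accounts-config-file-enabled=true
        - --permissions-accounts-config-file=/config/permissions/permissions_config.toml
      volumeMounts:
        - name: permissions-rw
          mountPath: /config/permissions     # the same path the values.yaml filePath points to
  volumes:
    - name: permissions-config
      configMap:
        name: besu-node-validator-1-permissions
        defaultMode: 0440
    - name: permissions-rw
      emptyDir: {}
```

Because the writable copy lives in an emptyDir, any allowlist edits Besu makes at runtime through the perm_* RPC methods are lost when the pod restarts and the ConfigMap is copied in again, so the ConfigMap stays the source of truth for the allowlist; treat that as a feature if the allowlist should only change through a reviewed chart upgrade, or back the directory with a persistent volume if runtime changes must survive.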