EOSIO / eos

An open source smart contract platform
https://developers.eos.io/manuals/eos
MIT License

Permissions issue trying to create account remotely using cleos #4675

Closed notsag-dev closed 6 years ago

notsag-dev commented 6 years ago

Hello guys. I'm having problems trying to create a new account on the blockchain remotely using cleos. I'm currently running a test EOS node locally on a Kubernetes (Minikube) pod, using the version v1.0.8 of the eos-dev Docker image. Additionally, I created another pod running the same image just to have the EOS tools in order to make calls to the blockchain service "remotely" (pods have different IP addresses).

I'm not sure about what key I have to have in my wallet in order to create the account remotely as the creator is "eosio". Because of that, I created a wallet (default) on the machine where the blockchain is running and added a key to that wallet. Finally, I imported that key into the wallet on the machine from where I'm trying to create the account (named "localwallet" in the commands below).

Then I run the commands as follows (on the "remote" system):

cleos wallet unlock -n localwallet
password: Error 3120007: Already unlocked

cleos -u http://10.106.212.74:8888 create account eosio accnt EOS5tz8E6hMWkoVE8QFwefw1QY5NYUftWAKYjcTFEKmjeXMxyXGWu EOS5tz8E6hMWkoVE8QFwefw1QY5NYUftWAKYjcTFEKmjeXMxyXGWu
Error 3090003: provided keys, permissions, and delays do not satisfy declared authorizations
Ensure that you have the related private keys inside your wallet and your wallet is unlocked.

I want to clarify that before trying this I had tried creating the account with keys that had been generated on the remote server using cleos, and from JS code using eosjs-ecc as well, without being imported on the system where the blockchain is running (I think that would be the normal case when you don't manage the block producer node). Those attempts were unsuccessful too.

So, my questions are:

Thank you.

jgiszczak commented 6 years ago

Keys being added to a new account do not need to be added to any wallet first.

Keys can be created on any machine with cleos available, or by eosjs-ecc. Generally speaking, keys should only be created on a machine you control, as the private key is handled in the process.

The private key for eosio should be in the wallet local to the machine running the create command. While it is possible to use a remote wallet, it is strongly discouraged. In your case, since you specified no --wallet-url on the command line, the eosio private key must be in an unlocked wallet on the machine running create, served from a keosd on the port cleos expects, which is 8900. If you launched keosd manually, without specifying a listen port, it will be on 8888, which is not the port cleos expects. If you allowed cleos to launch keosd, it will be on the correct port. If you launched keosd manually, then ran cleos without specifying the wallet URL of 127.0.0.1:8888, you will have two instances of keosd running, and the results will not be what you expect.

notsag-dev commented 6 years ago

Thank you for your fast reply, @jgiszczak. I didn't run keosd manually, but keosd was executed automatically when I ran cleos, so everything should be OK regarding that.

When I say "remote server" it just means that it is not the same IP as the virtual machine where the EOS blockchain is running, but both VMs are running on my computer. At the same time, I have imported the eosio key into the other VM as well in order to interact with the blockchain in the name of eosio from my nodejs Docker container (using the eosjs library).

As I had permissions problems while creating a new account from the JS code, I decided to try performing the account creation using cleos, facing permissions problems again. Maybe this is not expected to be done, and the eosio user can only operate from the same host where nodeos is running. Is that the case?

jgiszczak commented 6 years ago

The eosio user can execute transactions from anywhere, as long as the matching private key is available in an accessible wallet. Since it has been a while, your wallet may have been locked since the last time you tried a command. Try cleos wallet keys to be sure the wallet is unlocked and to get the list of keys in it. If you're following tutorials using the default genesis.json, you should have EOS6MRyAjQq8ud7hVNYcfnVPJqcVpscN5So8BhtHuGYqET5GDW5CV in your key list in your wallet.

notsag-dev commented 6 years ago

Thank you very much for your help, @jgiszczak. Problem solved. I just pushed the fixed code in case someone needs it.

oslivan commented 6 years ago

Hello, the problem I am having is very strange. Below is my execution log.

yanpz@dev:/tmp/eosio$ cleos wallet create -n abc
Creating wallet: abc
Save password to use in the future to unlock this wallet.
Without password imported keys will not be retrievable.
"PW5KYfSXLZH12tyeBJZVUUSeGPjgQT33MArzoQuDEZimDXBBGjPHN"
yanpz@dev:/tmp/eosio$ cleos create key
Private key: 5KgSsJ4w9xi3ZgVMFUhUomkwskCxT5aQW9t6dPD3gEET9LxUUX9
Public key: EOS5xHxDtEMk75QiJo4LcRjUkd51xjat1AqK3HvEu5k1vdYD5F794
yanpz@dev:/tmp/eosio$ cleos create key
Private key: 5KgFd9NRo4fN15x15Z8ihUfQzPcaPYnjzXSdtYM6z9VK5E7a9xY
Public key: EOS8NHixHGQXsD8KFsAjUVZbGcHi7hexPahouPZ5yG2SAd2CTjWxU
yanpz@dev:/tmp/eosio$ cleos wallet import -n abc --private-key 5KgFd9NRo4fN15x15Z8ihUfQzPcaPYnjzXSdtYM6z9VK5E7a9xY
imported private key for: EOS8NHixHGQXsD8KFsAjUVZbGcHi7hexPahouPZ5yG2SAd2CTjWxU
yanpz@dev:/tmp/eosio$ cleos wallet import -n abc --private-key 5KgSsJ4w9xi3ZgVMFUhUomkwskCxT5aQW9t6dPD3gEET9LxUUX9
imported private key for: EOS5xHxDtEMk75QiJo4LcRjUkd51xjat1AqK3HvEu5k1vdYD5F794
yanpz@dev:/tmp/eosio$ cleos wallet list
Wallets:
[
  "abc *",
  "default",
  "yanpz *"
]
yanpz@dev:/tmp/eosio$ cleos create account abc eosio EOS8NHixHGQXsD8KFsAjUVZbGcHi7hexPahouPZ5yG2SAd2CTjWxU EOS5xHxDtEMk75QiJo4LcRjUkd51xjat1AqK3HvEu5k1vdYD5F794
Error 3090003: Provided keys, permissions, and delays do not satisfy declared authorizations
Ensure that you have the related private keys inside your wallet and your wallet is unlocked.

I unlocked the abc account and imported the private key, but I can't create a new account. What is the reason? Thanks.

notsag-dev commented 6 years ago

Could you try this:

cleos create account eosio abc EOS8NHixHGQXsD8KFsAjUVZbGcHi7hexPahouPZ5yG2SAd2CTjWxU EOS5xHxDtEMk75QiJo4LcRjUkd51xjat1AqK3HvEu5k1vdYD5F794

If you want to create the abc account, you have to put eosio first and abc after it.

notsag-dev commented 6 years ago

You'll probably have to import the eosio keys to one of your wallets and unlock it as well in order to do that. As @jgiszczak said before, if you are using the default genesis.json file, eosio has a well-known key by default. I think that key was being imported automatically when creating the default wallet in the past, but I don't know if that's being done in the newer versions of eos. If not, just import it as we're doing in this script (line 19).
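A preflight for the Error 3090003 case discussed in this thread, as an added example that is not part of the original comments or of the EOSIO project: it checks that some wallet is unlocked and that the creator's public key is among the unlocked keys. The function names are hypothetical and the sample outputs are constructed from values posted in the thread; it assumes `cleos wallet keys` prints a JSON array of public keys.

```shell
#!/bin/sh
# Preflight for: cleos create account <creator> <new_account> <owner_key> <active_key>
# The creator (first argument) must sign, so its key must be in an unlocked wallet.

# Print names of unlocked wallets from `cleos wallet list` output
# (cleos marks an unlocked wallet with a trailing " *").
unlocked_wallets() {
  printf '%s\n' "$1" | sed -n 's/^ *"\(.*\) \*",\{0,1\} *$/\1/p'
}

# Succeed if public key $2 appears in `cleos wallet keys` output $1.
wallet_has_key() {
  printf '%s\n' "$1" | grep -qF "\"$2\""
}

# preflight <wallet_list_output> <wallet_keys_output> <creator_public_key>
# Prints "ok", or the reason the transaction cannot be authorized.
preflight() {
  if [ -z "$(unlocked_wallets "$1")" ]; then
    echo "no unlocked wallet"; return 1
  fi
  if ! wallet_has_key "$2" "$3"; then
    echo "creator key not in any unlocked wallet"; return 1
  fi
  echo "ok"
}

# Constructed sample input mirroring the wallet state posted above:
# two unlocked wallets holding only the keys meant for the new account.
SAMPLE_LIST='Wallets:
[
  "abc *",
  "default",
  "yanpz *"
]'
SAMPLE_KEYS='[
  "EOS5xHxDtEMk75QiJo4LcRjUkd51xjat1AqK3HvEu5k1vdYD5F794",
  "EOS8NHixHGQXsD8KFsAjUVZbGcHi7hexPahouPZ5yG2SAd2CTjWxU"
]'
# Public key of eosio under the default genesis.json, as quoted in the thread.
EOSIO_KEY='EOS6MRyAjQq8ud7hVNYcfnVPJqcVpscN5So8BhtHuGYqET5GDW5CV'

# Against a live setup, pass "$(cleos wallet list)" and "$(cleos wallet keys)".
preflight "$SAMPLE_LIST" "$SAMPLE_KEYS" "$EOSIO_KEY" || true
```
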

oslivan commented 6 years ago

Thank you for your reply. I had a misunderstanding before, confusing the concepts of wallet and account. I considered the newly created wallet to be an account. Now, the account abc has been created successfully.