Multitenancy: allow agent deployment/main wallet to be in read-only mode - Githubissues

openwallet-foundation / acapy

Hyperledger Aries Cloud Agent Python (ACA-Py) is a foundation for building decentralized identity applications and services running in non-mobile environments.

https://wiki.hyperledger.org/display/aries

Apache License 2.0

412 stars 512 forks source link

Multitenancy: allow agent deployment/main wallet to be in read-only mode #2317

Closed esune closed 1 year ago

esune commented 1 year ago

When running in multitenancy mode, the agent deployment needs to run with the "ledger write" mode enabled (ACAPY_READ_ONLY_LEDGER=false) for tenants to be able to perform ledger writes (e.g.: publishing a public DID, a schema definition, etc.) either directly, or by using an endorser.

This requires the main wallet, which only ever acts as tenant manager, to have a public DID registered on the ledger as well, which seems unnecessary.

Suggested behaviour:

An agent running in multi-tenant mode can be started successfully in read-only mode
- The main wallet for the multi-tenant deployment will NOT require a public did posted on the ledger
Tenants will be allowed to run in write mode, and perform ledger-write transactions either by using an endorser, or by registering their DID with the required privileges, after setting ACAPY_READ_ONLY_LEDGER=false
- Work in https://github.com/hyperledger/aries-cloudagent-python/pull/2233 might need to be extended to allow this functionality

esune commented 1 year ago

@dbluhm thoughts on this? I believe Indicio is using multi-tenant deployments of ACA-Py as well and I'd be curious in feedback/thoughts from your use-cases/

c.c.: @swcurran @andrewwhitehead @shaangill025 @usingtechnology

dbluhm commented 1 year ago

It's been a minute since I've interacted with a multi-tenant setup but, from memory, I don't recall ever needing to anchor a public DID for the base wallet before the tenants were able to write. When testing, I usually do not use the --wallet-seed argument and create DIDs through the Admin API for a subwallet and go through onboarding for that DID for that specific subwallet. Am I missing something?

esune commented 1 year ago

I did not think/know it was possible to run an agent without providing a seed - this might be what we are missing in our deployments so I'll have to try that.

We also provision subwallet DIDs using the API as well, and that is not a problem - the main wallet DID is what is currently throwing us off.

esune commented 1 year ago

@dbluhm I learned something new today, thanks! 🙂 I did not realize we could start the main wallet WITHOUT a seed, switching to this pattern seems to resolve our issues and I think make this specific issue unnecessary. I wonder if we should document this as preferred method to run multitenancy to help other people not fall into the same situation?

swcurran commented 1 year ago

An update to the Multi-tenancy doc?

esune commented 1 year ago

An update to the Multi-tenancy doc?

I opened a PR with a quick doc update - please let me know if the wording makes sense.