permissions files

2 years ago · 03d6494a74
parent bc99c0c8ec
commit 03d6494a74
4 changed files with 11 additions and 8 deletions
--- a/README.md
+++ b/README.md
@ -91,8 +91,10 @@ All variables which can be overridden are stored in [defaults/main.yml](defaults
 | `besu_bootnodes` | [] | List of comma-separated enode URLs for P2P discovery bootstrap. When connecting to MainNet or public testnets, the default is a predefined list of enode URLs |
 | `besu_static_nodes_file` | /etc/besu/static-nodes.json | Path to the [static nodes file](https://besu.hyperledger.org/en/stable/Reference/CLI/CLI-Syntax/#static-nodes-file) |
 | `besu_host_whitelist` | `["*"]` | Comma-separated list of hostnames to allow access to the JSON-RPC API. By default, access from localhost and 127.0.0.1 is accepted. |
-| `besu_permissions_accounts_config_file` | ___unset___ | Path to the [local accounts permissioning file](http://besu.hyperledger.org/en/stable/HowTo/Limit-Access/Local-Permissioning/#permissions-configuration-file) |
-| `besu_permissions_nodes_config_file` | ___unset___ | Path to the [local nodes permissioning file](http://besu.hyperledger.org/en/stable/HowTo/Limit-Access/Local-Permissioning/#permissions-configuration-file) |
+| `besu_local_permissions_enabled` | "false" | Enable local permissioning |
+| `besu_local_permissions_config_file` | /etc/besu/permissions_config.toml | Path to the [local accounts permissioning file](http://besu.hyperledger.org/en/stable/HowTo/Limit-Access/Local-Permissioning/#permissions-configuration-file) and [local nodes permissioning file](http://besu.hyperledger.org/en/stable/HowTo/Limit-Access/Local-Permissioning/#permissions-configuration-file) |
+| `besu_local_permissions_accounts` | [] | List of permissioned accounts |
+| `besu_local_permissions_nodes` | [] | List of permissioned nodes |
 | `besu_permissions_accounts_contract_address` | ___unset___ | The contract address for onchain accounts permissioning |
 | `besu_permissions_nodes_contract_address` | ___unset___ | The contract address for onchain nodes permissioning |
 | `besu_cmdline_args` | "" | Command line args that are passed in as overrides |
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -24,6 +24,7 @@ besu_log_dir: "/var/log/besu"
 besu_profile_file: "/etc/profile.d/besu-path.sh"
 besu_static_nodes_file: "{{ besu_config_dir }}/static-nodes.json"
 besu_local_permissions_config_file: "{{ besu_config_dir }}/permissions_config.toml"
+besu_local_permissions_config_file_template: "permissions_config.toml.j2"

 # Managed service config
 besu_managed_service: true
--- a/tasks/config.yml
+++ b/tasks/config.yml
@ -29,14 +29,14 @@
  when: besu_static_nodes != []

 - name: Generate local permissions file if defined
-  copy:
-    dest: "{{ besu_static_nodes_file }}"
-    content: "{{ besu_static_nodes | to_json }}" 
+  template:
+    src: "{{ besu_local_permissions_config_file_template }}"
+    dest: "{{ besu_local_permissions_config_file }}" 
    owner: "{{ besu_user }}"
    group: "{{ besu_group }}"
    mode: 0644
  become: true
-  when: besu_static_nodes != []
+  when: besu_local_permissions_accounts != [] or besu_local_permissions_nodes != []

 - name: JWT secret
  block:
--- a/templates/permissions_config.toml.j2
+++ b/templates/permissions_config.toml.j2
@ -1,11 +1,11 @@

 {% if besu_local_permissions_accounts != [] %}
 # local accounts allowlist
-accounts-allowlist="{{ besu_local_permissions_accounts }}"
+accounts-allowlist=[{{besu_local_permissions_accounts|map('to_json')|join(',')}}]
 {% endif %}

 {% if besu_local_permissions_nodes != [] %}
 # local nodes allowlist
-nodes-allowlist="{{ besu_local_permissions_accounts }}"
+nodes-allowlist=[{{besu_local_permissions_nodes|map('to_json')|join(',')}}]
 {% endif %}