From 03d6494a74750ad7e9176e699e9e547290732cb1 Mon Sep 17 00:00:00 2001
From: Joshua Fernandes
Date: Wed, 4 Jan 2023 12:49:16 +1000
Subject: [PATCH] permissions files

---
 README.md | 6 ++++--
 defaults/main.yml | 1 +
 tasks/config.yml | 8 ++++----
 templates/permissions_config.toml.j2 | 4 ++--
 4 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/README.md b/README.md
index 9e4d401..38b36ce 100644
--- a/README.md
+++ b/README.md
@@ -91,8 +91,10 @@ All variables which can be overridden are stored in [defaults/main.yml](defaults
 | `besu_bootnodes` | [] | List of comma-separated enode URLs for P2P discovery bootstrap. When connecting to MainNet or public testnets, the default is a predefined list of enode URLs |
 | `besu_static_nodes_file` | /etc/besu/static-nodes.json | Path to the [static nodes file](https://besu.hyperledger.org/en/stable/Reference/CLI/CLI-Syntax/#static-nodes-file) |
 | `besu_host_whitelist` | `["*"]` | Comma-separated list of hostnames to allow access to the JSON-RPC API. By default, access from localhost and 127.0.0.1 is accepted. |
-| `besu_permissions_accounts_config_file` | ___unset___ | Path to the [local accounts permissioning file](http://besu.hyperledger.org/en/stable/HowTo/Limit-Access/Local-Permissioning/#permissions-configuration-file) |
-| `besu_permissions_nodes_config_file` | ___unset___ | Path to the [local nodes permissioning file](http://besu.hyperledger.org/en/stable/HowTo/Limit-Access/Local-Permissioning/#permissions-configuration-file) |
+| `besu_local_permissions_enabled` | "false" | Enable local permissioning |
+| `besu_local_permissions_config_file` | /etc/besu/permissions_config.toml | Path to the [local accounts permissioning file](http://besu.hyperledger.org/en/stable/HowTo/Limit-Access/Local-Permissioning/#permissions-configuration-file) and [local nodes permissioning file](http://besu.hyperledger.org/en/stable/HowTo/Limit-Access/Local-Permissioning/#permissions-configuration-file) |
+| `besu_local_permissions_accounts` | [] | List of permissioned accounts |
+| `besu_local_permissions_nodes` | [] | List of permissioned nodes |
 | `besu_permissions_accounts_contract_address` | ___unset___ | The contract address for onchain accounts permissioning |
 | `besu_permissions_nodes_contract_address` | ___unset___ | The contract address for onchain nodes permissioning |
 | `besu_cmdline_args` | "" | Command line args that are passed in as overrides |
diff --git a/defaults/main.yml b/defaults/main.yml
index 380a63d..ae610ac 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -24,6 +24,7 @@ besu_log_dir: "/var/log/besu"
 besu_profile_file: "/etc/profile.d/besu-path.sh"
 besu_static_nodes_file: "{{ besu_config_dir }}/static-nodes.json"
 besu_local_permissions_config_file: "{{ besu_config_dir }}/permissions_config.toml"
+besu_local_permissions_config_file_template: "permissions_config.toml.j2"
 
 # Managed service config
 besu_managed_service: true
diff --git a/tasks/config.yml b/tasks/config.yml
index 5a8d08a..61e4843 100644
--- a/tasks/config.yml
+++ b/tasks/config.yml
@@ -29,14 +29,14 @@
   when: besu_static_nodes != []
 
 - name: Generate local permissions file if defined
-  copy:
-    dest: "{{ besu_static_nodes_file }}"
-    content: "{{ besu_static_nodes | to_json }}"
+  template:
+    src: "{{ besu_local_permissions_config_file_template }}"
+    dest: "{{ besu_local_permissions_config_file }}"
     owner: "{{ besu_user }}"
     group: "{{ besu_group }}"
     mode: 0644
   become: true
-  when: besu_static_nodes != []
+  when: besu_local_permissions_accounts != [] or besu_local_permissions_nodes != []
 
 - name: JWT secret
   block:
diff --git a/templates/permissions_config.toml.j2 b/templates/permissions_config.toml.j2
index 92654cc..fbd191f 100644
--- a/templates/permissions_config.toml.j2
+++ b/templates/permissions_config.toml.j2
@@ -1,11 +1,11 @@
 {% if besu_local_permissions_accounts != [] %}
 # local accounts allowlist
-accounts-allowlist="{{ besu_local_permissions_accounts }}"
+accounts-allowlist=[{{besu_local_permissions_accounts|map('to_json')|join(',')}}]
 {% endif %}
 {% if besu_local_permissions_nodes != [] %}
 # local nodes allowlist
-nodes-allowlist="{{ besu_local_permissions_accounts }}"
+nodes-allowlist=[{{besu_local_permissions_nodes|map('to_json')|join(',')}}]
 {% endif %}
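Review bot: The new `besu_local_permissions_config_file_template` default is not added to the README variable table that this same commit extends, so users cannot discover that the rendered template is overridable. A row for `besu_local_permissions_config_file_template` with default `permissions_config.toml.j2` and a description along the lines of "Template used to render the local permissions file", placed next to the other `besu_local_permissions_*` rows, would close that gap. The README hunk also documents `besu_local_permissions_enabled`, which does not appear in this defaults hunk; if it is defined elsewhere in defaults/main.yml that is fine, otherwise the role has no default for it.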
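Review bot: The new `when:` gates the permissions file solely on the two lists being non-empty and ignores `besu_local_permissions_enabled`, which the README hunk in this commit presents as the switch for local permissioning. If that flag is what makes Besu read `besu_local_permissions_config_file` (not visible here), enabling it with both lists empty leaves Besu pointed at a file this task never writes, while disabling it with populated lists still writes the file; gating on the flag as well, `when: besu_local_permissions_enabled | bool and (besu_local_permissions_accounts != [] or besu_local_permissions_nodes != [])`, keeps the two in step. Once written, the file is never removed when the lists are later emptied, so a stale allowlist keeps being enforced on subsequent runs; a counterpart `file` task with `state: absent` under the inverse condition would make the role converge. The task itself is shown whole, but the neighbouring tasks start and end outside the hunk.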
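Review bot: `map('to_json')` serialises each entry as whatever type the YAML loader produced, so an account address written unquoted in inventory (an `0x` prefix followed only by hex digits) is read by Ansible's YAML 1.1 loader as an integer and lands in the TOML array as a bare decimal number instead of a quoted address string; enode URLs are not affected because they cannot be mis-typed. The README rows added in this commit should state that `besu_local_permissions_accounts` entries must be quoted strings, and an `assert` task before the template task can fail fast with `that: besu_local_permissions_accounts | reject('string') | list | length == 0`. As a style point, the new lines drop the spaces inside `{{ }}` that the removed lines and the `{% %}` tags in this template use.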