Skip to content

Commit

Permalink
Support "validator" terminology.
Browse files Browse the repository at this point in the history
  • Loading branch information
abizjak committed Nov 14, 2023
1 parent ed07057 commit 43b7e4b
Show file tree
Hide file tree
Showing 10 changed files with 130 additions and 43 deletions.
7 changes: 7 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,13 @@

## Unreleased changes

- Add options `CONCORDIUM_NODE_VALIDATOR_CREDENTIALS_FILE` and
`CONCORDIUM_NODE_VALIDATOR_DECRYPT_CREDENTIALS` that alias
`CONCORDIUM_NODE_BAKER_CREDENTIALS_FILE`
`CONCORDIUM_NODE_BAKER_DECRYPT_CREDENTIALS`, respectively
The latter two options are still available, but hidden in the help text.
- Support `validatorId` in addition to `bakerId` in the credentials to start a validator.

## 6.2.1

- The account map is now kept solely on disk in a separate lmdb database and it is no longer part of the internal block state database.
Expand Down
6 changes: 3 additions & 3 deletions VARIABLES.md
Original file line number Diff line number Diff line change
Expand Up @@ -22,10 +22,10 @@ Then this should be set to the external port in order to allow other nodes to co

- `CONCORDIUM_NODE_DATA_DIR` Where the node should store its data, in particular the nodes database is stored here.

## Baker
Configurations related to baking.
## Validator
Configurations related to running a validator.

- `CONCORDIUM_NODE_BAKER_CREDENTIALS_FILE` A path to the file containing the baker keys. The filepath must be either an absolute path or a relative filepath to the CWD of the process. If this variable is not set, then the node is not eligible for baking.
- `CONCORDIUM_NODE_VALIDATOR_CREDENTIALS_FILE` A path to the file containing the validator keys. The filepath must be either an absolute path or a relative filepath to the CWD of the process. If this variable is not set, then the node is not eligible for baking.

## Connection
Network related configurations for a node.
Expand Down
13 changes: 11 additions & 2 deletions concordium-consensus/src/Concordium/Types/BakerIdentity.hs
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
module Concordium.Types.BakerIdentity where

import Control.Monad
import Data.Aeson (FromJSON, parseJSON, withObject, (.:))
import Data.Aeson (FromJSON, parseJSON, withObject, (.:), (.:?))

import qualified Concordium.Crypto.BlockSignature as Sig
import qualified Concordium.Crypto.BlsSignature as BLS
Expand Down Expand Up @@ -51,7 +51,16 @@ bakerElectionPublicKey ident = VRF.publicKey (bakerElectionKey ident)

instance FromJSON BakerIdentity where
parseJSON v = flip (withObject "Baker identity:") v $ \obj -> do
bakerId <- obj .: "bakerId"
maybeBakerId <- obj .:? "bakerId"
maybeValidatorId <- obj .:? "validatorId"
bakerId <- case (maybeBakerId, maybeValidatorId) of
(Nothing, Nothing) -> fail "Neither 'validatorId' nor 'bakerId' are specified."
(Just bid, Nothing) -> return bid
(Nothing, Just bid) -> return bid
(Just bid, Just vid) ->
if bid == vid
then return vid
else fail "'bakerId' and 'validatorId' are both specified, but different."
bakerSignKey <- parseJSON v
bakerElectionKey <- parseJSON v
bakerAggregationKey <- obj .: "aggregationSignKey"
Expand Down
79 changes: 76 additions & 3 deletions concordium-node/src/configuration.rs
Original file line number Diff line number Diff line change
Expand Up @@ -163,7 +163,14 @@ impl PrometheusConfig {
}

#[derive(StructOpt, Debug)]
// Parameters related to Baking (only used in cli).
/// Parameters related to Baking (only used in cli).
//
// This structure has a bit of redundancy. In particular it has duplicate
// options for specifying credentials. The reason for this is that Concordium
// underwent a renaming of "baker" to "validator". In order to streamline
// documentation the additional option using "validator" was added, but in order
// to keep backwards compatibility the existing options that use "baker" needed
// to remain.
pub struct BakerConfig {
#[cfg(feature = "profiling")]
#[structopt(
Expand Down Expand Up @@ -295,18 +302,34 @@ pub struct BakerConfig {
pub account_cache_size: u32,
#[structopt(
long = "baker-credentials-file",
hidden = true,
help = "Path to the baker credentials file. If the path is relative it is interpreted \
relative to the node process' working directory.",
env = "CONCORDIUM_NODE_BAKER_CREDENTIALS_FILE"
)]
pub baker_credentials_file: Option<PathBuf>,
baker_credentials_file: Option<PathBuf>,
#[structopt(
long = "validator-credentials-file",
help = "Path to the validator credentials file. If the path is relative it is interpreted \
relative to the node process' working directory.",
env = "CONCORDIUM_NODE_VALIDATOR_CREDENTIALS_FILE"
)]
validator_credentials_file: Option<PathBuf>,
#[structopt(
long = "decrypt-baker-credentials",
hidden = true,
help = "Indicate that the baker credentials are provided encrypted and thus need to be \
decrypted.",
env = "CONCORDIUM_NODE_BAKER_DECRYPT_CREDENTIALS"
)]
pub decrypt_baker_credentials: bool,
decrypt_baker_credentials: bool,
#[structopt(
long = "decrypt-validator-credentials",
help = "Indicate that the validator credentials are provided encrypted and thus need to \
be decrypted.",
env = "CONCORDIUM_NODE_VALIDATOR_DECRYPT_CREDENTIALS"
)]
decrypt_validator_credentials: bool,
#[structopt(
long = "modules-cache-size",
help = "The maximum number of smart contract modules that can be stored in the module \
Expand All @@ -317,6 +340,56 @@ pub struct BakerConfig {
pub modules_cache_size: u32,
}

impl BakerConfig {
fn decrypt_credentials(&self) -> bool {
self.decrypt_baker_credentials || self.decrypt_validator_credentials
}

/// If the [`BakerConfig`] specifies that baker credentials should be read
/// then attempt to read them, returning an `Err` if this is not
/// possible.
///
/// If the configuration does not specify baker credentials return
/// `Ok(None)`.
pub fn read_baker_credentials(&self) -> anyhow::Result<Option<Vec<u8>>> {
let path = match (
self.baker_credentials_file.as_ref(),
self.validator_credentials_file.as_ref(),
) {
(None, None) => return Ok(None),
(Some(bcred), Some(vcred)) => {
anyhow::ensure!(
bcred == vcred,
"Both --baker-credentials-file and --validator-credentials-file are supplied, \
and different."
);
bcred
}
(Some(cred), None) => cred,
(None, Some(cred)) => cred,
};
let read_data = match std::fs::read(path) {
Ok(read_data) => read_data,
Err(e) => anyhow::bail!("Cannot open the validator credentials file ({})!", e),
};
if self.decrypt_credentials() {
let et = serde_json::from_slice(&read_data)?;
let pass = rpassword::read_password_from_tty(Some(
"Enter password to decrypt baker credentials: ",
))?;
match concordium_base::common::encryption::decrypt(&pass.into(), &et) {
Ok(d) => Ok(Some(d)),
Err(_) => anyhow::bail!(
"Could not decrypt validator credentials. Most likely the password you \
provided is incorrect."
),
}
} else {
Ok(Some(read_data))
}
}
}

#[derive(StructOpt, Debug)]
/// Parameters related to the V2 GRPC interface.
pub struct GRPC2Config {
Expand Down
24 changes: 1 addition & 23 deletions concordium-node/src/plugins/consensus.rs
Original file line number Diff line number Diff line change
Expand Up @@ -96,29 +96,7 @@ pub fn get_baker_data(
Err(e) => bail!("Cannot open the genesis file ({})", e),
};

let private_data = if let Some(path) = &conf.baker_credentials_file {
let read_data = match std::fs::read(path) {
Ok(read_data) => read_data,
Err(e) => bail!("Cannot open the baker credentials file ({})!", e),
};
if conf.decrypt_baker_credentials {
let et = serde_json::from_slice(&read_data)?;
let pass = rpassword::read_password_from_tty(Some(
"Enter password to decrypt baker credentials: ",
))?;
match concordium_base::common::encryption::decrypt(&pass.into(), &et) {
Ok(d) => Some(d),
Err(_) => bail!(
"Could not decrypt baker credentials. Most likely the password you provided \
is incorrect."
),
}
} else {
Some(read_data)
}
} else {
None
};
let private_data = conf.read_baker_credentials()?;

Ok((genesis_data, private_data))
}
Expand Down
4 changes: 2 additions & 2 deletions scripts/distribution/macOS-package/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -156,8 +156,8 @@ The build script goes through the following major steps:
EnviromentVariables section:
```
<!-- Path to the baker credentials file. -->
<key>CONCORDIUM_NODE_BAKER_CREDENTIALS_FILE</key>
<string>/Library/Application Support/Concordium Node/Mainnet/Config/baker-credentials.json</string>
<key>CONCORDIUM_NODE_VALIDATOR_CREDENTIALS_FILE</key>
<string>/Library/Application Support/Concordium Node/Mainnet/Config/validator-credentials.json</string>
```
2. Restart the given node by using the stop/start shortcuts.
Expand Down
12 changes: 6 additions & 6 deletions scripts/distribution/ubuntu-packages/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -192,17 +192,17 @@ which will set the environment variable `CONCORDIUM_NODE_LISTEN_PORT` to `8888`

The node supports the following environment variables.

- `CONCORDIUM_NODE_BAKER_CREDENTIALS_FILE` the file with baker keys.
If it is set then the node will start as a baker, or at least attempt to.
- `CONCORDIUM_NODE_VALIDATOR_CREDENTIALS_FILE` the file with validator keys.
If it is set then the node will start as a validator, or at least attempt to.
This must be a path relative to the `WorkingDirectory` or an absolute path.
Since the node is sandboxed it does not have access to the `/home` directory
and some other parts of the system.
The recommended way to expose the baker keys to the node is to use the
The recommended way to expose the validator keys to the node is to use the
`BindReadOnlyPaths` option to remap the file from wherever it is on the host
system to a location which the node can read. For example (this assumes the baker keys are located in `/home/user/baker-credentials.json` on the host system)
system to a location which the node can read. For example (this assumes the validator keys are located in `/home/user/validator-credentials.json` on the host system)
```
Environment=CONCORDIUM_NODE_BAKER_CREDENTIALS_FILE=%S/concordium-${build_genesis_hash}/baker-credentials.json
BindReadOnlyPaths=/home/user/baker-credentials.json:%S/concordium-${build_genesis_hash}/baker-credentials.json
Environment=CONCORDIUM_NODE_VALIDATOR_CREDENTIALS_FILE=%S/concordium-${build_genesis_hash}/validator-credentials.json
BindReadOnlyPaths=/home/user/validator-credentials.json:%S/concordium-${build_genesis_hash}/validator-credentials.json
```


Expand Down
7 changes: 4 additions & 3 deletions service/windows/Configuration.md
Original file line number Diff line number Diff line change
Expand Up @@ -52,11 +52,12 @@ data_dir = 'C:\ProgramData\Concordium\Node Runner\mainnet\data'
The path to the data directory for the node, where the node's databases and the genesis data are stored.
This must be a folder on your system, and must contain the genesis data file `genesis.dat`, or else the node will fail to start.

### **baker_credentials** (string; optional)
### **validator_credentials** (string; optional)
```
baker_credentials = 'baker-credentials.json'
validator_credentials = 'validator-credentials.json'
```
The path to a baker credentials file if the node is to run as a baker.
The path to a validator credentials file if the node is to run as a validator.
The legacy option `baker_credentials` is an alias of this option.

### **listen.port** (integer; optional)
```
Expand Down
19 changes: 19 additions & 0 deletions service/windows/src/config.rs
Original file line number Diff line number Diff line change
Expand Up @@ -154,6 +154,25 @@ fn load_config_file(conf_str: &str, conf_root: &Path) -> anyhow::Result<Config>
);
let baker_credentials =
toml_get_as!(as_str, &node, "baker_credentials").map(make_relative_path);
let validator_credentials =
toml_get_as!(as_str, &node, "validator_credentials").map(make_relative_path);
// In order to support legacy configuration files we support both
// baker_credentials and validator_credentials.
// We allow both, but to prevent errors we mandate that if both options are
// supplied they are consistent.
let baker_credentials = match (baker_credentials, validator_credentials) {
(Some(bcred), Some(vcred)) => {
anyhow::ensure!(
bcred == vcred,
"Both `baker_credentials` and `validator_credentials` are specified, and \
different."
);
Some(bcred)
}
(baker_credentials, validator_credentials) => {
baker_credentials.or(validator_credentials)
}
};
let log_config = if let Some(config) = toml_get_as!(as_str, &node, "log", "config") {
LoggerConfig::Config(make_relative_path(config))
} else if let Some(log_path) = toml_get_as!(as_str, &node, "log", "path") {
Expand Down
2 changes: 1 addition & 1 deletion service/windows/src/node.rs
Original file line number Diff line number Diff line change
Expand Up @@ -212,7 +212,7 @@ impl NodeConfig {
cmd.env("CONCORDIUM_NODE_CONNECTION_BOOTSTRAP_NODES", self.bootstrap_nodes.clone());
self.baker_credentials
.as_ref()
.map(|bcred| cmd.env("CONCORDIUM_NODE_BAKER_CREDENTIALS_FILE", bcred.clone()));
.map(|bcred| cmd.env("CONCORDIUM_NODE_VALIDATOR_CREDENTIALS_FILE", bcred.clone()));
self.grpc2_address
.as_ref()
.map(|rpcaddr| cmd.env("CONCORDIUM_NODE_GRPC2_LISTEN_ADDRESS", rpcaddr.to_string()));
Expand Down

0 comments on commit 43b7e4b

Please sign in to comment.