From 663c01a6efbf04b9f853c610577c88685a532ee9 Mon Sep 17 00:00:00 2001 From: Byron Gravenorst Date: Wed, 24 Jun 2020 08:42:37 +1000 Subject: [PATCH 1/7] Rename whitelist to allowlist. Signed-off-by: Byron Gravenorst --- .../HowTo/Limit-Access/Local-Permissioning.md | 6 ++--- docs/Reference/CLI/CLI-Subcommands.md | 6 ++--- docs/Reference/CLI/CLI-Syntax.md | 26 +++++++++---------- 3 files changed, 19 insertions(+), 19 deletions(-) diff --git a/docs/HowTo/Limit-Access/Local-Permissioning.md b/docs/HowTo/Limit-Access/Local-Permissioning.md index d9fd2bb4220..45e47da4e07 100644 --- a/docs/HowTo/Limit-Access/Local-Permissioning.md +++ b/docs/HowTo/Limit-Access/Local-Permissioning.md @@ -4,11 +4,11 @@ description: Hyperledger Besu local permissioning # Local permissioning -Local permissioning supports node and account whitelisting. +Local permissioning supports limiting access to specific nodes and accounts. -## Node whitelisting +## Configure node access -You can specify nodes in the nodes whitelist in the +You can specify nodes to allow access in the [permissions configuration file](#permissions-configuration-file) file. With node whitelisting enabled, communication is only between nodes in the whitelist. diff --git a/docs/Reference/CLI/CLI-Subcommands.md b/docs/Reference/CLI/CLI-Subcommands.md index 8a7c8e1f7f0..af80c27cf2e 100644 --- a/docs/Reference/CLI/CLI-Subcommands.md +++ b/docs/Reference/CLI/CLI-Subcommands.md 
@@ -229,15 +229,15 @@ server. The command accepts the following command line options: * [\--data-path](./CLI-Syntax.md#data-path) -* [\--host-whitelist](./CLI-Syntax.md#host-whitelist) +* [\--host-allowlist](./CLI-Syntax.md#host-allowlist) * [\--rpc-http-host](./CLI-Syntax.md#rpc-http-host) * [\--rpc-http-port](./CLI-Syntax.md#rpc-http-port) * [\--logging](./CLI-Syntax.md#logging) ```bash tab="Syntax" -besu retesteth [--data-path=] [--rpc-http-host=] [--rpc-http-port=] [-l=] [--host-whitelist=[,…]… or * or all] +besu retesteth [--data-path=] [--rpc-http-host=] [--rpc-http-port=] [-l=] [--host-allowlist=[,…]… or * or all] ``` ```bash tab="Example" -besu retesteth --data-path=/home/me/me_node --rpc-http-port=8590 --host-whitelist=* +besu retesteth --data-path=/home/me/me_node --rpc-http-port=8590 --host-allowlist=* ``` diff --git a/docs/Reference/CLI/CLI-Syntax.md b/docs/Reference/CLI/CLI-Syntax.md index 7ce7157b1e5..350178f366c 100644 --- a/docs/Reference/CLI/CLI-Syntax.md +++ b/docs/Reference/CLI/CLI-Syntax.md 
@@ -319,32 +319,32 @@ The GraphQL HTTP listening port (TCP). The default is 8547. Ports must be Show the help message and exit. -### host-whitelist +### host-allowlist ```bash tab="Syntax" ---host-whitelist=[,...]... or "*" +--host-allowlist=[,...]... or "*" ``` ```bash tab="Command Line" ---host-whitelist=medomain.com,meotherdomain.com +--host-allowlist=medomain.com,meotherdomain.com ``` ```bash tab="Environment Variable" -BESU_HOST_WHITELIST=medomain.com,meotherdomain.com +BESU_HOST_ALLOWLIST=medomain.com,meotherdomain.com ``` ```bash tab="Configuration File" -host-whitelist=["medomain.com", "meotherdomain.com"] +host-allowlist=["medomain.com", "meotherdomain.com"] ``` A comma-separated list of hostnames to allow -[access to the JSON-RPC API](../../HowTo/Interact/APIs/Using-JSON-RPC-API.md#host-whitelist). By +[access to the JSON-RPC API](../../HowTo/Interact/APIs/Using-JSON-RPC-API.md#host-allowlist). By default, Besu accepts access from `localhost` and `127.0.0.1`. !!!note If using [Prometheus](https://prometheus.io/) to pull metrics from a node, you must specify all - the other nodes you want to pull metrics from in the whitelist of hostnames. + the other nodes you want to pull metrics from in the list of allowed hostnames. !!!tip @@ -507,7 +507,7 @@ metrics-host="127.0.0.1" The host on which [Prometheus](https://prometheus.io/) accesses [Besu metrics](../../HowTo/Monitor/Metrics.md#monitor-node-performance-using-prometheus). The -metrics server respects the [`--host-whitelist` option](#host-whitelist). +metrics server respects the [`--host-allowlist` option](#host-allowlist). The default is `127.0.0.1`. @@ -576,7 +576,7 @@ metrics-push-host="127.0.0.1" ``` The host of the [Prometheus Push Gateway](https://github.com/prometheus/pushgateway). The default -is `127.0.0.1`. The metrics server respects the [`--host-whitelist` option](#host-whitelist). +is `127.0.0.1`. The metrics server respects the [`--host-allowlist` option](#host-allowlist). !!! note 
@@ -1240,7 +1240,7 @@ you do not specify this option, Besu signs each transaction with a different ran key. If using [account permissioning] and privacy, you must specify a private key file and the signing -key included in the accounts whitelist. +key included in the list of allowed accounts. ### privacy-multi-tenancy-enabled @@ -1697,7 +1697,7 @@ The [JWT provider's public key file] used for JSON-RPC HTTP authentication with ```bash tab="Command Line" -$# You can whitelist one or more domains with a comma-separated list. +$# You can allow one or more domains with a comma-separated list. --rpc-http-cors-origins="http://medomain.com","https://meotherdomain.com" ``` @@ -1721,9 +1721,9 @@ A list of domain URLs for CORS validation. You must enclose the URLs in double q them with commas. Listed domains can access the node using JSON-RPC. If your client interacts with Besu using a -browser app (such as Remix or a block explorer), you must whitelist the client domains. +browser app (such as Remix or a block explorer), add the client domain to the list. -The default value is `"none"`. If you do not whitelist any domains, browser apps cannot interact +The default value is `"none"`. If you do not list any domains, browser apps cannot interact with your Besu node. !!!note From 7795bdd5f70ef272772eb5ad66f8a5352f52dfa0 Mon Sep 17 00:00:00 2001 From: Byron Gravenorst Date: Wed, 24 Jun 2020 10:06:39 +1000 Subject: [PATCH 2/7] Additional updates. Signed-off-by: Byron Gravenorst --- docs/HowTo/Limit-Access/Local-Permissioning.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/HowTo/Limit-Access/Local-Permissioning.md b/docs/HowTo/Limit-Access/Local-Permissioning.md index 45e47da4e07..0346816ba61 100644 --- a/docs/HowTo/Limit-Access/Local-Permissioning.md +++ b/docs/HowTo/Limit-Access/Local-Permissioning.md 
@@ -8,19 +8,19 @@ Local permissioning supports limiting access to specific nodes and accounts. ## Configure node access -You can specify nodes to allow access in the -[permissions configuration file](#permissions-configuration-file) file. With node whitelisting -enabled, communication is only between nodes in the whitelist. +You can allow access to specified nodes in the +[permissions configuration file](#permissions-configuration-file). When limiting node access, +communication is only between nodes listed in the file. -!!! example "Nodes Whitelist in Permissions Configuration File" +!!! example "Allow nodes access in the permissions configuration file" - `nodes-whitelist=["enode://6f8a80d14311c39f35f516fa664deaaaa13e85b2f7493f37f6144d86991ec012937307647bd3b9a82abe2974e1407241d54947bbb39763a4cac9f77166ad92a0@192.168.0.9:4567","enode://6f8a80d14311c39f35f516fa664deaaaa13e85b2f7493f37f6144d86991ec012937307647bd3b9a82abe2974e1407241d54947bbb39763a4cac9f77166ad92a0@192.169.0.9:4568"]` + `nodes-allowlist=["enode://6f8a80d14311c39f35f516fa664deaaaa13e85b2f7493f37f6144d86991ec012937307647bd3b9a82abe2974e1407241d54947bbb39763a4cac9f77166ad92a0@192.168.0.9:4567","enode://6f8a80d14311c39f35f516fa664deaaaa13e85b2f7493f37f6144d86991ec012937307647bd3b9a82abe2974e1407241d54947bbb39763a4cac9f77166ad92a0@192.169.0.9:4568"]` -Node whitelisting is at the node level. That is, each node in the network has a +Specify node access at the node level. That is, each node in the network has a [permissions configuration file](#permissions-configuration-file) file in the [data directory](../../Reference/CLI/CLI-Syntax.md#data-path) for the node. 
-To update the nodes whitelist when the node is running, use the JSON-RPC API methods: +To update the list of allowed nodes while the node is running, use the JSON-RPC API methods: * [perm_addNodesToWhitelist](../../Reference/API-Methods.md#perm_addnodestowhitelist) * [perm_removeNodesFromWhitelist](../../Reference/API-Methods.md#perm_removenodesfromwhitelist). From 024d114c50494ec665ae4ea8f310ae66637d2ae1 Mon Sep 17 00:00:00 2001 From: Byron Gravenorst Date: Thu, 16 Jul 2020 09:34:09 +1000 Subject: [PATCH 3/7] Whitelist renaming. Signed-off-by: Byron Gravenorst --- docs/Concepts/Node-Keys.md | 2 +- .../Permissioning/Onchain-Permissioning.md | 19 +-- docs/HowTo/Deploy/Lite-Block-Explorer.md | 4 +- docs/HowTo/Get-Started/Starting-node.md | 6 +- docs/HowTo/Interact/APIs/API.md | 10 +- .../HowTo/Limit-Access/Local-Permissioning.md | 108 +++++++++--------- ...elists.md => Updating-Permission-Lists.md} | 20 ++-- docs/HowTo/Troubleshoot/Troubleshooting.md | 2 +- .../Sign-Privacy-Marker-Transactions.md | 2 +- docs/Reference/API-Methods.md | 71 ++++++------ .../Create-Permissioned-Network.md | 40 +++---- .../Getting-Started-Onchain-Permissioning.md | 14 +-- .../Privacy/Configuring-Multi-Tenancy.md | 2 +- docs/Tutorials/Privacy/Configuring-Privacy.md | 12 +- .../Private-Network/Create-IBFT-Network.md | 18 +-- .../Create-Private-Clique-Network.md | 14 +-- .../Private-Network/Create-Private-Network.md | 6 +- mkdocs.yml | 2 +- 18 files changed, 177 insertions(+), 175 deletions(-) rename docs/HowTo/Limit-Access/{Updating-Whitelists.md => Updating-Permission-Lists.md} (68%) diff --git a/docs/Concepts/Node-Keys.md b/docs/Concepts/Node-Keys.md index e474d3fb969..9fa97176d7a 100644 --- a/docs/Concepts/Node-Keys.md +++ b/docs/Concepts/Node-Keys.md 
@@ -40,7 +40,7 @@ You can export the node address, either to standard output or to a specified fil ## Enode URL The enode URL identifies a node. For example, the `--bootnodes` option and the -`perm_addNodesToWhitelist` method specify nodes by enode URL. +`perm_addNodesToAllowlist` method specify nodes by enode URL. The enode URL format is `enode://@` where: diff --git a/docs/Concepts/Permissioning/Onchain-Permissioning.md b/docs/Concepts/Permissioning/Onchain-Permissioning.md index 84488fa60e9..942bf8fdb08 100644 --- a/docs/Concepts/Permissioning/Onchain-Permissioning.md +++ b/docs/Concepts/Permissioning/Onchain-Permissioning.md @@ -5,7 +5,7 @@ description: Onchain permissioning # Onchain permissioning Onchain permissioning uses smart contracts to store and administer the node, account, and admin -whitelists. Using onchain permissioning enables all nodes to read the whitelists from a single +permissions. Using onchain permissioning enables all nodes to read the permissions from a single source, the blockchain. !!! note 
@@ -23,29 +23,30 @@ repository are: * Ingress contracts for nodes and accounts - proxy contracts defined in the genesis file to defer the permissioning logic to the Node Rules and Account Rules contracts. The Ingress contracts deploy to static addresses. -* Node Rules - stores the node whitelist and node whitelist operations (for example, add and +* Node Rules - stores the permitted nodes and node operations (for example, add and remove). -* Account Rules - stores the accounts whitelist and account whitelist operations (for example, add +* Account Rules - stores the permitted accounts and account operations (for example, add and remove). * Admin - stores the list of admin accounts and admin list operations (for example, add and remove). There is one list of admin accounts for node and accounts. ## Permissioning management Dapp -The [Permissioning Management Dapp] provides view and maintain access to the whitelists. +The [Permissioning Management Dapp] provides view and maintain access to the permitted nodes, +accounts, and admins. !!! tip Before v1.2, the management interface used Truffle, now deprecated. For an improved user experience, use the Dapp. -### Whitelists +### Permission lists -Permissioning implements three whitelists: +Permission lists are available for the following: * Accounts, which can submit transactions to the network. * Nodes, which can join the network. -* Admins, which are accounts able to update the accounts and nodes whitelists. +* Admins, which are accounts able to update permitted accounts and nodes. !!! caution "Using account permissioning and privacy" @@ -55,7 +56,7 @@ Permissioning implements three whitelists: If using account permissioning and privacy, a signing key must be specified using the [`--privacy-marker-transaction-signing-key-file`] command line option and the signing key - included in the accounts whitelist. + included in the list of permitted accounts. ## Bootnodes 
@@ -68,7 +69,7 @@ bootnodes to rediscover peers. !!! important - All bootnodes must be on the nodes whitelist. + All bootnodes must be on the list of permitted nodes. [PegaSysEng/permissioning-smart-contracts]: https://github.com/PegaSysEng/permissioning-smart-contracts diff --git a/docs/HowTo/Deploy/Lite-Block-Explorer.md b/docs/HowTo/Deploy/Lite-Block-Explorer.md index 276c4445a37..5c49eb9f206 100644 --- a/docs/HowTo/Deploy/Lite-Block-Explorer.md +++ b/docs/HowTo/Deploy/Lite-Block-Explorer.md @@ -32,7 +32,7 @@ To run the Ethereum Lite Explorer using the Docker image: To run Besu in development mode: ```bash - besu --network=dev --miner-enabled --miner-coinbase=0xfe3b557e8fb62b89f4916b721be55ceb828dbd73 --rpc-http-cors-origins="all" --host-whitelist="*" --rpc-http-enabled --data-path=/tmp/tmpDatdir + besu --network=dev --miner-enabled --miner-coinbase=0xfe3b557e8fb62b89f4916b721be55ceb828dbd73 --rpc-http-cors-origins="all" --host-allowlist="*" --rpc-http-enabled --data-path=/tmp/tmpDatdir ``` 1. Run the `alethio/ethereum-lite-explorer` Docker image specifying the JSON-RPC HTTP URL @@ -92,7 +92,7 @@ To run the Ethereum Lite Explorer using the Docker image: To run Besu in development mode: ```bash - besu --network=dev --miner-enabled --miner-coinbase=0xfe3b557e8fb62b89f4916b721be55ceb828dbd73 --rpc-http-cors-origins="all" --host-whitelist="*" --rpc-http-enabled --data-path=/tmp/tmpDatdir + besu --network=dev --miner-enabled --miner-coinbase=0xfe3b557e8fb62b89f4916b721be55ceb828dbd73 --rpc-http-cors-origins="all" --host-allowlist="*" --rpc-http-enabled --data-path=/tmp/tmpDatdir ``` 1. In the `ethereum-lite-explorer` directory, run the Lite Explorer in development mode: diff --git a/docs/HowTo/Get-Started/Starting-node.md b/docs/HowTo/Get-Started/Starting-node.md index a544e3b1558..3178090e5a2 100644 --- a/docs/HowTo/Get-Started/Starting-node.md +++ b/docs/HowTo/Get-Started/Starting-node.md 
@@ -77,7 +77,7 @@ confirm the node is running. To run a node that mines blocks at a rate suitable for testing purposes: ```bash -besu --network=dev --miner-enabled --miner-coinbase=0xfe3b557e8fb62b89f4916b721be55ceb828dbd73 --rpc-http-cors-origins="all" --host-whitelist="*" --rpc-ws-enabled --rpc-http-enabled --data-path=/tmp/tmpDatdir +besu --network=dev --miner-enabled --miner-coinbase=0xfe3b557e8fb62b89f4916b721be55ceb828dbd73 --rpc-http-cors-origins="all" --host-allowlist="*" --rpc-ws-enabled --rpc-http-enabled --data-path=/tmp/tmpDatdir ``` You can also use the following [configuration file](../Configure/Using-Configuration-File.md) @@ -88,7 +88,7 @@ network="dev" miner-enabled=true miner-coinbase="0xfe3b557e8fb62b89f4916b721be55ceb828dbd73" rpc-http-cors-origins=["all"] -host-whitelist=["*"] +host-allowlist=["*"] rpc-ws-enabled=true rpc-http-enabled=true data-path="/tmp/tmpdata-path" @@ -102,7 +102,7 @@ data-path="/tmp/tmpdata-path" ([`--rpc-http-enabled`](../../Reference/CLI/CLI-Syntax.md#rpc-http-enabled)) and setting [`--rpc-http-host`](../../Reference/CLI/CLI-Syntax.md#rpc-http-host) to 0.0.0.0 exposes the RPC connection on your node to any remote connection. - * Setting [`--host-whitelist`](../../Reference/CLI/CLI-Syntax.md#host-whitelist) to `"*"` + * Setting [`--host-allowlist`](../../Reference/CLI/CLI-Syntax.md#host-allowlist) to `"*"` allows JSON-RPC API access from any host. * Setting [`--rpc-http-cors-origins`](../../Reference/CLI/CLI-Syntax.md#rpc-http-cors-origins) to diff --git a/docs/HowTo/Interact/APIs/API.md b/docs/HowTo/Interact/APIs/API.md index 4dae80a9517..662d55da51d 100644 --- a/docs/HowTo/Interact/APIs/API.md +++ b/docs/HowTo/Interact/APIs/API.md 
@@ -50,11 +50,11 @@ The default ports are: Ports must be [exposed appropriately](../../Find-and-Connect/Managing-Peers.md#port-configuration). -## Host whitelist +## Host allowlist To prevent DNS rebinding, Besu accepts incoming HTTP requests, WebSockets connections, and GraphQL requests only from hostnames specified using the -[`--host-whitelist`](../../../Reference/CLI/CLI-Syntax.md#host-whitelist) option. Besu accepts +[`--host-allowlist`](../../../Reference/CLI/CLI-Syntax.md#host-allowlist) option. Besu accepts incoming requests and connections from `localhost` and `127.0.0.1` by default. If your application publishes RPC ports, specify the hostnames when starting Besu. @@ -62,14 +62,14 @@ If your application publishes RPC ports, specify the hostnames when starting Bes !!! example ```bash - besu --host-whitelist=example.com + besu --host-allowlist=example.com ``` -Specify "*" for `--host-whitelist` to effectively disable host protection. +Specify "*" for `--host-allowlist` to effectively disable host protection. !!! caution - Specifying "*" for `--host-whitelist` is not recommended for production code. + Specifying "*" for `--host-allowlist` is not recommended for production code. ## Not supported by Besu diff --git a/docs/HowTo/Limit-Access/Local-Permissioning.md b/docs/HowTo/Limit-Access/Local-Permissioning.md index 0346816ba61..4ab2b193974 100644 --- a/docs/HowTo/Limit-Access/Local-Permissioning.md +++ b/docs/HowTo/Limit-Access/Local-Permissioning.md @@ -6,7 +6,7 @@ description: Hyperledger Besu local permissioning Local permissioning supports limiting access to specific nodes and accounts. -## Configure node access +## Node permissioning You can allow access to specified nodes in the [permissions configuration file](#permissions-configuration-file). When limiting node access, 
@@ -22,41 +22,41 @@ Specify node access at the node level. That is, each node in the network has a To update the list of allowed nodes while the node is running, use the JSON-RPC API methods: -* [perm_addNodesToWhitelist](../../Reference/API-Methods.md#perm_addnodestowhitelist) -* [perm_removeNodesFromWhitelist](../../Reference/API-Methods.md#perm_removenodesfromwhitelist). +* [perm_addNodesToAllowlist](../../Reference/API-Methods.md#perm_addnodestoallowlist) +* [perm_removeNodesFromAllowlist](../../Reference/API-Methods.md#perm_removenodesfromallowlist). You can also update the [`permissions_config.toml`](#permissions-configuration-file) file directly -and then update the whitelists using the +and then update the permissions list using the [`perm_reloadPermissionsFromFile`](../../Reference/API-Methods.md#perm_reloadpermissionsfromfile) method. Updates to the permissions configuration file persist across node restarts. -To view the nodes whitelist, use the -[perm_getNodesWhitelist](../../Reference/API-Methods.md#perm_getnodeswhitelist) method. +To view the allowed nodes, use the +[perm_getNodesAllowlist](../../Reference/API-Methods.md#perm_getnodesallowlist) method. !!! note Each node has a [permissions configuration file](#permissions-configuration-file), which means - nodes can have different nodes whitelists. This means nodes might be participating in the - network that are not on the whitelist of other nodes in the network. We recommend each node in - the network has the same nodes whitelist. + nodes can have different permission lists. This means nodes might be participating in the + network that are not on the permissions list of other nodes in the network. We recommend each node in + the network has the same permissions list. On-chain permissioning is under development. On-chain permissioning will use one on-chain - nodes whitelist. + nodes permission list. -!!! example "An Example of Different Node Whitelists" +!!! 
example "An example of different node permission lists" - Node 1 Whitelist = [Node 2, Node 3] + Node 1 Allowlist = [Node 2, Node 3] - Node 2 Whitelist = [Node 3, Node 5] + Node 2 Allowlist = [Node 3, Node 5] Node 5 is participating in the same network as Node 1 even though Node 1 does not have Node 5 - on their whitelist. + on their permissions list. ### Bootnodes -The nodes whitelist must include the bootnodes or Hyperledger Besu does not start +The nodes permissions list must include the bootnodes or Hyperledger Besu does not start with node permissions enabled. !!! example @@ -67,12 +67,12 @@ with node permissions enabled. --bootnodes="enode://7e4ef30e9ec683f26ad76ffca5b5148fa7a6575f4cfad4eb0f52f9c3d8335f4a9b6f9e66fcc73ef95ed7a2a52784d4f372e7750ac8ae0b544309a5b391a23dd7@127.0.0.1:30303","enode://2feb33b3c6c4a8f77d84a5ce44954e83e5f163e7a65f7f7a7fec499ceb0ddd76a46ef635408c513d64c076470eac86b7f2c8ae4fcd112cb28ce82c0d64ec2c94@127.0.0.1:30304","enode://7b61d5ee4b44335873e6912cb5dd3e3877c860ba21417c9b9ef1f7e500a82213737d4b269046d0669fb2299a234ca03443f25fe5f706b693b3669e5c92478ade@127.0.0.1:30305" ``` - The `nodes-whitelist` in the [permissions configuration file](#permissions-configuration-file) + The `nodes-allowlist` in the [permissions configuration file](#permissions-configuration-file) must contain the specified bootnodes. -### Enabling node whitelisting +### Enabling node permissioning -To enable node whitelisting, specify the +To enable node permissioning, specify the [`--permissions-nodes-config-file-enabled`](../../Reference/CLI/CLI-Syntax.md#permissions-nodes-config-file-enabled) option when starting Besu. 
@@ -80,17 +80,17 @@ The `PERM` API methods are not enabled by default. To enable the `PERM` API meth [`--rpc-http-api`](../../Reference/CLI/CLI-Syntax.md#rpc-http-api) or [`--rpc-ws-api`](../../Reference/CLI/CLI-Syntax.md#rpc-ws-api) options. -## Account whitelisting +## Account permissioning -You can specify accounts in the accounts whitelist in the +You can specify accounts in the accounts permissions list in the [permissions configuration file](#permissions-configuration-file). A node with account -permissioning accepts transactions only from accounts in the accounts whitelist. +permissioning accepts transactions only from accounts in the accounts permission list. -!!! example "Accounts Whitelist in Permissions Configuration File" +!!! example "Accounts Permissions Configuration File" - `accounts-whitelist=["0x0000000000000000000000000000000000000009"]` + `accounts-allowlist=["0x0000000000000000000000000000000000000009"]` -Account whitelisting is at the node level. That is, each node in the network has a +Account permissioning is at the node level. That is, each node in the network has a [permisssions configuration file](#permissions-configuration-file) in the [data directory](../../Reference/CLI/CLI-Syntax.md#data-path) for the node. 
@@ -102,65 +102,65 @@ Account whitelisting is at the node level. That is, each node in the network has If using account permissioning and privacy, a signing key must be specified using the [`--privacy-marker-transaction-signing-key-file`](../../Reference/CLI/CLI-Syntax.md#privacy-marker-transaction-signing-key-file) - command line option and the signing key included in the accounts whitelist. + command line option and the signing key included in the accounts permission list. -Transaction validation against the accounts whitelist occurs at the following points: +Transaction validation against the accounts permission list occurs at the following points: * Submitted by JSON-RPC API method [`eth_sendRawTransaction`](../../Reference/API-Methods.md#eth_sendrawtransaction) * Received via propagation from another node * Added to a block by a mining node. -After adding transactions to a block, the transactions are not validated against the whitelist when -received by another node. That is, a node can synchronise and add blocks containing transactions -from accounts that are not on the accounts whitelist of that node. +After adding transactions to a block, the transactions are not validated against the permissions +list when received by another node. That is, a node can synchronise and add blocks containing +transactions from accounts that are not on the accounts permission list of that node. The following diagram illustrates applying local and onchain permissioning rules. ![Permissioning Flow](../../images/PermissioningFlow.png) -!!! example "An Example of Different Account Whitelists" +!!! example "An Example of Different Account Permission lists" - Node 1 Whitelist = [Account A, Account B] + Node 1 Allowlist = [Account A, Account B] - Node 2 Whitelist = [Account B, Account C] + Node 2 Allowlist = [Account B, Account C] - Mining Node Whitelist = [Account A, Account B] + Mining Node Allowlist = [Account A, Account B] Account A submits a transaction on Node 1. 
Node 1 validates and propagates the transaction. The Mining Node receives the transaction, validates it is from an account in the Mining Node - accounts whitelist, and includes the transaction in the block. Node 2 receives and adds the - block created by the Mining Node. + accounts permission list, and includes the transaction in the block. Node 2 receives and adds + the block created by the Mining Node. Node 2 now has a transaction in the blockchain from Account A, which is not on the accounts - whitelist for Node 2. + permission list for Node 2. !!! note Each node has a [permissions configuration file](#permissions-configuration-file) which means - nodes in the network can have different accounts whitelists. This means a transaction can be - successfully submitted by Node A from an account in the Node A whitelist but rejected by Node B - to which it's propagated if the account is not in the Node B whitelist. We recommend each node - in the network has the same accounts whitelist. + nodes in the network can have different accounts permission lists. This means a transaction can + be successfully submitted by Node A from an account in the Node A permission list but rejected + by Node B to which it's propagated if the account is not in the Node B permission list. We + recommend each node in the network has the same accounts permission list. -To update the accounts whitelist when the node is running, use the JSON-RPC API methods: +To update the accounts permission list when the node is running, use the JSON-RPC API methods: -* [`perm_addAccountsToWhitelist`](../../Reference/API-Methods.md#perm_addaccountstowhitelist) -* [`perm_removeAccountsFromWhitelist`](../../Reference/API-Methods.md#perm_removeaccountsfromwhitelist). +* [`perm_addAccountsToAllowlist`](../../Reference/API-Methods.md#perm_addaccountstoallowlist) +* [`perm_removeAccountsFromAllowlist`](../../Reference/API-Methods.md#perm_removeaccountsfromallowlist). 
You can also update the [`permissions_config.toml`](#permissions-configuration-file) file directly and use the [`perm_reloadPermissionsFromFile`](../../Reference/API-Methods.md#perm_reloadpermissionsfromfile) -method to update the whitelists. +method to update the permission lists. Updates to the permissions configuration file persist across node restarts. -To view the accounts whitelist, use the -[`perm_getAccountsWhitelist`](../../Reference/API-Methods.md#perm_getaccountswhitelist) method. +To view the accounts permission list, use the +[`perm_getAccountsAllowlist`](../../Reference/API-Methods.md#perm_getaccountsallowlist) method. -### Enabling account whitelisting +### Enabling account permissioning -To enable account whitelisting, specify the +To enable account permissioning, specify the [`--permissions-accounts-config-file-enabled`](../../Reference/CLI/CLI-Syntax.md#permissions-accounts-config-file-enabled) option when starting Besu. 
@@ -170,21 +170,21 @@ The `PERM` API methods are not enabled by default. To enable the `PERM` API meth ## Permissions configuration file -The permissions configuration file contains the nodes and accounts whitelists. If the +The permissions configuration file contains the nodes and accounts permission lists. If the [`--permissions-accounts-config-file`](../../Reference/CLI/CLI-Syntax.md#permissions-accounts-config-file) -and [`permissions-nodes-config-file`](../../Reference/CLI/CLI-Syntax.md#permissions-nodes-config-file) +and [`--permissions-nodes-config-file`](../../Reference/CLI/CLI-Syntax.md#permissions-nodes-config-file) options are not specified, the name of the permissions configuration file must be [`permissions_config.toml`](#permissions-configuration-file) and must be in the [data directory](../../Reference/CLI/CLI-Syntax.md#data-path) for the node. -You can specify the accounts and nodes whitelists in the same file or in separate files for +You can specify the accounts and nodes permissions in the same file or in separate files for accounts and nodes. To specify a permissions configuration file (or separate files for accounts and nodes) in any location, use the [`--permissions-accounts-config-file`](../../Reference/CLI/CLI-Syntax.md#permissions-accounts-config-file) and -[`permissions-nodes-config-file`](../../Reference/CLI/CLI-Syntax.md#permissions-nodes-config-file) +[`--permissions-nodes-config-file`](../../Reference/CLI/CLI-Syntax.md#permissions-nodes-config-file) options. !!!note 
@@ -198,9 +198,9 @@ options. !!! example "Sample Permissions Configuration File" ```toml - accounts-whitelist=["0xb9b81ee349c3807e46bc71aa2632203c5b462032", "0xb9b81ee349c3807e46bc71aa2632203c5b462034"] + accounts-allowlist=["0xb9b81ee349c3807e46bc71aa2632203c5b462032", "0xb9b81ee349c3807e46bc71aa2632203c5b462034"] - nodes-whitelist=["enode://7e4ef30e9ec683f26ad76ffca5b5148fa7a6575f4cfad4eb0f52f9c3d8335f4a9b6f9e66fcc73ef95ed7a2a52784d4f372e7750ac8ae0b544309a5b391a23dd7@127.0.0.1:30303","enode://2feb33b3c6c4a8f77d84a5ce44954e83e5f163e7a65f7f7a7fec499ceb0ddd76a46ef635408c513d64c076470eac86b7f2c8ae4fcd112cb28ce82c0d64ec2c94@127.0.0.1:30304","enode://7b61d5ee4b44335873e6912cb5dd3e3877c860ba21417c9b9ef1f7e500a82213737d4b269046d0669fb2299a234ca03443f25fe5f706b693b3669e5c92478ade@127.0.0.1:30305"] + nodes-allowlist=["enode://7e4ef30e9ec683f26ad76ffca5b5148fa7a6575f4cfad4eb0f52f9c3d8335f4a9b6f9e66fcc73ef95ed7a2a52784d4f372e7750ac8ae0b544309a5b391a23dd7@127.0.0.1:30303","enode://2feb33b3c6c4a8f77d84a5ce44954e83e5f163e7a65f7f7a7fec499ceb0ddd76a46ef635408c513d64c076470eac86b7f2c8ae4fcd112cb28ce82c0d64ec2c94@127.0.0.1:30304","enode://7b61d5ee4b44335873e6912cb5dd3e3877c860ba21417c9b9ef1f7e500a82213737d4b269046d0669fb2299a234ca03443f25fe5f706b693b3669e5c92478ade@127.0.0.1:30305"] ``` diff --git a/docs/HowTo/Limit-Access/Updating-Whitelists.md b/docs/HowTo/Limit-Access/Updating-Permission-Lists.md similarity index 68% rename from docs/HowTo/Limit-Access/Updating-Whitelists.md rename to docs/HowTo/Limit-Access/Updating-Permission-Lists.md index fdda9741cc4..bce20d920ab 100644 --- a/docs/HowTo/Limit-Access/Updating-Whitelists.md +++ b/docs/HowTo/Limit-Access/Updating-Permission-Lists.md 
@@ -1,19 +1,19 @@ --- -description: Updating Hyperledger Besu onchain whitelists +description: Updating Hyperledger Besu onchain permission lists --- -# Updating nodes and accounts whitelists +# Updating node and account permission lists -## Update nodes whitelist +## Update node permission lists -To add a node to the Hyperledger Besu nodes whitelist: +To add a node to the Hyperledger Besu nodes permission list: 1. On the _Whitelisted Nodes_ tab of the Permissioning Management Dapp, click the _Add Whitelisted Nodes_ button. The Add Node window displays. 1. Enter the [enode URL](../../Concepts/Node-Keys.md#enode-url) of the node you are adding and click the _Add Whitelisted Node_ button. -To remove a node from the nodes whitelist: +To remove a node from the nodes permission list: 1. On the _Whitelisted Nodes_ tab of the Permissioning Management Dapp, hover over the row of the node you are removing. A trash can displays. 
@@ -22,23 +22,23 @@ To remove a node from the nodes whitelist: !!! tip If you add a running node, the node does not attempt to reconnect to the bootnode and - synchronize until peer discovery restarts. To add a whitelisted node as a peer without waiting + synchronize until peer discovery restarts. To add an allowed node as a peer without waiting for peer discovery to restart, use [`admin_addPeer`](../../Reference/API-Methods.md#admin_addpeer). - If you add the node to the whitelist before starting the node, using `admin_addPeer` is not + If you add the node to the permission list before starting the node, using `admin_addPeer` is not required because peer discovery is run on node startup. -## Update accounts whitelists +## Update account permission lists -To add an account to the accounts whitelist: +To add an account to the accounts permission list: 1. On the _Whitelisted Accounts_ tab of the Permissioning Management Dapp, click the _Add Whitelisted Account_ button. The add Account Window displays. 1. Enter the account address in the _Account Address_ field and click the _Add Whitelisted Account_ button. -To remove an account from the accounts whitelist: +To remove an account from the accounts permission list: 1. On the _Whitelisted Accounts_ tab of the Permissioning Management Dapp, hover over the row of the account you are removing. A trash can displays. diff --git a/docs/HowTo/Troubleshoot/Troubleshooting.md b/docs/HowTo/Troubleshoot/Troubleshooting.md index 03297e40e8d..a23a4e5fbaf 100644 --- a/docs/HowTo/Troubleshoot/Troubleshooting.md +++ b/docs/HowTo/Troubleshoot/Troubleshooting.md 
@@ -16,7 +16,7 @@ directory. ## Host not authorized If a `Host not authorized` error occurs when attempting to access the JSON-RPC API, ensure -[`--host-whitelist`](../../Reference/CLI/CLI-Syntax.md#host-whitelist) includes the host you are +[`--host-allowlist`](../../Reference/CLI/CLI-Syntax.md#host-allowlist) includes the host you are sending the RPC from, or `*`. ## Peers fail to connect diff --git a/docs/HowTo/Use-Privacy/Sign-Privacy-Marker-Transactions.md b/docs/HowTo/Use-Privacy/Sign-Privacy-Marker-Transactions.md index c3f177346e6..fc1dc6f02eb 100644 --- a/docs/HowTo/Use-Privacy/Sign-Privacy-Marker-Transactions.md +++ b/docs/HowTo/Use-Privacy/Sign-Privacy-Marker-Transactions.md @@ -23,7 +23,7 @@ command line option when starting Besu. If using account permissioning and privacy, a signing key must be specified using the [`--privacy-marker-transaction-signing-key-file`](../../Reference/CLI/CLI-Syntax.md#privacy-marker-transaction-signing-key-file) - command line option and the signing key included in the accounts whitelist. + command line option and the signing key included in the accounts permission list. !!! note diff --git a/docs/Reference/API-Methods.md b/docs/Reference/API-Methods.md index 81c454753db..11623e87e66 100644 --- a/docs/Reference/API-Methods.md +++ b/docs/Reference/API-Methods.md @@ -4102,10 +4102,10 @@ permissioning only. methods, use the [`--rpc-http-api`](CLI/CLI-Syntax.md#rpc-http-api) or [`--rpc-ws-api`](CLI/CLI-Syntax.md#rpc-ws-api) CLI options. -### perm_addAccountsToWhitelist +### perm_addAccountsToAllowlist Adds accounts (participants) to the -[accounts whitelist](../HowTo/Limit-Access/Local-Permissioning.md#account-whitelisting). +[accounts permission list](../HowTo/Limit-Access/Local-Permissioning.md#account-permissioning). #### Parameters 
@@ -4118,17 +4118,17 @@ Adds accounts (participants) to the #### Returns -`result` - `Success` or `error`. Errors include attempting to add accounts already on the whitelist -or including invalid account addresses. +`result` - `Success` or `error`. Errors include attempting to add accounts already on the +permissions list or including invalid account addresses. !!! example ```bash tab="curl HTTP request" - curl -X POST --data '{"jsonrpc":"2.0","method":"perm_addAccountsToWhitelist","params":[["0xb9b81ee349c3807e46bc71aa2632203c5b462032", "0xb9b81ee349c3807e46bc71aa2632203c5b462034"]], "id":1}' http://127.0.0.1:8545 + curl -X POST --data '{"jsonrpc":"2.0","method":"perm_addAccountsToAllowlist","params":[["0xb9b81ee349c3807e46bc71aa2632203c5b462032", "0xb9b81ee349c3807e46bc71aa2632203c5b462034"]], "id":1}' http://127.0.0.1:8545 ``` ```bash tab="wscat WS request" - {"jsonrpc":"2.0","method":"perm_addAccountsToWhitelist","params":[["0xb9b81ee349c3807e46bc71aa2632203c5b462032", "0xb9b81ee349c3807e46bc71aa2632203c5b462034"]], "id":1} + {"jsonrpc":"2.0","method":"perm_addAccountsToAllowlist","params":[["0xb9b81ee349c3807e46bc71aa2632203c5b462032", "0xb9b81ee349c3807e46bc71aa2632203c5b462034"]], "id":1} ``` ```json tab="JSON result" @@ -4139,10 +4139,10 @@ or including invalid account addresses. } ``` -### perm_getAccountsWhitelist +### perm_getAccountsAllowlist Lists accounts (participants) in the -[accounts whitelist](../HowTo/Limit-Access/Local-Permissioning.md#account-whitelisting). +[accounts permissions list](../HowTo/Limit-Access/Local-Permissioning.md#account-permissioning). #### Parameters 
@@ -4150,16 +4150,16 @@ None #### Returns -`result: list` - Accounts (participants) in the accounts whitelist. +`result: list` - Accounts (participants) in the accounts permissions list. !!! example ```bash tab="curl HTTP request" - curl -X POST --data '{"jsonrpc":"2.0","method":"perm_getAccountsWhitelist","params":[], "id":1}' http://127.0.0.1:8545 + curl -X POST --data '{"jsonrpc":"2.0","method":"perm_getAccountsAllowlist","params":[], "id":1}' http://127.0.0.1:8545 ``` ```bash tab="wscat WS request" - {"jsonrpc":"2.0","method":"perm_getAccountsWhitelist","params":[], "id":1} + {"jsonrpc":"2.0","method":"perm_getAccountsAllowlist","params":[], "id":1} ``` ```json tab="JSON result" @@ -4173,10 +4173,10 @@ None } ``` -### perm_removeAccountsFromWhitelist +### perm_removeAccountsFromAllowlist Removes accounts (participants) from the -[accounts whitelist](../HowTo/Limit-Access/Local-Permissioning.md#account-whitelisting). +[accounts permissions list](../HowTo/Limit-Access/Local-Permissioning.md#account-permissioning). #### Parameters 
@@ -4189,17 +4189,17 @@ Removes accounts (participants) from the #### Returns -`result` - `Success` or `error`. Errors include attempting to remove accounts not on the whitelist -or including invalid account addresses. +`result` - `Success` or `error`. Errors include attempting to remove accounts not on the permissions +list or including invalid account addresses. !!! example ```bash tab="curl HTTP request" - curl -X POST --data '{"jsonrpc":"2.0","method":"perm_removeAccountsFromWhitelist","params":[["0xb9b81ee349c3807e46bc71aa2632203c5b462032", "0xb9b81ee349c3807e46bc71aa2632203c5b462034"]], "id":1}' http://127.0.0.1:8545 + curl -X POST --data '{"jsonrpc":"2.0","method":"perm_removeAccountsFromAllowlist","params":[["0xb9b81ee349c3807e46bc71aa2632203c5b462032", "0xb9b81ee349c3807e46bc71aa2632203c5b462034"]], "id":1}' http://127.0.0.1:8545 ``` ```bash tab="wscat WS request" - {"jsonrpc":"2.0","method":"perm_removeAccountsFromWhitelist","params":[["0xb9b81ee349c3807e46bc71aa2632203c5b462032", "0xb9b81ee349c3807e46bc71aa2632203c5b462034"]], "id":1} + {"jsonrpc":"2.0","method":"perm_removeAccountsFromAllowlist","params":[["0xb9b81ee349c3807e46bc71aa2632203c5b462032", "0xb9b81ee349c3807e46bc71aa2632203c5b462034"]], "id":1} ``` ```json tab="JSON result" @@ -4210,10 +4210,10 @@ or including invalid account addresses. } ``` -### perm_addNodesToWhitelist +### perm_addNodesToAllowlist Adds nodes to the -[nodes whitelist](../HowTo/Limit-Access/Local-Permissioning.md#node-whitelisting). +[nodes permissions list](../HowTo/Limit-Access/Local-Permissioning.md#node-permissioning). #### Parameters 
@@ -4226,17 +4226,17 @@ Adds nodes to the #### Returns -`result` - `Success` or `error`. Errors include attempting to add nodes already on the whitelist or -including invalid enode URLs. +`result` - `Success` or `error`. Errors include attempting to add nodes already on the permissions +list or including invalid enode URLs. !!! example ```bash tab="curl HTTP request" - curl -X POST --data '{"jsonrpc":"2.0","method":"perm_addNodesToWhitelist","params":[["enode://7e4ef30e9ec683f26ad76ffca5b5148fa7a6575f4cfad4eb0f52f9c3d8335f4a9b6f9e66fcc73ef95ed7a2a52784d4f372e7750ac8ae0b544309a5b391a23dd7@127.0.0.1:30303","enode://2feb33b3c6c4a8f77d84a5ce44954e83e5f163e7a65f7f7a7fec499ceb0ddd76a46ef635408c513d64c076470eac86b7f2c8ae4fcd112cb28ce82c0d64ec2c94@127.0.0.1:30304"]], "id":1}' http://127.0.0.1:8545 + curl -X POST --data '{"jsonrpc":"2.0","method":"perm_addNodesToAllowlist","params":[["enode://7e4ef30e9ec683f26ad76ffca5b5148fa7a6575f4cfad4eb0f52f9c3d8335f4a9b6f9e66fcc73ef95ed7a2a52784d4f372e7750ac8ae0b544309a5b391a23dd7@127.0.0.1:30303","enode://2feb33b3c6c4a8f77d84a5ce44954e83e5f163e7a65f7f7a7fec499ceb0ddd76a46ef635408c513d64c076470eac86b7f2c8ae4fcd112cb28ce82c0d64ec2c94@127.0.0.1:30304"]], "id":1}' http://127.0.0.1:8545 ``` ```bash tab="wscat WS request" - {"jsonrpc":"2.0","method":"perm_addNodesToWhitelist","params":[["enode://7e4ef30e9ec683f26ad76ffca5b5148fa7a6575f4cfad4eb0f52f9c3d8335f4a9b6f9e66fcc73ef95ed7a2a52784d4f372e7750ac8ae0b544309a5b391a23dd7@127.0.0.1:30303","enode://2feb33b3c6c4a8f77d84a5ce44954e83e5f163e7a65f7f7a7fec499ceb0ddd76a46ef635408c513d64c076470eac86b7f2c8ae4fcd112cb28ce82c0d64ec2c94@127.0.0.1:30304"]], "id":1} + 
{"jsonrpc":"2.0","method":"perm_addNodesToAllowlist","params":[["enode://7e4ef30e9ec683f26ad76ffca5b5148fa7a6575f4cfad4eb0f52f9c3d8335f4a9b6f9e66fcc73ef95ed7a2a52784d4f372e7750ac8ae0b544309a5b391a23dd7@127.0.0.1:30303","enode://2feb33b3c6c4a8f77d84a5ce44954e83e5f163e7a65f7f7a7fec499ceb0ddd76a46ef635408c513d64c076470eac86b7f2c8ae4fcd112cb28ce82c0d64ec2c94@127.0.0.1:30304"]], "id":1} ``` ```json tab="JSON result" @@ -4247,10 +4247,10 @@ including invalid enode URLs. } ``` -### perm_getNodesWhitelist +### perm_getNodesAllowlist Lists nodes in the -[nodes whitelist](../HowTo/Limit-Access/Local-Permissioning.md#node-whitelisting). +[nodes permissions list](../HowTo/Limit-Access/Local-Permissioning.md#node-permissioning). #### Parameters @@ -4258,16 +4258,17 @@ None #### Returns -`result: list` - [Enode URLs](../Concepts/Node-Keys.md#enode-url) of nodes in the nodes whitelist. +`result: list` - [Enode URLs](../Concepts/Node-Keys.md#enode-url) of nodes in the nodes permissions +list. !!! example ```bash tab="curl HTTP request" - curl -X POST --data '{"jsonrpc":"2.0","method":"perm_getNodesWhitelist","params":[], "id":1}' http://127.0.0.1:8545 + curl -X POST --data '{"jsonrpc":"2.0","method":"perm_getNodesAllowlist","params":[], "id":1}' http://127.0.0.1:8545 ``` ```bash tab="wscat WS request" - {"jsonrpc":"2.0","method":"perm_getNodesWhitelist","params":[], "id":1} + {"jsonrpc":"2.0","method":"perm_getNodesAllowlist","params":[], "id":1} ``` ```json tab="JSON result" @@ -4281,10 +4282,10 @@ None } ``` -### perm_removeNodesFromWhitelist +### perm_removeNodesFromAllowlist Removes nodes from the -[nodes whitelist](../HowTo/Limit-Access/Local-Permissioning.md#node-whitelisting). +[nodes permissions list](../HowTo/Limit-Access/Local-Permissioning.md#node-permissioning). #### Parameters 
@@ -4297,17 +4298,17 @@ Removes nodes from the #### Returns -`result` - `Success` or `error`. Errors include attempting to remove nodes not on the whitelist or -including invalid enode URLs. +`result` - `Success` or `error`. Errors include attempting to remove nodes not on the permissions +list or including invalid enode URLs. !!! example ```bash tab="curl HTTP request" - curl -X POST --data '{"jsonrpc":"2.0","method":"perm_removeNodesFromWhitelist","params":[["enode://7e4ef30e9ec683f26ad76ffca5b5148fa7a6575f4cfad4eb0f52f9c3d8335f4a9b6f9e66fcc73ef95ed7a2a52784d4f372e7750ac8ae0b544309a5b391a23dd7@127.0.0.1:30303","enode://2feb33b3c6c4a8f77d84a5ce44954e83e5f163e7a65f7f7a7fec499ceb0ddd76a46ef635408c513d64c076470eac86b7f2c8ae4fcd112cb28ce82c0d64ec2c94@127.0.0.1:30304"]], "id":1}' http://127.0.0.1:8545 + curl -X POST --data '{"jsonrpc":"2.0","method":"perm_removeNodesFromAllowlist","params":[["enode://7e4ef30e9ec683f26ad76ffca5b5148fa7a6575f4cfad4eb0f52f9c3d8335f4a9b6f9e66fcc73ef95ed7a2a52784d4f372e7750ac8ae0b544309a5b391a23dd7@127.0.0.1:30303","enode://2feb33b3c6c4a8f77d84a5ce44954e83e5f163e7a65f7f7a7fec499ceb0ddd76a46ef635408c513d64c076470eac86b7f2c8ae4fcd112cb28ce82c0d64ec2c94@127.0.0.1:30304"]], "id":1}' http://127.0.0.1:8545 ``` ```bash tab="wscat WS request" - {"jsonrpc":"2.0","method":"perm_removeNodesFromWhitelist","params":[["enode://7e4ef30e9ec683f26ad76ffca5b5148fa7a6575f4cfad4eb0f52f9c3d8335f4a9b6f9e66fcc73ef95ed7a2a52784d4f372e7750ac8ae0b544309a5b391a23dd7@127.0.0.1:30303","enode://2feb33b3c6c4a8f77d84a5ce44954e83e5f163e7a65f7f7a7fec499ceb0ddd76a46ef635408c513d64c076470eac86b7f2c8ae4fcd112cb28ce82c0d64ec2c94@127.0.0.1:30304"]], "id":1} + 
{"jsonrpc":"2.0","method":"perm_removeNodesFromAllowlist","params":[["enode://7e4ef30e9ec683f26ad76ffca5b5148fa7a6575f4cfad4eb0f52f9c3d8335f4a9b6f9e66fcc73ef95ed7a2a52784d4f372e7750ac8ae0b544309a5b391a23dd7@127.0.0.1:30303","enode://2feb33b3c6c4a8f77d84a5ce44954e83e5f163e7a65f7f7a7fec499ceb0ddd76a46ef635408c513d64c076470eac86b7f2c8ae4fcd112cb28ce82c0d64ec2c94@127.0.0.1:30304"]], "id":1} ``` ```json tab="JSON result" @@ -4320,7 +4321,7 @@ including invalid enode URLs. ### perm_reloadPermissionsFromFile -Reloads the accounts and nodes whitelists from the [permissions configuration file]. +Reloads the accounts and nodes permission lists from the [permissions configuration file]. #### Parameters diff --git a/docs/Tutorials/Permissioning/Create-Permissioned-Network.md b/docs/Tutorials/Permissioning/Create-Permissioned-Network.md index 11f5ff1c99a..441a8310256 100644 --- a/docs/Tutorials/Permissioning/Create-Permissioned-Network.md +++ b/docs/Tutorials/Permissioning/Create-Permissioned-Network.md @@ -131,7 +131,7 @@ In `extraData`, replace `` with the ### 4. Create the permissions configuration file -The permissions configuration file defines the nodes and accounts whitelists. +The permissions configuration file defines the nodes and accounts permission lists. Copy the following permissions configuration to a file called `permissions_config.toml` and save a copy in the `Node-1/data`, `Node-2/data`, and `Node-3/data` directories: @@ -139,9 +139,9 @@ copy in the `Node-1/data`, `Node-2/data`, and `Node-3/data` directories: !!! example "permissions_config.toml" ```toml - accounts-whitelist=["0xfe3b557e8fb62b89f4916b721be55ceb828dbd73", "0x627306090abaB3A6e1400e9345bC60c78a8BEf57"] + accounts-allowlist=["0xfe3b557e8fb62b89f4916b721be55ceb828dbd73", "0x627306090abaB3A6e1400e9345bC60c78a8BEf57"] - nodes-whitelist=[] + nodes-allowlist=[] ``` The permissions configuration file includes the first two accounts from the genesis file. 
@@ -154,18 +154,18 @@ Use the JSON-RPC API to add permissioned nodes after starting the nodes. data directory for each node. On-chain permissioning is under development. On-chain permissioning will use one on-chain nodes - whitelist and accounts whitelist. + and accounts permission lists. ### 5. Start Node-1 Use the following command: ```bash tab="MacOS" -besu --data-path=data --genesis-file=../cliqueGenesis.json --permissions-nodes-config-file-enabled --permissions-accounts-config-file-enabled --rpc-http-enabled --rpc-http-api=ADMIN,ETH,NET,PERM,CLIQUE --host-whitelist="*" --rpc-http-cors-origins="*" +besu --data-path=data --genesis-file=../cliqueGenesis.json --permissions-nodes-config-file-enabled --permissions-accounts-config-file-enabled --rpc-http-enabled --rpc-http-api=ADMIN,ETH,NET,PERM,CLIQUE --host-allowlist="*" --rpc-http-cors-origins="*" ``` ```bash tab="Windows" -besu --data-path=data --genesis-file=..\cliqueGenesis.json --permissions-nodes-config-file-enabled --permissions-accounts-config-file-enabled --rpc-http-enabled --rpc-http-api=ADMIN,ETH,NET,PERM,CLIQUE --host-whitelist="*" --rpc-http-cors-origins="*" +besu --data-path=data --genesis-file=..\cliqueGenesis.json --permissions-nodes-config-file-enabled --permissions-accounts-config-file-enabled --rpc-http-enabled --rpc-http-api=ADMIN,ETH,NET,PERM,CLIQUE --host-allowlist="*" --rpc-http-cors-origins="*" ``` The command line allows you to enable: @@ -177,7 +177,7 @@ The command line allows you to enable: * The ADMIN, ETH, NET, PERM, and CLIQUE APIs using the [`--rpc-http-api`](../../Reference/CLI/CLI-Syntax.md#rpc-http-api) option * All-host access to the HTTP JSON-RPC API using the - [`--host-whitelist`](../../Reference/CLI/CLI-Syntax.md#host-whitelist) option + [`--host-allowlist`](../../Reference/CLI/CLI-Syntax.md#host-allowlist) option * All-domain access to the node through the HTTP JSON-RPC API using the [`--rpc-http-cors-origins`](../../Reference/CLI/CLI-Syntax.md#rpc-http-cors-origins) option. 
@@ -192,11 +192,11 @@ following steps. Start another terminal, change to the `Node-2` directory, and start Node-2: ```bash tab="MacOS" -besu --data-path=data --genesis-file=../cliqueGenesis.json --permissions-nodes-config-file-enabled --permissions-accounts-config-file-enabled --rpc-http-enabled --rpc-http-api=ADMIN,ETH,NET,PERM,CLIQUE --host-whitelist="*" --rpc-http-cors-origins="*" --p2p-port=30304 --rpc-http-port=8546 +besu --data-path=data --genesis-file=../cliqueGenesis.json --permissions-nodes-config-file-enabled --permissions-accounts-config-file-enabled --rpc-http-enabled --rpc-http-api=ADMIN,ETH,NET,PERM,CLIQUE --host-allowlist="*" --rpc-http-cors-origins="*" --p2p-port=30304 --rpc-http-port=8546 ``` ```bash tab="Windows" -besu --data-path=data --genesis-file=..\cliqueGenesis.json --permissions-nodes-config-file-enabled --permissions-accounts-config-file-enabled --rpc-http-enabled --rpc-http-api=ADMIN,ETH,NET,PERM,CLIQUE --host-whitelist="*" --rpc-http-cors-origins="*" --p2p-port=30304 --rpc-http-port=8546 +besu --data-path=data --genesis-file=..\cliqueGenesis.json --permissions-nodes-config-file-enabled --permissions-accounts-config-file-enabled --rpc-http-enabled --rpc-http-api=ADMIN,ETH,NET,PERM,CLIQUE --host-allowlist="*" --rpc-http-cors-origins="*" --p2p-port=30304 --rpc-http-port=8546 ``` The command line specifies: 
@@ -217,11 +217,11 @@ the enode URL to update the permissions configuration file in the following step Start another terminal, change to the `Node-3` directory, and start Node-3: ```bash tab="MacOS" -besu --data-path=data --genesis-file=../cliqueGenesis.json --permissions-nodes-config-file-enabled --permissions-accounts-config-file-enabled --rpc-http-enabled --rpc-http-api=ADMIN,ETH,NET,PERM,CLIQUE --host-whitelist="*" --rpc-http-cors-origins="*" --p2p-port=30305 --rpc-http-port=8547 +besu --data-path=data --genesis-file=../cliqueGenesis.json --permissions-nodes-config-file-enabled --permissions-accounts-config-file-enabled --rpc-http-enabled --rpc-http-api=ADMIN,ETH,NET,PERM,CLIQUE --host-allowlist="*" --rpc-http-cors-origins="*" --p2p-port=30305 --rpc-http-port=8547 ``` ```bash tab="Windows" -besu --data-path=data --genesis-file=..\cliqueGenesis.json --permissions-nodes-config-file-enabled --permissions-accounts-config-file-enabled --rpc-http-enabled --rpc-http-api=ADMIN,ETH,NET,PERM,CLIQUE --host-whitelist="*" --rpc-http-cors-origins="*" --p2p-port=30305 --rpc-http-port=8547 +besu --data-path=data --genesis-file=..\cliqueGenesis.json --permissions-nodes-config-file-enabled --permissions-accounts-config-file-enabled --rpc-http-enabled --rpc-http-api=ADMIN,ETH,NET,PERM,CLIQUE --host-allowlist="*" --rpc-http-cors-origins="*" --p2p-port=30305 --rpc-http-port=8547 ``` The command line specifies: @@ -240,7 +240,7 @@ the enode URL to update the permissions configuration file in the following step ### 8. Add enode URLs for nodes to permissions configuration file Start another terminal and use the -[`perm_addNodesToWhitelist`](../../Reference/API-Methods.md#perm_addnodestowhitelist) JSON-RPC API +[`perm_addNodesToAllowlist`](../../Reference/API-Methods.md#perm_addnodestoallowlist) JSON-RPC API method to add the nodes to the permissions configuration file for each node. Replace ``, ``, and `` with the enode URL displayed when 
@@ -249,19 +249,19 @@ starting each node. Node-1: ```bash -curl -X POST --data '{"jsonrpc":"2.0","method":"perm_addNodesToWhitelist","params":[["","",""]], "id":1}' http://127.0.0.1:8545 +curl -X POST --data '{"jsonrpc":"2.0","method":"perm_addNodesToAllowlist","params":[["","",""]], "id":1}' http://127.0.0.1:8545 ``` Node-2: ```bash -curl -X POST --data '{"jsonrpc":"2.0","method":"perm_addNodesToWhitelist","params":[["","",""]], "id":1}' http://127.0.0.1:8546 +curl -X POST --data '{"jsonrpc":"2.0","method":"perm_addNodesToAllowlist","params":[["","",""]], "id":1}' http://127.0.0.1:8546 ``` Node 3: ```bash -curl -X POST --data '{"jsonrpc":"2.0","method":"perm_addNodesToWhitelist","params":[["","",""]], "id":1}' http://127.0.0.1:8547 +curl -X POST --data '{"jsonrpc":"2.0","method":"perm_addNodesToAllowlist","params":[["","",""]], "id":1}' http://127.0.0.1:8547 ``` !!! tip @@ -321,7 +321,7 @@ Node-3): } ``` -#### Send a transaction from an account in the whitelist +#### Send a transaction from an account in the permissions list Import the first account from the genesis file into MetaMask and send transactions, as described in [Private network example tutorial]: @@ -337,7 +337,7 @@ Import the first account from the genesis file into MetaMask and send transactio Besu does not support [private key management](../../HowTo/Send-Transactions/Account-Management.md). -### Try sending a transaction from an account not in the accounts whitelist +### Try sending a transaction from an account not in the accounts permission list Import the last account from the genesis file into MetaMask and try to send a transactions, as described in [Private Network Example Tutorial]: 
@@ -348,7 +348,7 @@ described in [Private Network Example Tutorial]: * Private key : `0xae6ae8e5ccbfb04590405997ee2d52d2b330726137b875053c36d94e974d162f` * Initial balance : `0x90000000000000000000000` (2785365088392105618523029504 in decimal) -### Start a node not on the nodes whitelist +### Start a node not on the nodes permission list In your `Permissioned-Network` directory, create a `Node-4` directory and `data` directory inside it. @@ -356,11 +356,11 @@ it. Change to the `Node-4` directory and start Node-4 specifying the Node-1 enode URL as the bootnode: ```bash tab="MacOS" -besu --data-path=data --bootnodes="" --genesis-file=../cliqueGenesis.json --rpc-http-enabled --rpc-http-api=ADMIN,ETH,NET,PERM,CLIQUE --host-whitelist="*" --rpc-http-cors-origins="*" --p2p-port=30306 --rpc-http-port=8548 +besu --data-path=data --bootnodes="" --genesis-file=../cliqueGenesis.json --rpc-http-enabled --rpc-http-api=ADMIN,ETH,NET,PERM,CLIQUE --host-allowlist="*" --rpc-http-cors-origins="*" --p2p-port=30306 --rpc-http-port=8548 ``` ```bash tab="Windows" -besu --data-path=data --bootnodes="" --genesis-file=..\cliqueGenesis.json --rpc-http-enabled --rpc-http-api=ADMIN,ETH,NET,PERM,CLIQUE --host-whitelist="*" --rpc-http-cors-origins="*" --p2p-port=30306 --rpc-http-port=8548 +besu --data-path=data --bootnodes="" --genesis-file=..\cliqueGenesis.json --rpc-http-enabled --rpc-http-api=ADMIN,ETH,NET,PERM,CLIQUE --host-allowlist="*" --rpc-http-cors-origins="*" --p2p-port=30306 --rpc-http-port=8548 ``` Start another terminal and use cURL to call the JSON-RPC API diff --git a/docs/Tutorials/Permissioning/Getting-Started-Onchain-Permissioning.md b/docs/Tutorials/Permissioning/Getting-Started-Onchain-Permissioning.md index 8391133e9da..d3132f06af0 100644 --- a/docs/Tutorials/Permissioning/Getting-Started-Onchain-Permissioning.md +++ b/docs/Tutorials/Permissioning/Getting-Started-Onchain-Permissioning.md 
@@ -21,7 +21,7 @@ To start a network with onchain permissioning: 1. [Build the project](#build-the-project) 1. [Deploy the permissioning contracts](#deploy-the-contracts) 1. [Start the webserver for the Permissioning Management Dapp] -1. [Add the first node to the nodes whitelist](#add-the-first-node-to-the-whitelist). +1. [Add the first node to the nodes permission list](#add-the-first-node-to-the-permission-list). ## Prerequisites @@ -142,7 +142,7 @@ The migration logs the addresses of the Admin and Rules contracts. !!! important The account that deploys the contracts is automatically an - [admin account](#update-accounts-or-admin-accounts-whitelists). + [admin account](#update-accounts-or-admin-accounts-permission-lists). ## Start the webserver for the Permissioning Management Dapp @@ -171,16 +171,16 @@ The migration logs the addresses of the Admin and Rules contracts. !!! note - Only [admin accounts](#update-accounts-or-admin-accounts-whitelists) can add or remove nodes - from the whitelist. + Only [admin accounts](#update-accounts-or-admin-accounts-permission-lists) can add or remove nodes + from the permission list. -## Add the first node to the whitelist +## Add the first node to the permission list -The first node must [add itself to the whitelist] before adding other nodes. +The first node must [add itself to the permission list] before adding other nodes. [Start first node with onchain permissioning and the JSON-RPC HTTP service enabled]: #onchain-permissioning-command-line-options [Clone the permissioning contracts repository and install dependencies]: #clone-the-contracts-and-install-dependencies [Start the webserver for the Permissioning Management Dapp]: #start-the-webserver-for-the-permissioning-management-dapp -[add itself to the whitelist]: ../../HowTo/Limit-Access/Updating-Whitelists.md#update-nodes-whitelist +[add itself to the permission list]: ../../HowTo/Limit-Access/Updating-Permission-Lists.md#update-node-permission-lists 
diff --git a/docs/Tutorials/Privacy/Configuring-Multi-Tenancy.md b/docs/Tutorials/Privacy/Configuring-Multi-Tenancy.md index 77e2ef78464..a7efb3e6393 100644 --- a/docs/Tutorials/Privacy/Configuring-Multi-Tenancy.md +++ b/docs/Tutorials/Privacy/Configuring-Multi-Tenancy.md @@ -82,7 +82,7 @@ the configuration file. In the `Node-1` directory, start Besu Node-1: ```bash tab="MacOS" -besu --data-path=data --genesis-file=../genesis.json --rpc-http-authentication-enabled --rpc-http-authentication-jwt-public-key-file=publicKey.pem --rpc-http-enabled --rpc-http-api=ETH,NET,IBFT,EEA,PRIV --host-whitelist="*" --rpc-http-cors-origins="all" --privacy-enabled --privacy-url=http://127.0.0.1:8888 --privacy-multi-tenancy-enabled --min-gas-price=0 +besu --data-path=data --genesis-file=../genesis.json --rpc-http-authentication-enabled --rpc-http-authentication-jwt-public-key-file=publicKey.pem --rpc-http-enabled --rpc-http-api=ETH,NET,IBFT,EEA,PRIV --host-allowlist="*" --rpc-http-cors-origins="all" --privacy-enabled --privacy-url=http://127.0.0.1:8888 --privacy-multi-tenancy-enabled --min-gas-price=0 ``` The command line specifies privacy options: diff --git a/docs/Tutorials/Privacy/Configuring-Privacy.md b/docs/Tutorials/Privacy/Configuring-Privacy.md index 9997e6760da..f7bbcfcf1b3 100644 --- a/docs/Tutorials/Privacy/Configuring-Privacy.md +++ b/docs/Tutorials/Privacy/Configuring-Privacy.md 
@@ -128,11 +128,11 @@ orion orion.conf In the `Node-1` directory, start Besu Node-1: ```bash tab="MacOS" -besu --data-path=data --genesis-file=../genesis.json --rpc-http-enabled --rpc-http-api=ETH,NET,IBFT,EEA,PRIV --host-whitelist="*" --rpc-http-cors-origins="all" --privacy-enabled --privacy-url=http://127.0.0.1:8888 --privacy-public-key-file=Orion/nodeKey.pub --min-gas-price=0 +besu --data-path=data --genesis-file=../genesis.json --rpc-http-enabled --rpc-http-api=ETH,NET,IBFT,EEA,PRIV --host-allowlist="*" --rpc-http-cors-origins="all" --privacy-enabled --privacy-url=http://127.0.0.1:8888 --privacy-public-key-file=Orion/nodeKey.pub --min-gas-price=0 ``` ```bash tab="Windows" -besu --data-path=data --genesis-file=..\genesis.json --rpc-http-enabled --rpc-http-api=ETH,NET,IBFT,EEA,PRIV --host-whitelist="*" --rpc-http-cors-origins="all" --privacy-enabled --privacy-url=http://127.0.0.1:8888 --privacy-public-key-file=Orion\nodeKey.pub --min-gas-price=0 +besu --data-path=data --genesis-file=..\genesis.json --rpc-http-enabled --rpc-http-api=ETH,NET,IBFT,EEA,PRIV --host-allowlist="*" --rpc-http-cors-origins="all" --privacy-enabled --privacy-url=http://127.0.0.1:8888 --privacy-public-key-file=Orion\nodeKey.pub --min-gas-price=0 ``` The command line specifies privacy options: 
@@ -167,11 +167,11 @@ In the `Node-2` directory, start Besu Node-2 specifying the Node-1 enode URL cop Node-1 as the bootnode: ```bash tab="MacOS" -besu --data-path=data --genesis-file=../genesis.json --bootnodes= --p2p-port=30304 --rpc-http-enabled --rpc-http-api=ETH,NET,IBFT,EEA,PRIV --host-whitelist="*" --rpc-http-cors-origins="all" --rpc-http-port=8546 --privacy-enabled --privacy-url=http://127.0.0.1:8889 --privacy-public-key-file=Orion/nodeKey.pub --min-gas-price=0 +besu --data-path=data --genesis-file=../genesis.json --bootnodes= --p2p-port=30304 --rpc-http-enabled --rpc-http-api=ETH,NET,IBFT,EEA,PRIV --host-allowlist="*" --rpc-http-cors-origins="all" --rpc-http-port=8546 --privacy-enabled --privacy-url=http://127.0.0.1:8889 --privacy-public-key-file=Orion/nodeKey.pub --min-gas-price=0 ``` ```bash tab="Windows" -besu --data-path=data --genesis-file=..\genesis.json --bootnodes= --p2p-port=30304 --rpc-http-enabled --rpc-http-api=ETH,NET,IBFT,EEA,PRIV --host-whitelist="*" --rpc-http-cors-origins="all" --rpc-http-port=8546 --privacy-enabled --privacy-url=http://127.0.0.1:8889 --privacy-public-key-file=Orion\nodeKey.pub --min-gas-price=0 +besu --data-path=data --genesis-file=..\genesis.json --bootnodes= --p2p-port=30304 --rpc-http-enabled --rpc-http-api=ETH,NET,IBFT,EEA,PRIV --host-allowlist="*" --rpc-http-cors-origins="all" --rpc-http-port=8546 --privacy-enabled --privacy-url=http://127.0.0.1:8889 --privacy-public-key-file=Orion\nodeKey.pub --min-gas-price=0 ``` The command line specifies the same options as for Node-1 with different ports and Orion node URL. 
@@ -189,11 +189,11 @@ In the `Node-3` directory, start Besu Node-3 specifying the Node-1 enode URL cop Node-1 as the bootnode: ```bash tab="MacOS" -besu --data-path=data --genesis-file=../genesis.json --bootnodes= --p2p-port=30305 --rpc-http-enabled --rpc-http-api=ETH,NET,IBFT,EEA,PRIV --host-whitelist="*" --rpc-http-cors-origins="all" --rpc-http-port=8547 --privacy-enabled --privacy-url=http://127.0.0.1:8890 --privacy-public-key-file=Orion/nodeKey.pub --min-gas-price=0 +besu --data-path=data --genesis-file=../genesis.json --bootnodes= --p2p-port=30305 --rpc-http-enabled --rpc-http-api=ETH,NET,IBFT,EEA,PRIV --host-allowlist="*" --rpc-http-cors-origins="all" --rpc-http-port=8547 --privacy-enabled --privacy-url=http://127.0.0.1:8890 --privacy-public-key-file=Orion/nodeKey.pub --min-gas-price=0 ``` ```bash tab="Windows" -besu --data-path=data --genesis-file=..\genesis.json --bootnodes= --p2p-port=30305 --rpc-http-enabled --rpc-http-api=ETH,NET,IBFT,EEA,PRIV --host-whitelist="*" --rpc-http-cors-origins="all" --rpc-http-port=8547 --privacy-enabled --privacy-url=http://127.0.0.1:8890 --privacy-public-key-file=Orion\nodeKey.pub --min-gas-price=0 +besu --data-path=data --genesis-file=..\genesis.json --bootnodes= --p2p-port=30305 --rpc-http-enabled --rpc-http-api=ETH,NET,IBFT,EEA,PRIV --host-allowlist="*" --rpc-http-cors-origins="all" --rpc-http-port=8547 --privacy-enabled --privacy-url=http://127.0.0.1:8890 --privacy-public-key-file=Orion\nodeKey.pub --min-gas-price=0 ``` The command line specifies the same options as for Node-1 with different ports and Orion node URL. diff --git a/docs/Tutorials/Private-Network/Create-IBFT-Network.md b/docs/Tutorials/Private-Network/Create-IBFT-Network.md index deecd5ab5bc..d99f20f748a 100644 --- a/docs/Tutorials/Private-Network/Create-IBFT-Network.md +++ b/docs/Tutorials/Private-Network/Create-IBFT-Network.md 
@@ -175,11 +175,11 @@ IBFT-Network/ In the `Node-1` directory, start Node-1: ```bash tab="MacOS" -besu --data-path=data --genesis-file=../genesis.json --rpc-http-enabled --rpc-http-api=ETH,NET,IBFT --host-whitelist="*" --rpc-http-cors-origins="all" +besu --data-path=data --genesis-file=../genesis.json --rpc-http-enabled --rpc-http-api=ETH,NET,IBFT --host-allowlist="*" --rpc-http-cors-origins="all" ``` ```bash tab="Windows" -besu --data-path=data --genesis-file=..\genesis.json --rpc-http-enabled --rpc-http-api=ETH,NET,IBFT --host-whitelist="*" --rpc-http-cors-origins="all" +besu --data-path=data --genesis-file=..\genesis.json --rpc-http-enabled --rpc-http-api=ETH,NET,IBFT --host-allowlist="*" --rpc-http-cors-origins="all" ``` The command line: @@ -191,7 +191,7 @@ The command line: * Enables the ETH, NET, and IBFT APIs using the [`--rpc-http-api`](../../Reference/CLI/CLI-Syntax.md#rpc-http-api) option * Enables all-host access to the HTTP JSON-RPC API using the - [`--host-whitelist`](../../Reference/CLI/CLI-Syntax.md#host-whitelist) option + [`--host-allowlist`](../../Reference/CLI/CLI-Syntax.md#host-allowlist) option * Enables all-domain access to the node through the HTTP JSON-RPC API using the [`--rpc-http-cors-origins`](../../Reference/CLI/CLI-Syntax.md#rpc-http-cors-origins) option 
@@ -206,11 +206,11 @@ Start another terminal, change to the `Node-2` directory and start Node-2 specif enode URL copied when starting Node-1 as the bootnode: ```bash tab="MacOS" -besu --data-path=data --genesis-file=../genesis.json --bootnodes= --p2p-port=30304 --rpc-http-enabled --rpc-http-api=ETH,NET,IBFT --host-whitelist="*" --rpc-http-cors-origins="all" --rpc-http-port=8546 +besu --data-path=data --genesis-file=../genesis.json --bootnodes= --p2p-port=30304 --rpc-http-enabled --rpc-http-api=ETH,NET,IBFT --host-allowlist="*" --rpc-http-cors-origins="all" --rpc-http-port=8546 ``` ```bash tab="Windows" -besu --data-path=data --genesis-file=..\genesis.json --bootnodes= --p2p-port=30304 --rpc-http-enabled --rpc-http-api=ETH,NET,IBFT --host-whitelist="*" --rpc-http-cors-origins="all" --rpc-http-port=8546 +besu --data-path=data --genesis-file=..\genesis.json --bootnodes= --p2p-port=30304 --rpc-http-enabled --rpc-http-api=ETH,NET,IBFT --host-allowlist="*" --rpc-http-cors-origins="all" --rpc-http-port=8546 ``` The command line specifies: 
@@ -231,11 +231,11 @@ Start another terminal, change to the `Node-3` directory and start Node-3 specif enode URL copied when starting Node-1 as the bootnode: ```bash tab="MacOS" -besu --data-path=data --genesis-file=../genesis.json --bootnodes= --p2p-port=30305 --rpc-http-enabled --rpc-http-api=ETH,NET,IBFT --host-whitelist="*" --rpc-http-cors-origins="all" --rpc-http-port=8547 +besu --data-path=data --genesis-file=../genesis.json --bootnodes= --p2p-port=30305 --rpc-http-enabled --rpc-http-api=ETH,NET,IBFT --host-allowlist="*" --rpc-http-cors-origins="all" --rpc-http-port=8547 ``` ```bash tab="Windows" -besu --data-path=data --genesis-file=..\genesis.json --bootnodes= --p2p-port=30305 --rpc-http-enabled --rpc-http-api=ETH,NET,IBFT --host-whitelist="*" --rpc-http-cors-origins="all" --rpc-http-port=8547 +besu --data-path=data --genesis-file=..\genesis.json --bootnodes= --p2p-port=30305 --rpc-http-enabled --rpc-http-api=ETH,NET,IBFT --host-allowlist="*" --rpc-http-cors-origins="all" --rpc-http-port=8547 ``` The command line specifies: 
@@ -255,11 +255,11 @@ Start another terminal, change to the `Node-4` directory and start Node-4 specif enode URL copied when starting Node-1 as the bootnode: ```bash tab="MacOS" -besu --data-path=data --genesis-file=../genesis.json --bootnodes= --p2p-port=30306 --rpc-http-enabled --rpc-http-api=ETH,NET,IBFT --host-whitelist="*" --rpc-http-cors-origins="all" --rpc-http-port=8548 +besu --data-path=data --genesis-file=../genesis.json --bootnodes= --p2p-port=30306 --rpc-http-enabled --rpc-http-api=ETH,NET,IBFT --host-allowlist="*" --rpc-http-cors-origins="all" --rpc-http-port=8548 ``` ```bash tab="Windows" -besu --data-path=data --genesis-file=..\genesis.json --bootnodes= --p2p-port=30306 --rpc-http-enabled --rpc-http-api=ETH,NET,IBFT --host-whitelist="*" --rpc-http-cors-origins="all" --rpc-http-port=8548 +besu --data-path=data --genesis-file=..\genesis.json --bootnodes= --p2p-port=30306 --rpc-http-enabled --rpc-http-api=ETH,NET,IBFT --host-allowlist="*" --rpc-http-cors-origins="all" --rpc-http-port=8548 ``` The command line specifies: diff --git a/docs/Tutorials/Private-Network/Create-Private-Clique-Network.md b/docs/Tutorials/Private-Network/Create-Private-Clique-Network.md index c0b352d7fd1..c896c4b608a 100644 --- a/docs/Tutorials/Private-Network/Create-Private-Clique-Network.md +++ b/docs/Tutorials/Private-Network/Create-Private-Clique-Network.md 
@@ -133,11 +133,11 @@ In `extraData`, replace `` with the Start Node-1: ```bash tab="MacOS" -besu --data-path=data --genesis-file=../cliqueGenesis.json --network-id 123 --rpc-http-enabled --rpc-http-api=ETH,NET,CLIQUE --host-whitelist="*" --rpc-http-cors-origins="all" +besu --data-path=data --genesis-file=../cliqueGenesis.json --network-id 123 --rpc-http-enabled --rpc-http-api=ETH,NET,CLIQUE --host-allowlist="*" --rpc-http-cors-origins="all" ``` ```bash tab="Windows" -besu --data-path=data --genesis-file=..\cliqueGenesis.json --network-id 123 --rpc-http-enabled --rpc-http-api=ETH,NET,CLIQUE --host-whitelist="*" --rpc-http-cors-origins="all" +besu --data-path=data --genesis-file=..\cliqueGenesis.json --network-id 123 --rpc-http-enabled --rpc-http-api=ETH,NET,CLIQUE --host-allowlist="*" --rpc-http-cors-origins="all" ``` The command line enables: @@ -147,7 +147,7 @@ The command line enables: * The ETH, NET, and CLIQUE APIs using the [`--rpc-http-api`](../../Reference/CLI/CLI-Syntax.md#rpc-http-api) option * All-host access to the HTTP JSON-RPC API using the - [`--host-whitelist`](../../Reference/CLI/CLI-Syntax.md#host-whitelist) option + [`--host-allowlist`](../../Reference/CLI/CLI-Syntax.md#host-allowlist) option * All-domain access to the node through the HTTP JSON-RPC API using the [`--rpc-http-cors-origins`](../../Reference/CLI/CLI-Syntax.md#rpc-http-cors-origins) option. 
@@ -162,11 +162,11 @@ Start another terminal, change to the `Node-2` directory and start Node-2 specif enode URL copied when starting Node-1 as the bootnode: ```bash tab="MacOS" -besu --data-path=data --genesis-file=../cliqueGenesis.json --bootnodes= --network-id 123 --p2p-port=30304 --rpc-http-enabled --rpc-http-api=ETH,NET,CLIQUE --host-whitelist="*" --rpc-http-cors-origins="all" --rpc-http-port=8546 +besu --data-path=data --genesis-file=../cliqueGenesis.json --bootnodes= --network-id 123 --p2p-port=30304 --rpc-http-enabled --rpc-http-api=ETH,NET,CLIQUE --host-allowlist="*" --rpc-http-cors-origins="all" --rpc-http-port=8546 ``` ```bash tab="Windows" -besu --data-path=data --genesis-file=..\cliqueGenesis.json --bootnodes= --network-id 123 --p2p-port=30304 --rpc-http-enabled --rpc-http-api=ETH,NET,CLIQUE --host-whitelist="*" --rpc-http-cors-origins="all" --rpc-http-port=8546 +besu --data-path=data --genesis-file=..\cliqueGenesis.json --bootnodes= --network-id 123 --p2p-port=30304 --rpc-http-enabled --rpc-http-api=ETH,NET,CLIQUE --host-allowlist="*" --rpc-http-cors-origins="all" --rpc-http-port=8546 ``` The command line specifies: 
@@ -187,11 +187,11 @@ Start another terminal, change to the `Node-3` directory and start Node-3 specif enode URL copied when starting Node-1 as the bootnode: ```bash tab="MacOS" -besu --data-path=data --genesis-file=../cliqueGenesis.json --bootnodes= --network-id 123 --p2p-port=30305 --rpc-http-enabled --rpc-http-api=ETH,NET,CLIQUE --host-whitelist="*" --rpc-http-cors-origins="all" --rpc-http-port=8547 +besu --data-path=data --genesis-file=../cliqueGenesis.json --bootnodes= --network-id 123 --p2p-port=30305 --rpc-http-enabled --rpc-http-api=ETH,NET,CLIQUE --host-allowlist="*" --rpc-http-cors-origins="all" --rpc-http-port=8547 ``` ```bash tab="Windows" -besu --data-path=data --genesis-file=..\cliqueGenesis.json --bootnodes= --network-id 123 --p2p-port=30305 --rpc-http-enabled --rpc-http-api=ETH,NET,CLIQUE --host-whitelist="*" --rpc-http-cors-origins="all" --rpc-http-port=8547 +besu --data-path=data --genesis-file=..\cliqueGenesis.json --bootnodes= --network-id 123 --p2p-port=30305 --rpc-http-enabled --rpc-http-api=ETH,NET,CLIQUE --host-allowlist="*" --rpc-http-cors-origins="all" --rpc-http-port=8547 ``` The command line specifies: diff --git a/docs/Tutorials/Private-Network/Create-Private-Network.md b/docs/Tutorials/Private-Network/Create-Private-Network.md index 9d9c6fa65c8..2df056960ea 100644 --- a/docs/Tutorials/Private-Network/Create-Private-Network.md +++ b/docs/Tutorials/Private-Network/Create-Private-Network.md 
@@ -92,11 +92,11 @@ the `Private-Network` directory: Start Node-1: ```bash tab="MacOS" -besu --data-path=data --genesis-file=../privateNetworkGenesis.json --miner-enabled --miner-coinbase fe3b557e8fb62b89f4916b721be55ceb828dbd73 --rpc-http-enabled --host-whitelist="*" --rpc-http-cors-origins="all" +besu --data-path=data --genesis-file=../privateNetworkGenesis.json --miner-enabled --miner-coinbase fe3b557e8fb62b89f4916b721be55ceb828dbd73 --rpc-http-enabled --host-allowlist="*" --rpc-http-cors-origins="all" ``` ```bash tab="Windows" -besu --data-path=data --genesis-file=..\privateNetworkGenesis.json --miner-enabled --miner-coinbase fe3b557e8fb62b89f4916b721be55ceb828dbd73 --rpc-http-enabled --host-whitelist="*" --rpc-http-cors-origins="all" +besu --data-path=data --genesis-file=..\privateNetworkGenesis.json --miner-enabled --miner-coinbase fe3b557e8fb62b89f4916b721be55ceb828dbd73 --rpc-http-enabled --host-allowlist="*" --rpc-http-cors-origins="all" ``` The command line enables: @@ -107,7 +107,7 @@ The command line enables: * JSON-RPC API using the [`--rpc-http-enabled`](../../Reference/CLI/CLI-Syntax.md#rpc-http-enabled) option. * All-host access to the HTTP JSON-RPC API using the - [`--host-whitelist`](../../Reference/CLI/CLI-Syntax.md#host-whitelist) option. + [`--host-allowlist`](../../Reference/CLI/CLI-Syntax.md#host-allowlist) option. * All-domain access to the node through the HTTP JSON-RPC API using the [`--rpc-http-cors-origins`](../../Reference/CLI/CLI-Syntax.md#rpc-http-cors-origins) option. diff --git a/mkdocs.yml b/mkdocs.yml index 8a5294267db..09b62abb286 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -105,7 +105,7 @@ nav: - Include Revert Reason in Transaction Receipts: HowTo/Send-Transactions/Revert-Reason.md - Limit Access to Node: - Use Local Permissioning: HowTo/Limit-Access/Local-Permissioning.md - - Update Onchain Permissioning Whitelists: HowTo/Limit-Access/Updating-Whitelists.md + - Update Onchain Permissioning Lists: HowTo/Limit-Access/Updating-Permission-Lists.md - Use Privacy Features: - Use EEA-compliant Privacy: HowTo/Use-Privacy/EEA-Compliant.md - Use Besu-extended Privacy: HowTo/Use-Privacy/Privacy.md From f52064d95e0ef399a65430859802c9f3105eb9e6 Mon Sep 17 00:00:00 2001 From: Byron Gravenorst Date: Wed, 29 Jul 2020 07:34:09 +1000 Subject: [PATCH 4/7] Address reviewer feedback. Signed-off-by: Byron Gravenorst --- .../Permissioning/Onchain-Permissioning.md | 19 ++--- .../HowTo/Limit-Access/Local-Permissioning.md | 84 +++++++++---------- .../Limit-Access/Updating-Permission-Lists.md | 20 ++--- .../Sign-Privacy-Marker-Transactions.md | 2 +- docs/Reference/API-Methods.md | 27 +++--- docs/Reference/CLI/CLI-Syntax.md | 2 +- .../Create-Permissioned-Network.md | 10 +-- .../Getting-Started-Onchain-Permissioning.md | 14 ++-- mkdocs.yml | 2 +- 9 files changed, 89 insertions(+), 91 deletions(-) diff --git a/docs/Concepts/Permissioning/Onchain-Permissioning.md b/docs/Concepts/Permissioning/Onchain-Permissioning.md index 942bf8fdb08..b388161da06 100644 --- a/docs/Concepts/Permissioning/Onchain-Permissioning.md +++ b/docs/Concepts/Permissioning/Onchain-Permissioning.md @@ -5,7 +5,7 @@ description: Onchain permissioning # Onchain permissioning Onchain permissioning uses smart contracts to store and administer the node, account, and admin -permissions. Using onchain permissioning enables all nodes to read the permissions from a single +allowlists. Using onchain permissioning enables all nodes to read the allowlists from a single source, the blockchain. !!! note 
@@ -23,30 +23,29 @@ repository are: * Ingress contracts for nodes and accounts - proxy contracts defined in the genesis file to defer the permissioning logic to the Node Rules and Account Rules contracts. The Ingress contracts deploy to static addresses. -* Node Rules - stores the permitted nodes and node operations (for example, add and +* Node Rules - stores the node allowlist and node sllowlist operations (for example, add and remove). -* Account Rules - stores the permitted accounts and account operations (for example, add +* Account Rules - stores the accounts allowlist and account allowlist operations (for example, add and remove). * Admin - stores the list of admin accounts and admin list operations (for example, add and remove). There is one list of admin accounts for node and accounts. ## Permissioning management Dapp -The [Permissioning Management Dapp] provides view and maintain access to the permitted nodes, -accounts, and admins. +The [Permissioning Management Dapp] provides view and maintain access to the allowlists. !!! tip Before v1.2, the management interface used Truffle, now deprecated. For an improved user experience, use the Dapp. -### Permission lists +### Allowlists -Permission lists are available for the following: +PPermissioning implements three allowlists: * Accounts, which can submit transactions to the network. * Nodes, which can join the network. -* Admins, which are accounts able to update permitted accounts and nodes. +* Admins, which are accounts able to update the accounts and nodes allowlists. !!! caution "Using account permissioning and privacy" @@ -56,7 +55,7 @@ Permission lists are available for the following: If using account permissioning and privacy, a signing key must be specified using the [`--privacy-marker-transaction-signing-key-file`] command line option and the signing key - included in the list of permitted accounts. + included in the accounts allowlist. ## Bootnodes 
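Review bot: Two typos in the added lines of the `@@ -23,30 +23,29 @@` hunk of Onchain-Permissioning.md: `node sllowlist operations` in the Node Rules bullet should read `node allowlist operations`, and `PPermissioning implements three allowlists:` has a doubled `P`. The qualifiers are also uneven in the same hunk: the Node Rules bullet says `node allowlist` while the Account Rules bullet says `accounts allowlist and account allowlist operations`. Pick singular or plural once and use it in both bullets.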
@@ -69,7 +68,7 @@ bootnodes to rediscover peers. !!! important - All bootnodes must be on the list of permitted nodes. + All bootnodes must be on the nodes allowlist. [PegaSysEng/permissioning-smart-contracts]: https://github.com/PegaSysEng/permissioning-smart-contracts diff --git a/docs/HowTo/Limit-Access/Local-Permissioning.md b/docs/HowTo/Limit-Access/Local-Permissioning.md index 4ab2b193974..7957033dffa 100644 --- a/docs/HowTo/Limit-Access/Local-Permissioning.md +++ b/docs/HowTo/Limit-Access/Local-Permissioning.md 
@@ -4,55 +4,55 @@ description: Hyperledger Besu local permissioning # Local permissioning -Local permissioning supports limiting access to specific nodes and accounts. +Local permissioning supports node and account allowlisting. -## Node permissioning +## Node allowlisting You can allow access to specified nodes in the -[permissions configuration file](#permissions-configuration-file). When limiting node access, -communication is only between nodes listed in the file. +[permissions configuration file](#permissions-configuration-file). With node allowlisting +enabled, communication is only between nodes in the allowlist -!!! example "Allow nodes access in the permissions configuration file" +!!! example "Nodes allowlist in the permissions configuration file" `nodes-allowlist=["enode://6f8a80d14311c39f35f516fa664deaaaa13e85b2f7493f37f6144d86991ec012937307647bd3b9a82abe2974e1407241d54947bbb39763a4cac9f77166ad92a0@192.168.0.9:4567","enode://6f8a80d14311c39f35f516fa664deaaaa13e85b2f7493f37f6144d86991ec012937307647bd3b9a82abe2974e1407241d54947bbb39763a4cac9f77166ad92a0@192.169.0.9:4568"]` -Specify node access at the node level. That is, each node in the network has a +Node allowlisting is at the node level. That is, each node in the network has a [permissions configuration file](#permissions-configuration-file) file in the [data directory](../../Reference/CLI/CLI-Syntax.md#data-path) for the node. -To update the list of allowed nodes while the node is running, use the JSON-RPC API methods: +To update the nodes allowlist while the node is running, use the JSON-RPC API methods: * [perm_addNodesToAllowlist](../../Reference/API-Methods.md#perm_addnodestoallowlist) * [perm_removeNodesFromAllowlist](../../Reference/API-Methods.md#perm_removenodesfromallowlist). 
You can also update the [`permissions_config.toml`](#permissions-configuration-file) file directly -and then update the permissions list using the +and then update the allowlist using the [`perm_reloadPermissionsFromFile`](../../Reference/API-Methods.md#perm_reloadpermissionsfromfile) method. Updates to the permissions configuration file persist across node restarts. -To view the allowed nodes, use the +To view the nodes allowlist, use the [perm_getNodesAllowlist](../../Reference/API-Methods.md#perm_getnodesallowlist) method. !!! note Each node has a [permissions configuration file](#permissions-configuration-file), which means - nodes can have different permission lists. This means nodes might be participating in the - network that are not on the permissions list of other nodes in the network. We recommend each node in - the network has the same permissions list. + nodes can have different nodes allowlists. This means nodes might be participating in the + network that are not on the allowlist of other nodes in the network. We recommend each node in + the network has the same nodes allowlist. - On-chain permissioning is under development. On-chain permissioning will use one on-chain - nodes permission list. + On-chain permissioning is under development. On-chain permissioning uses one on-chain + nodes allowlist. -!!! example "An example of different node permission lists" +!!! example "An example of different node allowlists" Node 1 Allowlist = [Node 2, Node 3] Node 2 Allowlist = [Node 3, Node 5] Node 5 is participating in the same network as Node 1 even though Node 1 does not have Node 5 - on their permissions list. + on their allowlist. ### Bootnodes 
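Review bot: The added line `+enabled, communication is only between nodes in the allowlist` drops the full stop that the removed sentence had, so the paragraph runs straight into the `!!! example` admonition. In the note further down, `will use one on-chain` became `uses one on-chain` while the preceding sentence still says on-chain permissioning is under development. Keep one tense, and match the same note in Create-Permissioned-Network.md, which this patch leaves as `will use`.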
@@ -70,9 +70,9 @@ with node permissions enabled. The `nodes-allowlist` in the [permissions configuration file](#permissions-configuration-file) must contain the specified bootnodes. -### Enabling node permissioning +### Enabling node allowlisting -To enable node permissioning, specify the +To enable node allowlisting, specify the [`--permissions-nodes-config-file-enabled`](../../Reference/CLI/CLI-Syntax.md#permissions-nodes-config-file-enabled) option when starting Besu. @@ -80,17 +80,17 @@ The `PERM` API methods are not enabled by default. To enable the `PERM` API meth [`--rpc-http-api`](../../Reference/CLI/CLI-Syntax.md#rpc-http-api) or [`--rpc-ws-api`](../../Reference/CLI/CLI-Syntax.md#rpc-ws-api) options. -## Account permissioning +## Account allowlisting -You can specify accounts in the accounts permissions list in the +You can specify accounts in the accounts allowlist in the [permissions configuration file](#permissions-configuration-file). A node with account -permissioning accepts transactions only from accounts in the accounts permission list. +permissioning accepts transactions only from accounts in the accounts allowlist. -!!! example "Accounts Permissions Configuration File" +!!! example "Accounts allowlist in the permissions configuration file" `accounts-allowlist=["0x0000000000000000000000000000000000000009"]` -Account permissioning is at the node level. That is, each node in the network has a +Account allowlisting is at the node level. That is, each node in the network has a [permisssions configuration file](#permissions-configuration-file) in the [data directory](../../Reference/CLI/CLI-Syntax.md#data-path) for the node. 
@@ -102,24 +102,24 @@ Account permissioning is at the node level. That is, each node in the network ha If using account permissioning and privacy, a signing key must be specified using the [`--privacy-marker-transaction-signing-key-file`](../../Reference/CLI/CLI-Syntax.md#privacy-marker-transaction-signing-key-file) - command line option and the signing key included in the accounts permission list. + command line option and the signing key included in the accounts allowlist. -Transaction validation against the accounts permission list occurs at the following points: +Transaction validation against the accounts allowlist occurs at the following points: * Submitted by JSON-RPC API method [`eth_sendRawTransaction`](../../Reference/API-Methods.md#eth_sendrawtransaction) * Received via propagation from another node * Added to a block by a mining node. -After adding transactions to a block, the transactions are not validated against the permissions -list when received by another node. That is, a node can synchronise and add blocks containing -transactions from accounts that are not on the accounts permission list of that node. +After adding transactions to a block, the transactions are not validated against the allowlist +when received by another node. That is, a node can synchronise and add blocks containing +transactions from accounts that are not on the accounts allowlist of that node. The following diagram illustrates applying local and onchain permissioning rules. ![Permissioning Flow](../../images/PermissioningFlow.png) -!!! example "An Example of Different Account Permission lists" +!!! example "An Example of different account allowlists" Node 1 Allowlist = [Account A, Account B] 
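Review bot: Admonition title casing is inconsistent: this hunk adds `!!! example "An Example of different account allowlists"`, while the matching node title earlier in the file is `"An example of different node allowlists"`, so lower-case `Example` here. The added sentence `the transactions are not validated against the allowlist` should also say `accounts allowlist`, as the next sentence does, so it cannot be read as the nodes allowlist.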
@@ -129,21 +129,21 @@ The following diagram illustrates applying local and onchain permissioning rules Account A submits a transaction on Node 1. Node 1 validates and propagates the transaction. The Mining Node receives the transaction, validates it is from an account in the Mining Node - accounts permission list, and includes the transaction in the block. Node 2 receives and adds + accounts allowlist, and includes the transaction in the block. Node 2 receives and adds the block created by the Mining Node. Node 2 now has a transaction in the blockchain from Account A, which is not on the accounts - permission list for Node 2. + allowlist for Node 2. !!! note Each node has a [permissions configuration file](#permissions-configuration-file) which means - nodes in the network can have different accounts permission lists. This means a transaction can - be successfully submitted by Node A from an account in the Node A permission list but rejected - by Node B to which it's propagated if the account is not in the Node B permission list. We - recommend each node in the network has the same accounts permission list. + nodes in the network can have different accounts allowlists. This means a transaction can + be successfully submitted by Node A from an account in the Node A allowlist but rejected + by Node B to which it's propagated if the account is not in the Node B allowlist. We + recommend each node in the network has the same accounts allowlist. -To update the accounts permission list when the node is running, use the JSON-RPC API methods: +To update the accounts allowlist when the node is running, use the JSON-RPC API methods: * [`perm_addAccountsToAllowlist`](../../Reference/API-Methods.md#perm_addaccountstoallowlist) * [`perm_removeAccountsFromAllowlist`](../../Reference/API-Methods.md#perm_removeaccountsfromallowlist). 
@@ -151,16 +151,16 @@ To update the accounts permission list when the node is running, use the JSON-RP You can also update the [`permissions_config.toml`](#permissions-configuration-file) file directly and use the [`perm_reloadPermissionsFromFile`](../../Reference/API-Methods.md#perm_reloadpermissionsfromfile) -method to update the permission lists. +method to update the allowlists. Updates to the permissions configuration file persist across node restarts. -To view the accounts permission list, use the +To view the accounts allowlist, use the [`perm_getAccountsAllowlist`](../../Reference/API-Methods.md#perm_getaccountsallowlist) method. -### Enabling account permissioning +### Enabling account allowlisting -To enable account permissioning, specify the +To enable account allowlisting, specify the [`--permissions-accounts-config-file-enabled`](../../Reference/CLI/CLI-Syntax.md#permissions-accounts-config-file-enabled) option when starting Besu. 
@@ -170,14 +170,14 @@ The `PERM` API methods are not enabled by default. To enable the `PERM` API meth ## Permissions configuration file -The permissions configuration file contains the nodes and accounts permission lists. If the +The permissions configuration file contains the nodes and accounts allowlists. If the [`--permissions-accounts-config-file`](../../Reference/CLI/CLI-Syntax.md#permissions-accounts-config-file) and [`--permissions-nodes-config-file`](../../Reference/CLI/CLI-Syntax.md#permissions-nodes-config-file) options are not specified, the name of the permissions configuration file must be [`permissions_config.toml`](#permissions-configuration-file) and must be in the [data directory](../../Reference/CLI/CLI-Syntax.md#data-path) for the node. -You can specify the accounts and nodes permissions in the same file or in separate files for +You can specify the accounts and nodes allowlists in the same file or in separate files for accounts and nodes. To specify a permissions configuration file (or separate files for accounts and nodes) in any diff --git a/docs/HowTo/Limit-Access/Updating-Permission-Lists.md b/docs/HowTo/Limit-Access/Updating-Permission-Lists.md index bce20d920ab..e223126d131 100644 --- a/docs/HowTo/Limit-Access/Updating-Permission-Lists.md +++ b/docs/HowTo/Limit-Access/Updating-Permission-Lists.md 
@@ -1,19 +1,19 @@ --- -description: Updating Hyperledger Besu onchain permission lists +description: Updating Hyperledger Besu onchain allowlists --- -# Updating node and account permission lists +# Updating nodes and accounts allowlists -## Update node permission lists +## Update nodes allowlists -To add a node to the Hyperledger Besu nodes permission list: +To add a node to the Hyperledger Besu nodes allowlist: 1. On the _Whitelisted Nodes_ tab of the Permissioning Management Dapp, click the _Add Whitelisted Nodes_ button. The Add Node window displays. 1. Enter the [enode URL](../../Concepts/Node-Keys.md#enode-url) of the node you are adding and click the _Add Whitelisted Node_ button. -To remove a node from the nodes permission list: +To remove a node from the nodes allowlist: 1. On the _Whitelisted Nodes_ tab of the Permissioning Management Dapp, hover over the row of the node you are removing. A trash can displays. 
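Review bot: Renaming `## Update node permission lists` to `## Update nodes allowlists` changes the heading anchor, but the reference definitions added to Getting-Started-Onchain-Permissioning.md later in this patch still end in `Updating-Permission-Lists.md#update-node-permission-lists`, so they will no longer match this heading. Update those targets or keep the old heading text, and check the new `[admin accounts]` definition, which points at the node section rather than an accounts one. The steps under the renamed headings still use the Dapp labels _Whitelisted Nodes_ and _Add Whitelisted Node_; if those are the literal UI strings, say so, otherwise rename them too. In the next hunk of this file, `To add a allowlisted node` should read `an allowlisted node`.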
@@ -22,23 +22,23 @@ To remove a node from the nodes permission list: !!! tip If you add a running node, the node does not attempt to reconnect to the bootnode and - synchronize until peer discovery restarts. To add an allowed node as a peer without waiting + synchronize until peer discovery restarts. To add a allowlisted node as a peer without waiting for peer discovery to restart, use [`admin_addPeer`](../../Reference/API-Methods.md#admin_addpeer). - If you add the node to the permission list before starting the node, using `admin_addPeer` is not + If you add the node to the allowlist before starting the node, using `admin_addPeer` is not required because peer discovery is run on node startup. -## Update account permission lists +## Update account allowlists -To add an account to the accounts permission list: +To add an account to the accounts allowlist: 1. On the _Whitelisted Accounts_ tab of the Permissioning Management Dapp, click the _Add Whitelisted Account_ button. The add Account Window displays. 1. Enter the account address in the _Account Address_ field and click the _Add Whitelisted Account_ button. -To remove an account from the accounts permission list: +To remove an account from the accounts allowlist: 1. On the _Whitelisted Accounts_ tab of the Permissioning Management Dapp, hover over the row of the account you are removing. A trash can displays. diff --git a/docs/HowTo/Use-Privacy/Sign-Privacy-Marker-Transactions.md b/docs/HowTo/Use-Privacy/Sign-Privacy-Marker-Transactions.md index fc1dc6f02eb..ef47f09c7bd 100644 --- a/docs/HowTo/Use-Privacy/Sign-Privacy-Marker-Transactions.md +++ b/docs/HowTo/Use-Privacy/Sign-Privacy-Marker-Transactions.md 
@@ -23,7 +23,7 @@ command line option when starting Besu. If using account permissioning and privacy, a signing key must be specified using the [`--privacy-marker-transaction-signing-key-file`](../../Reference/CLI/CLI-Syntax.md#privacy-marker-transaction-signing-key-file) - command line option and the signing key included in the accounts permission list. + command line option and the signing key included in the accounts allowlist. !!! note diff --git a/docs/Reference/API-Methods.md b/docs/Reference/API-Methods.md index 11623e87e66..987084a8e16 100644 --- a/docs/Reference/API-Methods.md +++ b/docs/Reference/API-Methods.md @@ -4119,7 +4119,7 @@ Adds accounts (participants) to the #### Returns `result` - `Success` or `error`. Errors include attempting to add accounts already on the -permissions list or including invalid account addresses. +allowlist or including invalid account addresses. !!! example @@ -4150,7 +4150,7 @@ None #### Returns -`result: list` - Accounts (participants) in the accounts permissions list. +`result: list` - Accounts (participants) in the accounts allowlist. !!! example @@ -4189,8 +4189,8 @@ Removes accounts (participants) from the #### Returns -`result` - `Success` or `error`. Errors include attempting to remove accounts not on the permissions -list or including invalid account addresses. +`result` - `Success` or `error`. Errors include attempting to remove accounts not on the allowlist +or including invalid account addresses. !!! example @@ -4213,7 +4213,7 @@ list or including invalid account addresses. ### perm_addNodesToAllowlist Adds nodes to the -[nodes permissions list](../HowTo/Limit-Access/Local-Permissioning.md#node-permissioning). +[nodes allowlist](../HowTo/Limit-Access/Local-Permissioning.md#node-allowlisting). #### Parameters 
@@ -4226,8 +4226,8 @@ Adds nodes to the #### Returns -`result` - `Success` or `error`. Errors include attempting to add nodes already on the permissions -list or including invalid enode URLs. +`result` - `Success` or `error`. Errors include attempting to add nodes already on the allowlist or +including invalid enode URLs. !!! example @@ -4250,7 +4250,7 @@ list or including invalid enode URLs. ### perm_getNodesAllowlist Lists nodes in the -[nodes permissions list](../HowTo/Limit-Access/Local-Permissioning.md#node-permissioning). +[nodes allowlist](../HowTo/Limit-Access/Local-Permissioning.md#node-allowlisting). #### Parameters @@ -4258,8 +4258,7 @@ None #### Returns -`result: list` - [Enode URLs](../Concepts/Node-Keys.md#enode-url) of nodes in the nodes permissions -list. +`result: list` - [Enode URLs](../Concepts/Node-Keys.md#enode-url) of nodes in the nodes allowlist. !!! example @@ -4285,7 +4284,7 @@ list. ### perm_removeNodesFromAllowlist Removes nodes from the -[nodes permissions list](../HowTo/Limit-Access/Local-Permissioning.md#node-permissioning). +[nodes allowlist](../HowTo/Limit-Access/Local-Permissioning.md#node-allowlisting). #### Parameters @@ -4298,8 +4297,8 @@ Removes nodes from the #### Returns -`result` - `Success` or `error`. Errors include attempting to remove nodes not on the permissions -list or including invalid enode URLs. +`result` - `Success` or `error`. Errors include attempting to remove nodes not on the allowlist +or including invalid enode URLs. !!! example @@ -4321,7 +4320,7 @@ list or including invalid enode URLs. ### perm_reloadPermissionsFromFile -Reloads the accounts and nodes permission lists from the [permissions configuration file]. +Reloads the accounts and nodes allowlists from the [permissions configuration file]. #### Parameters diff --git a/docs/Reference/CLI/CLI-Syntax.md b/docs/Reference/CLI/CLI-Syntax.md index 350178f366c..e43a2eb3fa4 100644 --- a/docs/Reference/CLI/CLI-Syntax.md +++ b/docs/Reference/CLI/CLI-Syntax.md 
@@ -1240,7 +1240,7 @@ you do not specify this option, Besu signs each transaction with a different ran key. If using [account permissioning] and privacy, you must specify a private key file and the signing -key included in the list of allowed accounts. +key included in the accounts allowlist. ### privacy-multi-tenancy-enabled diff --git a/docs/Tutorials/Permissioning/Create-Permissioned-Network.md b/docs/Tutorials/Permissioning/Create-Permissioned-Network.md index 441a8310256..beda790273c 100644 --- a/docs/Tutorials/Permissioning/Create-Permissioned-Network.md +++ b/docs/Tutorials/Permissioning/Create-Permissioned-Network.md @@ -131,7 +131,7 @@ In `extraData`, replace `` with the ### 4. Create the permissions configuration file -The permissions configuration file defines the nodes and accounts permission lists. +The permissions configuration file defines the nodes and accounts whitelists. Copy the following permissions configuration to a file called `permissions_config.toml` and save a copy in the `Node-1/data`, `Node-2/data`, and `Node-3/data` directories: @@ -154,7 +154,7 @@ Use the JSON-RPC API to add permissioned nodes after starting the nodes. data directory for each node. On-chain permissioning is under development. On-chain permissioning will use one on-chain nodes - and accounts permission lists. + whitelist and accounts allowlist. ### 5. Start Node-1 @@ -321,7 +321,7 @@ Node-3): } ``` -#### Send a transaction from an account in the permissions list +#### Send a transaction from an account in the allowlist Import the first account from the genesis file into MetaMask and send transactions, as described in [Private network example tutorial]: 
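Review bot: The Create-Permissioned-Network.md hunks reintroduce the term this series removes: `+The permissions configuration file defines the nodes and accounts whitelists.` in step 4, and `+ whitelist and accounts allowlist.` in the note, which now reads "one on-chain nodes whitelist and accounts allowlist". Both should use `allowlist`, for example `defines the nodes and accounts allowlists` and `one on-chain nodes allowlist and accounts allowlist`. A search for `whitelist` over the added lines before merging would catch any other leftovers.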
@@ -337,7 +337,7 @@ Import the first account from the genesis file into MetaMask and send transactio Besu does not support [private key management](../../HowTo/Send-Transactions/Account-Management.md). -### Try sending a transaction from an account not in the accounts permission list +### Try sending a transaction from an account not in the accounts allowlist Import the last account from the genesis file into MetaMask and try to send a transactions, as described in [Private Network Example Tutorial]: @@ -348,7 +348,7 @@ described in [Private Network Example Tutorial]: * Private key : `0xae6ae8e5ccbfb04590405997ee2d52d2b330726137b875053c36d94e974d162f` * Initial balance : `0x90000000000000000000000` (2785365088392105618523029504 in decimal) -### Start a node not on the nodes permission list +### Start a node not on the nodes allowlist In your `Permissioned-Network` directory, create a `Node-4` directory and `data` directory inside it. diff --git a/docs/Tutorials/Permissioning/Getting-Started-Onchain-Permissioning.md b/docs/Tutorials/Permissioning/Getting-Started-Onchain-Permissioning.md index d3132f06af0..954c48c4b9f 100644 --- a/docs/Tutorials/Permissioning/Getting-Started-Onchain-Permissioning.md +++ b/docs/Tutorials/Permissioning/Getting-Started-Onchain-Permissioning.md @@ -21,7 +21,7 @@ To start a network with onchain permissioning: 1. [Build the project](#build-the-project) 1. [Deploy the permissioning contracts](#deploy-the-contracts) 1. [Start the webserver for the Permissioning Management Dapp] -1. [Add the first node to the nodes permission list](#add-the-first-node-to-the-permission-list). +1. [Add the first node to the nodes allowlist](#add-the-first-node-to-the-allowlist). ## Prerequisites 
@@ -142,7 +142,7 @@ The migration logs the addresses of the Admin and Rules contracts. !!! important The account that deploys the contracts is automatically an - [admin account](#update-accounts-or-admin-accounts-permission-lists). + [admin account](#update-accounts-or-admin-accounts-allowlists). ## Start the webserver for the Permissioning Management Dapp @@ -171,16 +171,16 @@ The migration logs the addresses of the Admin and Rules contracts. !!! note - Only [admin accounts](#update-accounts-or-admin-accounts-permission-lists) can add or remove nodes + Only [admin accounts](#update-accounts-or-admin-accounts-allowlists) can add or remove nodes from the permission list. -## Add the first node to the permission list +## Add the first node to the allowlist -The first node must [add itself to the permission list] before adding other nodes. +The first node must [add itself to the allowlist] before adding other nodes. [Start first node with onchain permissioning and the JSON-RPC HTTP service enabled]: #onchain-permissioning-command-line-options [Clone the permissioning contracts repository and install dependencies]: #clone-the-contracts-and-install-dependencies [Start the webserver for the Permissioning Management Dapp]: #start-the-webserver-for-the-permissioning-management-dapp -[add itself to the permission list]: ../../HowTo/Limit-Access/Updating-Permission-Lists.md#update-node-permission-lists - +[add itself to the allowlist]: ../../HowTo/Limit-Access/Updating-Permission-Lists.md#update-node-permission-lists +[admin accounts]: ../../HowTo/Limit-Access/Updating-Permission-Lists.md#update-node-permission-lists diff --git a/mkdocs.yml b/mkdocs.yml index 09b62abb286..ab0722507fb 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -105,7 +105,7 @@ nav: - Include Revert Reason in Transaction Receipts: HowTo/Send-Transactions/Revert-Reason.md - Limit Access to Node: - Use Local Permissioning: HowTo/Limit-Access/Local-Permissioning.md - - Update Onchain Permissioning Lists: HowTo/Limit-Access/Updating-Permission-Lists.md + - Update Onchain Allowlists: HowTo/Limit-Access/Updating-Permission-Lists.md - Use Privacy Features: - Use EEA-compliant Privacy: HowTo/Use-Privacy/EEA-Compliant.md - Use Besu-extended Privacy: HowTo/Use-Privacy/Privacy.md From 1fe1837f114768448fc9b70c081b09431e8070cf Mon Sep 17 00:00:00 2001 From: Byron Gravenorst Date: Wed, 29 Jul 2020 09:18:59 +1000 Subject: [PATCH 5/7] Fix typos. Signed-off-by: Byron Gravenorst --- docs/Concepts/Permissioning/Onchain-Permissioning.md | 4 ++-- .../Permissioning/Getting-Started-Onchain-Permissioning.md | 6 ++---- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/docs/Concepts/Permissioning/Onchain-Permissioning.md b/docs/Concepts/Permissioning/Onchain-Permissioning.md index b388161da06..e63691c4049 100644 --- a/docs/Concepts/Permissioning/Onchain-Permissioning.md +++ b/docs/Concepts/Permissioning/Onchain-Permissioning.md @@ -23,7 +23,7 @@ repository are: * Ingress contracts for nodes and accounts - proxy contracts defined in the genesis file to defer the permissioning logic to the Node Rules and Account Rules contracts. The Ingress contracts deploy to static addresses. -* Node Rules - stores the node allowlist and node sllowlist operations (for example, add and +* Node Rules - stores the node allowlist and node allowlist operations (for example, add and remove). * Account Rules - stores the accounts allowlist and account allowlist operations (for example, add and remove). 
@@ -41,7 +41,7 @@ The [Permissioning Management Dapp] provides view and maintain access to the all ### Allowlists -PPermissioning implements three allowlists: +Permissioning implements three allowlists: * Accounts, which can submit transactions to the network. * Nodes, which can join the network. diff --git a/docs/Tutorials/Permissioning/Getting-Started-Onchain-Permissioning.md b/docs/Tutorials/Permissioning/Getting-Started-Onchain-Permissioning.md index 954c48c4b9f..806a3797a2b 100644 --- a/docs/Tutorials/Permissioning/Getting-Started-Onchain-Permissioning.md +++ b/docs/Tutorials/Permissioning/Getting-Started-Onchain-Permissioning.md @@ -141,8 +141,7 @@ The migration logs the addresses of the Admin and Rules contracts. !!! important - The account that deploys the contracts is automatically an - [admin account](#update-accounts-or-admin-accounts-allowlists). + The account that deploys the contracts is automatically an [admin account]. ## Start the webserver for the Permissioning Management Dapp @@ -171,8 +170,7 @@ The migration logs the addresses of the Admin and Rules contracts. !!! note - Only [admin accounts](#update-accounts-or-admin-accounts-allowlists) can add or remove nodes - from the permission list. + Only [admin accounts] can add or remove nodes from the permission list. ## Add the first node to the allowlist From a319babc831dc42a27d35f9113618fd338171cdb Mon Sep 17 00:00:00 2001 From: Byron Gravenorst Date: Tue, 9 Feb 2021 14:10:40 +1000 Subject: [PATCH 6/7] Add new debug RPCs to display the block trace. Signed-off-by: Byron Gravenorst --- docs/Reference/API-Methods.md | 94 +++++++++++++++++++++++++++++++++++ 1 file changed, 94 insertions(+) diff --git a/docs/Reference/API-Methods.md b/docs/Reference/API-Methods.md index c4dd12f60b0..a4a9d01f3a3 100644 --- a/docs/Reference/API-Methods.md +++ b/docs/Reference/API-Methods.md 
@@ -4046,6 +4046,100 @@ Returns the accounts for a specified block. } ``` +### `debug_standardTraceBlockToFile` + +Generates files containing the block trace. A separate file is generated for each +transaction in the block. + +You can also specify a trace file for a specific transaction in a block. + +Use [`debug_standardTraceBadBlockToFile`](#debug_standardtracebadblocktofile) to view the trace for +an invalid block. + +#### Parameters + +`blockHash` : `data` - Block hash. + +`txHash` : `data` - The transaction hash. Optional. If ommitted, then a trace file is generated for each +transaction in the block. + +`disableMemory` : `boolean` - Specify whether to capture EVM memory during the trace. +Defaults to `true`. + +#### Returns + +`result` : `data` - Location of the generated trace files. + +!!! example + + === "curl HTTP request" + + ```bash + curl -X POST --data '{"jsonrpc":"2.0","method":"debug_standardTraceBlockToFile","params":["0x2dc0b6c43144e314a86777b4bd4f987c0790a6a0b21560671d221ed81a23f2dc", { + "txHash": "0x4ff04c4aec9517721179c8dd435f47fbbfc2ed26cd4926845ab687420d5580a6", "disableMemory": false}], "id":1}' http://127.0.0.1:8545 + ``` + + === "wscat WS request" + + ```bash + {"jsonrpc":"2.0","method":"debug_standardTraceBlockToFile","params":["0x2dc0b6c43144e314a86777b4bd4f987c0790a6a0b21560671d221ed81a23f2dc", { + "txHash": "0x4ff04c4aec9517721179c8dd435f47fbbfc2ed26cd4926845ab687420d5580a6", "disableMemory": false}], "id":1} + ``` + + === "JSON result" + + ```json + { + "jsonrpc": "2.0", + "id": 1, + "result": [ + "/Users/me/mynode/goerli/data/traces/block_0x2dc0b6c4-4-0x4ff04c4a-1612820117332" + ] + } + ``` + +### `debug_standardTraceBadBlockToFile` + +Generates files containing the block trace of invalid blocks. A separate file is generated for each +transaction in the block. + +Use [`debug_standardTraceBlockToFile`](#debug_standardtraceblocktofile) to view the trace for a +valid block. + +#### Parameters + +`blockHash` : `data` - Block hash. 
+ +#### Returns + +`result` : `data` - Location of the generated trace files. + +!!! example + + === "curl HTTP request" + + ```bash + curl -X POST --data '{"jsonrpc":"2.0","method":"debug_standardTraceBadBlockToFile","params":["0x53741e9e94791466d117c5f9e41a2ed1de3f73d39920c621dfc2f294e7779baa"], "id":1}' http://127.0.0.1:8545 + ``` + + === "wscat WS request" + + ```bash + {"jsonrpc":"2.0","method":"debug_standardTraceBadBlockToFile","params":["0x53741e9e94791466d117c5f9e41a2ed1de3f73d39920c621dfc2f294e7779baa"], "id":1} + ``` + + === "JSON result" + + ```json + { + "jsonrpc": "2.0", + "id": 1, + "result": [ + "/Users/me/mynode/goerli/data/traces/block_0x53741e9e-0-0x407ec43d-1600951088172" + ] + } + ``` + ### `debug_storageRangeAt` [Remix](https://remix.ethereum.org/) uses `debug_storageRangeAt` to implement debugging. Use the From ad09249d1545e10d517a894ade8da76ad46774dc Mon Sep 17 00:00:00 2001 From: Byron Gravenorst Date: Wed, 10 Feb 2021 10:47:14 +1000 Subject: [PATCH 7/7] Fix markdown issues. Signed-off-by: Byron Gravenorst --- docs/Reference/API-Methods.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/Reference/API-Methods.md b/docs/Reference/API-Methods.md index a4a9d01f3a3..9384cfac342 100644 --- a/docs/Reference/API-Methods.md +++ b/docs/Reference/API-Methods.md @@ -4060,11 +4060,11 @@ an invalid block. `blockHash` : `data` - Block hash. -`txHash` : `data` - The transaction hash. Optional. If ommitted, then a trace file is generated for each +`txHash` : `data` - The transaction hash. Optional. If omitted, then a trace file is generated for each transaction in the block. `disableMemory` : `boolean` - Specify whether to capture EVM memory during the trace. -Defaults to `true`. +Defaults to `true`. #### Returns
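Review bot: in PATCH 1/7, docs/Tutorials/Permissioning/Create-Permissioned-Network.md, hunk `@@ -131,7 +131,7 @@`, the added line replaces "permission lists" with "whitelists", which is the term this patch is removing. It should read "The permissions configuration file defines the nodes and accounts allowlists."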
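Review bot: in PATCH 1/7, docs/Tutorials/Permissioning/Create-Permissioned-Network.md, hunk `@@ -154,7 +154,7 @@`, the added line "whitelist and accounts allowlist." reintroduces "whitelist" and mixes both terms in one sentence. Use "allowlist" for both, and check the resulting sentence ("will use one on-chain nodes allowlist and accounts allowlist") still says what the original "one on-chain nodes and accounts permission lists" meant.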
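Review bot: in PATCH 1/7, the `perm_getNodesAllowlist` hunk `@@ -4250,7 +4250,7 @@` (and the same change in `@@ -4285,7 +4284,7 @@` for `perm_removeNodesFromAllowlist`) retargets the link to `Local-Permissioning.md#node-allowlisting`, but the Local-Permissioning.md hunk in this same patch renames the heading to "Configure node access", so no heading in the visible changes would generate a `node-allowlisting` anchor. Confirm the anchor exists after the rename or point the link at the new heading's anchor.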
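Review bot: in PATCH 1/7, docs/Tutorials/Permissioning/Getting-Started-Onchain-Permissioning.md, hunk `@@ -171,16 +171,16 @@`, the new reference definition `[admin accounts]:` uses the same target as `[add itself to the allowlist]:` (`Updating-Permission-Lists.md#update-node-permission-lists`), which looks like a copy of the line above it. The inline links in this file point admin accounts at `#update-accounts-or-admin-accounts-allowlists`, so the definition should target the accounts section rather than the node section. The note text in the same hunk also still says "from the permission list" directly above the heading that is renamed to "allowlist".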
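Review bot: in PATCH 5/7, docs/Tutorials/Permissioning/Getting-Started-Onchain-Permissioning.md, hunk `@@ -141,8 +141,7 @@`, the inline link is replaced with the reference-style `[admin account]` (singular), but the only definition visible in this series is `[admin accounts]:` (plural). Reference labels must match, so this link will not resolve and will render as literal bracketed text. Add an `[admin account]:` definition or write it as `[admin account][admin accounts]`.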
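Review bot: in PATCH 5/7, docs/Tutorials/Permissioning/Getting-Started-Onchain-Permissioning.md, hunk `@@ -171,8 +170,7 @@`, the rewritten note line still ends with "from the permission list" while the heading two lines below is "Add the first node to the allowlist". Since the line is being touched anyway, change it to "from the allowlist" so the terminology is consistent within the section.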
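Review bot: in PATCH 6/7, docs/Reference/API-Methods.md, hunk `@@ -4046,6 +4046,100 @@`, the Parameters section of `debug_standardTraceBlockToFile` lists `txHash` and `disableMemory` as if they were positional parameters, but both request examples pass them as fields of a single object in the second position of `params`. Document the second parameter as an optional options object and list the two fields under it. The `disableMemory` description is also ambiguous: "Specify whether to capture EVM memory during the trace. Defaults to `true`." can be read as capture being on by default, while the parameter name and the example's `"disableMemory": false` read the other way, so state explicitly what `true` does. In both new methods the Returns line gives `result` : `data`, whereas the JSON results shown are arrays of file paths, and the wscat request blocks are fenced as `bash` although they contain JSON.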