Node: Add a CLI option to allow all RPCs on a listening point.
Context
Follow-up on !3164 (merged). With the advent of RPC ACLs some inconvenience has been created for those using Docker containers. On one hand the ACL is less important in Docker virtual networks, as they are safe by themselves. On the other hand it's inconvenient to manually modify configuration files inside Docker containers. Therefore a more CLI-based way of controlling ACLs is required. This MR starts building such an interface by introducing an option --allow-all-rpc to the tezos-node command. Just like --rpc-addr it can be used when configuring the node to put an allow-all policy automatically in the config file; or when running a node to override the config for this particular run.
Note that due to a bug, until !3218 (merged) is merged, the address in the ACL must match exactly (i.e. be the same string) the given --rpc-addr address, or otherwise the ACL might not apply.
Manually testing the MR
Run:
$ ./tezos-node config init --rpc-addr <public address> --allow-all-rpc <public address>
and verify that the proper ACL has been put in config.json.
$ ./tezos-node run --rpc-addr <a public address> --allow-all-rpc <a public address>
and verify that config.json has not changed, yet the unsafe RPCs are indeed open on the given address.
An endpoint blocked by default, which can be used to test the public address, might be /fetch_protocol/PtGRANADsDU8R9daYKAgWnQYAJ64omN1o3KMGVCykShA97vQbvV.
Checklist
- Document any change to the user interface, including configuration parameters (see node configuration)
- For new features and bug fixes, add an item in the appropriate changelog (docs/protocols/alpha.rst for the protocol and the environment, the Development Version section of CHANGES.md for everything else).
- Select suitable reviewers using the Reviewers field below.
- Select as Assignee the next person who should take action on that MR
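
An added example (not part of the merge request or the project's code): a small audit of config.json for use after the manual test above. It flags allow-all ACL entries on non-loopback addresses and ACL addresses that are not string-identical to a listen address. The config.json layout used here (rpc.listen-addrs, rpc.acl, an empty blacklist meaning allow-all) is an assumption, and the sample config is constructed.

```python
import json

# Constructed sample of a node config.json. The "rpc" / "listen-addrs" / "acl"
# layout and the empty-"blacklist" encoding of allow-all are assumptions.
SAMPLE_CONFIG = """
{
  "rpc": {
    "listen-addrs": ["0.0.0.0:8732", "localhost:8733"],
    "acl": [
      {"address": "0.0.0.0:8732", "blacklist": []},
      {"address": "127.0.0.1:8733", "blacklist": []},
      {"address": "localhost:8734", "whitelist": ["GET /chains/**"]}
    ]
  }
}
"""

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "[::1]"}


def host_of(address):
    """Host part of 'host:port' (or a bare host), keeping IPv6 brackets."""
    if address.startswith("["):
        return address.split("]")[0] + "]"
    return address.rsplit(":", 1)[0] if ":" in address else address


def audit_acl(config_text):
    """Return (finding, address) pairs for an operator to review."""
    rpc = json.loads(config_text).get("rpc", {})
    listen = rpc.get("listen-addrs", [])
    findings = []
    for entry in rpc.get("acl", []):
        addr = entry.get("address", "")
        allow_all = entry.get("blacklist") == [] and "whitelist" not in entry
        # Exact string comparison, mirroring the matching caveat in the MR text.
        if addr not in listen:
            findings.append(("acl-address-not-a-listen-addr", addr))
        if allow_all and host_of(addr) not in LOOPBACK_HOSTS:
            findings.append(("allow-all-on-non-loopback", addr))
    return findings


if __name__ == "__main__":
    for finding, addr in audit_acl(SAMPLE_CONFIG):
        print(f"{finding}: {addr}")
```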