Script running with authentication
Hi Team,
I am using the sample daml code with a script here:
setup : Script AssetId
setup = script do
-- user_setup_begin
alice <- allocatePartyWithHint "Alice" (PartyIdHint "Alice")
bob <- allocatePartyWithHint "Bob" (PartyIdHint "Bob")
aliceId <- validateUserId "alice"
bobId <- validateUserId "bob"
createUser (User aliceId (Some alice)) [CanActAs alice]
createUser (User bobId (Some bob)) [CanActAs bob]
-- user_setup_end
aliceTV <- submit alice do
createCmd Asset with
issuer = alice
owner = alice
name = "TV"
bobTV <- submit alice do
exerciseCmd aliceTV Give with newOwner = bob
submit bob do
exerciseCmd bobTV Give with newOwner = alice
This script runs well in Sandbox without authentication.
Once we enable authentication with this
daml sandbox -c auth.conf
daml ledger upload-dar --access-toke-file adminjwt .daml/dist/seconddaml-0.0.1.dar>
When we run the script (adminjwt works fine in uploading the DAR)
daml script --dar .daml/dist/seconddaml-0.0.1.dar --script-name Main:setup --ledger-host localhost --ledger-port 6865 --acce
ss-token-file adminjwt
We get authentication problems
Exception in thread "main" com.daml.lf.engine.script.ScriptF$FailedCmd: Command submit failed: PERMISSION_DENIED: An error occurred. Please contact the operator and inquire about the request <no-correlation-id>
My observation is that the first part of script “user setup” works well with the adminjwt (with userid set participant_admin), but this token cannot be used when representing alice and bob, despite the fact that alice and bob as users are defined already in the ledger.
What is the best way in this case? Ideally we can use participant_admin to create users alice and bob, then we can use alice and bob to execute the remaining of the script.
Thanks in advance.
KC
I would say that the best thing to do is to split the script in three, run the setup as an admin, output the party identifiers for the users and use those in two further scripts which can be run with a token for alice and bob respectively.
Thanks @stefanobaghino-da I also thought of this. But by breaking the script into parts, there’s a challenge to link the right parties between the scripts. Can you share more ideas how this can be done?
Also if this can be highlighted in the documentation that will be better. There are a lot of scripts written in this way prior to v2.0. When moving to v2.0 we will have this challenge.
Many thanks again.
kc
kctam:Thanks @stefanobaghino-da I also thought of this. But by breaking the script into parts, there’s a challenge to link the right parties between the scripts. Can you share more ideas how this can be done?
The documentation of Daml Script shows an example of having party identifiers as output of a script. The file at the path provided as part of --output-file will contain the relevant party identifiers. The file can be then fed to the other scripts using --input-file.
The initialization script already creates an alice and bob user, which can respectively act as the Alice and Bob party. So you’ll need to point to a file where the token with the appropriate fields are populated. You’ll need the user names in there, so you don’t need to bootstrap the process using party identifiers.
