Adding Authorized Users for Settings Proposals
Sawtooth supports on-chain settings to configure validator behavior,
consensus, permissions, and more. The Settings transaction processor (or
an equivalent) handles these on-chain settings. The on-chain setting
sawtooth.settings.vote.authorized_keys
contains the public keys of
validators and users who are allowed to propose and vote on settings
changes.
By default, settings changes are restricted to the owner of the private
key used to create the genesis block, as specified by the
--key privatekeyfile
option for the sawswet genesis
command. The
associated public key is stored in
sawtooth.settings.vote.authorized_keys
when the genesis block is
created.
If the validator key was used to create the genesis block, we strongly recommend adding one or more user keys to this setting. Otherwise, if the first node becomes unavailable, no settings changes can be made.
This procedure describes how to add a user key to
sawtooth.settings.vote.authorized_keys
.
-
Log into the Sawtooth node that has your private key file.
Important
If the genesis block was created with the first validator's key, and no user keys are authorized to change settings, you must run this procedure on the same node that created the genesis block. The
sawset proposal create
command requires the private validator key that was generated on that node. -
Make sure that the Settings transaction processor (or an equivalent) and the REST API are running, as described in Running Sawtooth as a Service.
-
Display the existing setting.
$ sawtooth settings list sawtooth.settings.vote.authorized_keys
The output will resemble this example:
sawtooth.settings.vote.authorized_keys: 0276023d4f7323103db8d8683a4b7bc1eae1f66...
If you want to add a key to the existing list, copy the key strings for the next step.
-
Add the new user's public key to the list of those allowed to change settings.
$ sawset proposal create --key {PRIVATE-KEY} \ sawtooth.settings.vote.authorized_keys='{OLDLIST},{NEWKEY}'
Note
- For
{PRIVATE-KEY}
, specify the path to your private key file (or the validator's private key file, if it was used to create the genesis block). - For
{OLDLIST}
, use the list of existing keys from step 2. To delete a key, omit it from this list. - For
{NEWKEY}
, use the public key of the user you want to add.
- For
-
To see the changed setting, run
sawtooth settings list
again.$ sawtooth settings list sawtooth.settings.vote.authorized_keys
Check that the new user key appears on the list.
About proposal voting
Each settings change must receive a certain amount of votes in order to be accepted. By default, only one vote is required, and the settings proposal contains an automatic "yes" vote from the user (or validator) who submitted the proposal. For information on configuring more complex voting schemes, see Settings Transaction Family.