One-time command to upload the current idgraph to parachain #3131
Conversation
…-idgraph-to-parachain
…-idgraph-to-parachain
…-idgraph-to-parachain
…-idgraph-to-parachain
…d-to-upload-the-current-idgraph-to-parachain
…-idgraph-to-parachain
…-idgraph-to-parachain
…-idgraph-to-parachain
Kailai-Wang
requested review from
silva-fj,
kziemianek,
felixfaisal and
a team
There was a problem hiding this comment.
If we decide to keep it as it is we need to call it ultimately one more time once sidechai's IMP becomes immutable (trusted call are not touching idgraps) and before IMP pallet storage is removed so I assume there will be worker version supporting this command and disabling IMP's related trusted calls.
| let local_state = state.clone(); | ||
|
|
||
| io_handler.add_sync_method("omni_UploadIDGraph", move |params: Params| { | ||
| debug!("worker_api_direct rpc was called: omni_UploadIDGraph"); |
There was a problem hiding this comment.
I would suggest putting this in startup code, guarded by CLI argument.
Currently anybody can call this method - it will flood parachain.
Another thing is: upload should be triggered after sidechain's imp pallet becomes immutable and before parachain storage becomes mutable - otherwise there will be conflicts/outdated account stores.
There was a problem hiding this comment.
I didn't go for this as I wanted to save the communication between non-enclave and enclave, as it's a one-time thing. omni_UploadIDGraph could be called multiple times - e.g. right before we switch to the new on-chain IDGraph, the whole process should be done within 1 minute - like it's hard for any abusers to predict when we are going to do the upgrade.
Let me change it to start-up sub-command. In that way we'll stop worker, do the upload (so that nothing changes at the same time), and restart it with newer version that supports on-chain Graph
There was a problem hiding this comment.
start-up sub-command that would be a better solution. Completely offline. No worries for any potential hacks.
tee-worker/identity/enclave-runtime/src/initialization/global_components.rs
Outdated
Show resolved
Hide resolved
tee-worker/bitacross/enclave-runtime/src/initialization/global_components.rs
Outdated
Show resolved
Hide resolved
| @@ -171,7 +172,7 @@ pub mod pallet { | |||
| who: omni_account, | |||
| result: result.map(|_| ()).map_err(|e| e.error), | |||
| }); | |||
| Ok(()) | |||
| Ok(Pays::No.into()) | |||
There was a problem hiding this comment.
I've also noticed it missing but in my case I had to:
https://github.com/litentry/litentry-parachain/pull/3132/files#diff-960f61f16faf996e829d1decb06b54fb404525cc02cdc585b9e8db86d596014dR344
Otherwise all extrinsincs signed by newly generated account were rejected (low funds)
…-idgraph-to-parachain
Kailai-Wang
deleted the
p-1085-one-time-command-to-upload-the-current-idgraph-to-parachain
branch
Context
As topic.
We just stop the worker and do
RUST_LOG=info ./litentry-worker upload-id-graph -m <shard>- it will not return before all txs are finalised on-chain.-m <shard>is optional if the shard (mrenclave) is the same as where IDGraph is stored.Locally tested ok