Daml v2.0: Sandbox with authorization

Hi team,

I’m testing the Daml v2.0 sandbox with authorization.

Without authorization, the sandbox is started without problems.

The configuration file for authorization looks like this (auth.conf):

canton.participants.sandbox.ledger-api.auth-services = [{
    type = jwt-rs-256-crt
    certificate = sandbox.crt
}]

When I start the sandbox with this:

% daml sandbox --dar .daml/dist/firstdaml-0.0.1.dar -c auth.conf
Starting Canton sandbox.
Listening at port 6865
Uploading .daml/dist/firstdaml-0.0.1.dar to localhost:6865
WARN  c.d.l.a.a.Authorizer - UNAUTHENTICATED(6,0): The command is missing a (valid) JWT token, context: {participant: "sandbox", err-context: "{location=ErrorFactories.scala:244}"}
An exception was thrown during the upload-dar command
- GRPCIOBadStatusCode StatusUnauthenticated (StatusDetails {unStatusDetails = "An error occurred. Please contact the operator and inquire about the request <no-correlation-id>"})
One reason for this to occur is if the size of DAR file being uploaded exceeds the gRPC maximum message size. The default value for this is 4Mb, but it may be increased when the ledger is (re)started. Please check with your ledger operator.

I think this problem is due to the missing JWT when uploading the DAR. This is different from Daml v1, where no access token is needed.

May I know how I can specify the JWT when starting the Sandbox? `daml sandbox --help` seems to have no such parameter.

% daml sandbox --help
Usage: daml sandbox [--port ARG] [--admin-api-port ARG]
                    [--domain-public-port ARG] [--domain-admin-port ARG]
                    [--canton-port-file PATH]
                    [--static-time | --wall-clock-time] [--canton-help]
                    [-c|--config FILE] [--port-file PATH] [--dar PATH] [ARG]

Thanks.

kc

A follow-up finding.

I finally brought up the Sandbox first without the DAR specified:

daml sandbox -c auth.conf

Then I prepared the JWT for the user participant_admin, and performed the DAR upload using:

daml ledger upload-dar --host localhost --port 6865 .daml/dist/firstdaml-0.0.1.dar --access-token-file adminjwt

Please let me know if this is the right way to upload a DAR. Alternatively, maybe adding --access-token-file could help when launching the Sandbox with a DAR file.

Thanks for your attention.

kc
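The two-step procedure above (start the sandbox with auth.conf, then upload the DAR with a participant_admin token) hinges on producing a JWT that `jwt-rs-256-crt` will accept: the sandbox verifies the RS256 signature against the public key in sandbox.crt, so the token has to be signed with that certificate's private key. The script below is an added example, not code from the original post or from Daml/Canton. It assumes `openssl` is on PATH, uses a throwaway self-signed key pair generated on the spot as a stand-in for the real sandbox.crt/key, and builds the claims in the Daml 2.x user-token layout (`sub` = user id, a participant-scoped `aud` for the participant named "sandbox", and `exp`); the verify function mirrors what the auth service checks on every request, so you can confirm a token file before pointing `--access-token-file` at it.

```shell
#!/bin/sh
# Mint and check a Daml 2.x user access token (RS256) for the upload-dar step.
# Added example, not code from the original post or from Daml/Canton itself.
# Assumptions: openssl on PATH; a throwaway key pair generated here stands in
# for the real key behind sandbox.crt; the claim layout (sub = user id, scoped
# aud for participant "sandbox", exp) follows the Daml 2.x user-token format.

# base64url encode stdin / decode stdin (JWT uses unpadded base64url).
b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }
b64url_decode() {
  s=$(tr '_-' '/+')
  case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac
  printf '%s' "$s" | openssl base64 -d -A
}

# gen_demo_keys <dir>: throwaway RSA key + self-signed cert (our sandbox.crt).
gen_demo_keys() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sandbox" \
    -keyout "$1/sandbox.key" -out "$1/sandbox.crt" >/dev/null 2>&1
}

# mint_token <private-key> <user> <participant-id> <ttl-seconds>: JWT on stdout.
mint_token() {
  key=$1 user=$2 participant=$3 ttl=$4
  header='{"alg":"RS256","typ":"JWT"}'
  exp=$(( $(date +%s) + ttl ))
  # sub = ledger user; aud = participant-scoped audience (assumed form); exp = expiry.
  payload="{\"sub\":\"$user\",\"aud\":\"https://daml.com/jwt/aud/participant/$participant\",\"exp\":$exp}"
  input="$(printf '%s' "$header" | b64url).$(printf '%s' "$payload" | b64url)"
  sig=$(printf '%s' "$input" | openssl dgst -sha256 -sign "$key" -binary | b64url)
  printf '%s.%s\n' "$input" "$sig"
}

# token_claims <jwt>: decoded payload JSON on stdout (no signature check).
token_claims() {
  p=${1#*.}; p=${p%.*}
  printf '%s' "$p" | b64url_decode
}

# verify_token <cert> <jwt>: exit 0 only if the RS256 signature over
# header.payload matches the public key in <cert>, which is what
# jwt-rs-256-crt checks on every Ledger API request.
verify_token() {
  cert=$1 jwt=$2
  tmp=$(mktemp -d)
  openssl x509 -in "$cert" -pubkey -noout > "$tmp/pub.pem"
  printf '%s' "${jwt##*.}" | b64url_decode > "$tmp/sig.bin"
  printf '%s' "${jwt%.*}" | openssl dgst -sha256 -verify "$tmp/pub.pem" \
      -signature "$tmp/sig.bin" >/dev/null 2>&1
  rc=$?
  rm -rf "$tmp"
  return $rc
}

# Usage (paths are hypothetical; with a real deployment, sign with the private
# key that belongs to the certificate named in auth.conf):
#   d=$(mktemp -d); gen_demo_keys "$d"
#   mint_token "$d/sandbox.key" participant_admin sandbox 3600 > adminjwt
#   verify_token "$d/sandbox.crt" "$(cat adminjwt)" && echo "signature OK"
#   daml ledger upload-dar --host localhost --port 6865 \
#       .daml/dist/firstdaml-0.0.1.dar --access-token-file adminjwt
```

Two practical caveats follow from the code: the token is only as good as its `exp`, so mint a fresh one rather than keeping a long-lived admin token on disk, and `verify_token` deliberately checks nothing but the signature; the sandbox additionally requires that `sub` names an existing user (participant_admin exists by default) and that the audience, if present, matches its own participant id.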