Hi Team,
I am testing DAR upload in a canton participant node with authorization enabled, with command participant1.dars.upload(<a dar file>.
I found that the upload is successful when it is done directly in interactive mode (the console with the canton process), but fails when it is done through a remote console, with error unauthenticated.
I suspect it is because the remote console is using ledger-api for DAR upload, such that authorization (a signed JWT) is needed.
I have generated that signed JWT and tested it with daml ledger upload-dar with daml sdk. May I know how to specify that JWT in the configuration of the remote canton console?
Right now, there are two ways to upload to canton via the console: participant.dars.upload and participant.ledger_api.upload_dar. Which one are you using? Generally, if your remote console works, then participant.dars.upload should work. In a subsequent version of the Ledger API, we’ll see to unify them again, but for now, we need to keep both, as the dars.upload has some additional control and preserves the DAR (you can list it via participant.dars.list()).
You can define the JWT token for the ledger api using
canton.remote-participants.myparticipant.token = "JWT TOKEN AS A STRING"
However, please note that the whole participant.ledger_api command section is for convenience only and we don’t currently guarantee that the interface will remain stable, as our ultimate goal is to strive for uniform user experience across all integrations.
I’m using particpant.dars.upload and not using the ledger_api one.
The configuration canton.remote-participants.myparticipant.token works fine. That’s what i need. Thanks again.
What interests me is that the console directly attached on participant node doesn’t require the token, while the remote console needs the token. My guess is that the direct console doesn’t use ledger-api when uploading the DAR, while remote console the upload is done through ledger-api (but not admin-api).
The participant.upload.dar does some synchronisation to ensure that the upload DAR is usable once the call terminates. This synchronisation is looking at the ledger-api as well and because of that it needs the auth token.