Sandbox options in 2.4.0

nagendra · January 5, 2023, 7:53am

Hello, i am working on DAML upgrade from 1.16.0 to 2.4.0 and my old daml.yaml looks like this:

sdk-version: 1.16.0
name: xyz
source: daml
parties:
  - Party1
  - Party2
version: 1.0.0
init-script: Setup:setup
sandbox-options:
 - --ledgerid=xyz
 - --w
dependencies:
  - daml-prim
  - daml-stdlib
  - daml-script

Now i see that in 2.4.0, --ledgerId and --w is not supported thanks to this article. What i wan’t to know is that how does commenting out sandbox-options affect my project as it is in production already and has a lot of data on DAML. I see that DAML starts by default in static time mode and not in wall clock mode, is there a new way to tell DAML to start in wall clock time mode?

Also, the ledgerId seems to be picked up from participantId, hence is there a way to set participantId in the daml.yaml file?

cocreature · January 5, 2023, 8:09am

Hi @nagendra,

Wall clock mode is the default so you can safely omit that. As for the ledger ID, that field has been deprecated in Daml 2.0 and you can omit it from requests. So rather than trying to change it, I would just use the default one and ignore it wherever you currently rely on it.

nagendra · January 5, 2023, 12:50pm

Hi @cocreature,

I tried to hit /query JSON API without ledgerId in the JWT, i get below error. Am i missing something?

{
    "errors": [
        "ledgerId missing in access token"
    ],
    "status": 401
}

i have started daml without ledgerId, also seems like ledgerId is defaulting to “sandbox” as i get below error when i send ledgerId as xyz

{
    "result": [],
    "errors": [
        "Endpoints.ParticipantServerError: NOT_FOUND: LEDGER_ID_MISMATCH(11,0): Ledger ID 'xyz' not found. Actual Ledger ID is 'sandbox'."
    ],
    "status": 501
}

cocreature · January 5, 2023, 1:43pm

You need to use one of the new user tokens instead of the old custom scope tokens. Take a look at Authorization — Daml SDK 2.5.0 documentation.

nagendra · January 5, 2023, 2:09pm

Yes, i am trying new access token formats, but still see same issue.

First format:

{
  "aud": "com:org:xyz",
  "iat": 1672924351,
  "exp": 1672927951,
  "nbf": 1672924351,
  "sub": "user@user.com",
  "https://daml.com/ledger-api": {
    "actAs": [
      "Party1"
    ],
    "role": [
      "abc"
    ],
    "admin": true,
    "applicationId": "efg"
  }
}

second format[since the documentation suggests we can bring out the nested attributes to same level as exp]:

{
  "aud": "com:org:xyz",
  "iat": 1672918005,
  "exp": 1672921605,
  "auth_time": 1672918000,
  "sub": "user@user.com",
  "actAs": [
    "Party1"
  ],
  "role": [
    "abc"
  ],
  "admin": true,
  "applicationId": "efg",
  "party": "Party1",
  "group": "Group1"
}

cocreature · January 5, 2023, 2:10pm

That’s still the old format, the whole section under https://daml.com/ledger-api should go away.

nagendra · January 5, 2023, 2:16pm

Ok, i will try the below format and see if it works.

{
   "aud": "someParticipantId",
   "sub": "someUserId",
   "exp": 1300819380,
   "scope": "daml_ledger_api"
}

nagendra · January 5, 2023, 2:20pm

One query on the below format though.

{
   "aud": "someParticipantId",
   "sub": "someUserId",
   "exp": 1300819380,
   "scope": "daml_ledger_api"
}

We use okta for authentication which gives the JWT we pass on to DAML JSON APIs. We have few scopes defined on okta, for example ledger, migration, user etc. How does DAML derive actAs, role, party etc properties from the given scope?

cocreature · January 5, 2023, 4:00pm

The actAs and readAs rights are derived from the rights you’ve given to the user as specified in sub Take a look at the docs for user management for more details.

nagendra · January 6, 2023, 6:36am

Ok, this requires users to be stored on DAML. The thing is our users are stored on OKTA and authenticated on OKTA, only user’s contracts are stored on DAML, so we cannot use audience and scope based tokens in our project[at least at this point of time]. Any suggestions on ledgerId now? Will it default to sandbox always so that i can use the same in my access token?

cocreature · January 6, 2023, 1:09pm

If you go through daml sandbox then yes it should always be sandbox. As mentioned in the docs sandbox is a wrapper around Canton that configures one in-memory participant called sandbox.

Keep in mind though that Sandbox i(as the name suggests) is not a production ledger. For that you want to run Canton directly. As part of that you can then chose the participant name which maps to the ledger ID.

I do recommend putting in the effort to migrate to user management though. It can simplify things a fair bit in most cases.

nagendra · January 6, 2023, 1:32pm

You are right, we are thinking of migrating to user management to make things simpler. Thanks a lot for your inputs.

Topic		Replies	Views
Is it possible to specify the ledger id when using 'daml start'? Questions	3	185	April 14, 2022
Is it possible to change navigator date in a sandbox ledger? Questions	2	220	June 7, 2021
JWT auth questions Questions daml , sdk	4	482	April 27, 2021
Check Ledger Id of Sandbox Ledger Questions daml , ledger , ledger-api	2	223	May 20, 2022
How to set authentication on production not sandbox environment? Questions	3	430	August 11, 2020

Sandbox options in 2.4.0

Related Topics