# ChainID 138 Access Control - Corrected Model

**Date:** December 26, 2024
**Status:** Updated access control model with separate containers for Luis and Putu

---

## Access Control Model

### Ali (Dedicated Physical Proxmox Host)

**Full root access** to entire Proxmox host and all ChainID 138 components:

| VMID | Hostname | Role | Access Level | Notes |
|------|----------|------|--------------|-------|
| 1504 | `besu-sentry-5` | Besu Sentry Node | ✅ Full (root) | Own Proxmox host |
| 2503 | `besu-rpc-4` | Besu RPC Node | ✅ Full (root) | Permissioned identity: 0x8a |
| 2504 | `besu-rpc-4` | Besu RPC Node | ✅ Full (root) | Permissioned identity: 0x1 |
| 6201 | `firefly-2` | Hyperledger Firefly | ✅ Full (root) | Firefly + API stack |

**JWT Authentication:** ✅ Required for all containers

**Implementation Notes:**

- Ali gets root on entire Proxmox host
- Independent networking, keys, and firewall rules
- No shared authentication with other operators

---

### Luis (Separate RPC Containers)

**Limited RPC-only access** via dedicated containers:

| VMID | Hostname | Role | Access Level | Notes |
|------|----------|------|--------------|-------|
| 2505 | `besu-rpc-luis` | Besu RPC Node | ✅ Limited (RPC-only) | Permissioned identity: 0x8a |
| 2506 | `besu-rpc-luis` | Besu RPC Node | ✅ Limited (RPC-only) | Permissioned identity: 0x1 |

**Access Details:**

- ✅ RPC access only (permissioned identities 0x8a and 0x1)
- ✅ Access via reverse proxy / firewall-restricted RPC ports
- ✅ JWT authentication required
- ❌ No access to:
  - Besu Sentry nodes (1504)
  - Firefly nodes (6201)
  - Ali's RPC nodes (2503, 2504)
  - Proxmox infrastructure
  - Node key material

**Implementation Options:**

- Preferred: RPC-only exposure via reverse proxy
- Firewall-restricted RPC ports
- Proxmox VM.Console = No
- No shell / SSH
- No key material access

---

### Putu (Separate RPC Containers)

**Limited RPC-only access** via dedicated containers:

| VMID | Hostname | Role | Access Level | Notes |
|------|----------|------|--------------|-------|
| 2507 | `besu-rpc-putu` | Besu RPC Node | ✅ Limited (RPC-only) | Permissioned identity: 0x8a |
| 2508 | `besu-rpc-putu` | Besu RPC Node | ✅ Limited (RPC-only) | Permissioned identity: 0x1 |

**Access Details:**

- ✅ RPC access only (permissioned identities 0x8a and 0x1)
- ✅ Access via reverse proxy / firewall-restricted RPC ports
- ✅ JWT authentication required
- ❌ No access to:
  - Besu Sentry nodes (1504)
  - Firefly nodes (6201)
  - Ali's RPC nodes (2503, 2504)
  - Luis's RPC nodes (2505, 2506)
  - Proxmox infrastructure
  - Node key material

**Implementation mirrors Luis exactly** (identical permission scope, separate credentials / API keys)

---

## Container Summary

| VMID | Hostname | Role | Access | Permissioned Identity | JWT Auth |
|------|----------|------|--------|----------------------|----------|
| 1504 | besu-sentry-5 | Sentry | Ali (Full) | N/A | ✅ Required |
| 2503 | besu-rpc-4 | RPC | Ali (Full) | 0x8a | ✅ Required |
| 2504 | besu-rpc-4 | RPC | Ali (Full) | 0x1 | ✅ Required |
| 2505 | besu-rpc-luis | RPC | Luis (RPC-only) | 0x8a | ✅ Required |
| 2506 | besu-rpc-luis | RPC | Luis (RPC-only) | 0x1 | ✅ Required |
| 2507 | besu-rpc-putu | RPC | Putu (RPC-only) | 0x8a | ✅ Required |
| 2508 | besu-rpc-putu | RPC | Putu (RPC-only) | 0x1 | ✅ Required |
| 6201 | firefly-2 | Firefly | Ali (Full) | N/A | ✅ Required |

---

## Key Differences from Previous Model

### Previous (Incorrect)

- Luis & Putu shared access to VMID 2503
- Both used same container with different permissioned identities
- Only one container per operator

### Current (Correct)

- **Ali has two containers** (2503 with 0x8a, 2504 with 0x1)
- **Luis has two containers** (2505 with 0x8a, 2506 with 0x1)
- **Putu has two containers** (2507 with 0x8a, 2508 with 0x1)
- **All containers require JWT authentication**
- Complete isolation between operators
- Each identity has its own dedicated container

---

## Security Benefits

1. **Complete Isolation**
   - Each operator has separate container
   - No shared infrastructure
   - No cross-contamination risk
2. **Identity Separation**
   - Ali: 0x8a (container 2503), 0x1 (container 2504)
   - Luis: 0x8a (container 2505), 0x1 (container 2506)
   - Putu: 0x8a (container 2507), 0x1 (container 2508)
3. **Access Control**
   - Luis cannot access Putu's container
   - Putu cannot access Luis's container
   - Both cannot access Ali's infrastructure

---

## Deployment Requirements

### For Luis (VMIDs 2505, 2506)

- Create two separate LXC containers
- Configure as permissioned RPC nodes
- Set up 0x8a identity (2505) and 0x1 identity (2506)
- Configure JWT authentication
- Configure reverse proxy / firewall
- No Proxmox console access
- No SSH access
- RPC-only exposure

### For Putu (VMIDs 2507, 2508)

- Create two separate LXC containers
- Configure as permissioned RPC nodes
- Set up 0x8a identity (2507) and 0x1 identity (2508)
- Configure JWT authentication
- Configure reverse proxy / firewall
- No Proxmox console access
- No SSH access
- RPC-only exposure

---

## Updated Missing Containers List

**Priority 1 - ChainID 138 Critical:**

1. 1504 - besu-sentry-5 (Ali)
2. 2503 - besu-rpc-4 (Ali - 0x8a)
3. 2504 - besu-rpc-4 (Ali - 0x1)
4. **2505 - besu-rpc-luis (Luis - 0x8a)** ⬅️ NEW
5. **2506 - besu-rpc-luis (Luis - 0x1)** ⬅️ NEW
6. **2507 - besu-rpc-putu (Putu - 0x8a)** ⬅️ NEW
7. **2508 - besu-rpc-putu (Putu - 0x1)** ⬅️ NEW
8. 6201 - firefly-2 (Ali)
9. 5000 - blockscout-1

**Note:** All RPC containers (2503-2508) require JWT authentication.

---

## Related Documentation

- [Missing Containers List](../../03-deployment/MISSING_CONTAINERS_LIST.md)
- [ChainID 138 Configuration Guide](../../06-besu/CHAIN138_BESU_CONFIGURATION.md)
- [ChainID 138 Quick Start](../../01-getting-started/CHAIN138_QUICK_START.md)

---

**Last Updated:** December 26, 2024
**Status:** ✅ Corrected
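
The isolation rules in the Container Summary and Key Differences sections can be checked mechanically before containers are created or after the inventory changes. The following Python is an added example, not part of the original deployment documentation; the tuple layout, the `audit` function, and the identity split and JWT flag assumed for the previous model are constructed for illustration.

```python
from collections import defaultdict

# Rows are (vmid, role, operator, access, identity, jwt_required); this layout
# is an assumption of the example. CURRENT is the Container Summary table.
CURRENT = [
    (1504, "sentry", "Ali", "full", None, True),
    (2503, "rpc", "Ali", "full", "0x8a", True),
    (2504, "rpc", "Ali", "full", "0x1", True),
    (2505, "rpc", "Luis", "rpc-only", "0x8a", True),
    (2506, "rpc", "Luis", "rpc-only", "0x1", True),
    (2507, "rpc", "Putu", "rpc-only", "0x8a", True),
    (2508, "rpc", "Putu", "rpc-only", "0x1", True),
    (6201, "firefly", "Ali", "full", None, True),
]
# Previous model: Luis and Putu share VMID 2503 under different identities.
# Which identity each operator used, and the JWT flag, are constructed.
PREVIOUS = [
    (2503, "rpc", "Luis", "rpc-only", "0x8a", True),
    (2503, "rpc", "Putu", "rpc-only", "0x1", True),
]
REQUIRED_IDENTITIES = {"0x8a", "0x1"}
LIMITED_OPERATORS = {"Luis", "Putu"}

def audit(rows):
    """Return sorted violations of the isolation rules stated in this document."""
    findings = []
    owners = defaultdict(set)   # vmid -> operators with access
    hosted = defaultdict(set)   # vmid -> permissioned identities on it
    held = defaultdict(set)     # operator -> identities with an RPC container
    for vmid, role, operator, access, identity, jwt in rows:
        owners[vmid].add(operator)
        if not jwt:
            findings.append(f"{vmid}: JWT authentication not required")
        if operator in LIMITED_OPERATORS and (role, access) != ("rpc", "rpc-only"):
            findings.append(f"{vmid}: {operator} is limited to RPC-only access")
        if role == "rpc":
            hosted[vmid].add(identity)
            held[operator].add(identity)
    for vmid, operators in owners.items():
        if len(operators) > 1:
            findings.append(f"{vmid}: shared by {', '.join(sorted(operators))}")
    for vmid, identities in hosted.items():
        if len(identities) > 1:
            findings.append(f"{vmid}: hosts more than one identity")
    for operator, identities in held.items():
        for missing in sorted(REQUIRED_IDENTITIES - identities):
            findings.append(f"{operator}: no dedicated container for {missing}")
    return sorted(findings)
```

`audit(CURRENT)` returns an empty list, while `audit(PREVIOUS)` reports the shared VMID 2503 and the missing per-identity containers.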