TL;DR: Configure the tezos-node RPC port with --rpc-addr localhost:8732 rather than (or in addition to, if providing remote RPC access)
Default ACL for RPC
The v10.1 release of the Octez software adds a new default ACL for RPC feature, and the way it works is subtle.
If the listening address resolves to the loopback network interface, then full access to all endpoints is granted.
If the listening address is a network address, then a more restrictive policy applies.
The upshot of this is that specifying the node’s RPC listening address as :8732 – as it does not explicitly mention 127.0.0.1 – is treated as the network address case, and the restrictive default policy applies even when the client is connecting to localhost. The baker and endorser clients connect to localhost:8732 by default and are thus blocked by the default restrictive policy, resulting in messages that include:
error: The server doesn't authorize this endpoint (ACL filtering).
What to do if you get the ACL error
If your node’s RPC is not accessed from outside the server, then you probably want to restrict the RPC port to listen only on localhost (or, equivalently,
If you manage your node’s config file, you can update it this way and then restart tezos-node:
tezos-node config update --rpc-addr localhost:8732
If you use the default config file, setting options on the run command line, then you could start tezos-node this way:
tezos-node run --rpc-addr localhost:8732 ...other options here...
If your node’s RPC is accessed remotely then (per Pierre Boutillier) you probably want to set up two RPC listeners, one for localhost and one for remote access. For the latter you will probably want to set up explicit ACL rules to allow/deny specific RPCs to protect the node (which is beyond the scope of this posting). The --rpc-addr option can be specified multiple times to tezos-node run or tezos-node config update to specify multiple listeners:
... --rpc-addr localhost:8732 --rpc-addr :8732
A quick and insecure way to allow all RPCs for remote access is by adding the --allow-all-rpc :8732 option to the above.
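The loopback-versus-network rule above and the two-listener fix can be checked with this added Python model; it is not Octez code. It assumes that only the name localhost and loopback IP literals count as loopback, that a bare :port binds every interface, and that a local client lands on the listener bound to the host it targets, falling back to the wildcard :port listener.

```python
"""Model of the Octez v10.1 default RPC ACL rule, written for this post.

policy_for() classifies one --rpc-addr value; local_client_blocked() predicts
whether a baker/endorser on the same machine (targeting localhost:8732 by
default) hits "ACL filtering" for a given set of listeners.  Name resolution
is deliberately simplified (assumption): only 'localhost' and loopback IP
literals are loopback; any other hostname is treated as a network address.
"""
import ipaddress

DEFAULT_RPC_PORT = 8732
LOOPBACK_NAMES = {"localhost"}        # assumption: resolves to 127.0.0.1 / ::1


def split_addr(addr):
    """Split 'host:port', '[v6]:port', ':port' or 'host' into (host, port)."""
    host, sep, port = addr.rpartition(":")
    if not sep or addr.endswith("]"):  # bare host, no port given
        host, port = addr, ""
    return host.strip("[]"), int(port) if port else DEFAULT_RPC_PORT


def is_loopback(host):
    """True if the listen host resolves to the loopback interface."""
    if host == "":                     # ':8732' binds every interface
        return False
    if host in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                 # other hostnames: assume network
        return False


def policy_for(addr):
    """Default ACL one --rpc-addr value gets: 'allow-all' or 'restrictive'."""
    host, _ = split_addr(addr)
    return "allow-all" if is_loopback(host) else "restrictive"


def same_host(a, b):
    return a == b or (is_loopback(a) and is_loopback(b))


def local_client_blocked(listeners, target="localhost:8732"):
    """Would a client on this machine targeting `target` be ACL-filtered?"""
    thost, tport = split_addr(target)
    on_port = [l for l in listeners if split_addr(l)[1] == tport]
    exact = [l for l in on_port if same_host(split_addr(l)[0], thost)]
    wildcard = [l for l in on_port if split_addr(l)[0] == ""]
    chosen = exact or wildcard         # assumption: exact bind wins
    if not chosen:
        return True                    # nothing listening: cannot succeed
    return policy_for(chosen[0]) == "restrictive"
```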
Here is how Pierre Boutillier puts it on the Baking Slack (lightly edited by me):
If you configured --rpc-addr to something other than localhost:... and want to do something forbidden by the ACL, you have two possibilities:
If your baker/endorser/accuser/client/… is actually on the same machine, add an extra --rpc-addr localhost:... in addition to your old
localhost as the target of your RPCs. This configuration is safe (as long as access on your machine is secured).
If not, use
[XXX] being the exact same string as what you put as the --rpc-addr argument. This configuration may not be safe.