remove account key from node config (MystenLabs#10523)

## Description 

As title. This is not needed when running a node.

## Test Plan 

unit tests and tested locally.

---
If your changes are not user-facing and not a breaking change, you can
skip the following section. Otherwise, please indicate what changed, and
then add to the Release Notes section as highlighted during the release
process.

### Type of Change (Check all that apply)

- [x] user-visible impact
- [ ] breaking change for a client SDKs
- [ ] breaking change for FNs (FN binary must upgrade)
- [ ] breaking change for validators or node operators (must upgrade
binaries)
- [ ] breaking change for on-chain data layout
- [ ] necessitate either a data wipe or data migration

### Release notes
Remove account key from node config.

crates/sui-config/src/node.rs

@@ -178,18 +178,10 @@ impl NodeConfig {
         }
     }
 
-    pub fn account_key_pair(&self) -> &SuiKeyPair {
-        self.account_key_pair.keypair()
-    }
-
     pub fn protocol_public_key(&self) -> AuthorityPublicKeyBytes {
         self.protocol_key_pair().public().into()
     }
 
-    pub fn sui_address(&self) -> SuiAddress {
-        (&self.account_key_pair().public()).into()
-    }
-
     pub fn db_path(&self) -> PathBuf {
         self.db_path.join("live")
     }
@@ -682,9 +674,7 @@ mod tests {
     use fastcrypto::traits::KeyPair;
     use rand::{rngs::StdRng, SeedableRng};
     use sui_keys::keypair_file::{write_authority_keypair_to_file, write_keypair_to_file};
-    use sui_types::crypto::{
-        get_key_pair_from_rng, AccountKeyPair, AuthorityKeyPair, NetworkKeyPair, SuiKeyPair,
-    };
+    use sui_types::crypto::{get_key_pair_from_rng, AuthorityKeyPair, NetworkKeyPair, SuiKeyPair};
 
     use super::Genesis;
     use crate::NodeConfig;
@@ -755,10 +745,6 @@ mod tests {
             get_key_pair_from_rng(&mut StdRng::from_seed([0; 32])).1;
         let worker_key_pair: NetworkKeyPair =
             get_key_pair_from_rng(&mut StdRng::from_seed([0; 32])).1;
-        let account_key_pair: SuiKeyPair =
-            get_key_pair_from_rng::<AccountKeyPair, _>(&mut StdRng::from_seed([0; 32]))
-                .1
-                .into();
         let network_key_pair: NetworkKeyPair =
             get_key_pair_from_rng(&mut StdRng::from_seed([0; 32])).1;
 
@@ -773,7 +759,6 @@ mod tests {
             PathBuf::from("network.key"),
         )
         .unwrap();
-        write_keypair_to_file(&account_key_pair, PathBuf::from("account.key")).unwrap();
 
         const TEMPLATE: &str = include_str!("../data/fullnode-template-with-path.yaml");
         let template: NodeConfig = serde_yaml::from_str(TEMPLATE).unwrap();
@@ -785,10 +770,6 @@ mod tests {
             template.network_key_pair().public(),
             network_key_pair.public()
         );
-        assert_eq!(
-            template.account_key_pair().public(),
-            account_key_pair.public()
-        );
         assert_eq!(
             template.worker_key_pair().public(),
             worker_key_pair.public()

crates/sui-swarm/src/memory/container.rs

@@ -6,6 +6,7 @@ use std::sync::{Arc, Weak};
 use std::thread;
 use sui_config::NodeConfig;
 use sui_node::{metrics, SuiNode, SuiNodeHandle};
+use sui_types::crypto::{AuthorityPublicKeyBytes, KeypairTraits};
 use tracing::{info, trace};
 
 use super::node::RuntimeType;
@@ -46,7 +47,7 @@ impl Container {
             let span = tracing::span!(
                 tracing::Level::INFO,
                 "node",
-                name =% config.sui_address()
+                name =% AuthorityPublicKeyBytes::from(config.protocol_key_pair().public()).concise(),
             );
             let _guard = span.enter();
 

crates/sui/src/fire_drill.rs

@@ -8,6 +8,7 @@
 //! Example usage:
 //! sui fire-drill metadata-rotation \
 //! --sui-node-config-path validator.yaml \
+//! --account-key-path account.key \
 //! --fullnode-rpc-url http://fullnode-my-local-net:9000
 
 use anyhow::bail;
@@ -22,6 +23,7 @@ use sui_config::utils;
 use sui_config::{node::AuthorityKeyPairWithPath, Config, NodeConfig, PersistedConfig};
 use sui_framework::{SuiSystem, SystemPackage};
 use sui_json_rpc_types::{SuiExecutionStatus, SuiTransactionBlockResponseOptions};
+use sui_keys::keypair_file::read_keypair_from_file;
 use sui_sdk::{rpc_types::SuiTransactionBlockEffectsAPI, SuiClient, SuiClientBuilder};
 use sui_types::base_types::{ObjectRef, SuiAddress};
 use sui_types::crypto::{generate_proof_of_possession, get_key_pair, SuiKeyPair};
@@ -38,9 +40,12 @@ pub enum FireDrill {
 
 #[derive(Parser)]
 pub struct MetadataRotation {
-    /// Path to the existing sui node config.
+    /// Path to sui node config.
     #[clap(long = "sui-node-config-path")]
     sui_node_config_path: PathBuf,
+    /// Path to account key file.
+    #[clap(long = "account-key-path")]
+    account_key_path: PathBuf,
     /// Jsonrpc url for a reliable fullnode.
     #[clap(long = "fullnode-rpc-url")]
     fullnode_rpc_url: String,
@@ -58,9 +63,10 @@ pub async fn run_fire_drill(fire_drill: FireDrill) -> anyhow::Result<()> {
 async fn run_metadata_rotation(metadata_rotation: MetadataRotation) -> anyhow::Result<()> {
     let MetadataRotation {
         sui_node_config_path,
+        account_key_path,
         fullnode_rpc_url,
     } = metadata_rotation;
-
+    let account_key = read_keypair_from_file(&account_key_path)?;
     let config: NodeConfig = PersistedConfig::read(&sui_node_config_path).map_err(|err| {
         err.context(format!(
             "Cannot open Sui Node Config file at {:?}",
@@ -69,13 +75,14 @@ async fn run_metadata_rotation(metadata_rotation: MetadataRotation) -> anyhow::R
     })?;
 
     let sui_client = SuiClientBuilder::default().build(fullnode_rpc_url).await?;
-    let sui_address = config.sui_address();
+    let sui_address = SuiAddress::from(&account_key.public());
     let starting_epoch = current_epoch(&sui_client).await?;
     info!("Running Metadata Rotation fire drill for validator address {sui_address} in epoch {starting_epoch}.");
 
     // Prepare new metadata for next epoch
     let new_config_path =
-        update_next_epoch_metadata(&sui_node_config_path, &config, &sui_client).await?;
+        update_next_epoch_metadata(&sui_node_config_path, &config, &sui_client, &account_key)
+            .await?;
 
     let current_epoch = current_epoch(&sui_client).await?;
     if current_epoch > starting_epoch {
@@ -114,6 +121,7 @@ async fn update_next_epoch_metadata(
     sui_node_config_path: &Path,
     config: &NodeConfig,
     sui_client: &SuiClient,
+    account_key: &SuiKeyPair,
 ) -> anyhow::Result<PathBuf> {
     // Save backup config just in case
     let mut backup_config_path = sui_node_config_path.to_path_buf();
@@ -122,14 +130,14 @@ async fn update_next_epoch_metadata(
     let backup_config = config.clone();
     backup_config.persisted(&backup_config_path).save()?;
 
-    let sui_address = config.sui_address();
+    let sui_address = SuiAddress::from(&account_key.public());
 
     let mut new_config = config.clone();
 
     // protocol key
     let new_protocol_key_pair = get_authority_key_pair().1;
     let new_protocol_key_pair_copy = new_protocol_key_pair.copy();
-    let pop = generate_proof_of_possession(&new_protocol_key_pair, config.sui_address());
+    let pop = generate_proof_of_possession(&new_protocol_key_pair, sui_address);
     new_config.protocol_key_pair = AuthorityKeyPairWithPath::new(new_protocol_key_pair);
 
     // network key
@@ -217,81 +225,74 @@ async fn update_next_epoch_metadata(
 
     // update protocol pubkey on chain
     update_metadata_on_chain(
-        config,
+        account_key,
         "update_validator_next_epoch_protocol_pubkey",
         vec![
             CallArg::Pure(
                 bcs::to_bytes(&new_protocol_key_pair_copy.public().as_bytes().to_vec()).unwrap(),
             ),
             CallArg::Pure(bcs::to_bytes(&pop.as_bytes().to_vec()).unwrap()),
         ],
-        config.sui_address(),
         sui_client,
     )
     .await?;
 
     // update network pubkey on chain
     update_metadata_on_chain(
-        config,
+        account_key,
         "update_validator_next_epoch_network_pubkey",
         vec![CallArg::Pure(
             bcs::to_bytes(&new_network_key_pair_copy.public().as_bytes().to_vec()).unwrap(),
         )],
-        config.sui_address(),
         sui_client,
     )
     .await?;
 
     // update worker pubkey on chain
     update_metadata_on_chain(
-        config,
+        account_key,
         "update_validator_next_epoch_worker_pubkey",
         vec![CallArg::Pure(
             bcs::to_bytes(&new_worker_key_pair_copy.public().as_bytes().to_vec()).unwrap(),
         )],
-        config.sui_address(),
         sui_client,
     )
     .await?;
 
     // update network address
     update_metadata_on_chain(
-        config,
+        account_key,
         "update_validator_next_epoch_network_address",
         vec![CallArg::Pure(bcs::to_bytes(&new_network_address).unwrap())],
-        config.sui_address(),
         sui_client,
     )
     .await?;
 
     // update p2p address
     update_metadata_on_chain(
-        config,
+        account_key,
         "update_validator_next_epoch_p2p_address",
         vec![CallArg::Pure(bcs::to_bytes(&new_external_address).unwrap())],
-        config.sui_address(),
         sui_client,
     )
     .await?;
 
     // update primary address
     update_metadata_on_chain(
-        config,
+        account_key,
         "update_validator_next_epoch_primary_address",
         vec![CallArg::Pure(
             bcs::to_bytes(&new_primary_addresses).unwrap(),
         )],
-        config.sui_address(),
         sui_client,
     )
     .await?;
 
     // update worker address
     update_metadata_on_chain(
-        config,
+        account_key,
         "update_validator_next_epoch_worker_address",
         vec![CallArg::Pure(bcs::to_bytes(&new_worker_addresses).unwrap())],
-        config.sui_address(),
         sui_client,
     )
     .await?;
@@ -300,12 +301,12 @@ async fn update_next_epoch_metadata(
 }
 
 async fn update_metadata_on_chain(
-    config: &NodeConfig,
+    account_key: &SuiKeyPair,
     function: &'static str,
     call_args: Vec<CallArg>,
-    sui_address: SuiAddress,
     sui_client: &SuiClient,
 ) -> anyhow::Result<()> {
+    let sui_address = SuiAddress::from(&account_key.public());
     let gas_obj_ref = get_gas_obj_ref(sui_address, sui_client, 10000 * 100).await?;
     let mut args = vec![CallArg::Object(ObjectArg::SharedObject {
         id: SUI_SYSTEM_STATE_OBJECT_ID,
@@ -314,7 +315,7 @@ async fn update_metadata_on_chain(
     })];
     args.extend(call_args);
     let tx_data = TransactionData::new_move_call(
-        config.sui_address(),
+        sui_address,
         SuiSystem::ID,
         ident_str!("sui_system").to_owned(),
         ident_str!(function).to_owned(),
@@ -325,23 +326,20 @@ async fn update_metadata_on_chain(
         1,
     )
     .unwrap();
-    execute_tx(config, sui_client, tx_data, function).await?;
+    execute_tx(account_key, sui_client, tx_data, function).await?;
     tokio::time::sleep(tokio::time::Duration::from_secs(5)).await;
     Ok(())
 }
 
 async fn execute_tx(
-    config: &NodeConfig,
+    account_key: &SuiKeyPair,
     sui_client: &SuiClient,
     tx_data: TransactionData,
     action: &str,
 ) -> anyhow::Result<()> {
-    let tx = Transaction::from_data_and_signer(
-        tx_data,
-        Intent::sui_transaction(),
-        vec![config.account_key_pair()],
-    )
-    .verify()?;
+    let tx =
+        Transaction::from_data_and_signer(tx_data, Intent::sui_transaction(), vec![account_key])
+            .verify()?;
     info!("Executing {:?}", tx.digest());
     let tx_digest = *tx.digest();
     let resp = sui_client

crates/sui/src/sui_commands.rs

@@ -222,7 +222,7 @@ impl SuiCommand {
                         println!(
                             "{} - {}",
                             validator.network_address(),
-                            validator.sui_address()
+                            validator.protocol_key_pair().public(),
                         );
                     }
                 }