rpc+lnd: add new invoice-only macaroon #904
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Is there any read only macaroon permission level in the roadmap? Such as access to see the stats without being able to perform actions (open/close channels, sendcoins)? |
|
@joaodealmeida that already exists. It's called |
|
awesome! |
…acaroon In this commit, we add a new invoicePermissions slice. This contains all the permission that a holder of an invoice.macaroon is able to access, and no others. We also include read and write access to addresses as this may be useful from the PoV of a merchant or exchange.
In the prior commit, we added a new set of permissions and also a new entity: “invoices”. We’ll add this set of entities to the read and write permissions accordingly as well to ensure that the existing macaroons have access to all the items that the invoice.macaroon does.
… entity In this commit, we modify the existing invoice RPC macaroon permissions to target a more specific entity: “invoices”. As a result of this commit, once node operators update, they’ll need to regenerate their readonly.macaroon as it now needs this additional entity encoded within it.
In this commit, we wrap up the prior ones and introduce config settings, as well as proper generation for a new invoice-only macaroon. All prior invoice path rules are also properly enforced of this new invoice.macaroon.
Roasbeef
force-pushed
the
invoice-macaroon
branch
from
9fdf6cf to
4c0dcda
Compare
|
Pushed to resolve the conflict, waiting on built, then will merge! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In this PR, we add a new default macaroon type:
invoice.macaroon. The capabilities that this macaroon can unlock are restricted only to: listing invoices, generating invoices, subscribing for invoice notifications, and also generating new addresses.We've received several requests from those working to integrate
lndinto their exchange or merchant workflow to have an macaroon that can only generate invoices. The advantage of this is that a developer can provision a box or process, that can speak tolndbut only to generate new invoices, or to poll for the status of existing invoices. This is a boon for security as it implements a strict separation of invoices, allowing services to create isolated instances with locked down permission only sufficient to carry out their task.NOTE: as implemented now, users will need to regenerate their existing read and write macaroons due to the addition of a more specific entity.
One other thing to note is that we'll only generate the invoice macaroon if none of the macaroons are found. This mirrors the existing behavior to allow an instance to be spun up, only having a particular macaroon in its data directory.
This replaces #496.