-
Notifications
You must be signed in to change notification settings - Fork 3.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
EPIC: Accounts #14900
Comments
With EPICs such as these, it's a good idea to explain the (1) rationale/why and (2) what are the high-level goals we're trying to solve for. E.g. for auth, based on various discussions, it seems that we want to:
These are all the general ideas I can think of. |
My general idea around auth would be to have it be divided in 2 different modules (3 if we count vesting). The division would be authv2Domain
Consequencescosmos-sdk are abstracted in such a way that authentication can be handled by something else which is not elliptic curves cryptography. This brings us to say that: cosmos-sdk chains share the same tx anatomy, represented by
This distinction might allow us to plug in different accounts types (accounts as defined by the accountsDomain
features
modules vs accountsI'd like I see modules as a super-set of accounts. What they share:
What they don't share:
towards a more extendable and safer state transition execution modelThis section justifies why we want accounts to be able to be made aware of state transitions whose subject is the account itself, we make distinction between subject and sender. In the context of a There has been desire to enhance and extend limitations and features of accounts, the proposed implementations try to address the limitations and capabilities by extending module's functionality, when in reality they belong to the accounts themselves. For example: #14224 wants to allow developers to inject restrictions on how an account can spend its money, but is this What happens when tomorrow developers will want to impose limitations on governance votes, staking rewards, etc. In my opinion these limitations should be handled by accounts themselves and not by modules. ADR-033Generally speaking,
A problem which |
Thanks for writing this up @testinginprod. I'm having a bit of trouble understanding the distinction betweeen x/accounts and x/auth v2. I wonder if you could describe the state that is managed by these two modules and also the API that they expose in a bit more detail? I can share what I've had in mind for auth v2 (or authn as it probably should be called to distinguish it from authz/authorization). Basically, authn would have two tables:
I think the auto-generated As for credential/pubkey, this has been discussed in other places, but I think we can start with a credential abstraction which is a type that defines an address, and then pubkey extends credential by being able to verify signatures. Credentials that aren't pubkeys could be used to represent module owned addresses and used to authenticate ADR 033 intermodule messages. Credentials which also implement pubkey can verify transactions. In go this would be something like: type Credential interface {
Address() []byte
}
type PubKey interface
Credential
VerifySignature(msg, sig []byte) bool
} |
Yeah @aaronc this is what I had in mind. I think separating out accounts is pretty straight forward and non-contentious. What we really need to explore is the capability layer. |
I'd like to address this part as I feel it's missing a point:
The bank module is responsible for managing balances, including the transfer of funds from one account to another. The need to transfer funds is common both for users and for other modules, and is one of the core functionalities in a blockchain. What is needed is that the same set of restrictions are applied to a transfer whether it's coming directly from a Take a look at the troubles that the As the creator/maintainer of a module, I need to be able to define a restriction that is applied every time funds are being transferred, regardless of the source of that request (e.g. As the creator/maintainer of a blockchain, I want the addition of those restrictions as simple as adding the module(s) to my app. I guess I'm having trouble picturing how restrictions-as-accounts would work. A specific complex example would be useful. Something like this:
Questions:
|
Thank you @SpicyLemon for the insightful comment.
Bank serves the sole purpose of being a bookkeeper. It keeps track of balance changes (with respect to denoms), and enforces some simple invariances: eg a balance cannot hold amounts smaller than zero.
This is where the fallacies of the current execution model come in the transfer scope:
It will eventually need to: you cannot pile restrictions and be confident that some will not conflict with the other. There needs to be awareness of restrictions applied.
But this is orthogonal to the accounts issue (unless you're saying that denoms should be implemented as accounts and implement an ERC20-esque interface), this is bank documentation issue?
But who/what/when/why are you restricting? Will you be implementing a
In the same way as Ethereum implements vesting (as smart contracts) without the need of modifying anything of the core. Old model: graph LR
A[MyExternallyOwnedAccount] -->|MsgDelegate| B[StakingModule]
Possible model: graph LR
A[MyExternallyOwnedAccount] -->|ExecuteMsgDelegate| B[MyVestingAccount]
B -->|MsgDelegate| C[StakingModule]
When OFC the proposed accounts model is fully backwards compatible and even if I am strongly against continuing to extend and implement things as we currently do (hooks/middlewares into modules) you'd still be free to implement things as you did. As it was mentioned in the call, the scope of work does not consider only vesting and limitations on transfer, we want to get more from accounts, like recoverability capabilities, group management of accounts, creating more extendable authorisation accounts, etc. |
When accounts lands, we should disable vesting account creation in the current vesting module. |
#12597 was closed in favor of this epic. |
2 years ago we were researching with @aaronc how to model authentication and addresses with respect to DIDs / IIDs, Group Accounts and Internal Accounts. |
closing in favour of #17786 |
Summary
This issue is meant to facilitate discussion, feature requests and proposals. There have been many discussions on the auth module and how it could be improved. The current design is 5+ years old and there have been countless learnings on the limitations of the current system and how the account module has evolved in the greater cosmos ecosystem.
ref #7091
Work Breakdown
TBD
cc @testinginprod
We would love to hear from others on designs you have in mind for auth and accounts.
The text was updated successfully, but these errors were encountered: