lncli: add command to delegate macaroons #1147
Conversation
There is definitely a need for option two. For example in the woocommerce LND plugin, there is the need for invoice macaroon rights plus some other read-rights. For now, that means we need to give it the admin macaroon, which is not too good security wise.
I see, thanks for your input! In that case I propose to add a new gRPC method named
What do you think?
Branch force-pushed from ffba6ef to fbc8844
Branch force-pushed from 2eb1898 to 5c1749e
Branch force-pushed from 4183739 to 585a488
Branch force-pushed from 726b942 to a580366
Branch force-pushed from c7c6d8b to 06ff9b8
Branch force-pushed from 3bbd316 to 2449a9d
Branch force-pushed from 94c6ec6 to 7346a67
Branch force-pushed from 6bf6300 to c7b8f70
Branch force-pushed from c7b8f70 to 9a4dfc2
Tested the new changes (rebased on current master). This LGTM.
Branch force-pushed from f75c424 to 4dde55d
Tested ACK. LGTM, again. Rebases on current master with no issues AFAICT.
Branch force-pushed from 4dde55d to d2934d5
Branch force-pushed from d2934d5 to 4a86d01
Branch force-pushed from 4a86d01 to c3feaba
Branch force-pushed from f3df516 to 18cfc3f
Branch force-pushed from 12153de to 85647f4
Branch force-pushed from 85647f4 to abdc63d
Branch force-pushed from abdc63d to bb940fa
Branch force-pushed from bb940fa to 4c752cc
Branch force-pushed from 4c752cc to fc42658
Branch force-pushed from fc42658 to 50534a0
Now that #1160 is merged, this doesn't offer any new functionality. Closing as redundant.
This PR addresses #283 and introduces the new command `delegatemacaroon` to the `lncli` tool. Currently, this just exposes the functionality that `lncli` already uses internally to the command line interface:

- `--macaroonpath` (default is `~/.lnd/admin.macaroon`)
- `--timeout`
- `--ip_address`

Depending on the `--format` parameter, the following output is produced (truncated for brevity):

`lncli delegatemacaroon --format=json --timeout=3600 --ip_address=123.123.123.123`:

`lncli delegatemacaroon --format=hex --timeout=3600 --ip_address=123.123.123.123`:

Once new first-party caveats are introduced, they can be implemented here as well.

@aakselrod: Does this cover your idea as described in #283?

As I see it, there are at least two ways to delegate macaroons in `lnd`:

1. Take the existing macaroons (`admin.macaroon`, `invoice.macaroon` and `readonly.macaroon`) and add first-party caveats to them (as implemented in this PR).
2. Bake new macaroons from the `macaroons.db` and define custom operations/permissions. Then add first-party caveats to those newly baked macaroons.

The second option has the advantage that the user can customize the allowed operations/permissions. But the big disadvantage that the `macaroons.db` needs to be unlocked (`lnd` needs to be stopped) and decrypted with the wallet password.

Am I correct in the assumption that you meant to implement option 1 in your issue, instead of option 2?

Thanks for your feedback!
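The following is an added example, not code from this PR or from lnd, that models what "option 1" means cryptographically: a macaroon's signature is an HMAC chain, so anyone holding `admin.macaroon` can attenuate it with first-party caveats (a `--timeout` becomes a `time-before` caveat, an `--ip_address` becomes an `ipaddr` caveat) without any key, but nobody can strip a caveat back off because the verifier recomputes the chain from the root key. The caveat spelling (`time-before <RFC3339>`, `ipaddr <ip>`), the root key and the request context are assumptions made for the example; lnd's real implementation uses gopkg.in/macaroon and the macaroon-bakery checkers rather than this hand-rolled structure.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Macaroon is a minimal illustrative stand-in (not lnd's type): an identifier,
// an ordered list of first-party caveats, and the chained HMAC signature.
type Macaroon struct {
	ID      string
	Caveats []string
	Sig     []byte
}

func mac(key, msg []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(msg)
	return h.Sum(nil)
}

// Mint creates a root macaroon: Sig = HMAC(rootKey, ID). Only the service
// holding rootKey can do this; it corresponds to lnd baking admin.macaroon.
func Mint(rootKey []byte, id string) *Macaroon {
	return &Macaroon{ID: id, Sig: mac(rootKey, []byte(id))}
}

// AddFirstPartyCaveat attenuates a macaroon: Sig' = HMAC(Sig, caveat).
// No key is needed, so any holder can delegate a more restricted copy, but
// the chain can only grow; removing a caveat invalidates the signature.
func (m *Macaroon) AddFirstPartyCaveat(caveat string) *Macaroon {
	caveats := append(append([]string{}, m.Caveats...), caveat)
	return &Macaroon{ID: m.ID, Caveats: caveats, Sig: mac(m.Sig, []byte(caveat))}
}

// Delegate mirrors the effect of `lncli delegatemacaroon --timeout --ip_address`
// in this model. The caveat syntax is an assumption for the example.
func Delegate(m *Macaroon, now time.Time, timeout time.Duration, ip string) *Macaroon {
	out := m
	if timeout > 0 {
		out = out.AddFirstPartyCaveat("time-before " + now.Add(timeout).UTC().Format(time.RFC3339))
	}
	if ip != "" {
		out = out.AddFirstPartyCaveat("ipaddr " + ip)
	}
	return out
}

// Verify recomputes the HMAC chain from the root key (authenticity first),
// then evaluates each first-party caveat against the request context.
func Verify(rootKey []byte, m *Macaroon, now time.Time, peerIP string) error {
	sig := mac(rootKey, []byte(m.ID))
	for _, c := range m.Caveats {
		sig = mac(sig, []byte(c))
	}
	if !hmac.Equal(sig, m.Sig) {
		return errors.New("invalid signature: tampered or caveat removed")
	}
	for _, c := range m.Caveats {
		parts := strings.SplitN(c, " ", 2)
		if len(parts) != 2 {
			return fmt.Errorf("malformed caveat %q", c)
		}
		switch parts[0] {
		case "time-before":
			t, err := time.Parse(time.RFC3339, parts[1])
			if err != nil || !now.Before(t) {
				return fmt.Errorf("caveat %q not satisfied", c)
			}
		case "ipaddr":
			if parts[1] != peerIP {
				return fmt.Errorf("caveat %q not satisfied", c)
			}
		default:
			// Unknown caveats must fail closed, never be ignored.
			return fmt.Errorf("unknown caveat %q", c)
		}
	}
	return nil
}

func main() {
	rootKey := []byte("constructed-root-key-for-example") // constructed sample key
	now := time.Date(2018, 5, 1, 12, 0, 0, 0, time.UTC)
	admin := Mint(rootKey, "admin")
	delegated := Delegate(admin, now, time.Hour, "123.123.123.123")
	fmt.Println("in window, right IP:", Verify(rootKey, delegated, now.Add(30*time.Minute), "123.123.123.123"))
	fmt.Println("expired:", Verify(rootKey, delegated, now.Add(2*time.Hour), "123.123.123.123"))
	fmt.Println("wrong IP:", Verify(rootKey, delegated, now, "10.0.0.1"))
	stripped := &Macaroon{ID: delegated.ID, Sig: delegated.Sig} // caveats removed, sig kept
	fmt.Println("caveats stripped:", Verify(rootKey, stripped, now, "123.123.123.123"))
}
```

The order inside `Verify` matters: the signature is checked before any caveat string is parsed, so a forged or stripped macaroon is rejected before its attacker-controlled caveats influence anything, and an unrecognised caveat fails closed rather than being skipped. This is also why the second option in the PR description requires the unlocked `macaroons.db`: adding caveats needs only the macaroon, but changing the permission set needs the root key.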