refactor(permissions): define default permission set #5075
Conversation
mversic
requested review from
s8sato,
SamHSmith,
outoftardis,
Erigara,
0x009922,
DCNick3 and
dima74
as code owners
mversic
force-pushed
the
default_permission_set
branch
3 times, most recently
from
8bc8495
to
208c2f0
Compare
mversic
force-pushed
the
default_permission_set
branch
from
208c2f0
to
371e332
Compare
github-actions
bot
added
the
config-changes
mversic
force-pushed
the
default_permission_set
branch
from
371e332
to
7e9d7a2
Compare
mversic
force-pushed
the
default_permission_set
branch
7 times, most recently
from
906bb5b
to
502a580
Compare
mversic
changed the title
mversic
force-pushed
the
default_permission_set
branch
2 times, most recently
from
d88ccc4
to
cd94357
Compare
mversic
force-pushed
the
default_permission_set
branch
5 times, most recently
from
e1dc255
to
feafd4d
Compare
| /// First owner | ||
| pub grant_to: AccountId, |
There was a problem hiding this comment.
When role is first registered it has to be given to someone who's the initial owner and can then transitively grant the role to others #5078. An alternative would be to grant role to the account that registers the role, but I felt that complicates things because I would have to track and limit how many new roles has each account created. Instead I introduced CanManageRoles permission
mversic
force-pushed
the
default_permission_set
branch
from
feafd4d
to
c9365d5
Compare
| let mut tokens = self | ||
| .account_inherent_permissions(account_id) | ||
| .collect::<BTreeSet<_>>(); | ||
|
|
||
| for role_id in self.account_roles_iter(account_id) { | ||
| if let Some(role) = self.roles().get(role_id) { | ||
| tokens.extend(role.permissions.iter()); | ||
| } | ||
| } | ||
|
|
||
| Ok(tokens.into_iter()) |
There was a problem hiding this comment.
I decided to remove this and have FindPermissions return only inherent permissions because I was hitting a bug where executor would query all permissions of an account and would then try to revoke them but some of the returned permissions were inside roles and not inherent so the revoke instruction would fail. This was happening with is_permission_domain_associated and the likes
Alternatively, I could have taken an approach where this query returns inherent and role permissions but clearly separated so that the caller can know how to work with each and only revoke the inherent ones.
mversic
force-pushed
the
default_permission_set
branch
from
c9365d5
to
f2a7e5c
Compare
There was a problem hiding this comment.
a reminder that if I revert this, we should also emit Account::PermissionChanged on every Grant<Permission, Role> or Revoke<Permission, Role>
mversic
force-pushed
the
default_permission_set
branch
4 times, most recently
from
817ec0c
to
45edafa
Compare
Signed-off-by: Marin Veršić <marin.versic101@gmail.com>
nxsaken
force-pushed
the
default_permission_set
branch
from
45edafa
to
fd4dd86
Compare
| @@ -12,7 +12,7 @@ use iroha::{ | |||
| }, | |||
| }; | |||
| use iroha_config::parameters::actual::Root as Config; | |||
| use iroha_executor_data_model::permission::asset::CanTransferUserAsset; | |||
| use iroha_executor_data_model::permission::asset::CanModifyAsset; | |||
There was a problem hiding this comment.
What is the reason for combining this permissions?
We can emulate CanModifyAsset as role with 3 permissions.
There was a problem hiding this comment.
ok, but is this granularity necessary? Do you want to give someone the privilege to Burn but not Mint and Transfer?
There was a problem hiding this comment.
I'm not insisting on granularity, but trying to understand is it possible use case to allow only transfers for example.
It feels like minting asset should be prohibited almost always.
There was a problem hiding this comment.
I understand now, I'll restore this
| let role = match crate::data_model::query::builder::QueryBuilderExt::execute_single( | ||
| iroha_smart_contract::query(FindRoles) | ||
| .filter_with(|role| role.id.eq(role_id.clone())), | ||
| ) { |
There was a problem hiding this comment.
If user has many roles we introduce a lot of repeated FindRoles queries.
We can avoid that by query FindRoles only once and provide complex filter with or of all required roles.
Context
CanManagePeers,CanRegisterDomainandCanManageRolespermissionsCanSetKeyValueXXX+CanRemoveKeyValueXXX=CanModifyXXXMetadataCanMintAsset+CanBurnAsset+CanTransferAsset=CanModifyAssetFindPermissionsso it returns only inherent permissions, not from rolescloses #4206
Solution
Review notes (optional)
Checklist
CONTRIBUTING.md.