New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Simplify permission parent model to a permission owner model #155
Comments
I like the new
Was there a use case for this initially? The notion of two permission instances that grant the same capability but are different because they come from different parents feels very artificial. And, as I'm understanding it, the current proposal would make each permission ownable by only a single entity; what about multiple owners of a permission? |
I agree.
That can be achieved at a second layer setting the permission owner as a Group app or another forwarder. |
I'm really excited that we'll get to re-write this line (it even has a circular dependency in English!):
Small nomenclature suggestion: does "manager" or "controller" make more sense than "owner"? I don't mind "owner" that much, but it does usually suggest a different concept in smart contracts ("owning" the actual contract; yet permissions are not contracts themselves) and may also be slightly confusing in the UNIX analogy. |
That's true, I think "manager" conveys the concept well without confusion like "owner" |
Update aragonOS doc to reflect aragon/aragonOS#155 changes
In the current iteration of the Kernel ACL, every permission instance has its own 'parent'. A more detailed explanation can be found in the ACL section of the AragonOS doc. In this model the parent of a permission instance means two different things:
The problem with this permission model is that in case a permission has been granted to an entity that cannot do arbitrary calls (i.e. Finance or Fundraising), the process for granting the permission to another entity (i.e. wanting to install another app that needs vault access) involves revoking the permission in a complex workflow like this:
Problems:
Y
doesn't have permission to dokernel.createPermission
, two different entities need to coordinate their actions. The permission cannot be created again while the Finance app has it.Z
needs to be trusted to perform all three actions (easily solvable makingZ
a contract that executes aEVMCallScript
)Proposed new model
Introduce a permission
owner
at the permission level and remove the permissionparent
from the permission instance level. Theowner
is able togrant
orrevoke
an arbitrary number of permission instances of that permission.createPermission(address entity, address app, bytes32 role, address newOwner)
: protected behind the ACL. Creates a new permission setting an owner. Permission is granted toentity
. If permission has already been created, it fails.grantPermission(address entity, address app, bytes32 role)
: Grants a permission instance for entity. Only callable by permission owner.revokePermission(address entity, address app, bytes32 role)
: Revokes a permission instance for entity. Only callable by permission owner.transferOwnership(address app, bytes32 role, address newOwner)
: only callable by permission owner, new owner will be able to revoke all previous permission instances too (impossible under current system).This model still allows every permission to have a different
owner
, which is a very important security feature since some permissions need to be more protected than others.The only disadvantage compared to the current model is that it won't be possible to have two different permission instances anymore (i.e. token transfers can be done by entity A and B) that could be revoked by different entities (entity A can be revoked its permission by C and B by D).
The text was updated successfully, but these errors were encountered: