lncli: add command to create new macaroon #1160
This one actually conflicts with #1147. Would it make sense to make this into one common PR? Or merge one, then rebase/fix conflicts after that?
If either of the two PRs is merged, I'll rebase the other one. The functionality should not conflict, both commands have their usefulness IMO, even if there is overlap in some of the command arguments.
LGTM 💥
I think another nice follow-up would be to allow lncli to use a custom macaroon through a flag as hex to prevent having to save it to a file.
@Roasbeef asked me to rename the service to |
As discussed in #1147 there is a need to create macaroons with custom permissions set since the three existing macaroon files admin.macaroon, invoice.macaroon and readonly.macaroon aren't fine-grained enough.
A new gRPC method named NewMacaroon is added:
macaroon (could be used for macaroon based RPCs mentioned in Add support for accounting-based macaroons #291 too).
write access to the entity macaroon is necessary to call the method NewMacaroon.
admin.macaroon gets write access to the entity macaroon.
newmacaroon that calls this gRPC method.
NewMacaroon method a list of entity/action pairs for the allowed operations can be passed.
Example:
lncli newmacaroon --permission=invoices/write --permission=invoices/read --save_to=~/.lnd/custom-invoice.macaroon --timeout=10
Creates a macaroon that is valid for reading and writing invoices during the next 10 seconds.
Closes #283, #1147, #3516.
NOTE for release notes: Users will need to delete or move their admin.macaroon, readonly.macaroon and invoices.macaroon before starting 0.9, otherwise they won't get regenerated macaroons that have the required permission (macaroon:generate) to mint custom macaroons.
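The entity/action list and timeout from the lncli example above, as an added Go sketch that is not part of this PR or of lnd's code: a simplified macaroon model showing why a minted token can be used only for the listed operations and only until it expires. The caveat strings, identifier and root key are constructed for illustration and do not match lnd's serialization.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"strings"
	"time"
)

// Macaroon is a simplified model (assumption), not lnd's wire format.
type Macaroon struct {
	ID      string
	Caveats []string
	Sig     []byte
}
func chain(key []byte, msg string) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(msg))
	return h.Sum(nil)
}

// Bake mints a macaroon limited to perms ("entity/action") until exp.
func Bake(root []byte, perms []string, exp time.Time) Macaroon {
	m := Macaroon{ID: "constructed-id", Sig: chain(root, "constructed-id")}
	for _, c := range []string{"perms " + strings.Join(perms, ","),
		"time-before " + exp.UTC().Format(time.RFC3339)} {
		// Each caveat is folded into the signature, so it cannot be edited later.
		m.Caveats, m.Sig = append(m.Caveats, c), chain(m.Sig, c)
	}
	return m
}

// Verify recomputes the HMAC chain and requires every caveat to allow op at now.
func Verify(root []byte, m Macaroon, op string, now time.Time) bool {
	sig, ok := chain(root, m.ID), true
	for _, c := range m.Caveats {
		sig = chain(sig, c)
		kind, val, _ := strings.Cut(c, " ")
		t, _ := time.Parse(time.RFC3339, val) // zero time if val is not a timestamp
		ok = ok && ((kind == "perms" && strings.Contains(","+val+",", ","+op+",")) ||
			(kind == "time-before" && now.Before(t)))
	}
	return ok && hmac.Equal(sig, m.Sig)
}
func main() {
	key, now := []byte("constructed-root-key"), time.Now()
	m := Bake(key, []string{"invoices/read", "invoices/write"}, now.Add(10*time.Second))
	fmt.Println(Verify(key, m, "invoices/write", now), Verify(key, m, "onchain/read", now))
}
```

Unknown caveat kinds fail closed in this model, and rewriting the permission caveat on a stored macaroon invalidates the signature.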