lncli: add command to create new macaroon

[guggero]

As discussed in #1147 there is a need to create macaroons with custom permissions set since the three existing macaroon files admin.macaroon, invoice.macaroon and readonly.macaroon aren't fine-grained enough.

A new gRPC method named NewMacaroon is added:

• Introduces a new permission entity named macaroon (could be used for macaroon based RPCs mentioned in Add support for accounting-based macaroons #291 too).
• write access to the entity macaroon is necessary to call the method NewMacaroon.
• The admin.macaroon gets write access to the entity macaroon.
• A new command is added to lncli named newmacaroon that calls this gRPC method.
• As parameters to the NewMacaroon method a list of entity/action pairs for the allowed operations can be passed.

Example:

lncli newmacaroon --permission=invoices/write --permission=invoices/read --save_to=~/.lnd/custom-invoice.macaroon --timeout=10

Creates a macaroon that is valid for reading and writing invoices during the next 10 seconds.

Closes #283, #1147, #3516.

NOTE for release notes: Users will need to delete or move their admin.macaroon, readonly.macaroon and invoices.macaroon before starting 0.9, otherwise they won't get regenerated macaroons that have the required permission (macaroon:generate) to mint custom macaroons.

[vegardengen]

This one actually conflicts with #1147

Would it make sense to make this into one common PR? Or merge one, then rebase/fix conflicts after that?

[guggero]

If either of the two PRs is merged, I'll rebase the other one. The functionality should not conflict, both commands have their usefulness IMO, even if there is overlap in some of the command arguments.

[joostjager]

During testing I noticed that all of the main macaroons (not just admin.macaroon) need to be removed in order to trigger regeneration. Idk if there is a reason for that.

[joostjager]

If you'd be following up this PR with more granular macaroon baking on the individual call level, how would that map to bakery.Ops?

[wpaulino]

Do you mean being able to create a macaroon for a RPC call that shares permissions with another, but the macaroon is only allowed for the first one?

[guggero]

My idea for the follow-up PR would be that we would use a constant for the entity (for example "rpc") and the full RPC URL (as seen in rpcserver.go, for example "/lnrpc.Lightning/SendCoins") as the action. This would result in quite large macaroons but would offer most flexibility.

[joostjager]

Have we already heard of a use case where our partitioning is insufficient and this fine granularity is required?

[guggero]

Not yet. But I can think of multiple use cases for this. For example being able to estimate a fee through lnd but not being able to see the wallet balance.

[wpaulino]

During testing I noticed that all of the main macaroons (not just admin.macaroon) need to be removed in order to trigger regeneration. Idk if there is a reason for that.

Don't know why either, it should regenerate any that don't already exist. See

lnd/lnd.go

Line 360 in 254de64

if !fileExists(cfg.AdminMacPath) && !fileExists(cfg.ReadMacPath) &&

.

Great work @guggero! I know many users have requested this feature in the past, so it's nice to finally be able to push this forward.

[wpaulino]

Do you mean being able to create a macaroon for a RPC call that shares permissions with another, but the macaroon is only allowed for the first one?

[guggero]

Thank you @joostjager and @wpaulino for the reviews!
I addressed everything unless explicitly commented above.
As discussed offline, I moved the list of permissions that exist to the server side and removed it from the command documentation text. The full list of supported actions and entities is returned in the error message if a user specifies something incorrect.

Will introduce a RPC call to get all supported permissions in the follow-up PR that also introduces fine-grained permissions on individual RPC method level.

[wpaulino]

LGTM 💥

I think another nice follow-up would be to allow lncli to use a custom macaroon through a flag as hex to prevent having to save it to a file.

[guggero]

@Roasbeef asked me to rename the service to BakeMacaroon.