Update auth_rules document to reflect the current defaults #1755

Open
WadeBarnes opened this issue May 18, 2022 · 5 comments
Labels
discussing Under further discussion.


@WadeBarnes (Member) commented May 18, 2022

The Default AUTH_MAP Rules document, although mostly accurate, does not fully reflect the default auth rules of a new indy-node network.

One example is the REVOC_REG_ENTRY ADD rule. The document states the owner of the corresponding REVOC_REG_DEF, regardless of role, can add new REVOC_REG_ENTRYs. The default auth_rules for the network, on the other hand, indicate you need to be the owner of the corresponding REVOC_REG_DEF and have a signature from a Trustee, Steward, or Endorser.

Taken from a new network:

```
| REVOC_REG_ENTRY     | ADD    | *           | -             | *             | {                                |
|                     |        |             |               |               |   "auth_constraints": [          |
|                     |        |             |               |               |     {                            |
|                     |        |             |               |               |       "constraint_id": "ROLE",   |
|                     |        |             |               |               |       "metadata": {},            |
|                     |        |             |               |               |       "need_to_be_owner": true,  |
|                     |        |             |               |               |       "role": "0",               |
|                     |        |             |               |               |       "sig_count": 1             |
|                     |        |             |               |               |     },                           |
|                     |        |             |               |               |     {                            |
|                     |        |             |               |               |       "constraint_id": "ROLE",   |
|                     |        |             |               |               |       "metadata": {},            |
|                     |        |             |               |               |       "need_to_be_owner": true,  |
|                     |        |             |               |               |       "role": "2",               |
|                     |        |             |               |               |       "sig_count": 1             |
|                     |        |             |               |               |     },                           |
|                     |        |             |               |               |     {                            |
|                     |        |             |               |               |       "constraint_id": "ROLE",   |
|                     |        |             |               |               |       "metadata": {},            |
|                     |        |             |               |               |       "need_to_be_owner": true,  |
|                     |        |             |               |               |       "role": "101",             |
|                     |        |             |               |               |       "sig_count": 1             |
|                     |        |             |               |               |     }                            |
|                     |        |             |               |               |   ],                             |
|                     |        |             |               |               |   "constraint_id": "OR"          |
|                     |        |             |               |               | }                                |
```

It appears the rule for adding a new REVOC_REG_ENTRY was updated in mid-2019, but the documentation was not updated to reflect the change in code.
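The gap between the two rules described in the comment above, as an added example that is not part of the original issue and is not indy-node code: a simplified evaluator for `ROLE`/`OR`/`AND` constraints, run over constructed signers. Assumptions: `need_to_be_owner` is checked against the request author, `sig_count` counts signatures carrying the required role, and `"*"` (used for the constructed `DOCUMENTED_RULE`) means any role, including none.

```python
# Simplified model of auth-constraint evaluation (assumption, not indy-node's authorizer).
ROLE_NAMES = {"0": "Trustee", "2": "Steward", "101": "Endorser"}


def role_constraint(role):
    return {"constraint_id": "ROLE", "metadata": {}, "need_to_be_owner": True,
            "role": role, "sig_count": 1}


# The rule as dumped from the new network in the issue.
DEFAULT_RULE = {"constraint_id": "OR",
                "auth_constraints": [role_constraint(r) for r in ROLE_NAMES]}
# Constructed rule for what the document describes: owner, regardless of role.
DOCUMENTED_RULE = role_constraint("*")


def authorize(constraint, author, owner, signer_roles):
    """signer_roles maps each signing DID to its role code (None = no role)."""
    cid = constraint["constraint_id"]
    if cid in ("OR", "AND"):
        results = [authorize(c, author, owner, signer_roles)
                   for c in constraint["auth_constraints"]]
        return any(results) if cid == "OR" else all(results)
    if cid != "ROLE":
        raise ValueError(f"unsupported constraint_id: {cid}")
    if constraint["need_to_be_owner"] and author != owner:
        return False
    wanted = constraint["role"]
    matching = [did for did, role in signer_roles.items()
                if wanted == "*" or role == wanted]
    return len(matching) >= constraint["sig_count"]


def evaluate_cases():
    """Return {case: (allowed_by_default_rule, allowed_by_documented_rule)}."""
    owner = "did:owner"  # constructed DIDs, for illustration only
    cases = {
        "owner_no_role": (owner, {owner: None}),
        "owner_is_endorser": (owner, {owner: "101"}),
        "owner_cosigned_by_endorser": (owner, {owner: None, "did:endorser": "101"}),
        "trustee_not_owner": ("did:trustee", {"did:trustee": "0"}),
    }
    return {name: (authorize(DEFAULT_RULE, author, owner, signers),
                   authorize(DOCUMENTED_RULE, author, owner, signers))
            for name, (author, signers) in cases.items()}


if __name__ == "__main__":
    for name, (default, documented) in evaluate_cases().items():
        print(f"{name:28} default={default!s:5} documented={documented}")
```

Only the `owner_no_role` case differs between the two rules, which is the discrepancy the issue reports.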

@WadeBarnes (Member Author)

The indicated discrepancy in the documentation may actually be a bug in the code. The initial code associated with the above indicated changes happened here, 8d505a9, and is associated with this Jira ticket, https://jira.hyperledger.org/browse/INDY-1554. The acceptance criteria for the ticket (in both settings cases) indicate the owner of the REVOC_REG_DEF should be allowed to write new REVOC_REG_ENTRYs.

@WadeBarnes (Member Author)

First step would be to determine if this particular discrepancy is a bug or intentional.

@WadeBarnes (Member Author) commented May 18, 2022

@mac-arrap, @VladimirWork, do either of you recall this work?

@mac-arrap (Member)

So what I remember is that this went through a lot of review by the Evernym team, but we didn't change the documentation. But I would feel a lot more comfortable if @ashcherbakov would confirm.

@WadeBarnes (Member Author) commented May 18, 2022

@mac-arrap, what's throwing me off right now is that the acceptance criteria of the Jira ticket match what is indicated in the auth_rules documentation, but they do not match the default auth_rule (included above) that was implemented in the code.

@WadeBarnes added the "discussing" (Under further discussion.) label May 23, 2023