Proposal for Adding Macaroon-Based Authorization to Yggdrasil #1247
HappyHakunaMatata started this conversation in Ideas
Replies: 1 comment 1 reply
-
This is likely more complexity than we need at this stage. What specific restrictions do you envisage being useful here?
-
I propose introducing a macaroon-based authorization mechanism in Yggdrasil. This would add significant flexibility to the system through the use of caveats, and furthermore, macaroons were specifically designed with decentralized systems in mind.
From what I understand, the entire authorization logic is currently concentrated in the handler method in link.go. I suggest extending this method to create or retrieve a macaroon during the handshake process. The key benefit of this approach is that macaroons allow for more granular and dynamic control over access rights, especially with the ability to add additional caveats like address or time-based restrictions.
Once the macaroon is created or retrieved, the connection is passed to the HandleConn method, which is already responsible for handling the connection. The macaroon's validity should be checked there (in the Ironwood project), ensuring that any incoming connection is properly authorized.
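For readers unfamiliar with the caveat mechanism the proposal refers to, here is an added sketch of the standard macaroon HMAC chain with an address caveat and a time caveat; it is not part of the original post and is not Yggdrasil or Ironwood code. The names `Mint`, `Attenuate` and `Verify`, the `addr = ` / `before = ` caveat syntax, the key and the address are all constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"strings"
	"time"
)

// Macaroon is an added illustration (hypothetical type, not Yggdrasil/Ironwood code).
type Macaroon struct {
	ID      string
	Caveats []string // first-party caveats, in the order they were added
	Sig     []byte   // HMAC chain over ID and every caveat
}

func mac(key []byte, msg string) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(msg))
	return h.Sum(nil)
}

// Mint is run by the node that holds rootKey: sig0 = HMAC(rootKey, id).
func Mint(rootKey []byte, id string) Macaroon {
	return Macaroon{ID: id, Sig: mac(rootKey, id)}
}

// Attenuate needs no root key: any holder can narrow the token, but cannot undo a caveat.
func (m Macaroon) Attenuate(caveat string) Macaroon {
	return Macaroon{m.ID, append(m.Caveats[:len(m.Caveats):len(m.Caveats)], caveat), mac(m.Sig, caveat)}
}

// Verify recomputes the chain from rootKey and checks each caveat; unknown caveats fail closed.
func Verify(rootKey []byte, m Macaroon, peerAddr string, now time.Time) bool {
	sig, ok := mac(rootKey, m.ID), true
	for _, c := range m.Caveats {
		k, v, _ := strings.Cut(c, " = ")
		t, err := time.Parse(time.RFC3339, v) // only meaningful for "before" caveats
		ok = ok && ((k == "addr" && v == peerAddr) || (k == "before" && err == nil && now.Before(t)))
		sig = mac(sig, c)
	}
	return ok && hmac.Equal(sig, m.Sig) // constant-time comparison of the final signature
}

func main() {
	root := []byte("constructed-root-key") // constructed sample key
	m := Mint(root, "peer-1").Attenuate("addr = 200::1").Attenuate("before = 2030-01-01T00:00:00Z")
	fmt.Println(Verify(root, m, "200::1", time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)))
}
```

Because each signature is keyed by the previous one, dropping or editing a caveat without the root key makes the recomputed chain differ from `Sig`, so the verifier rejects the token.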