The Provenance Blockchain metadata module implements authorization capabilities through the authz system, which checks for granted permissions when there are missing signatures in metadata operations. The system uses GenericAuthorization with message type URLs and supports hierarchical message authorization where grants on parent message types automatically work for their subtypes, enabling flexible permission management for complex metadata operations while maintaining security through one-way authorization inheritance.

Implementation

The authz implementation in the metadata module checks for a granted permission whenever a required signature is missing from a metadata operation.
A GenericAuthorization should be used, with the message type URLs documented in the messages specification.

Code Examples

Grant

go
// Source: https://github.com/provenance-io/provenance
granter := ... // Bech32 AccAddress
grantee := ... // Bech32 AccAddress
// Grant on MsgWriteScopeRequest (also covers its subtypes, see Special Allowances), expiring in one hour.
a := authz.NewGenericAuthorization(types.TypeURLMsgWriteScopeRequest)
err := s.app.AuthzKeeper.SaveGrant(s.ctx, grantee, granter, a, now.Add(time.Hour))

Delete

go
// Source: https://github.com/provenance-io/provenance
// Remove the grant for a single message type URL directly from the keeper's store.
err := s.app.AuthzKeeper.DeleteGrant(s.ctx, grantee, granter, types.TypeURLMsgWriteScopeRequest)

Revoke

go
// Source: https://github.com/provenance-io/provenance
granter := ... // Bech32 AccAddress
grantee := ... // Bech32 AccAddress
// Revoke through the message handler, as a MsgRevoke transaction would.
msgRevoke := authz.NewMsgRevoke(granter, grantee, types.TypeURLMsgWriteScopeRequest)
res, err := s.app.AuthzKeeper.Revoke(s.ctx, msgRevoke)

CLI Commands

Grant

shell
$ provenanced tx authz grant <grantee> <authorization_type> --from <granter>

Revoke

shell
$ provenanced tx authz revoke <grantee> <msg-type-url> --from <granter>

Special Allowances

Some messages in the metadata module have hierarchies. A grant on a parent message type will also work for any of its message subtypes, but not the other way around. Therefore, authorizations on these messages are one way.

MsgWriteScopeRequest

An authorization on MsgWriteScopeRequest works for any of the listed message subtypes:
  • MsgAddScopeDataAccessRequest
  • MsgDeleteScopeDataAccessRequest
  • MsgAddScopeOwnerRequest
  • MsgDeleteScopeOwnerRequest

MsgWriteSessionRequest

An authorization on MsgWriteSessionRequest works for any of the listed message subtypes:
  • MsgWriteRecordRequest

MsgWriteScopeSpecificationRequest

An authorization on MsgWriteScopeSpecificationRequest works for any of the listed message subtypes:
  • MsgAddContractSpecToScopeSpecRequest
  • MsgDeleteContractSpecFromScopeSpecRequest

MsgWriteContractSpecificationRequest

An authorization on MsgWriteContractSpecificationRequest works for any of the listed message subtypes:
  • MsgWriteRecordSpecificationRequest

MsgDeleteContractSpecificationRequest

An authorization on MsgDeleteContractSpecificationRequest works for any of the listed message subtypes:
  • MsgDeleteRecordSpecificationRequest

Important Notes

An authorization on a Write endpoint for an entry/spec will NOT work for its Delete endpoint.
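The one-way hierarchy in Special Allowances and the Write/Delete rule above, as an added example that is not part of this documentation or the Provenance code base. It models the authz grant store with an assumed in-memory GrantStore keyed by bare message names (standing in for the real type URLs) and resolves a message by walking only upward through the parent table, so a subtype grant never satisfies its parent and a Write grant never satisfies a Delete; expiry is checked the way SaveGrant's expiration implies.

```go
package main

import (
	"fmt"
	"time"
)

// parentOf maps each subtype to the parent message type whose grant also covers
// it, exactly as listed on this page. Inheritance is one-way: a grant on a
// subtype never covers its parent, and a Write grant never covers a Delete.
var parentOf = map[string]string{
	"MsgAddScopeDataAccessRequest":              "MsgWriteScopeRequest",
	"MsgDeleteScopeDataAccessRequest":           "MsgWriteScopeRequest",
	"MsgAddScopeOwnerRequest":                   "MsgWriteScopeRequest",
	"MsgDeleteScopeOwnerRequest":                "MsgWriteScopeRequest",
	"MsgWriteRecordRequest":                     "MsgWriteSessionRequest",
	"MsgAddContractSpecToScopeSpecRequest":      "MsgWriteScopeSpecificationRequest",
	"MsgDeleteContractSpecFromScopeSpecRequest": "MsgWriteScopeSpecificationRequest",
	"MsgWriteRecordSpecificationRequest":        "MsgWriteContractSpecificationRequest",
	"MsgDeleteRecordSpecificationRequest":       "MsgDeleteContractSpecificationRequest",
}
// grantKey identifies one GenericAuthorization; GrantStore is an assumed
// in-memory stand-in for the authz keeper (the real one persists chain state).
type grantKey struct{ granter, grantee, msgType string }
type GrantStore struct{ grants map[grantKey]time.Time }

func NewGrantStore() *GrantStore { return &GrantStore{grants: map[grantKey]time.Time{}} }

// SaveGrant mirrors AuthzKeeper.SaveGrant: grantee may act for granter on msgType until exp.
func (g *GrantStore) SaveGrant(granter, grantee, msgType string, exp time.Time) {
	g.grants[grantKey{granter, grantee, msgType}] = exp
}
// IsAuthorized walks from msgType up its parent chain and reports whether any level
// holds an unexpired grant from granter to grantee. It never walks down the chain.
func (g *GrantStore) IsAuthorized(granter, grantee, msgType string, now time.Time) bool {
	for t := msgType; t != ""; t = parentOf[t] {
		if exp, ok := g.grants[grantKey{granter, grantee, t}]; ok && now.Before(exp) {
			return true
		}
	}
	return false
}

func main() {
	s, now := NewGrantStore(), time.Now() // "granter"/"grantee" are constructed sample addresses
	s.SaveGrant("granter", "grantee", "MsgWriteScopeRequest", now.Add(time.Hour))
	fmt.Println(s.IsAuthorized("granter", "grantee", "MsgAddScopeOwnerRequest", now)) // true
	fmt.Println(s.IsAuthorized("granter", "grantee", "MsgWriteScopeRequest", now.Add(2*time.Hour))) // false
}
```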
