The Provenance Blockchain metadata module implements authorization capabilities through the authz system, which checks for granted permissions when there are missing signatures in metadata operations. The system uses GenericAuthorization with message type URLs and supports hierarchical message authorization where grants on parent message types automatically work for their subtypes, enabling flexible permission management for complex metadata operations while maintaining security through one-way authorization inheritance.
Implementation
When a metadata message is missing one or more required signatures, the module's authz implementation checks whether a matching permission has been granted before it rejects the message.
A GenericAuthorization should be used with the message type URLs documented in the messages specification.
Code Examples
Grant
```go
// Source: https://github.com/provenance-io/provenance
granter := ... // Bech32 AccAddress of the account delegating its signing authority
grantee := ... // Bech32 AccAddress of the account allowed to act on the granter's behalf
// A GenericAuthorization is keyed on the message type URL it covers.
a := authz.NewGenericAuthorization(types.TypeURLMsgWriteScopeRequest)
// Store the grant with an expiration one hour from now; the keeper rejects expired grants.
err := s.app.AuthzKeeper.SaveGrant(s.ctx, grantee, granter, a, now.Add(time.Hour))
```
Delete
```go
// Source: https://github.com/provenance-io/provenance
// Remove the stored grant for this (grantee, granter, message type URL) triple.
err := s.app.AuthzKeeper.DeleteGrant(s.ctx, grantee, granter, types.TypeURLMsgWriteScopeRequest)
```
Revoke
```go
// Source: https://github.com/provenance-io/provenance
granter := ... // Bech32 AccAddress
grantee := ... // Bech32 AccAddress
// Revoke through the message handler rather than deleting the grant directly.
msgRevoke := authz.NewMsgRevoke(granter, grantee, types.TypeURLMsgWriteScopeRequest)
res, err := s.app.AuthzKeeper.Revoke(s.ctx, msgRevoke)
```
CLI Commands
Grant
```shell
$ provenanced tx authz grant <grantee> <authorization_type> --from <granter>
```
Revoke
```shell
$ provenanced tx authz revoke <grantee> <msg-type-url> --from <granter>
```
Special Allowances
Some messages in the metadata module form hierarchies. A grant on a parent message type also works for any of its message subtypes, but not the other way around: a grant on a subtype never authorizes its parent. Authorizations on these messages are therefore one way.
MsgWriteScopeRequest
An authorization on MsgWriteScopeRequest works for any of the listed message subtypes:
- MsgAddScopeDataAccessRequest
- MsgDeleteScopeDataAccessRequest
- MsgAddScopeOwnerRequest
- MsgDeleteScopeOwnerRequest
MsgWriteSessionRequest
An authorization on MsgWriteSessionRequest works for any of the listed message subtypes:
- MsgWriteRecordRequest
MsgWriteScopeSpecificationRequest
An authorization on MsgWriteScopeSpecificationRequest works for any of the listed message subtypes:
- MsgAddContractSpecToScopeSpecRequest
- MsgDeleteContractSpecFromScopeSpecRequest
MsgWriteContractSpecificationRequest
An authorization on MsgWriteContractSpecificationRequest works for any of the listed message subtypes:
- MsgWriteRecordSpecificationRequest
MsgDeleteContractSpecificationRequest
An authorization on MsgDeleteContractSpecificationRequest works for any of the listed message subtypes:
- MsgDeleteRecordSpecificationRequest
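The one-way hierarchy above, together with the missing-signature check described under Implementation, can be modelled in a few lines. The following is an added example written for this page, not code from the provenance repository: the subtype table is the one listed above, the type URL prefix `/provenance.metadata.v1.` is assumed (the real code uses constants such as `types.TypeURLMsgWriteScopeRequest`), and the `Grant` struct and the `pb1...` addresses are constructed stand-ins for stored authz grants. `GrantCovers` answers whether a grant on one type URL authorizes a message of another, `CandidateGrants` lists which grants are worth looking up for a given message, and `MissingSignersAuthorized` applies the rule that every required signer must either sign or have granted one of the actual signers a covering authorization.

```go
package main

import (
	"fmt"
	"sort"
)

// Assumed prefix for this example: Cosmos SDK type URLs have the form
// "/<proto package>.<message name>". The message names are those listed above.
const prefix = "/provenance.metadata.v1."

// subtypes maps a parent message type URL to the subtypes a grant on it also
// covers. Coverage is one-way and exactly as listed: nothing is inferred in
// the other direction, and a Write grant never implies the Delete endpoint.
var subtypes = map[string][]string{
	prefix + "MsgWriteScopeRequest": {
		prefix + "MsgAddScopeDataAccessRequest",
		prefix + "MsgDeleteScopeDataAccessRequest",
		prefix + "MsgAddScopeOwnerRequest",
		prefix + "MsgDeleteScopeOwnerRequest",
	},
	prefix + "MsgWriteSessionRequest": {
		prefix + "MsgWriteRecordRequest",
	},
	prefix + "MsgWriteScopeSpecificationRequest": {
		prefix + "MsgAddContractSpecToScopeSpecRequest",
		prefix + "MsgDeleteContractSpecFromScopeSpecRequest",
	},
	prefix + "MsgWriteContractSpecificationRequest": {
		prefix + "MsgWriteRecordSpecificationRequest",
	},
	prefix + "MsgDeleteContractSpecificationRequest": {
		prefix + "MsgDeleteRecordSpecificationRequest",
	},
}

// GrantCovers reports whether a grant on grantedURL authorizes a message of
// type msgURL: either the same type or one of its listed subtypes.
func GrantCovers(grantedURL, msgURL string) bool {
	if grantedURL == msgURL {
		return true
	}
	for _, sub := range subtypes[grantedURL] {
		if sub == msgURL {
			return true
		}
	}
	return false
}

// CandidateGrants lists the type URLs worth looking up for msgURL: the
// message's own URL first, then any parent whose grant would also cover it.
func CandidateGrants(msgURL string) []string {
	var parents []string
	for parent, subs := range subtypes {
		for _, sub := range subs {
			if sub == msgURL {
				parents = append(parents, parent)
			}
		}
	}
	sort.Strings(parents) // map iteration order is random; keep the output stable
	return append([]string{msgURL}, parents...)
}

// Grant is a constructed stand-in for a stored authz grant. Expiration is
// enforced by the authz keeper in the real module and is not modelled here.
type Grant struct {
	Granter, Grantee, MsgTypeURL string
}

// MissingSignersAuthorized applies the missing-signature rule: every required
// signer must either have signed the transaction or have granted one of the
// actual signers an authorization that covers msgURL. Any required signer
// that is neither present nor covered rejects the message.
func MissingSignersAuthorized(msgURL string, required, signers []string, grants []Grant) bool {
	signed := map[string]bool{}
	for _, s := range signers {
		signed[s] = true
	}
	for _, req := range required {
		if signed[req] {
			continue
		}
		covered := false
		for _, g := range grants {
			if g.Granter == req && signed[g.Grantee] && GrantCovers(g.MsgTypeURL, msgURL) {
				covered = true
				break
			}
		}
		if !covered {
			return false
		}
	}
	return true
}

func main() {
	// Constructed addresses: the scope owner has granted an agent MsgWriteScopeRequest.
	grants := []Grant{{Granter: "pb1owner", Grantee: "pb1agent", MsgTypeURL: prefix + "MsgWriteScopeRequest"}}
	// The agent signs a subtype message on the owner's behalf: authorized via the parent grant.
	fmt.Println(MissingSignersAuthorized(prefix+"MsgAddScopeOwnerRequest", []string{"pb1owner"}, []string{"pb1agent"}, grants)) // true
	fmt.Println(CandidateGrants(prefix + "MsgWriteRecordRequest"))
}
```

The lookup order in `CandidateGrants` matters for an implementation that stops at the first matching grant: checking the message's own type URL before its parent means a narrowly scoped grant is found even when a broader one also exists, and a grant stored only on a subtype is never mistaken for authority over the parent.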
Important Notes
An authorization on a Write endpoint for an entry/spec will NOT work for its Delete endpoint.
Related Resources
- GitHub Repository: provenance-io/provenance
- GenericAuthorization Specification: Cosmos SDK Authz Documentation
- Message Types: Metadata Messages Documentation