AuthZ

The Provenance Blockchain metadata module implements authorization capabilities through the authz system, which checks for granted permissions when there are missing signatures in metadata operations. The system uses GenericAuthorization with message type URLs and supports hierarchical message authorization where grants on parent message types automatically work for their subtypes, enabling flexible permission management for complex metadata operations while maintaining security through one-way authorization inheritance.

Implementation

The authz implementation in the metadata module checks for granted permission in cases when there are missing signatures.

A GenericAuthorization should be used using the message type URLs documented in the messages specification.

Code Examples

Grant

go
// Source: https://github.com/provenance-io/provenance

granter := ... // Bech32 AccAddress
grantee := ... // Bech32 AccAddress
a := authz.NewGenericAuthorization(types.TypeURLMsgWriteScopeRequest)
err := s.app.AuthzKeeper.SaveGrant(s.ctx, grantee, granter, a, now.Add(time.Hour))

Delete

go
// Source: https://github.com/provenance-io/provenance

err := s.app.AuthzKeeper.DeleteGrant(s.ctx, grantee, granter, types.TypeURLMsgWriteScopeRequest)

Revoke

go
// Source: https://github.com/provenance-io/provenance

granter := ... // Bech32 AccAddress
grantee := ... // Bech32 AccAddress
msgRevoke := authz.NewMsgRevoke(granter, grantee, types.TypeURLMsgWriteScopeRequest)
res, err := s.app.AuthzKeeper.Revoke(s.ctx, msgRevoke)

CLI Commands

Grant

shell
$ provenanced tx authz grant <grantee> <authorization_type> --from <granter>

Revoke

shell
$ provenanced tx authz revoke <grantee> <msg-type-url> --from <granter>

Special Allowances

Some messages in the metadata module have hierarchies. A grant on a parent message type will also work for any of its message subtypes, but not the other way around. Therefore, authorizations on these messages are one way.

MsgWriteScopeRequest

An authorization on MsgWriteScopeRequest works for any of the listed message subtypes:

MsgAddScopeDataAccessRequest

MsgDeleteScopeDataAccessRequest

MsgAddScopeOwnerRequest

MsgDeleteScopeOwnerRequest

MsgWriteSessionRequest

An authorization on MsgWriteSessionRequest works for any of the listed message subtypes:

MsgWriteRecordRequest

MsgWriteScopeSpecificationRequest

An authorization on MsgWriteScopeSpecificationRequest works for any of the listed message subtypes:

MsgAddContractSpecToScopeSpecRequest

MsgDeleteContractSpecFromScopeSpecRequest

MsgWriteContractSpecificationRequest

An authorization on MsgWriteContractSpecificationRequest works for any of the listed message subtypes:

MsgWriteRecordSpecificationRequest

MsgDeleteContractSpecificationRequest

An authorization on MsgDeleteContractSpecificationRequest works for any of the listed message subtypes:

MsgDeleteRecordSpecificationRequest

Important Notes

An authorization on a Write endpoint for an entry/spec will NOT work for its Delete endpoint.

Related Resources

GitHub Repository: provenance-io/provenance

GenericAuthorization Specification: Cosmos SDK Authz Documentation

Message Types: Metadata Messages Documentation