Skip to main content

Changelog

  • 2019-11-06: Initial Draft
  • 2020-10-12: Updated Draft
  • 2020-11-13: Accepted
  • 2020-05-06: proto API updates, use sdk.Msg instead of sdk.ServiceMsg (the latter concept was removed from Cosmos SDK)
  • 2022-04-20: Updated the SendAuthorization proto docs to clarify the SpendLimit is a required field. (Generic authorization can be used with bank msg type url to create limit less bank authorization)

Status

Accepted

Abstract

This ADR defines the x/authz module which allows accounts to grant authorizations to perform actions on behalf of that account to other accounts.

Context

The concrete use cases which motivated this module include:
  • the desire to delegate the ability to vote on proposals to other accounts besides the account which one has delegated stake
  • “sub-keys” functionality, as originally proposed in #4480 which is a term used to describe the functionality provided by this module together with the fee_grant module from ADR 029 and the group module.
The “sub-keys” functionality roughly refers to the ability for one account to grant some subset of its capabilities to other accounts with possibly less robust, but easier to use security measures. For instance, a master account representing an organization could grant the ability to spend small amounts of the organization’s funds to individual employee accounts. Or an individual (or group) with a multisig wallet could grant the ability to vote on proposals to any one of the member keys. The current implementation is based on work done by the Gaian’s team at Hackatom Berlin 2019.

Decision

We will create a module named authz which provides functionality for granting arbitrary privileges from one account (the granter) to another account (the grantee). Authorizations must be granted for a particular Msg service methods one by one using an implementation of Authorization interface.

Types

Authorizations determine exactly what privileges are granted. They are extensible and can be defined for any Msg service method even outside of the module where the Msg method is defined. Authorizations reference Msgs using their TypeURL.

Authorization

For example a SendAuthorization like this is defined for MsgSend that takes a SpendLimit and updates it down to zero:
A different type of capability for MsgSend could be implemented using the Authorization interface with no need to change the underlying bank module.
Small notes on AcceptResponse
  • The AcceptResponse.Accept field will be set to true if the authorization is accepted. However, if it is rejected, the function Accept will raise an error (without setting AcceptResponse.Accept to false).
  • The AcceptResponse.Updated field will be set to a non-nil value only if there is a real change to the authorization. If authorization remains the same (as is, for instance, always the case for a GenericAuthorization), the field will be nil.

Msg Service

Router Middleware

The authz Keeper will expose a DispatchActions method which allows other modules to send Msgs to the router based on Authorization grants:

CLI

tx exec Method

When a CLI user wants to run a transaction on behalf of another account using MsgExec, they can use the exec method. For instance gaiacli tx gov vote 1 yes --from <grantee> --generate-only | gaiacli tx authz exec --send-as <granter> --from <grantee> would send a transaction like this:

tx grant <grantee> <authorization> --from <granter>

This CLI command will send a MsgGrant transaction. authorization should be encoded as JSON on the CLI.

tx revoke <grantee> <method-name> --from <granter>

This CLI command will send a MsgRevoke transaction.

Built-in Authorizations

SendAuthorization

GenericAuthorization

Consequences

Positive

  • Users will be able to authorize arbitrary actions on behalf of their accounts to other users, improving key management for many use cases
  • The solution is more generic than previously considered approaches and the Authorization interface approach can be extended to cover other use cases by SDK users

Negative

Neutral

References

  • Initial Hackatom implementation: Link
  • Post-Hackatom spec: Link
  • B-Harvest subkeys spec: Link