
LND macaroons
・Checked how a macaroon baked in ThunderHub looks when inspected with lncli printmacaroon.
ThunderHub macaroon permissions
---------------------------------------------------------------
ThunderHub option          LND permission
get invoices               invoices:read
create invoices            invoices:write
get payments               offchain:read
pay invoices               offchain:write
get chain transactions     onchain:read
send to chain address      onchain:write
create chain address       address:write
get wallet info            info:read
stop daemon                info:write
Going by this result, a client using a macaroon without the offchain:write and onchain:write permissions cannot send BTC on its own.
Without info:write it cannot, for example, stop LND on its own.
・Used lncli printmacaroon to look at the permissions of the macaroons that lnd creates by default.
admin.macaroon
{
"version": 2,
"location": "lnd",
"root_key_id": "0",
"permissions": [
"address:read",
"address:write",
"info:read",
"info:write",
"invoices:read",
"invoices:write",
"macaroon:generate",
"macaroon:read",
"macaroon:write",
"message:read",
"message:write",
"offchain:read",
"offchain:write",
"onchain:read",
"onchain:write",
"peers:read",
"peers:write",
"signer:generate",
"signer:read"
],
"caveats": null
}
chainnotifier.macaroon
{
"version": 2,
"location": "lnd",
"root_key_id": "0",
"permissions": [
"onchain:read"
],
"caveats": null
}
invoice.macaroon
{
"version": 2,
"location": "lnd",
"root_key_id": "0",
"permissions": [
"address:read",
"address:write",
"invoices:read",
"invoices:write",
"onchain:read"
],
"caveats": null
}
invoices.macaroon
{
"version": 2,
"location": "lnd",
"root_key_id": "0",
"permissions": [
"invoices:read",
"invoices:write"
],
"caveats": null
}
readonly.macaroon
{
"version": 2,
"location": "lnd",
"root_key_id": "0",
"permissions": [
"address:read",
"info:read",
"invoices:read",
"macaroon:read",
"message:read",
"offchain:read",
"onchain:read",
"peers:read",
"signer:read"
],
"caveats": null
}
router.macaroon
{
"version": 2,
"location": "lnd",
"root_key_id": "0",
"permissions": [
"offchain:read",
"offchain:write"
],
"caveats": null
}
signer.macaroon
{
"version": 2,
"location": "lnd",
"root_key_id": "0",
"permissions": [
"signer:generate",
"signer:read"
],
"caveats": null
}
walletkit.macaroon
{
"version": 2,
"location": "lnd",
"root_key_id": "0",
"permissions": [
"address:read",
"address:write",
"onchain:read",
"onchain:write"
],
"caveats": null
}
・The lncli listpermissions command lists every RPC method URI together with the macaroon permissions required to call it.
On LND v0.18.5-beta this produces roughly 1344 lines of JSON.
For AddInvoice, a macaroon holding the invoices:write permission is apparently enough to create an invoice.
"/lnrpc.Lightning/AddInvoice": {
"permissions": [
{
"entity": "invoices",
"action": "write"
}
]
},
Extracted the distinct entity and action values from lncli listpermissions.
"entity": "address",
"entity": "info",
"entity": "invoices",
"entity": "macaroon",
"entity": "message",
"entity": "offchain",
"entity": "onchain",
"entity": "peers",
"entity": "signer",
"action": "generate"
"action": "read"
"action": "write"
Combining lncli with jq, the following command, for example, lists the RPCs that require invoices:write.
Besides AddInvoice, invoices:write is evidently also used for creating hold invoices.
lncli listpermissions | jq -r '.method_permissions | to_entries[]
| select(.value.permissions[] | select(.entity == "invoices" and .action == "write")) | .key'
/invoicesrpc.Invoices/AddHoldInvoice
/invoicesrpc.Invoices/CancelInvoice
/invoicesrpc.Invoices/HtlcModifier
/invoicesrpc.Invoices/LookupInvoiceV2
/invoicesrpc.Invoices/SettleInvoice
/lnrpc.Lightning/AddInvoice
For invoices:read the result is as follows.
/invoicesrpc.Invoices/SubscribeSingleInvoice
/lnrpc.Lightning/ListInvoices
/lnrpc.Lightning/LookupInvoice
/lnrpc.Lightning/SubscribeInvoices
The RPCs for the main LN features seem to require offchain, so I extracted those.
offchain:write
This covers opening and closing channels and sending payments.
Among the default macaroons, only admin and router hold offchain:write. openchannel and closechannel apparently require the onchain:write permission as well.
/autopilotrpc.Autopilot/ModifyStatus
/autopilotrpc.Autopilot/SetScores
/lnrpc.Lightning/AbandonChannel
/lnrpc.Lightning/BatchOpenChannel
/lnrpc.Lightning/ChannelAcceptor
/lnrpc.Lightning/CloseChannel
/lnrpc.Lightning/DeleteAllPayments
/lnrpc.Lightning/DeletePayment
/lnrpc.Lightning/FundingStateStep
/lnrpc.Lightning/OpenChannel
/lnrpc.Lightning/OpenChannelSync
/lnrpc.Lightning/RestoreChannelBackups
/lnrpc.Lightning/SendCustomMessage
/lnrpc.Lightning/SendPayment
/lnrpc.Lightning/SendPaymentSync
/lnrpc.Lightning/SendToRoute
/lnrpc.Lightning/SendToRouteSync
/lnrpc.Lightning/UpdateChannelPolicy
/routerrpc.Router/HtlcInterceptor
/routerrpc.Router/ResetMissionControl
/routerrpc.Router/SendPayment
/routerrpc.Router/SendPaymentV2
/routerrpc.Router/SendToRoute
/routerrpc.Router/SendToRouteV2
/routerrpc.Router/SetMissionControlConfig
/routerrpc.Router/UpdateChanStatus
/routerrpc.Router/XAddLocalChanAliases
/routerrpc.Router/XDeleteLocalChanAliases
/routerrpc.Router/XImportMissionControl
/wtclientrpc.WatchtowerClient/AddTower
/wtclientrpc.WatchtowerClient/DeactivateTower
/wtclientrpc.WatchtowerClient/RemoveTower
/wtclientrpc.WatchtowerClient/TerminateSession
"/lnrpc.Lightning/OpenChannel": {
"permissions": [
{
"entity": "onchain",
"action": "write"
},
{
"entity": "offchain",
"action": "write"
}
]
},
offchain:read
The read side appears to be the permission for checking the state of channels and invoices.
/lnrpc.Lightning/ChannelBalance
/lnrpc.Lightning/ClosedChannels
/lnrpc.Lightning/DecodePayReq
/lnrpc.Lightning/ExportAllChannelBackups
/lnrpc.Lightning/ExportChannelBackup
/lnrpc.Lightning/FeeReport
/lnrpc.Lightning/ForwardingHistory
/lnrpc.Lightning/GetDebugInfo
/lnrpc.Lightning/ListAliases
/lnrpc.Lightning/ListChannels
/lnrpc.Lightning/ListPayments
/lnrpc.Lightning/LookupHtlcResolution
/lnrpc.Lightning/PendingChannels
/lnrpc.Lightning/SubscribeChannelBackups
/lnrpc.Lightning/SubscribeChannelEvents
/lnrpc.Lightning/SubscribeCustomMessages
/lnrpc.Lightning/VerifyChanBackup
/routerrpc.Router/BuildRoute
/routerrpc.Router/EstimateRouteFee
/routerrpc.Router/GetMissionControlConfig
/routerrpc.Router/QueryMissionControl
/routerrpc.Router/QueryProbability
/routerrpc.Router/SubscribeHtlcEvents
/routerrpc.Router/TrackPayment
/routerrpc.Router/TrackPaymentV2
/routerrpc.Router/TrackPayments
/wtclientrpc.WatchtowerClient/GetTowerInfo
/wtclientrpc.WatchtowerClient/ListTowers
/wtclientrpc.WatchtowerClient/Policy
/wtclientrpc.WatchtowerClient/Stats
・Extra 1
Command that extracts the entries whose RPC method name contains "open":
lncli listpermissions | jq '.method_permissions | to_entries[] | select(.key | test("open"; "i"))'
{
"key": "/lnrpc.Lightning/BatchOpenChannel",
"value": {
"permissions": [
{
"entity": "onchain",
"action": "write"
},
{
"entity": "offchain",
"action": "write"
}
]
}
}
{
"key": "/lnrpc.Lightning/OpenChannel",
"value": {
"permissions": [
{
"entity": "onchain",
"action": "write"
},
{
"entity": "offchain",
"action": "write"
}
]
}
}
{
"key": "/lnrpc.Lightning/OpenChannelSync",
"value": {
"permissions": [
{
"entity": "onchain",
"action": "write"
},
{
"entity": "offchain",
"action": "write"
}
]
}
}
・Extra 2
A macaroon created in ThunderHub is output as text to be copied and pasted; it is not a macaroon file.
The hex can be turned into a macaroon file with the command below. Paste the hex in place of HEX, and replace YOURS with a name that is meaningful to you.
echo -n "HEX" | xxd -r -p > YOURS.macaroon
The permissions of a macaroon created in ThunderHub with "Create Invoices, Get Invoices, Get Wallet Info, Get Payments, Pay Invoices" checked are as follows.
{
"version": 2,
"location": "lnd",
"root_key_id": "0",
"permissions": [
"info:read",
"invoices:read",
"invoices:write",
"offchain:read",
"offchain:write"
],
"caveats": null
}
It has offchain:write but not onchain:write, so it should not be able to open or close channels.
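As an added example (not code from this page, lnd or ThunderHub), the following Python script checks that claim the way lnd does: a call is admitted only when the macaroon holds every permission listed for the method. The listpermissions excerpt and the macaroon dict are constructed copies of output shown above, and methods_requiring reproduces the earlier jq filter.

```python
import json

# Constructed excerpt shaped like `lncli listpermissions` output (the real command
# returns the full method list); these entries are the ones discussed on this page.
LISTPERMISSIONS_EXCERPT = json.loads("""
{
  "method_permissions": {
    "/lnrpc.Lightning/AddInvoice":   {"permissions": [{"entity": "invoices", "action": "write"}]},
    "/lnrpc.Lightning/ListInvoices": {"permissions": [{"entity": "invoices", "action": "read"}]},
    "/lnrpc.Lightning/ListChannels": {"permissions": [{"entity": "offchain", "action": "read"}]},
    "/lnrpc.Lightning/SendPayment":  {"permissions": [{"entity": "offchain", "action": "write"}]},
    "/lnrpc.Lightning/OpenChannel":  {"permissions": [{"entity": "onchain",  "action": "write"},
                                                      {"entity": "offchain", "action": "write"}]}
  }
}
""")

# The ThunderHub macaroon's `lncli printmacaroon` output (constructed copy).
THUNDERHUB_MACAROON = {
    "version": 2, "location": "lnd", "root_key_id": "0",
    "permissions": ["info:read", "invoices:read", "invoices:write",
                    "offchain:read", "offchain:write"],
    "caveats": None,
}

def required_perms(entry):
    """Flatten listpermissions' [{entity, action}, ...] into 'entity:action' strings."""
    return {f"{p['entity']}:{p['action']}" for p in entry["permissions"]}

def methods_requiring(perm, listperms):
    """Same as the jq filter above: method URIs whose requirements include `perm`."""
    return sorted(uri for uri, entry in listperms["method_permissions"].items()
                  if perm in required_perms(entry))

def audit_macaroon(macaroon, listperms):
    """Map each method URI to the permissions the macaroon lacks for it.
    lnd admits a call only when every required permission is held, so an
    empty set means the method is callable with this macaroon."""
    held = set(macaroon["permissions"])
    return {uri: required_perms(entry) - held
            for uri, entry in listperms["method_permissions"].items()}

def callable_methods(macaroon, listperms):
    return sorted(uri for uri, missing in audit_macaroon(macaroon, listperms).items()
                  if not missing)

if __name__ == "__main__":
    for uri, missing in sorted(audit_macaroon(THUNDERHUB_MACAROON, LISTPERMISSIONS_EXCERPT).items()):
        verdict = "ALLOW" if not missing else f"DENY  (missing {', '.join(sorted(missing))})"
        print(f"{uri:36} {verdict}")
```

To audit a real macaroon, replace the two constants with the parsed output of `lncli listpermissions` and `lncli printmacaroon`.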