Create limited RPC user. #363
I haven't reviewed the code yet, but I did notice there are several documentation updates that will be needed that I don't see here:
"getrawmempool": struct{}{}, | ||
"getrawtransaction": struct{}{}, | ||
"gettxout": struct{}{}, | ||
"ping": struct{}{}, |
This one isn't read-only.
@aakselrod: Thanks for the PR. It looks good overall. I think we'll want to debate the specific command list. I think |
48eb5ec to f3f129e
} | ||
if cfg.RPCLimitUser != "" && cfg.RPCLimitPass != "" { | ||
login := cfg.RPCLimitUser + ":" + cfg.RPCLimitPass | ||
roauth := "Basic " + base64.StdEncoding.EncodeToString([]byte(login)) |
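Review bot: on the line testing cfg.RPCLimitUser != "" && cfg.RPCLimitPass != "", setting only one of the two options leaves the limited user silently disabled; unless loadConfig() already rejects that combination, return an error or log a warning there so a half-configured limited account is noticed. Separately, login joins the two values with ":", so a limited username that itself contains a colon yields a credential a Basic-auth client cannot reproduce unambiguously; a check for ":" in RPCLimitUser at config time would rule that out.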
Not a big deal, but roauth should probably just be auth here as well since it's not read-only anymore.
Changed to auth from roauth.
Alright, everything looks good! If you can squash/rebase it, I'll merge it.
9607cbe to 1f2fdf9
The limited user is specified with the --rpclimituser and --rpclimitpass options (or the equivalent in the config file). The config struct and loadConfig() are updated to take the new options into account. The limited user can have neither the same username nor the same password as the admin user.

The package-level rpcLimit map in rpcserver.go specifies the RPC commands accessible by limited users. This map includes both HTTP/S and websocket commands.

The checkAuth function gets a new return parameter to signify whether the user is authorized to change server state. The result is passed to the jsonRPCRead function and to the WebsocketHandler function in rpcwebsocket.go.

The wsClient struct is updated with an "isAdmin" field signifying that the client is authorized to change server state, written by WebsocketHandler and handleMessage. The handleMessage function also checks the field to allow or disallow an RPC call.

The following documentation files are updated:
- doc.go
- sample-btcd.conf
- docs/README.md
- docs/json_rpc_api.md
- docs/configure_rpc_server_listen_interfaces.md
I've tested the following:
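The flow the commit message describes (two credential sets, an authentication check that also reports admin status, and an allowlist for the limited user), sketched as an added Go example; it is not code from this pull request or from btcd. The names `server`, `newServer`, `header`, `allowed` and `limited`, the credentials, and the use of `stop` as a state-changing command are assumptions, and hashing the header before a constant-time comparison is this example's choice rather than something the page shows.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// Hypothetical names throughout; limited is a constructed allowlist using commands from the diff.
var limited = map[string]struct{}{"getrawmempool": {}, "getrawtransaction": {}, "gettxout": {}}

type server struct{ adminSum, limitSum [sha256.Size]byte }

func header(user, pass string) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(user+":"+pass))
}

// newServer requires limited credentials that are set and differ from admin's.
func newServer(user, pass, limUser, limPass string) (*server, error) {
	if limUser == "" || limPass == "" || limUser == user || limPass == pass {
		return nil, errors.New("limited credentials must be set and differ from admin's")
	}
	return &server{sha256.Sum256([]byte(header(user, pass))), sha256.Sum256([]byte(header(limUser, limPass)))}, nil
}

// checkAuth returns (authenticated, isAdmin) for an Authorization header.
func (s *server) checkAuth(h string) (bool, bool) {
	sum := sha256.Sum256([]byte(h)) // hash first: equal-length inputs for the compare
	if subtle.ConstantTimeCompare(sum[:], s.limitSum[:]) == 1 {
		return true, false
	}
	if subtle.ConstantTimeCompare(sum[:], s.adminSum[:]) == 1 {
		return true, true
	}
	return false, false
}

// allowed reports whether a caller may run method: admins always, others by allowlist.
func allowed(isAdmin bool, method string) bool {
	_, ok := limited[method]
	return isAdmin || ok
}

func main() {
	s, _ := newServer("admin", "adminpw", "viewer", "viewerpw") // constructed credentials
	_, isAdmin := s.checkAuth(header("viewer", "viewerpw"))
	fmt.Println(isAdmin, allowed(isAdmin, "gettxout"), allowed(isAdmin, "stop"))
}
```

The allowlist fails closed: a method missing from the map is denied to the limited user, so a newly added state-changing command stays admin-only until someone deliberately lists it.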