RPC permissions #1535
Description
I've been using Lightning Charge a fair bit, but I don't like that it has full control over the lightning node. It would be nice to have a way to limit RPC permissions, for instance just the ability to create and check the status of invoices.
One approach could be to have to multiple --rpc-file like arguments, each with their own set of permissions. The default RPC socket is owned by the user/group that launched the process, and permissions are set to 600. The additional RPC sockets should allowing specifying the group owner and set permission to 660. That way e.g. a system could have a group lightning_rpc_invoices whose users can use the RPC to create invoices.
Specifically this group should have access to: help, decodepay, getinfo, invoice, listinvoices, delinvoice (?), waitanyinvoice (?), waitinvoice, .
The above would go a long way. Some additional ideas:
-
individual RPC users can "own" invoices. With the example of Lightning Charge that would allow it to delete its own invoices, while not being able to mess with - or even see - invoices it doesn't own. That would suggest creating user (in stead of group) specific RPC interfaces, or moving to an authentication model more like what
bitcoinduses. -
a group that can manage channels, but not spend funds:
help,decodepay,getinfo,connect,listnodes,listpeers,disconnect,getroute,listchannels,fundchannel,close,newaddr -
a group that can withdraw funds (on chain and off chain): same as channel manager, plus
sendpay,waitsendpay,pay,withdraw. Although that's a lot of permissions, at least it can't sabotage the node by physically reading the database from disk and broadcasting illegal states. It could be additionally constrained through an address (and destination node public key) whitelist.