Transactions should Explicitly Declare Required Authority Level about eos HOT 3 CLOSED

Relevant commit: 4e59a50

from eos.

Also TODO: create configuration option to disable all auth checking (for debugging)

from eos.

@bytemaster and I just discussed this, and realized it was a mistake to move authorizations to Transaction rather than Messages. I was thinking this would work such that when the contract code executed and asserted that joe has authorized the transaction, the chain would look up what permission level joe must use to approve the message being evaluated, then check that the transaction declared an authority sufficient to confer that permission.

This approach has two major shortcomings, however:

• We can't look up what authority level joe is using until we're executing contracts, because we don't know until then which messages in the transaction joe is supposed to be authorizing
• We must look up authority information in the database after messages have begun processing, which means that one message in the block could update authorities in a way that changes the validity/behavior of a later message in the block

Instead, we have decided to move the authorizations back from Transaction to Message. In this model, we can do all authority checks in full prior to processing any transactions: we scan the declared authorities declared by all messages in all transactions in the block before processing any messages. During this scan, we first check what authority level the declared user requires to execute the message type, and check that the declared authority level is at least as high as the required authority level. Next, we check that the transaction bears signatures to access the declared authority.

Later, when we execute the messages, and the handlers emit their require_authorization calls, we simply check that the required username is in the message's declared authorities list. When we finish processing the message, we check that all of the declared authorities got used. These are both very fast checks.

This solves both of our problems: we do all the authority database lookups prior to processing transactions (which may have parallelization advantages, since no writes to the database are possible at this time), and we get all authority checking out of the way prior to evaluating any transactions, which eliminates the possibility of one message updating authorities in a way that affects another message in the same block.

from eos.