diff --git a/docs/macaroons.md b/docs/macaroons.md index 7386f7d5..aae12d1d 100644 --- a/docs/macaroons.md +++ b/docs/macaroons.md @@ -119,6 +119,11 @@ A very simple example using `curl` may look something like this: Have a look at the [Java GRPC example](/docs/grpc/java.md) for programmatic usage details. +## Creating macaroons with custom permissions + +The macaroon bakery is described in more detail in the +[README in the macaroons package](../macaroons/README.md). + ## Future improvements to the `lnd` macaroon implementation The existing macaroon implementation in `lnd` and `lncli` lays the groundwork @@ -131,8 +136,6 @@ such as: * Root key rotation and possibly macaroon invalidation/rotation -* Tools to allow you to easily delegate macaroons in more flexible ways - * Additional restrictions, such as limiting payments to use (or not use) specific routes, channels, nodes, etc. diff --git a/macaroons/README.md b/macaroons/README.md index 6de7d8c1..67ef9ab4 100644 --- a/macaroons/README.md +++ b/macaroons/README.md 
@@ -87,3 +87,30 @@ be found in `constraints.go`: * `IPLockConstraint`: Locks the macaroon to a specific IP address. This constraint can be set by adding the parameter `--macaroonip a.b.c.d` to the `lncli` command. + +## Bakery + +As of lnd `v0.9.0-beta` there is a macaroon bakery available through gRPC and +command line. +Users can create their own macaroons with custom permissions if the provided +default macaroons (`admin`, `invoice` and `readonly`) are not sufficient. + +For example, a macaroon that is only allowed to manage peers would be created +with the following command: + +`lncli bakemacaroon peers:read peers:write` + +A full and up-to-date list of available entity/action pairs can be found by +looking at the `rpcserver.go` in the root folder of the project. + +### Upgrading from v0.8.0-beta or earlier + +Users upgrading from a version prior to `v0.9.0-beta` might get a `permission +denied ` error when trying to use the `lncli bakemacaroon` command. +This is because the bakery requires a new permission (`macaroon/generate`) to +access. +Users can obtain a new `admin.macaroon` that contains this permission by +removing all three default macaroons (`admin.macaroon`, `invoice.macaroon` and +`readonly.macaroon`, **NOT** the `macaroons.db`!) from their +`data/chain///` directory inside the lnd data directory and +restarting lnd.
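Review bot: In the first `docs/macaroons.md` hunk, the new "Creating macaroons with custom permissions" section is only a link; a reader of this doc still does not learn that the tool is `lncli bakemacaroon` or that it needs the `macaroon/generate` permission. One sentence naming the command (and that an `admin.macaroon` baked before `v0.9.0-beta` lacks the permission) would let the section stand on its own, with the README link for details. Also double-check that the relative link `../macaroons/README.md` resolves from `docs/` in the rendered site, not just on GitHub.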
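Review bot: In the second `docs/macaroons.md` hunk, dropping "Tools to allow you to easily delegate macaroons in more flexible ways" from the future-improvements list is broader than what this change delivers. `bakemacaroon`, as described in the README hunk, mints new macaroons with a chosen set of entity/action permissions; it does not cover delegating an existing macaroon by attenuating it with further caveats, which is what that bullet reads as. Suggest keeping the bullet, or narrowing it to "Tools to attenuate an existing macaroon with additional caveats" so the list still reflects what is open.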
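Review bot: In the `macaroons/README.md` hunk, the "Upgrading from v0.8.0-beta or earlier" paragraph should say explicitly that this procedure does not revoke anything: because `macaroons.db` (and with it the root key) is kept, the regenerated `admin.macaroon` is signed with the same root key and every macaroon issued before the upgrade stays valid. Readers may otherwise take "removing all three default macaroons" for a revocation step, so a sentence such as "Note that previously issued macaroons remain valid after this step, since the root key in `macaroons.db` is unchanged." would close that gap. Two copy nits in the same hunk: `permission denied ` carries a trailing space inside the backticks, and `data/chain///` has lost the path components between the slashes, so the directory cannot be located from the text as written.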