docs/macaroons: add reference to invoice.macaroon

Francisco Calderon 2018-04-12 21:25:52 -03:00 committed by Olaoluwa Osuntokun
parent 26bf3fcb1c
commit f61a71b6fc

@ -49,19 +49,22 @@ user must remember several things:
person receiving it cannot remove the caveat. person receiving it cannot remove the caveat.
This is used in `lnd` in an interesting way. By default, when `lnd` starts, it This is used in `lnd` in an interesting way. By default, when `lnd` starts, it
creates two files which contain macaroons: a file called `admin.macaroon`, creates three files which contain macaroons: a file called `admin.macaroon`,
which contains a macaroon with no caveats, and a file called which contains a macaroon with no caveats, a file called `readonly.macaroon`,
`readonly.macaroon`, which is the *same* macaroon but with an additional caveat which is the *same* macaroon but with an additional caveat, that permits only
that permits only methods that don't change the state of `lnd`. methods that don't change the state of `lnd`, and `invoice.macaroon`, which
only has access to invoice related methods.
## How macaroons are used by `lnd` and `lncli`. ## How macaroons are used by `lnd` and `lncli`.
On startup, `lnd` checks to see if the `admin.macaroon` and `readonly.macaroon` On startup, `lnd` checks to see if the `admin.macaroon`, `readonly.macaroon`
files exist. If they *both* don't exist, `lnd` updates its database with a new and `invoice.macaroon` files exist. If they don't exist, `lnd` updates its
macaroon ID, generates the `admin.macaroon` file with that ID, and generates database with a new macaroon ID, generates the three files `admin.macaroon`,
the `readonly.macaroon` file with the same ID but an additional caveat which `readonly.macaroon` and `invoice.macaroon`, all with the same ID. The
restricts the caller to using only read-only methods. This means a few `readonly.macaroon` file has an additional caveat which restricts the caller
important things: to using only read-only methods and the `invoice.macaroon` also has an
additional caveat which restricts the caller to using only invoice related
methods. This means a few important things:
* You can delete the `admin.macaroon` and be left with only the * You can delete the `admin.macaroon` and be left with only the
`readonly.macaroon`, which can sometimes be useful (for example, if you want `readonly.macaroon`, which can sometimes be useful (for example, if you want
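Review bot: The rewritten startup sentence drops the old "*both*" qualifier, so "If they don't exist, `lnd` updates its database with a new macaroon ID" no longer says what happens when only some of the three files are missing; please state the condition explicitly (for example "If any of the three files is missing" or "If none of them exist", whichever matches the code), since a reader recovering from a deleted `invoice.macaroon` needs to know whether the root key ID is rotated and the other two files invalidated. Two smaller points in the same hunk: the inserted comma in "with an additional caveat, that permits only" makes the clause non-restrictive and should be removed, and "invoice related methods" should be hyphenated as "invoice-related methods" in both places it now appears.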
@ -69,10 +72,10 @@ important things:
change its state). change its state).
* If you delete the data directory which contains the `macaroons.db` file, this * If you delete the data directory which contains the `macaroons.db` file, this
invalidates the `admin.macaroon` and `readonly.macaroon` files. Invalid invalidates the `admin.macaroon`, `readonly.macaroon` and `invoice.macaroon`
macaroon files give you errors like `cannot get macaroon: root key with id 0 files. Invalid macaroon files give you errors like `cannot get macaroon: root
doesn't exist` or `verification failed: signature mismatch after caveat key with id 0 doesn't exist` or `verification failed: signature mismatch
verification`. after caveat verification`.
You can also run `lnd` with the `--no-macaroons` option, which skips the You can also run `lnd` with the `--no-macaroons` option, which skips the
creation of the macaroon files and all macaroon checks within the RPC server. creation of the macaroon files and all macaroon checks within the RPC server.