slides-06-macaroons.md

Barcamp session: Macaroons

Oliver Gugger, Puzzle ITC

@gugol
github.com/guggero

Slides on guggero.github.io

Agenda

  • What are macaroons?
  • How do they work?
  • How are they used in LND?
  • What features am I working on?
  • Questions/discussion

What are macaroons?

How do they work?

Macaroons are based on a construction that uses nested, chained MACs (e.g., HMACs) in a manner that is highly efficient...

How do they work?


Online demo

How are they used in LND?

  • Root Key is stored in macaroons.db
  • Identifier contains nonce and read/write permissions
  • Location is always lnd
  • Three pre-generated macaroons:
    readonly, invoice, admin

How are they used in LND?

  • Supported caveat conditions:
    • time-before <utc-timestamp>
    • ipaddr <client-ip-address>
  • Can be declared with lncli parameters:
    • --macaroontimeout <in seconds, default 60>
    • --macaroonip <ip-address, default not set>
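
The chained-MAC construction from "How do they work?" combined with the two caveat conditions listed above, as an added sketch that is not part of the original slides and is not lnd's or any macaroon library's own code. Assumptions: the names `Mint`, `Attenuate` and `Verify` are hypothetical, the chain is plain HMAC-SHA256 keyed directly with the root key, the timestamp is taken to be RFC 3339, and all keys and addresses are constructed sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"strings"
	"time"
)

type Macaroon struct {
	ID      string   // identifier (in lnd: nonce plus permissions)
	Caveats []string // restrictions added after minting
	Sig     []byte   // tail of the HMAC chain
}

func mac(key []byte, msg string) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(msg))
	return h.Sum(nil)
}

func Mint(rootKey []byte, id string) Macaroon {
	return Macaroon{ID: id, Sig: mac(rootKey, id)}
}

// Attenuate adds a caveat keyed by the previous signature; no root key needed.
func (m Macaroon) Attenuate(caveat string) Macaroon {
	return Macaroon{m.ID, append(append([]string{}, m.Caveats...), caveat), mac(m.Sig, caveat)}
}

// Verify replays the chain from the server-held root key and enforces every caveat.
func Verify(rootKey []byte, m Macaroon, now time.Time, clientIP string) bool {
	sig := mac(rootKey, m.ID)
	for _, c := range m.Caveats {
		sig = mac(sig, c)
		ts := strings.TrimPrefix(c, "time-before ")
		t, err := time.Parse(time.RFC3339, ts) // assumed timestamp format
		timeOK := ts != c && err == nil && now.Before(t)
		if !timeOK && c != "ipaddr "+clientIP {
			return false // expired, wrong IP or unknown caveat: fail closed
		}
	}
	return hmac.Equal(sig, m.Sig) // constant-time compare of the chain tail
}

func main() {
	m := Mint([]byte("constructed-key"), "constructed-nonce read").Attenuate("ipaddr 192.0.2.10")
	fmt.Println(Verify([]byte("constructed-key"), m, time.Now(), "192.0.2.10"))
}
```

Because each signature is the HMAC key for the next caveat, a holder can add restrictions but cannot remove one without the root key.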

What am I working on?

  • Submitted PRs:
    • delegate macaroon #1147
    • integration tests for macaroons #1152
    • create custom macaroon #1160
    • request hash caveat #1181
    • stateless initialization #1288
    • macaroon based accounting #2390

What am I working on?

  • Ideas:
    • permissions for single RPC calls not just groups
    • recurring payments (based on accounts)
    • third party caveats

Questions?