What is the Lisk RBAC Module?
The Lisk RBAC Module provides a lightweight implementation of role-based access controls for a Lisk blockchain application. This enables any custom application to conveniently integrate a robust and flexible authorization engine to control access to assets stored on the blockchain.
The slidedeck used in the video presentation can be found here.
- Lisk Module containing 7 transactions, 8 actions, 6 commands, 3 reducers
- HTTP Rest API plugin, including a spec file in OpenAPI 3.0 format.
- Slim demo application including both,
- Define custom sets of roles and permissions for your blockchain application.
- The module provides actions and reducers to validate every account's permissions. This API is designed to be extremely fast as this can be the Achilles' heel for any scaled-out authorization use case.
- Assign / remove roles to user accounts using transactions. This can be done also in batches to not be required to submit a transaction for a single account-role assignment.
- Add and remove role and permissions on the running blockchain through transactions.
- Roles can inherit from each other without any performance loss when solving
hasPermissionrequests for a given account.
- Grant and revoke permissions for certain roles on the running blockchain through transactions.
- The module provides an api to get all accounts which are assigned a certain role.
- The module includes various actions and reducers to fetch roles and permissions which allows other modules and plugins to build logic on top of this.
- All changes to the RBAC configuration is versioned on the chain and can be restored at any time.
- Very little integration effort to get going 🤓 🥳
The Lisk ecosystem encourages developers to run a custom blockchain to build their own blockchain application on top of it. For many use cases one of the very early challenges is to implement robust and secure mechanisms to authorize actions happening on the blockchain. The problem of authorization is usually very specific to a certain use case. That's why there are no all-on-one implementations out there - not even for regular web applications.
With this module I hope to reduce the barrier of entry for new developers and teams by providing them with a slim & lightweight RBAC implementation to get them going more quickly.
The Authorization Problem & Blockchain
In part the motivation for this project was the hypothesis that authorization as an IT challenge might benefit from the characteristics of a blockchain.
When building distributed IT systems, while aiming for maximum independence and high velocity, it is often a good idea to enforce the same mechanisms for authentication (AuthN) and authorization (AuthZ) in every part of the system for security reasons. This can become a challenge when the business is scaling a lot or generally operating at scale.
The downside when enforcing one-way / one-system for Authentication and Authorization is that one enacts a single-point-of-failure. Today this is generally accepted because it becomes increasingly easier to protect crucial the AuthN & AuthZ entities. But it is still very expensive to operate and comes with high risks by design.
But what if the single-point-of-failure is not a single point?
With a blockchain application and its concept of cheap interconnected nodes providing the same access to the data stored from anywhere, this seems like an inexpensive yet very robust and scalable solution for bringing AuthZ to every edge of a distributed system.
How we built it
Utilizing a set of transactions the module manages database tables in the StateStore on the chain. I modified SkeLLLa's Fast RBAC package to fit into a blockchain architecture. This package takes care of compiling a relational ruleset into a look-up table which results in O(1) time complexity for checking rules.
The HTTP Rest API plugin which comes together with the module provides a simplified abstraction of the underlying data structure and follows API design recommendations of leading industry solutions like Auth0.
The Lisk RBAC Console is a ReactJS frontend to be used to configure the on-chain Ruleset. It uses purely the Lisk RBAC HTTP Rest API to interact with the blockchain and can therefore be deployed anywhere. The frontend shall be considered a UX prototype because one week was not sufficient thinking it through in full.
All code was built using Typescript. At this time no automated tests are part of the contribution but they are developed on a branch and will be merged to main when the hackathon has ended.
Challenges we ran into
The biggest challenge was the domain of Identitiy and Access Management itself. A lot of time went into the concept of how to structure data on chain and the logic around to always guarantee the correctness of the responses given to incoming requests. I want other teams to fully trust the module's capabilities for this business critical domain.
Another big challenge I had to overcome was understanding the SDK itself. To name a few terms / concepts which I found very hard to understand: Schemas, StateStore, Assets vs. Transactions (I will continue using transactions preferably)
Accomplishments that we're proud of
I am very proud I could provide a complete standalone Lisk Module to the community in this short amount of time. While there are certainly a lot of things I want to add later, for now version 1.2 already provides a feature set that can be used by 3rd party blockchain apps to delegate authorization to this module.
What took a lot of time to figure out was how to design the "module onboarding" into a new blockchain application. It should be as simple as possible for developers to implement this module into their application. I am very proud that the only thing that needs to happen is that the developer sets starting accounts for the three default roles.
What we learned
Personally the most valuable learnings were the many concepts of the Lisk SDK. I truly feel it is well rounded and mature; I don't fear the breaking changes ahead since I can't imagine them being big and complicated to include.
What's next for Lisk RBAC
This submission is supposed to only be the starting point. Lisk RBAC is the first 'application building block', my goal is to gather a crowd to start building more of these in a longer & larger campaign. This is something I want to reveal in August / September. 😎
But next for Lisk RBAC:
- Better test coverage to gain trust about the module's capabilities by developers
- User groups and group policies
- Wildcard operators
- Ruleset rollback
- A much more capable frontend:
- Separate forms for submitting transactions
- Visualization of the ruleset history
- Audit trails
- Improved codebase
- Improved UX Design