serviceability: authorize device and interface instructions via Permission accounts #3980

Open: juan-malbeclabs wants to merge 2 commits into main from perm-devices

juan-malbeclabs commented Jul 5, 2026

Summary

Gate Device and device-interface instructions on NETWORK_ADMIN (and HEALTH_ORACLE for sethealth) via authorize(), preserving the contributor-owner path:

  • Device: create, update, delete, resume, sethealth
  • Interface: create, update, delete

Owner-or-admin handlers become owner OR authorize(NETWORK_ADMIN); sethealth composes HEALTH_ORACLE | NETWORK_ADMIN to keep both the oracle and foundation paths. Internal foundation-only sub-gates (contributor binding, privileged-field edits, status transitions) are extended to NETWORK_ADMIN holders. interface/update uses split_trailing_permission so the optional segment-routing/topology accounts stay unambiguous vs the SDK-appended Permission PDA.

Behavior is preserved via the legacy foundation/health-oracle fallback while RequirePermissionAccounts is off. One PR per domain; see PERMISSION.md.

Testing Verification

  • Full device/interface integration suites (create/update/delete/onchain-allocation/contributor-binding/mgmt-vrf/location-update) and SDK command tests pass.
  • cargo test -p doublezero-serviceability, cargo test -p doublezero_sdk, make rust-lint pass.

Permission migration series

One of 8 per-domain PRs migrating serviceability instructions to the Permission (authorize()) system. The branches partition the change set with no overlap and can be reviewed and merged independently (only the CHANGELOG entry conflicts trivially).

| PR | Domain | Flag(s) |
|---|---|---|
| #3977 | Governance (globalstate/globalconfig/allowlists) | GLOBALSTATE_ADMIN |
| #3978 | Contributor | CONTRIBUTOR_ADMIN |
| #3979 | Infra (location/exchange) | INFRA_ADMIN |
| #3980 | Devices + interfaces | NETWORK_ADMIN, HEALTH_ORACLE ← this PR |
| #3981 | Links | NETWORK_ADMIN, HEALTH_ORACLE |
| #3982 | Multicast | MULTICAST_ADMIN, ACCESS_PASS_ADMIN |
| #3983 | Tenant | TENANT_ADMIN |
| #3984 | User (update / check_access_pass / check_status) | USER_ADMIN, ACTIVATOR |

…ssion accounts

Migrate Device create/update/delete/resume/sethealth and device interface
create/update/delete to authorize(). Owner-or-privileged instructions accept
the contributor owner OR NETWORK_ADMIN (foundation legacy); sethealth accepts
HEALTH_ORACLE|NETWORK_ADMIN. Internal foundation-only sub-gates now also accept
NETWORK_ADMIN holders (is_privileged). interface/update uses
split_trailing_permission to disambiguate optional accounts from the trailing
Permission PDA. Behavior preserved via the legacy fallback.
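
The gate composition described in this PR, as an added example that is not code from the PR or from doublezero-serviceability. It is a simplified model: the bit positions, the `State` and `Caller` structs, the function bodies, and the rule that a supplied Permission account is judged on its flags alone are all assumptions.

```rust
// Added illustration: a simplified model, not doublezero-serviceability code.
// Bit positions, struct layouts and function bodies are assumptions.
const NETWORK_ADMIN: u64 = 1 << 0;
const HEALTH_ORACLE: u64 = 1 << 1;

struct State {
    require_permission_accounts: bool,   // models the RequirePermissionAccounts switch
    foundation: &'static [&'static str], // legacy foundation allowlist (constructed keys)
    health_oracle: &'static str,         // legacy health-oracle key (constructed)
}

struct Caller {
    key: &'static str,
    permission: Option<u64>, // flags of the Permission account passed, if any
}

/// True when the caller holds at least one of the `required` flags.
fn authorize(state: &State, caller: &Caller, required: u64) -> bool {
    if let Some(flags) = caller.permission {
        return flags & required != 0; // assumption: flags alone decide
    }
    if state.require_permission_accounts {
        return false; // legacy fallback is closed once the switch is on
    }
    // Legacy fallback: map the old key checks onto the flag being asked for.
    (required & NETWORK_ADMIN != 0 && state.foundation.contains(&caller.key))
        || (required & HEALTH_ORACLE != 0 && caller.key == state.health_oracle)
}

/// Owner-or-admin handlers: contributor owner OR NETWORK_ADMIN.
fn can_update_device(state: &State, caller: &Caller, owner: &str) -> bool {
    caller.key == owner || authorize(state, caller, NETWORK_ADMIN)
}

/// sethealth: HEALTH_ORACLE | NETWORK_ADMIN (oracle and foundation paths).
fn can_set_health(state: &State, caller: &Caller) -> bool {
    authorize(state, caller, HEALTH_ORACLE | NETWORK_ADMIN)
}

fn main() {
    let st = State { require_permission_accounts: true, foundation: &["fnd"], health_oracle: "orc" };
    let legacy = Caller { key: "fnd", permission: None };
    let holder = Caller { key: "ops", permission: Some(NETWORK_ADMIN) };
    println!("legacy key, switch on: {}", can_update_device(&st, &legacy, "contrib"));
    println!("NETWORK_ADMIN holder:  {}", can_update_device(&st, &holder, "contrib"));
    println!("holder sethealth:      {}", can_set_health(&st, &holder));
}
```

In this model, the cases worth testing when the switch flips are the legacy foundation and oracle keys that pass no Permission account (denied once it is on) and the contributor owner (allowed either way).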