Skip to content

serviceability: authorize multicast instructions via Permission accounts#3982

Open
juan-malbeclabs wants to merge 2 commits into
mainfrom
perm-multicast
Open

serviceability: authorize multicast instructions via Permission accounts#3982
juan-malbeclabs wants to merge 2 commits into
mainfrom
perm-multicast

Conversation

@juan-malbeclabs

@juan-malbeclabs juan-malbeclabs commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Summary

Gate MulticastGroup instructions via authorize(), preserving the group-owner path:

  • Group CRUD (create/update/suspend/reactivate/delete) on MULTICAST_ADMIN
  • Publisher allowlist add/remove: mgroup.owner OR MULTICAST_ADMIN
  • Subscriber allowlist add/remove: mgroup.owner OR ACCESS_PASS_ADMIN (foundation/sentinel/feed legacy)

The add handlers carry an optional user_payer account; they use split_trailing_permission so the SDK-appended Permission PDA is distinguished by PDA match rather than a fragile total-account-count heuristic (which fixes a latent ambiguity).

Behavior preserved via the legacy fallback while RequirePermissionAccounts is off. One PR per domain; see PERMISSION.md.

Testing Verification

  • MulticastGroup CRUD, publisher-allowlist, and subscriber-allowlist integration suites (incl. with/without user_payer, sentinel, feed-authority, allow_multiple_ip) and SDK command tests pass.
  • cargo test -p doublezero-serviceability, cargo test -p doublezero_sdk, make rust-lint pass.

Permission migration series

One of 8 per-domain PRs migrating serviceability instructions to the Permission (authorize()) system. The branches partition the change set with no overlap and can be reviewed and merged independently (only the CHANGELOG entry conflicts trivially).

PR Domain Flag(s)
#3977 Governance (globalstate/globalconfig/allowlists) GLOBALSTATE_ADMIN
#3978 Contributor CONTRIBUTOR_ADMIN
#3979 Infra (location/exchange) INFRA_ADMIN
#3980 Devices + interfaces NETWORK_ADMIN, HEALTH_ORACLE
#3981 Links NETWORK_ADMIN, HEALTH_ORACLE
#3982 Multicast MULTICAST_ADMIN, ACCESS_PASS_ADMIN ← this PR
#3983 Tenant TENANT_ADMIN
#3984 User (update / check_access_pass / check_status) USER_ADMIN, ACTIVATOR

Migrate MulticastGroup create/update/suspend/reactivate/delete to authorize()
with MULTICAST_ADMIN, and the publisher/subscriber allowlist add/remove to
'mgroup owner OR MULTICAST_ADMIN' (publisher) / 'mgroup owner OR
ACCESS_PASS_ADMIN' (subscriber), preserving the mgroup-owner path. The add
handlers use split_trailing_permission to disambiguate the optional user_payer
account from the trailing Permission PDA. Behavior preserved via the legacy
foundation/sentinel/feed fallback.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant