-
Notifications
You must be signed in to change notification settings - Fork 3.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Minimal x/gov & x/group Alignment #9438
Comments
Tagging as "Needs Architecture Review" to remind me to present this at this Friday's architecture call. |
@cmwaters green light to move forward on this. We will need to write an ADR to document the changes. Let's chat to coordinate the on that. |
In the use cases in #9708 which I believe are mostly covered by this design, the idea that an admin might want to change a test account balance is proposed. I wonder, should we allow root to execute any arbitrary sdk.Msg regardless of the signer, and in turn delegate this through x/authz? I think maybe yes since that's what governance should be able to do, right? It could on the other hand increase attack surface area. I realize that changing an account balance still wouldn't quite be possible because coins would need to be minted and currently there is no way to do this with If we were going to implement this, my current thought is that maybe |
This is definitely a cool approach to achieving the same result in the admin module but I'm wondering how to achieve this while maintaining security best practices. Is there a way to prevent the hub from using this functionality or limit any risk of exploit? Ideally authz would let us leverage our capability model to only allow the most granular permission required. Until recently I didn't think the admin module would ever run on a production chain, so the security model didn't matter as much. On the last interchain staking call @okwme saw some utility for an admin module running on a baby chain where an interchain account from the hub's gov module could modify baby chain gov params, thereby allowing the baby chain to operate without its own token. I don't love this approach tbh, kind of a backdoor that breaks the sdk's security model. |
The x/authz approach allows for configurable granularity and I think that's definitely preferable for production use cases. |
Currently, I've swapped out the gov router for Also, the way I understand On a different note, I'm not sure what the security model is with MsgServiceRouter. It seems like any module is able to send messages to any other module. |
I think we covered most of this in our sync, but just for others in this thread, yes root could use |
I wanted to follow up with @cmwaters 's question about permissions around other module accounts like distribution. The feature I'm mostly thinking about was outlined in this issue #9689. Essentially for Interchain Accounts to be leveraged by the governance module two things would need to happen: 1) the gov module needs to create outgoing Interchain Account messages (I expected this to be a custom proposal type but could also be taken care of by this work) and 2) the ability for the community pool to execute IBC transfers so that funds can be moved across chains into the interchain account that is controlled by the origin chain. Both of these would be possible with this work but only if the community pool was held by the root account. Currently the community pool funds are held by the distribution module account. Is there a plan in place to ensure that the execution of messages on behalf of this root account by Groups subcommittees can also access the community pool? Also I'd just like to confirm whether it's possible to create a group that completely replicates (and stays in sync) with the delegated voting capabilities of the gov module? |
also, is the upgrade proposal going to become a standard message type as part of this? |
I think the main thing is to allow x/gov to control multiple addresses, which is straightforward. It's either a list of allowed addresses or x/gov can send any message at all. Maybe this is a configurable param that provides some control over x/gov's authority. x/gov could theoretically execute any message at all and make an authorization grant on behalf of any address.
I'm not understanding. Can you explain more?
yes |
ok cool, I discussed this a bit more with @cmwaters today too and i'm getting a better picture of how this covers all the bases (but after writing through the story below I'm afraid there may be issues).
I had it backwards, please ignore that question. I'm very wary of the gov module being able to out of the gate execute messages from any account, but I like the idea of a configured list of accounts that could be set at genesis (or potentially voted in). I can see how authz is a solution for this. My assumption is that even if prop 52 fails there will be more and more opportunities for the community pool to participate in interchain defi and making this non-custodial will become important as the stakes get higher. For the user story of replacing prop 52 with a non-custodial version it might look like:
Actually I think this won't work. First off, IBC messages would need to wait until the entire sequence is complete before executing follow up messages. Secondly, it actually requires the results of some initial transactions to be used as parameters of the follow up transactions. I'd imagine that would get really messy to try to do programatically @seantking can you confirm whether the What are the other use stories that these changes are prioritizing? I can think of a couple now but I'd be curious as to the others i'm missing:
|
Some cool ideas.
I remember Sean telling me that anyone can create an interchain account but only gov can register it. So I would assume it would be known in advance.
Are you not able to bundle a set of transactions into a single IBC packet and make it atomic since it's all going to the same chain.
basically. Although the distribution module has this blocklist that prevents money going to certain accounts |
If the interchain account address were deterministic, that could work but I have no idea. An IBC bundle packet also sounds like it could help. It almost sounds like this use case needs some lightweight scripting support where you can get the return value of It may be though that you need to split it up into two proposals - one to create the account and the other to perform actions. Maybe the second at least can be atomic.
we have explored ways to convert existing accounts to group accounts via ADR 032 (account rekeying) and it's in the roadmap, just not right away |
## Description Ref: #9438 This PR performs the major work of swapping out the v1beta1 msg server and query server for the new one which can process a proposal as an array of messages. This PR still retains the legacy servers which simply wrap around the new ones, providing the same interface as before. In order to keep backwards compatibility, a new msg, `MsgExecLegacyContent` has been created which allows `Content` to become a `Msg` type and still be used as part of the new implementation. --- ### Author Checklist *All items are required. Please add a note to the item if the item is not applicable and please add links to any relevant follow up issues.* I have... - [ ] included the correct [type prefix](https://github.com/commitizen/conventional-commit-types/blob/v3.0.0/index.json) in the PR title - [ ] added `!` to the type prefix if API or client breaking change - [ ] targeted the correct branch (see [PR Targeting](https://github.com/cosmos/cosmos-sdk/blob/master/CONTRIBUTING.md#pr-targeting)) - [ ] provided a link to the relevant issue or specification - [ ] followed the guidelines for [building modules](https://github.com/cosmos/cosmos-sdk/blob/master/docs/building-modules) - [ ] included the necessary unit and integration [tests](https://github.com/cosmos/cosmos-sdk/blob/master/CONTRIBUTING.md#testing) - [ ] added a changelog entry to `CHANGELOG.md` - [ ] included comments for [documenting Go code](https://blog.golang.org/godoc) - [ ] updated the relevant documentation or specification - [ ] reviewed "Files changed" and left comments if necessary - [ ] confirmed all CI checks have passed ### Reviewers Checklist *All items are required. Please add a note if the item is not applicable and please add your handle next to the items reviewed if you only reviewed selected items.* I have... - [ ] confirmed the correct [type prefix](https://github.com/commitizen/conventional-commit-types/blob/v3.0.0/index.json) in the PR title - [ ] confirmed `!` in the type prefix if API or client breaking change - [ ] confirmed all author checklist items have been addressed - [ ] reviewed state machine logic - [ ] reviewed API design and naming - [ ] reviewed documentation is accurate - [ ] reviewed tests and test coverage - [ ] manually tested (if applicable)
@blushi could this be closed? |
We just finished audit and QA tests on both gov and group, so let's close this! 🎉 |
## Description Ref: cosmos#9438 This PR performs the major work of swapping out the v1beta1 msg server and query server for the new one which can process a proposal as an array of messages. This PR still retains the legacy servers which simply wrap around the new ones, providing the same interface as before. In order to keep backwards compatibility, a new msg, `MsgExecLegacyContent` has been created which allows `Content` to become a `Msg` type and still be used as part of the new implementation. --- ### Author Checklist *All items are required. Please add a note to the item if the item is not applicable and please add links to any relevant follow up issues.* I have... - [ ] included the correct [type prefix](https://github.com/commitizen/conventional-commit-types/blob/v3.0.0/index.json) in the PR title - [ ] added `!` to the type prefix if API or client breaking change - [ ] targeted the correct branch (see [PR Targeting](https://github.com/cosmos/cosmos-sdk/blob/master/CONTRIBUTING.md#pr-targeting)) - [ ] provided a link to the relevant issue or specification - [ ] followed the guidelines for [building modules](https://github.com/cosmos/cosmos-sdk/blob/master/docs/building-modules) - [ ] included the necessary unit and integration [tests](https://github.com/cosmos/cosmos-sdk/blob/master/CONTRIBUTING.md#testing) - [ ] added a changelog entry to `CHANGELOG.md` - [ ] included comments for [documenting Go code](https://blog.golang.org/godoc) - [ ] updated the relevant documentation or specification - [ ] reviewed "Files changed" and left comments if necessary - [ ] confirmed all CI checks have passed ### Reviewers Checklist *All items are required. Please add a note if the item is not applicable and please add your handle next to the items reviewed if you only reviewed selected items.* I have... - [ ] confirmed the correct [type prefix](https://github.com/commitizen/conventional-commit-types/blob/v3.0.0/index.json) in the PR title - [ ] confirmed `!` in the type prefix if API or client breaking change - [ ] confirmed all author checklist items have been addressed - [ ] reviewed state machine logic - [ ] reviewed API design and naming - [ ] reviewed documentation is accurate - [ ] reviewed tests and test coverage - [ ] manually tested (if applicable)
There is a longer conversation happening in #9066 around integration and de-duplication of x/gov and x/group, however, in order to bring some immediate benefit from x/authz and x/group to on-chain governance, I propose the following "minimal" changes to x/gov:
root
account that x/gov controlssdk.Msg
s which are only executable byroot
in their respective modules (i.e. x/param, x/upgrade, etc.)This will allow x/gov to use x/authz to delegate permissions from
root
to other "working groups" managed by x/group./cc @cmwaters @hxrts @blushi
The text was updated successfully, but these errors were encountered: