Skip to content

feat: Check subnet admins in deterministic state machine#8912

Open
dsarlis wants to merge 23 commits intodfinity:masterfrom
dsarlis:dimitris/check-super-users
Open

feat: Check subnet admins in deterministic state machine#8912
dsarlis wants to merge 23 commits intodfinity:masterfrom
dsarlis:dimitris/check-super-users

Conversation

@dsarlis
Copy link
Contributor

@dsarlis dsarlis commented Feb 18, 2026

This PR builds on top of #8731 to add the checks related to the new subnet admins field and actions they can perform on canisters. Specifically, the subnet admins can stop, start, uninstall, delete and get the status of canisters but they cannot for example install_code on them.

The field is read from the registry and stored in the NetworkTopology which can then be read by the Deterministic State Machine to perform any necessary checks. A new function validate_controller_or_subnet_admin is added that performs the required checks. This function replaces the old one in the endpoints that are allowed to be called by subnet admins. In case the subnet admins field is empty, this function returns the same error as before (for backward compatibility), otherwise a new error is returned that captures the fact that the caller is neither a controller or subnet admin.

Given that the ability to update the admins list is still under development (see #8911), this PR should currently act a no-op as all subnets have an empty subnet admins list.

@dsarlis dsarlis requested a review from a team as a code owner February 18, 2026 08:55
@github-actions github-actions bot added the feat label Feb 18, 2026
@github-actions
Copy link
Contributor

@basvandijk basvandijk added the security-review-passed IDX or InfraSec have concluded it's safe to run CI on the external PR. label Feb 18, 2026
@dsarlis
Copy link
Contributor Author

dsarlis commented Feb 18, 2026

Related spec change: dfinity/portal#6196.

Copy link
Contributor

@mraszyk mraszyk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd introduce a dedicated CanisterManagerError (since the subnet record is public anyway) and harden the unit test. Otherwise LGTM

@dsarlis dsarlis changed the title feat: Check super users in deterministic state machine feat: Check subnet admins in deterministic state machine Feb 18, 2026
@dsarlis dsarlis requested a review from a team as a code owner February 19, 2026 13:54
@dsarlis dsarlis requested a review from mraszyk February 19, 2026 14:14
@dsarlis
Copy link
Contributor Author

dsarlis commented Feb 19, 2026

Note that I had to move the subnet_admins field from RegistryExecutionSettings to NetworkTopology since we need access to it in the query handler (for canister_status query calls). It comes with the usual set of changes in protobuf structs and what not.

One thing I do not recall, is whether this change requires a new version of canonical state -- no tests failed there which would seem to indicate that we don't need one?

@mraszyk
Copy link
Contributor

mraszyk commented Feb 19, 2026

One thing I do not recall, is whether this change requires a new version of canonical state -- no tests failed there which would seem to indicate that we don't need one?

We are not mapping anything new in the state tree so no new version is needed.

dsarlis and others added 3 commits February 20, 2026 11:23
Co-authored-by: mraszyk <31483726+mraszyk@users.noreply.github.com>
Co-authored-by: mraszyk <31483726+mraszyk@users.noreply.github.com>
Co-authored-by: mraszyk <31483726+mraszyk@users.noreply.github.com>
dsarlis and others added 5 commits February 20, 2026 11:30
Co-authored-by: mraszyk <31483726+mraszyk@users.noreply.github.com>
Co-authored-by: mraszyk <31483726+mraszyk@users.noreply.github.com>
Co-authored-by: mraszyk <31483726+mraszyk@users.noreply.github.com>
Co-authored-by: mraszyk <31483726+mraszyk@users.noreply.github.com>
@dsarlis dsarlis requested a review from mraszyk February 20, 2026 10:17
Copy link
Contributor

@mraszyk mraszyk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I also realized we don't have tests that subnet admins could use the query endpoint for canister status, but I don't have a strong opinion on the necessity of such a test.

@dsarlis
Copy link
Contributor Author

dsarlis commented Feb 20, 2026

I also realized in a live discussion with @nathanosdev that I missed updating the ingress filter check to not allow ingress messages to the subnet admin endpoints if a subnet admin is not the sender. I'll also fix that.

@mraszyk
Copy link
Contributor

mraszyk commented Feb 20, 2026

I missed updating the ingress filter check to not allow ingress messages to the subnet admin endpoints if a subnet admin is not the sender

Don't you need to relax this:

                        match canister.controllers().contains(&sender.get()) {
                            true => Ok(()),
                            false => Err(UserError::new(
                                ErrorCode::CanisterInvalidController,
                                format!(
                                    "Only controllers of canister {canister_id} can call ic00 method {method_name}",
                                ),
                            )),
                        }

@dsarlis
Copy link
Contributor Author

dsarlis commented Feb 20, 2026

I missed updating the ingress filter check to not allow ingress messages to the subnet admin endpoints if a subnet admin is not the sender

Don't you need to relax this:

                        match canister.controllers().contains(&sender.get()) {
                            true => Ok(()),
                            false => Err(UserError::new(
                                ErrorCode::CanisterInvalidController,
                                format!(
                                    "Only controllers of canister {canister_id} can call ic00 method {method_name}",
                                ),
                            )),
                        }

Yes, I meant I'll need to update the check to be "controller or subnet admin is allowed" for the methods that this applies to.

@dsarlis dsarlis requested a review from a team as a code owner February 20, 2026 15:35
@github-actions github-actions bot added the @idx label Feb 20, 2026
@github-actions
Copy link
Contributor

@dsarlis dsarlis requested a review from basvandijk February 20, 2026 16:01
@github-actions
Copy link
Contributor

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

external-contributor feat @ic-interface-owners @idx security-review-passed IDX or InfraSec have concluded it's safe to run CI on the external PR.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants

Comments