I would like to use roles to identify what an organization can do in my hyperledger fabric blockchain, so, if org1 is an distributor it can call the contract1 and the contract2 but org2 that has an auditor role can only call contract2.
I am planning of doing it, by storing the msp roles in the blockchain and querying them in the contract to do the validation, and this roles can be stored in the blockchain on the instantiate method.
Something like this:
public async contract1(ctx: context) {
const cid = ctx.clientIdentity;
const role = await ctx.stub.getState(cid);
if (role === 'auditor') {
throw new Error('An Auditor can not issue a transference');
}
....
return response;
}
Is there a better way to associate a role to an mspid? Like directly on the certificate? But if the organization manages the CA, how can I warranty that they don't give themselves super powers and super roles? Or should I check directly on my code for each mspId?
Thanks
I am planning of doing it, by storing the msp roles in the blockchain
and querying them in the contract to do the validation, and this roles
can be stored in the blockchain on the instantiate method.
I think your approach is reasonable. It's open to changes and extensions later on.
Is there a better way to associate a role to an mspid? Like directly
on the certificate?
Embedding Attributes in Certs: As you mentioned, we cannot trust attributes on certificates on organization-wise roles. Our system knows about the root certificate of organizations, so only these can be our reference for such solution. Since client certificates are sighed with these root certificates, we can reach these certificate's issuer certificate as well. If we enforce organizations to put some attributes there, this would bring us a solution. This enforcement occurs during on-boarding time and validated manually by admins. Obviously this is a bad approach. Because it's static and we enforce some certificate actions for our custom solution, etc.
Here is a quick and dirty solution method I used before:
Embedding roles on MSP IDs: This is really a quick and dirty solution. i.e. MSP ID will be set as Org1_xyz where x, y and z are the different roles. You can easily get client's MSP ID and extract the organization's roles from here. It's a safe method since MSP ID is assigned to an organization by the admins during introducing the organization to the system channel. Afterwards it's not changeable at all and also this is information is very dependent on a chaincode logic, where MSP IDs are on higher level definition.
Relying on the contents of an enrollment certificate does indeed introduce a lot of trust on the CA issuing the cert. I know this is the idea behind attribute based access control (ABAC), and in some cases will work, but the trust issues are significant as any CA can issue a certificate with arbitrary "roles". I think the only real way to handle this is to maintain in chaincode a list of identities that you want to grant access to certain functions. Basically create your own access control lists that are maintained onchain.
Related
I need to know about Hyperledger fabric and fabric CA
1. How to create the orderer and peer certificate and key pair using fabric-ca
2. How to query the affiliation and CA name using fabric, do we need to write chain code and query them, or can I query them without using chain code through fabric node js.
3. I see Domain in crypto-config file. Do I need run any domain service or need to buy some domain name. If I am using fabric ca is there anything equivalent to a cryoto-config domain?
4. Is it possible to update the member details once it's created? If it's possible, if I change the password of the member or affiliation of the member does the certificate will get reflect to?
By registering entities, enrolling both MSP and TLS profiles, and copying missing stuff between folders. Make your own scripts if you wish. https://hyperledger-fabric-ca.readthedocs.io/en/release-1.4/users-guide.html#fabric-ca-client https://hyperledger-fabric-ca.readthedocs.io/en/latest/clientcli.html
https://fabric-sdk-node.github.io/release-1.4/FabricCAServices.html https://godoc.org/github.com/hyperledger/fabric-sdk-go/pkg/client/msp
That domain in crypto-config is used to compound peer and orderer domain/names, as you should have observed. As always, you can buy a domain, use docker internal name services or work directly with IP addresses if you wish. Everything works if you configure it correctly. Be careful that TLS certificates include the domain name or IP used in CN or SAN fields (--csr.hosts parameter in fabric-ca-client).
You can edit an identity, enroll the new certificates that reflect those changes and update your nodes with them whenever you want. Be careful that certificates inside admin folder define which certificates are recognised as admin (the admin role is per certificate, not per identity), so re-enrolling an admin certificate can be tiresome.
We set up Hyperledger Fabric and added two channels (for two different applications). We also registered two users in our Organization (one for each application). We should restrict access to each channel so only the corresponding user can read and write based on affiliation or OU of the user.
We checked Hyperledger Fabric documentation on channel policies and did not find any indication on how to use OU or affiliation (i.e. conditions that go beyond "must be member of orgX").
From what I've read so far, I got the impression that restrictions within the organization can only be enforced in chaincode, but not by using policies (this is also indicated in this question).
Is this really the way to go? Is there no possibility to restrict access to either a OU or an attribute like affiliation by just using the channel policy?
You can define an MSP that is defined with the OU you have in mind, and then the user will have to belong to that MSP and use a certificate with that OU when it sends transactions.
Background
I am studying the hyperledger fabic tutorial: Building Your First Network (BYFN), and studying the details of the scripts. The source codes can be found here.
Question
The commandbyfn.sh generate runs cryptogen generate ./config=./crypto-config.yaml and then generates certificates. A directory crypto-config/ is produced with sub-directories ordererOrganization/ and peerOrganizations/.
In the path crypto-config/peerOrganizations/org1.example.com/. It consists of
ca/
msp/
peers
tlsca/
users/
I have difficulties in understanding the structures in this directory.
Q1: There are certs and private keys in ca/, msp/ and tlsa/. But what are they representing? and why do we need them? It confuses me because inside directory of peer/, there are also msp/ and tls/.
Q2: What is the purpose of users/ directory? (I only know the network has peers and orderers). Are user and admin representing the end-users for this organization? and what is the difference between user and admin? Take this network picture for example, where are user and admin?
Many Thanks
So, public channel configuration is loaded only with what is found under msp/.
This is used to verify certificates of clients, and network nodes (peers, orderers).
The ca/ folder just represents what a CA would have had it exited.
The tlsca/ folder is basically used to define the same thing the ca/ folder, only for TLS certificates. In fabric, there is a different certificate chain for TLS and for enrollment certificates.
Now, the peers, orderers , users contain the material for the local MSP of the node, as well as its signing identity (certificate, and private key).
The user is basically anyone that can authenticate to fabric as a client, and an admin is a special type of users who is authorized to sign transactions that have administrative changes on the organization it belongs to, like - adding anchor peers when sending a configuration transaction to the orderer, or - instantiating chaincode.
I wanted to understand how are participants tied with Organization when we define the model.
For example if I have 3 participants(Grower, Shipper, Trader) and have a network of 3 organization(OrgGrower,OrgShipper, OrgTrader)
then will adding participants how is the one to one relationship mapped between Participants and Organization.
I want to do all this via Web site and give access to administrator for adding only there participants and but also want to
have a super admin which has access to all the organization. Is this achievable via Hyperledger composer
Answered same posting on Rocket Chat:
In Composer a Participant is just a data item, specifically an object in a Participant Registry. A Participant cannot access the Business Network on the Fabric until an Identity has been Issued to and bound to that Participant. Identities are generated by the CA which belongs to an Organisation. A user (administrator) with an Identity can create Participants if they have the ACL access to do so, but only an Identity with specific rights in the CA can issue Identities. This doc describes Participants and Identities in more detail: https://hyperledger.github.io/composer//managing/participantsandidentities
I don't know if CAs can 'cross certify' to allow your Super Admin to issue identities for the 3 CAs (Organizations). There is a #fabric-ca channel that should be able to answer that question.
I do want to implement my own identity version of MSP. I mean instead of default PKI based Identity validation, signature verification, I would like to do that using token based identity validation and signature verification.
Please let me know if it is possible to override the default certificate based authentication/validation with custom authentication and validation in MSP.
Regards,
vdr
Yes, it is possible to support multiple types of MSPs. The design is to support multiple types of identities (i.e. MSP types) concurrently, not just one at a time. This means that one organization may use the default X509-based type of identities, another organization may use the idemix (short for "Identity Mixer") type of identities, and another organization may use yet another type. These three organizations can transact on a single channel.
An idemix MSP type is currently being implemented which supports advanced crypto based on zero-knowledge proof. You can look at fabric/msp/idemixmsp.go in the master branch to get a feel for how to implement your own MSP type. But before starting, I would encourage you to see if idemix will meet your needs. You could also ask more specific questions on the #fabric-crypto rocket chat channel if you want to learn more about idemix.