I know that each entity in the Hyperledger network needs an Identity. This identity is given by a certificate authority. The local and channel MSPs map this identity to an organization and give the identity a role.
A couple of questions:
What are the roles I can choose from? I know for example there is a role 'Admin', but what else?
Does each role have a specific access, or do I need to specify this somewhere?
Is this a possible scenario: a user with the role 'Reader' and a peer with the role 'Reader'? Or do identities other than users have totally different roles?
Does each node have all the channel MSPs?
Let's say I have a peer with the role 'Admin' and a user with the role 'Admin'. What is the difference?
Q1: Different roles in the fabric
Admin
Writer
Reader
Q2: Yes, each role has specific access. While creating a channel we need to define all roles. Admin can do configuration block changes as per policies defined.
There are two types of policies
Signature Policy
ImplicitMeta Policy
The Reader can only read transactions, whereas the Writer can invoke a transaction. We define all policies in the channel configuration block.
Q3: Only an Organization (Orderer Organization, Peer Organization) has users, not a peer, so a user can be one of (Admin, Reader, Writer).
Q4: There are two types of MSP
Channel MSP
Local MSP
channel configuration (channel MSPs), and locally on an actor’s premise (local MSP). Local MSPs are defined for clients (users) and for nodes (peers and orderers). Node local MSPs define the permissions for that node (who the peer admins are, for example). The local MSPs of the users allow the user side to authenticate itself in its transactions as a member of a channel (e.g. in chaincode transactions), or as the owner of a specific role into the system (an org admin, for example, in configuration transactions).
Q5: Only a user of an Organization has the role of Admin. I don't think a peer has an admin role; rather, a peer comes under some organization, which will have some users (an Admin user would be one of them).
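Added example, not code from the answer above or from Fabric's own code base: a small Go model of how the Reader, Writer and Admin roles are enforced by the two policy types the answer names. A Signature policy is an N-of-M rule over MSP principals such as "Org1MSP.admin"; an ImplicitMeta policy aggregates the per-organization policy of the same name with ANY, ALL or MAJORITY. The MSP IDs, the signer sets, and the greedy one-signature-per-principal matching are assumptions made for this example; Fabric's real evaluator handles more principal types than the two roles modelled here.

```go
package main

import "fmt"

// Signer is an identity that signed a request, after its MSP has classified
// it: the MSP ID plus the role the MSP assigned ("admin" or "member").
type Signer struct{ MSP, Role string }

// Policy is anything a set of signers can satisfy. used[i] marks signers a
// rule has already consumed, so one signature cannot count twice inside the
// same signature policy.
type Policy interface {
	Satisfied(signers []Signer, used []bool) bool
}

// SignedBy is one principal of a signature policy, e.g. "Org1MSP.admin".
// Role "member" matches any identity of that MSP (admins included); any
// other role must match exactly.
type SignedBy struct{ MSP, Role string }

func (p SignedBy) Satisfied(signers []Signer, used []bool) bool {
	for i, s := range signers {
		if !used[i] && s.MSP == p.MSP && (p.Role == "member" || p.Role == s.Role) {
			used[i] = true
			return true
		}
	}
	return false
}

// NOutOf is the combinator behind OR(...) and AND(...) in configtx.yaml:
// at least N of its rules must be satisfied.
type NOutOf struct {
	N     int
	Rules []Policy
}

func (p NOutOf) Satisfied(signers []Signer, used []bool) bool {
	hits := 0
	for _, r := range p.Rules {
		if r.Satisfied(signers, used) {
			hits++
		}
	}
	return hits >= p.N
}

func OR(rules ...Policy) Policy  { return NOutOf{1, rules} }
func AND(rules ...Policy) Policy { return NOutOf{len(rules), rules} }

// ImplicitMeta is the channel-level rule "<ANY|ALL|MAJORITY> <Name>": it
// evaluates the policy called Name in every member org (each against the
// full set of signers) and requires that share of them to pass.
type ImplicitMeta struct {
	Rule string // "ANY", "ALL" or "MAJORITY"
	Name string // sub-policy name, e.g. "Admins"
	Orgs map[string]map[string]Policy
}

func (p ImplicitMeta) Satisfied(signers []Signer, used []bool) bool {
	total, hits := 0, 0
	for _, policies := range p.Orgs {
		sub, ok := policies[p.Name]
		if !ok {
			continue
		}
		total++
		scratch := make([]bool, len(signers)) // each org's policy sees all signers
		copy(scratch, used)
		if sub.Satisfied(signers, scratch) {
			hits++
		}
	}
	switch p.Rule {
	case "ANY":
		return hits >= 1
	case "ALL":
		return total > 0 && hits == total
	case "MAJORITY":
		return total > 0 && hits > total/2
	}
	return false
}

// Evaluate runs a policy against a fresh set of signers.
func Evaluate(p Policy, signers ...Signer) bool {
	return p.Satisfied(signers, make([]bool, len(signers)))
}

// orgPolicies mirrors the Readers/Writers/Admins block each org carries in
// configtx.yaml: any member may read or write, only an admin is an admin.
func orgPolicies(msp string) map[string]Policy {
	return map[string]Policy{
		"Readers": OR(SignedBy{msp, "member"}),
		"Writers": OR(SignedBy{msp, "member"}),
		"Admins":  OR(SignedBy{msp, "admin"}),
	}
}

// Demo builds a three-org channel with constructed MSP IDs and reports which
// requests the channel-level Readers and Admins policies accept.
func Demo() map[string]bool {
	orgs := map[string]map[string]Policy{}
	for _, id := range []string{"Org1MSP", "Org2MSP", "Org3MSP"} {
		orgs[id] = orgPolicies(id)
	}
	readers := ImplicitMeta{"ANY", "Readers", orgs}
	admins := ImplicitMeta{"MAJORITY", "Admins", orgs}
	member1, admin1, admin2 := Signer{"Org1MSP", "member"}, Signer{"Org1MSP", "admin"}, Signer{"Org2MSP", "admin"}
	outsider := Signer{"OrgXMSP", "member"} // MSP not in the channel config
	return map[string]bool{
		"member reads":             Evaluate(readers, member1),
		"admin reads":              Evaluate(readers, admin1), // admins are members too
		"outsider reads":           Evaluate(readers, outsider),
		"member changes config":    Evaluate(admins, member1),
		"one admin changes config": Evaluate(admins, admin1), // 1 of 3 is no majority
		"two admins change config": Evaluate(admins, admin1, admin2),
	}
}

func main() { fmt.Println(Demo()) }
```

The part worth noticing is the used slice: inside one Signature policy a signature is consumed by the first principal it matches, so AND('Org1MSP.member', 'Org1MSP.member') needs two distinct Org1 identities, while an ImplicitMeta rule evaluates each organization's sub-policy against the full signer set, which is why a MAJORITY Admins rule over three orgs needs admins from two of them.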
Related
In Hyperledger, does the decentralization end at the organization level?
Or can it also be extended beyond the organization level, i.e. to the peer and client level?
According to what I understand, if he/she wants, the Admin of an organization is able to control everything, take control of any Peer/Client/Member, access their rights and do transactions in their name.
Can we say that the Admin completely owns the organization?
Not sure you can say that an Admin completely owns the organization. What an admin or non-admin user can do is determined by access control lists. These determine who can do what. When combined with endorsement policies, one can ensure that changes require decentralized agreement.
We set up Hyperledger Fabric and added two channels (for two different applications). We also registered two users in our Organization (one for each application). We should restrict access to each channel so only the corresponding user can read and write based on affiliation or OU of the user.
We checked Hyperledger Fabric documentation on channel policies and did not find any indication on how to use OU or affiliation (i.e. conditions that go beyond "must be member of orgX").
From what I've read so far, I got the impression that restrictions within the organization can only be enforced in chaincode, but not by using policies (this is also indicated in this question).
Is this really the way to go? Is there no possibility to restrict access to either an OU or an attribute like affiliation by just using the channel policy?
You can define an MSP that is defined with the OU you have in mind, and then the user will have to belong to that MSP and use a certificate with that OU when it sends transactions.
In the Fabric Java SDK code, there are two concepts for an org:
PeerAdmin: https://github.com/hyperledger/fabric-sdk-java/blob/master/src/test/java/org/hyperledger/fabric/sdkintegration/End2endIT.java#L312
Admin: https://github.com/hyperledger/fabric-sdk-java/blob/master/src/test/java/org/hyperledger/fabric/sdkintegration/End2endIT.java#L315
Could any expert tell me what is the difference between them? Thank you.
There are two planes of authentication in each Fabric peer/orderer:
Channel authentication, that is derived from the "channel MSP" which is constructed from the channel configuration (i.e. from the genesis block) - Identities that are specified in the channel configuration as admins can perform administrative operations on channels, such as creating new channels, or modifying channels, etc.
Local authentication, that is derived from the "local MSP" - Identities that are specified in the local configuration (sampleconfig/msp/admincerts) can perform administrative operations that have no channel context, such as installing chaincodes, and joining peers to channels.
I read the docs on Hyperledger Fabric Membership Service Providers (MSPs) and not everything was really clear to me.
The link to the part of the docs on MSPs is this:
https://hyperledger-fabric.readthedocs.io/en/release-1.2/membership/membership.html
Quote from the docs:
This is where a Membership Service Provider (MSP) comes into play —
it identifies which Root CAs and Intermediate CAs are trusted to
define the members of a trust domain, e.g., an organization, either by
listing the identities of their members, or by identifying which CAs
are authorized to issue valid identities for their members, or — as
will usually be the case — through a combination of both.
My understanding of this paragraph is this: An MSP of OrgX either has a list of OrgX's members (so a participant on the network can simply be checked against the list) or, alternatively, the MSP defines which Certificate Authority is allowed to issue identities for members of OrgX.
Is this understanding correct?
If an MSP of OrgX defines the Certificate Authority that is allowed to issue identities to members of OrgX, then how does this protect the network from unwanted participants entering? Let's say that the MSP of OrgX uses "Symantec" as its CA. So everybody with a certificate from Symantec is regarded as member of OrgX and can participate in the network. But what if I (who is not a member of OrgX) get myself a certificate from "Symantec"? Am I now automatically considered a member of OrgX and can join the network?
There are channel MSPs and local MSPs. According to the docs, both the channel MSP and the local MSP define which identities belong to a certain organisation (for example, OrgX). But what's the point of instantiating the channel MSP to nodes, if the channel MSP contains the same information as the local MSP (namely basically a list of identities)?
My understanding of this paragraph is this: An MSP of OrgX either has
a list of OrgX's members (so a participant on the network can simply
be checked against the list) or, alternatively, the MSP defines which
Certificate Authority is allowed to issue identities for members of
OrgX. Is this understanding correct?
Correct. But... in practice, the only certificates that are explicitly configured in the MSP are administrator certificates. The rest are not configured, and are verified by standard x509 PKI validation (finding a validation path to some intermediate or root CA), while the admin certificates are identified by a byte-by-byte comparison.
If an MSP of OrgX defines the Certificate Authority that is allowed to
issue identities to members of OrgX, then how does this protect the
network from unwanted participants entering?
Unwanted participants are not expected to have a private key that has a corresponding certificate that is issued by OrgX.
Let's say that the MSP of OrgX uses "Symantec" as its CA. So everybody
with a certificate from Symantec is regarded as member of OrgX and can
participate in the network. But what if I (who is not a member of
OrgX) get myself a certificate from "Symantec"? Am I now automatically
considered a member of OrgX and can join the network?
If you get a private key corresponding to the public key of a certificate that is issued by Symantec's CA, and the CA has a certificate that is configured as a root CA or intermediate CA in the fabric channel config, then - you can authenticate as a member of OrgX.
There are channel MSPs and local MSPs. According to the docs, both the
channel MSP and the local MSP define which identities belong to a
certain organisation (for example, OrgX). But what's the point of
instantiating the channel to nodes, if the channel MSP contains the
same information as the local MSP (namely basically a list of
identities)?
The channel MSP doesn't contain the same information as the local MSP.
The local MSP contains only information regarding the organization that the local MSP's node (peer, orderer) belongs to.
However - a channel MSP, can contain information about any organization that is a member of the channel.
Actually, a channel has several MSPs - 1 for each organization!
Consider an example - you have orgs A, B, C in channel Foo.
So, the channel configuration would have 3 MSPs - each used to verify an identity belonging to the corresponding organization.
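Added example, not code from this answer or from Fabric: a Go model of the verification this answer describes, and of the OU-restricted MSP suggested in the earlier answer about limiting a channel to one OU. Admin certificates are matched byte-for-byte; every other certificate must chain to a root CA configured for that organization's MSP; and a channel carries one such MSP per member organization, each tried in turn. The CAs, certificates, MSP IDs and the RequireOU field are constructed for this example (Fabric expresses OU restrictions through its MSP OU identifier configuration, not through a field of this name).

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// OrgMSP is a simplified model of one organization's entry in a channel
// configuration; RequireOU is a hypothetical field standing in for Fabric's
// OU identifier configuration.
type OrgMSP struct {
	ID        string
	Roots     *x509.CertPool // trusted root CAs
	Admins    [][]byte       // DER of admin certs, matched byte-by-byte
	RequireOU string         // "" means any OU is accepted
}

// Classify returns "admin" on an exact match against a configured admin cert,
// "member" if the cert chains to a trusted root (and carries RequireOU, if
// set), and "none" otherwise.
func (m *OrgMSP) Classify(cert *x509.Certificate) string {
	for _, a := range m.Admins {
		if bytes.Equal(a, cert.Raw) {
			return "admin"
		}
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: m.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return "none" // no path to a CA this MSP trusts
	}
	ok := m.RequireOU == ""
	for _, ou := range cert.Subject.OrganizationalUnit {
		ok = ok || ou == m.RequireOU
	}
	if ok {
		return "member"
	}
	return "none"
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert issues a throw-away certificate for the example; parent == nil
// produces a self-signed CA.
func newCert(cn string, ous []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn, OrganizationalUnit: ous},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	signer, signerKey := parent, parentKey
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// Demo builds a two-org channel (one MSP per org) from constructed CAs and
// reports how the channel's MSPs classify five certificates.
func Demo() map[string]string {
	caA, keyA := newCert("OrgA CA", nil, nil, nil)
	caB, keyB := newCert("OrgB CA", nil, nil, nil)
	caX, keyX := newCert("Unrelated CA", nil, nil, nil) // not in the channel config
	poolA, poolB := x509.NewCertPool(), x509.NewCertPool()
	poolA.AddCert(caA)
	poolB.AddCert(caB)
	adminA, _ := newCert("admin@OrgA", nil, caA, keyA)
	msps := []*OrgMSP{
		{ID: "OrgAMSP", Roots: poolA, Admins: [][]byte{adminA.Raw}},
		{ID: "OrgBMSP", Roots: poolB, RequireOU: "app2"},
	}
	certs := map[string]*x509.Certificate{"adminA": adminA}
	certs["memberA"], _ = newCert("alice@OrgA", []string{"ops"}, caA, keyA)
	certs["app1B"], _ = newCert("bob@OrgB", []string{"app1"}, caB, keyB)
	certs["app2B"], _ = newCert("carol@OrgB", []string{"app2"}, caB, keyB)
	certs["stranger"], _ = newCert("mallory", nil, caX, keyX)
	out := map[string]string{}
	for name, c := range certs {
		out[name] = "none"
		for _, m := range msps { // every org's MSP is tried, as on a channel
			if r := m.Classify(c); r != "none" {
				out[name] = m.ID + "/" + r
			}
		}
	}
	return out
}

func main() { fmt.Println(Demo()) }
```

The "stranger" certificate is the question's Symantec scenario from the other side: its issuer is a perfectly valid CA, but because that CA is not listed as a root in any org's MSP the certificate is rejected everywhere; add the same CA to poolA and the holder would authenticate as an OrgA member, which is exactly the point the answer makes about what a channel config's root CA list grants.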
I wanted to understand how are participants tied with Organization when we define the model.
For example, if I have 3 participants (Grower, Shipper, Trader) and a network of 3 organizations (OrgGrower, OrgShipper, OrgTrader),
then, when adding participants, how is the one-to-one relationship mapped between Participants and Organizations?
I want to do all this via a web site and give administrators access to add only their participants, but I also want to
have a super admin which has access to all the organizations. Is this achievable via Hyperledger Composer?
Answered same posting on Rocket Chat:
In Composer a Participant is just a data item, specifically an object in a Participant Registry. A Participant cannot access the Business Network on the Fabric until an Identity has been Issued to and bound to that Participant. Identities are generated by the CA which belongs to an Organisation. A user (administrator) with an Identity can create Participants if they have the ACL access to do so, but only an Identity with specific rights in the CA can issue Identities. This doc describes Participants and Identities in more detail: https://hyperledger.github.io/composer//managing/participantsandidentities
I don't know if CAs can 'cross certify' to allow your Super Admin to issue identities for the 3 CAs (Organizations). There is a #fabric-ca channel that should be able to answer that question.