Whenever I look for a new blockchain project, I am asked to make an admin first before adding any other members. And also whenever I instantiate a new build I have to create an admin. Why is it required? Why can't I directly create members and start my nodes?
HF is a permissioned network; only the Admin has permission to install, query and upgrade the chaincode. Similarly, every member has to register himself with the admin as a known user inside Fabric before doing any transaction. It is predefined in the architecture.
Related
I have recently started to learn the Hyperledger Besu, and what I am trying to do is actually compare Besu with Fabric and see if it is compatible with my already finished Fabric project.
I know from Fabric that using the CA from an organization we can create new users that are under that org. Also, there is the option to name this user with a username and add some custom attributes that can be used in the chaincode like attribute role for example.
Now, in Besu I have only discovered so far that only with some third party tools like MetaMask and the js library web3j we can create accounts. Although, those accounts are in the form of Public Key/Address & Private Key.
Is there something that I have missed out?
Is it possible to have somehow similar user accounts in Besu like Fabric?
Thank you
After my own research I have concluded that these are the only ways to create accounts for Hyperledger Besu:
MetaMask Wallet
web3 js library through javascript
In order to have more specific accounts that may be connected with some user information or roles that could determine various things in the application, the most suitable option is the following:
Use a centralized database to store the user information and associate it with the user's address. This database could be used from a client application where the user can log in with his/her credentials or using a third-party wallet like MetaMask.
Also, to distinguish the users inside the smart contracts the best option so far seems to be the library of OpenZeppelin Ownable.
I want to create a UI where I want to log in a user which is already created in Fabric. Tried using this (https://github.com/hyperledger/fabric-samples/tree/release-1.3/balance-transfer) but as per the login request sample API, it is always creating a new user.
Any sample or ideas to log in the existing users with the Fabric Node SDK?
The new user will be created if it does not find the same user in the wallet. Make sure when you create a user, you are keeping the identity in the wallet.
In Hyperledger, does the decentralization end at the organization level?
Or can it also be extended beyond the organization level, i.e. to the peer and client level?
According to what I understand -> if he/she wants, the Admin of an organization is able to control everything and take control of any Peer/Client/Member and can access their rights and do transactions in their name.
Can we say that the Admin completely owns the organization?
Not sure you can say that an Admin completely owns the organization. What an admin or non-admin user can do is determined by access control lists. These determine who can do what. When combined with endorsement policies, one can ensure that changes require decentralized agreement.
I have an API with an endpoint creating a channel, joining a peer to it and instantiating chaincodes on it. While coding the process I encountered some interrogations about how things are done.
An organization admin certificate is tested byte per byte while other roles use OUs. Do we have an explication to why the admin verification behaves this way?
I could never manage to enroll and submit the exact same certificate for an organization admin. Due to the above problem, it means that the only solution I found to be able to perform admin operations was to copy the admin cert/key to the sdk crypto-{msp,store}. Is there a way to avoid doing the copy of the admin certificate and private key using fabric-ca?
I could not manage to instantiate a chaincode on a newly created channel without having an entry for it in the sdk config file due to the fact that the sdk does not find any channelPeer for it. Is there a way to avoid the config file update if we can programmatically know which peer has the channel?
If anyone has a hint on how to solve any of the above questions I would appreciate it.
Thanks!
I want to use access control functionality in Fabric (like permission.acl in Hyperledger Composer). How do I achieve this in Fabric, and how do I specify the user while accessing chaincode from the Node SDK to test the access controls provided for that user?
E.g. (like the Tuna-network example in Composer) I want to give different CRUD access to chaincode functions to different participants/users.
There is no direct equivalent in hyperledger fabric for the Composer ACL functionality.
First you should look at access control lists in Fabric to ensure that your Fabric network has the correct level of security:
https://hyperledger-fabric.readthedocs.io/en/release-1.3/access_control.html
(You would have to have done this anyway, as even if you used Composer ACLs to ensure a participant could not read something, if that participant had the ability to query the ledger or is able to listen for block events they could still infer the data, unless encrypted, regardless of the Composer ACL denying read access).
The other fabric capability you could look at is what's termed "Attribute Based Access Control". This is where attributes with values are associated with a certificate and the fabric shims for each language provide a utility library to allow chaincode to extract those attribute values and then the chaincode implementation can make a decision on whether the identity making the request has the appropriate authority to perform whatever it has requested.
More details can be found here:
https://hyperledger-fabric.readthedocs.io/en/release-1.3/chaincode4ade.html?highlight=client%20identity#chaincode-api
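The attribute check described in the answer above, as an added example that is not part of the original answer or of Fabric's own code. It assumes Fabric CA's attribute extension (OID 1.2.3.4.5.6.7.8.1 holding JSON of the form `{"attrs":{...}}`); the `role` values, the `policy` table and the sample certificates are hypothetical and constructed. In real chaincode the shim's client identity library does the lookup; here it is done with the Go standard library so it runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/json"
	"fmt"
	"math/big"
)

// attrOID: extension where Fabric CA stores attributes as JSON {"attrs":{...}}.
var attrOID = asn1.ObjectIdentifier{1, 2, 3, 4, 5, 6, 7, 8, 1}

// policy is hypothetical: "role" attribute value -> chaincode operations allowed.
var policy = map[string]map[string]bool{
	"owner":   {"create": true, "read": true, "update": true, "delete": true},
	"auditor": {"read": true},
}

// issueCert builds a constructed, self-signed sample certificate carrying attrs.
func issueCert(cn string, attrs map[string]string) *x509.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	val, _ := json.Marshal(map[string]map[string]string{"attrs": attrs})
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		ExtraExtensions: []pkix.Extension{{Id: attrOID, Value: val}}}
	der, err := x509.CreateCertificate(rand.Reader, tpl, tpl, pub, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// authorize fails closed: a missing attribute, unknown role or unlisted op is denied.
func authorize(cert *x509.Certificate, op string) error {
	for _, ext := range cert.Extensions {
		var a struct{ Attrs map[string]string `json:"attrs"` }
		if ext.Id.Equal(attrOID) && json.Unmarshal(ext.Value, &a) == nil && policy[a.Attrs["role"]][op] {
			return nil
		}
	}
	return fmt.Errorf("%s: %q denied", cert.Subject.CommonName, op)
}

func main() {
	fmt.Println(authorize(issueCert("alice", map[string]string{"role": "auditor"}), "update"))
}
```

The decision depends only on what the CA put into the certificate at enrollment, so a client cannot claim a role by passing it as a transaction argument.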