I know we can implement access control in chaincode by using ABAC.
For example, there are 2 organizations.
Org1's users have an attribute: org_id=org1.
Org2's users have an attribute: org_id=org2.
But, if fabric-ca-server doesn't have a function to make users have a designated attribute in the organization, users can disguise their attribute with the help of fabric-ca's admin.
(I mean that Org1's users can have an attribute: org_id=org2 if they really want to do.)
Ultimately, I think that ABAC in chaincode has no meaning.
How can I ABAC? Is there any suitable use case?
When users are registered in the CA they can be assigned attributes by the person/ID that is registering them - e.g. using the fabric-ca-client command line:
fabric-ca-client register --id.name clare --id.secret hellothere --id.maxenrollments -1 --id.attrs 'department=Finance:ecert,role=buyerapproval:ecert'
The attributes will be present in the Certificae when clare enrolls and can then in this example, role and department can be checked in the Smart Contract (chaincode) when Clare submits a transaction.
(it is necessary to have the flag ecert on the attribute to ensure it is included in the certificate.)
The attributes are set in the CA so only apply to a certificate that is issued at enrollment after the attributes have been set - existing certificates are not modified.
Related
What is the procedure of replacing a root CA cert with another one of a different key pair.
Q-1 : Is that required to follow config update steps to do as we do in add/remove org, since RCA need to change?
(Understood that changing the RCA require to reCreate all peers,nodes, identities as well)
When we use the default setup of fabric CA, then
it bootstraps the fabric ca server with bootstrap administrator - 'fabric-ca-server start -b admin:adminpw -d'
On enrolling the bootstrap administrator -
It creates the following in msp : cacerts, Keystore, sign certs (Set-A)
now when we have to create identities then it uses Set-A, and all such stuff also got bind to the genesis block as well, as certificate got configured via ConfigTX file, and that got stored in the config channel of fabric.
Q-2 : Now If we have to change the RCA's cacerts, Keystore, sign certs (Set-B), then what is the procedure to do that ?
Not found any guidelines or documents on this, It's just logically understood if that is possible then maybe follow the similar steps as we do in add/remove orgs.
Q-3: But even to replace all identities with new RCA along with RCA's cert, key pair etc, then I don't think existing data may work?
if the live network already has x data, but RCA's cacerts, Keystore, sign certs and all identities got changed and also updated the config file with config-update way as we do in add/remove orgs so it has new certificate info ?
I am trying to make following function with customized tokens. The goal is to mint tokens including metadata which is only exposed to the owner of token. This means that no one is permitted to read the metadata other than the owner. Is it possible to create such tokens?
Thank you.
You can implement that with Attribute Based Access Control with the help of Hyperledger Fabric CA, Chaincode's client identity library and some programming related key management techniques.
In Chaincode Side:
To store metadata, the chaincode will get the owner/user certificate with the help of client identity library and by parsing that certificate, chaincode will get certificate user's/owner's public key and hold the public key with a variable named as "variablePublicKey" and after that will store it's metadata with key "variablePublicKey.metadata".
To read the metadata, the chaincode will get the owner/user certificate with the help of client identity library and by parsing that certificate, chaincode will get certificate user's/owner's public key and hold the public key with a variable named as "variablePublicKey" and after that will get it's metadata with key "variablePublicKey.metadata".
To ensure security with this system, your chaincode must need to add some substring with each of user Input key. For example if user want to invoke or to query a car type asset, the chaincode will always add a substring with that user input, like user input key is "xyz" so the chaincode will add a substring with that like "xyz.car" and store/update value against the "xyz.car" key. To query a car, if the user give the input as "xyz", the chaincode will add a substring with that like "xyz.car" and query value against the "xyz.car" key
I want 4 intermediate CAs for a peer organization: ICA1, ICA2, ICA3 and ICA4 - one for every Node OU (peer, orderer, admin and client).
Let's say if I place ICA1 as the cacerts attribute in the Peer Node OU of the channel configuration, then will a peer identity under a different ICA (ICA2, ICA3 or ICA4), be able to satisfy a policy which says signature of "OrgMSP.peer"?
If yes, then how can I make sure that only the set of roles under a specific department can satisfy a policy given by OrgMSP.<role>? I do not wish to create an MSP definition for every department or team in the organization. So, is it achievable without that?
If no, then can I also specify a group of ICAs in the Node OU configuration of the channel for a particular OU so that I can leverage very complex policies like "Signature of one-of 'OrgMSP.peer'" and let's say that here, cacerts property for the peer OU will be ICA1 and ICA3. Is this achievable?
When you specify the nodeOU configuration, you may simply supply the OU name corresponding to the role (it sounds like this is what you've done), or you may specify the OU name and an issuing certificate. This could be a root CA, or an intermediate CA, but in either case, in order to satisfy that role, the certificate must have both the OU specified and be issued by the specified CA.
Note: Each role/certificate pair informs the MSP of a valid issuer for certificates satisfying a role. So, if you have CA1, CA2, ICA1, and ICA2, you may specify a given role twice, once for CA1 and once for ICA2. Then only certificates (directly) issued by either CA1 or ICA2 may satisfy the role.
If you look in the sample MSP configuration, you can see that certificate may be specified, but is omitted by default.
You can see more details about how this certificate is used in the actual proto documentation.
I develop an application on hyperledger fabric with "IBM Blockchain Platform" extension and nodejs. I use "fabric-ca-client v1.3.0" module to enroll users and admins certificate. I want to add roles to users and have access control based on user roles on my chaincode. I try to enroll multiple certificate but always this module enroll certificate with empty roles and affiliation like this:
{"name":"admin","mspid":"Org1MSP","roles":null,"affiliation":"","enrollmentSecret":"","enrollment":{"signingIdentity":"...","identity":{"..."}}}
I found this on this on hyperledger shim documentation about use of roles on chaincode:
const ClientIdentity = require('fabric-shim').ClientIdentity;
let cid = new ClientIdentity(stub);
object passed to Init() and Invoke() methods
if (cid.assertAttributeValue('hf.role', 'auditor')) {
// proceed to carry out auditing
}
but I didn't find any solution to how I can register and enroll user that have 'hf.role' attribute
you have to register user 1st and then enroll the user. You can do this via cmdline as well as REST. For cmdline while registering user you need to pass additional attributes as:
--id.attrs 'role=writer:ecert,email=user1#gmail.com'
then at the time of enroll:
--enrollment.attrs "role=writer,email,phone:opt"
In the chaincode you can access the attribute as:
let cid = new ClientIdentity(stub);
if (cid.assertAttributeValue('role', 'writer')) { .. }
I will ask you thought Endorsement Policy example below
peer chaincode instantiate -C <channelid> -n mycc -P "AND('Org1.member', 'Org2.member')"
My understanding(Promise)
Org1.member or Org2.member refer to Peer.
The example means that Org1.member and Org2.member should have to get the same result as instantiating mycc.
Question
If Org1.member and Org2.member have same chaincode, could their
result be different?
Are Org1.member and Org2.member refer to one peer of Organization?
(2-1. If so, does the peer be set on organization randomly?)
Can I use regular expressions like "AND('Org1.member > 10', 'Org2.member > 10')"
I hope you have referred to the fabric documentation on endorsement already. If not, then please find it here endorsement-policies
A principal is described in terms of the MSP that is tasked to validate the identity of the signer and of the role that the signer has within that MSP. Currently, two roles are supported: member and admin. Principals are described as MSP.ROLE, where MSP is the MSP ID that is required, and ROLE is either one of the two strings member and admin. Examples of valid principals are 'Org0.admin' (any administrator of the Org0 MSP) or 'Org1.member' (any member of the Org1 MSP).
AND (Org1.member, Org2.member) means that for successful endorsement, the transaction proposal response which is sent to Orderer ( from the client SDK) is expected to be signed by the member certificate of Peer of org1 and member certificate of the Peer of org2
It is possible to have different result if your chaincode is Non-Deterministic ( ie, say its getting current time etc and putState() ). So write sets can be different.
Org1.member & Org2.member are two different Peers. One peer belonging to Org1 and another peer belonging to Org2. [ You cannot have the Peer belonging to two organizations randomly ]
I am not sure. Please check the link of Fabric Documentation above.