In Hyperledger Fabric, suppose there is a channel 'channel_12' between org1 and org2, and another channel 'channel_13' between org1 and org3. Suppose there are two users, 'Org1User1' and 'Org1User2', in org1. Can we restrict the access of Org1User1 to channel_12 and that of Org1User2 to channel_13?
One way we can achieve this is:
While enrolling the user, we can set attributes in the user's X.509 certificate stating which channel he has access to. For this, we need to generate a CSR with these details and send it to the CA server.
Now, when the user submits a transaction, we can check the value of this attribute either on the client side or within the chaincode. Based on this attribute we can control access to the channel.
P.S.: This is at the certificate level. I would love to know if there are any methods/APIs that Fabric provides for the same.
I am new to Hyperledger, so sorry for the silly question.
In the transaction flow:
1) How does the endorsing peer/any peer know the transaction is signed by the authorized peer/correct key?
Can anyone help me understand the steps of validation and how it comes to know whether the transaction is signed by the correct or an incorrect key?
2) Does the orderer also validate the transaction, or does it just create blocks and forward them to the leader peer?
3) What is the role of BCCSP in the network?
1) How does the endorsing peer/any peer know the transaction is signed by the authorized peer/correct key?
Can anyone help me understand the steps of validation and how it comes to know whether the transaction is signed by the correct or an incorrect key?
Each transaction contains a SerializedIdentity which, for example in the case of the conventional MSP (based on X.509), contains a certificate signed by the CA. Root CA certificates are preloaded in the genesis block. Therefore, when it comes to transaction validation, it extracts the certificate, verifies the CA signature on this certificate, then gets the public key from the certificate and validates the signature on the transaction.
2) Does the orderer also validate the transaction, or does it just create blocks and forward them to the leader peer?
Orderers validate the ACL to check that whoever submitted the transaction has channel write privileges. Orderers also validate and check transactions which deal with channel configuration, since they might also have to apply them. Other than these, transaction content is completely opaque to ordering nodes; in particular, ordering nodes do not try to verify the endorsement policy, for example.
3) What is the role of BCCSP in the network?
BCCSP stands for BlockChain Crypto Service Provider. Essentially, this is only an abstraction which aims to provide more pluggability and flexibility. The key essence is to present an API which brings implementations of crypto primitives such as signatures, signature verification and hashing algorithms in an abstract way, allowing easy replacement of them if needed.
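The two answers above (certificate attributes checked in chaincode, and the peer's certificate-then-signature validation of a SerializedIdentity) can be shown end to end. The following is an added example, not code from the posts or from the Fabric code base, written without the Fabric dependencies: the CA, keys, identity names and proposal bytes are constructed for the example, and Go's standard chain verification against a certificate pool stands in for checking against the root CA certificates carried in the channel's genesis block. The attribute extension OID (1.2.3.4.5.6.7.8.1) and its JSON layout are the ones Fabric CA writes and the chaincode `cid` package (`cid.GetAttributeValue`) reads; in real chaincode the channel to compare against comes from `stub.GetChannelID()`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

// Fabric CA stores identity attributes in an X.509 extension with this OID as JSON
// {"attrs":{"name":"value"}}; the chaincode cid package reads the same extension.
var attrOID = asn1.ObjectIdentifier{1, 2, 3, 4, 5, 6, 7, 8, 1}

// enroll stands in for the Fabric CA round trip: a fresh key for the identity and a
// certificate carrying attrs, signed by signer (self-signed root when parent is nil).
func enroll(cn string, attrs map[string]string, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true, IsCA: parent == nil}
	if attrs != nil {
		v, _ := json.Marshal(map[string]map[string]string{"attrs": attrs})
		tmpl.ExtraExtensions = []pkix.Extension{{Id: attrOID, Value: v}}
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err) // fixture setup only; a real CA would return the error
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// channelAttribute is the first answer's chaincode-side step: read the "channel"
// attribute back out of the submitter's certificate.
func channelAttribute(cert *x509.Certificate) (string, bool) {
	var a struct{ Attrs map[string]string `json:"attrs"` }
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(attrOID) && json.Unmarshal(ext.Value, &a) == nil {
			v, ok := a.Attrs["channel"]
			return v, ok
		}
	}
	return "", false
}

// verifyTransaction is the second answer's peer-side sequence: the certificate must
// chain to a channel root CA, then its public key must verify the proposal signature.
func verifyTransaction(roots *x509.CertPool, certDER, proposal, sig []byte) (*x509.Certificate, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err == nil {
		_, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	}
	if err != nil {
		return nil, fmt.Errorf("submitter certificate rejected: %w", err)
	}
	digest := sha256.Sum256(proposal)
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return nil, fmt.Errorf("bad transaction signature")
	}
	return cert, nil
}

// scenario (constructed): an Org1 CA enrolls Org1User1 with channel=channel_12, the user
// signs a proposal and the peer validates it for channelID; tamper flips a payload byte
// after signing. Returns "" on acceptance, otherwise the rejection reason.
func scenario(channelID string, tamper bool) string {
	caCert, caKey := enroll("ca.org1", nil, nil, nil)
	userCert, userKey := enroll("Org1User1", map[string]string{"channel": "channel_12"}, caCert, caKey)
	roots := x509.NewCertPool() // stands in for the root certs in the genesis block
	roots.AddCert(caCert)
	proposal := []byte("constructed proposal: invoke transfer(a,b,10)")
	digest := sha256.Sum256(proposal)
	sig, _ := ecdsa.SignASN1(rand.Reader, userKey, digest[:])
	if tamper {
		proposal[0] ^= 0x01
	}
	cert, err := verifyTransaction(roots, userCert.Raw, proposal, sig)
	if err != nil {
		return err.Error()
	}
	if ch, ok := channelAttribute(cert); !ok || ch != channelID {
		return fmt.Sprintf("identity is bound to %q, not %s", ch, channelID)
	}
	return ""
}

func main() {
	fmt.Printf("ok=%q wrong-channel=%q tampered=%q\n",
		scenario("channel_12", false), scenario("channel_13", false), scenario("channel_12", true))
}
```

The order of the checks matters: the certificate is validated against the channel's trusted roots before its public key is used, so a signature from a key whose certificate was not issued by a channel CA is never consulted, and the attribute is read only from a certificate that already passed both checks.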
We are using Hyperledger Fabric to develop an application.
In the endorsement policies, we are seeing multiple options like the ones below:
Org1MSP.member
Org1MSP.peer
Org1MSP.client
Org1MSP.admin
What is the difference, and what benefits does it give in chaincode endorsement validation?
Also, what is the setting to start the peer nodes as either
member
peer
client
admin, and where to do that?
Please help us understand.
What is the difference, and what benefits does it give in chaincode endorsement validation?
In your organization you will have roles, and every role will have its privileges. For endorsement policies, there are only 4 types of roles:
member, client, peer and admin
And the endorsement policy can be:
OR('Org1.admin', AND('Org1.member', 'Org1.member'))
That means a chaincode transaction previously instantiated in Org1 can be endorsed by one admin or two members of Org1. In a Fabric environment, you can set which peers can validate and endorse transactions, and with the MSP provided by Fabric CA, you set which role your peer will have.
You can read more about that here.
Also, what is the setting to start the peer nodes as either member, peer, client or admin, and where to do that?
In Fabric CA you can register and enroll new identities in your Org. Every identity has a role and attributes. For example, you, as admin of Amazon.ProgrammingDepartment, can register me and give me a role and the attributes to enroll new users in the ProgrammingDepartment. This works the same way for peers: you can enroll a new peer identity and give it a role (member, admin, client or peer).
You can read more about that here.
I hope I have helped at least a little bit. Hyperledger Fabric has complex governance to give the system maximum security.
What is the application's own signature in this context, and how can someone using the Hyperledger Fabric Node SDK set the application's signature?
The application that you are talking about is simply a client app which talks to the ledger. The issue here is not the client app; the issue is that you need a proper endorsement policy which establishes how anything goes onto the ledger.
Imagine this scenario ...
You have 2 orgs, Org1 and Org2, each owning one peer: P1 belongs to Org1, P2 belongs to Org2, and both peers have joined a channel, let's call it defaultchannel.
You deploy and instantiate your chaincode and set a basic endorsement policy which is 1-Of.
Each org has a client application, running against their own peer. When Org1 submits a transaction to the ledger, its validity is endorsed by itself, but not by the second org, because your policy requires only one to accomplish this. Basically in any network where you have more than one org, you really want a proper endorsement policy. 2-Of would work in the case of our example as any transaction would need to be validated by both orgs and that gives the ledger much better integrity.
Bottom line, your fabric network needs to be properly built and protected, especially in a production environment and this allows it to be protected by any client apps which have rights to interact with it. Your network being protected means that it doesn't matter how a client app is built and what it tries to do, it won't be able to bypass mechanisms such as the endorsement mechanisms.
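The policy OR('Org1.admin', AND('Org1.member', 'Org1.member')) from the earlier answer and the 1-Of versus 2-Of policies from this one can be evaluated with a small model of Fabric's signature-policy language. The following is an added example, not code from the posts or from Fabric itself: endorsements are constructed records of who signed and what MSP and role their certificate carries, and role matching is simplified ("member" matches any identity of the MSP; admin, peer and client must match exactly, standing in for Fabric's admin-list and OU checks). It does keep one property that matters for reading such policies: each endorsement is assigned to at most one principal, so AND('Org1.member', 'Org1.member') needs two different Org1 identities, not one signature counted twice.

```go
package main

import "fmt"

// Endorsement is a simplified view of one signed endorsement: who signed (ID
// distinguishes identities) and the MSP and role their certificate carries.
type Endorsement struct{ ID, MSP, Role string }

// Policy is satisfied when a distinct endorsement can be assigned to each principal
// it requires. eval claims endorsements in used and calls k to satisfy the rest,
// backtracking when k fails.
type Policy interface {
	eval(es []Endorsement, used []bool, k func() bool) bool
}

// SignedBy is a principal such as 'Org1MSP.admin'. Role "member" matches any identity
// of that MSP; other roles must match exactly (simplified stand-in for Fabric's OU checks).
type SignedBy struct{ MSP, Role string }

func (p SignedBy) eval(es []Endorsement, used []bool, k func() bool) bool {
	for i, e := range es {
		if used[i] || e.MSP != p.MSP || (p.Role != "member" && e.Role != p.Role) {
			continue
		}
		used[i] = true // claim this endorsement, then try to satisfy the rest
		if k() {
			return true
		}
		used[i] = false // backtrack and try another endorser
	}
	return false
}

// OutOf requires N of its sub-policies; AND and OR are the two common cases.
type OutOf struct {
	N     int
	Rules []Policy
}

func AND(rules ...Policy) Policy { return OutOf{len(rules), rules} }
func OR(rules ...Policy) Policy  { return OutOf{1, rules} }

func (o OutOf) eval(es []Endorsement, used []bool, k func() bool) bool {
	return o.pick(0, o.N, es, used, k)
}

// pick chooses which `need` rules to satisfy starting at index i, exploring both
// "use rule i" and "skip rule i" so that no endorsement is double-counted.
func (o OutOf) pick(i, need int, es []Endorsement, used []bool, k func() bool) bool {
	if need == 0 {
		return k()
	}
	if len(o.Rules)-i < need {
		return false
	}
	if o.Rules[i].eval(es, used, func() bool { return o.pick(i+1, need-1, es, used, k) }) {
		return true
	}
	return o.pick(i+1, need, es, used, k)
}

// Satisfied evaluates policy p over a set of endorsements. Duplicate endorsements
// from the same identity are collapsed first: one signature per identity counts.
func Satisfied(p Policy, endorsements []Endorsement) bool {
	seen := map[string]bool{}
	var es []Endorsement
	for _, e := range endorsements {
		if !seen[e.ID] {
			seen[e.ID] = true
			es = append(es, e)
		}
	}
	return p.eval(es, make([]bool, len(es)), func() bool { return true })
}

// The policies discussed in the answers above.
var (
	// OR('Org1.admin', AND('Org1.member', 'Org1.member'))
	adminOrTwoMembers = OR(SignedBy{"Org1MSP", "admin"}, AND(SignedBy{"Org1MSP", "member"}, SignedBy{"Org1MSP", "member"}))
	// 1-Of and 2-Of across the two orgs' peers
	oneOf = OR(SignedBy{"Org1MSP", "peer"}, SignedBy{"Org2MSP", "peer"})
	twoOf = AND(SignedBy{"Org1MSP", "peer"}, SignedBy{"Org2MSP", "peer"})
)

func main() {
	p1 := Endorsement{"peer0.org1", "Org1MSP", "peer"} // constructed endorsers
	p2 := Endorsement{"peer1.org1", "Org1MSP", "peer"}
	adm := Endorsement{"Admin@org1", "Org1MSP", "admin"}
	fmt.Println(Satisfied(adminOrTwoMembers, []Endorsement{adm}))    // true
	fmt.Println(Satisfied(adminOrTwoMembers, []Endorsement{p1}))     // false
	fmt.Println(Satisfied(adminOrTwoMembers, []Endorsement{p1, p1})) // false: same identity twice
	fmt.Println(Satisfied(adminOrTwoMembers, []Endorsement{p1, p2})) // true
	fmt.Println(Satisfied(oneOf, []Endorsement{p1}))                 // true: Org1 alone suffices
	fmt.Println(Satisfied(twoOf, []Endorsement{p1}))                 // false: Org2 must also endorse
}
```

The last two lines are the point of the answer above: under 1-Of, a single org's endorsement is enough for its own writes to commit, whereas 2-Of rejects anything the other org's peer has not also endorsed.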
I have 2 organizations, say org1 and org2. I would like to create a channel which gives full access to org1 and read-only access to org2. Can someone tell me how to do this in Hyperledger Fabric?
I have already created a TwoOrg channel as per https://hyperledger-fabric.readthedocs.io/en/release-1.1/build_network.html#understanding-the-docker-compose-topology. But I want org1 alone to have write permission.
You need to update the configuration of the channel to change the access rights of org2 to read (instead of write).
When I generate the MSP for some organization, I can confirm Admin and User. What does this mean?
Does this mean a client node?
And additionally,
Can some clients join an organization?
Is one channel matched with one consortium?
Admin and user are roles (principals), so you will be able to define fine-grained policy controls, meaning that you could separate certain concerns by allowing them to be controlled by admins only and restricting them for regular users (or members). For example, you could have a chaincode instantiation policy such that only organization admins are able to instantiate the chaincode.
Can some clients join an organization?
By providing the client a valid certificate signed by the organization's CA, you can claim that the client has joined the organization. Moreover, you can enroll the client with Fabric-CA, which will basically end up with Fabric-CA providing the client a signed certificate.
Is one channel matched with one consortium?
Not exactly; you can have as many channels as you want within a single consortium. For example, you can divide your consortium into subgroups, each of which could have a channel of its own. You cannot have multiple consortiums within one channel.