Use single user in multiple orgs in Hyperledger Fabric - hyperledger-fabric

I have a scenario here in which I want to register and enrol a user that can be used in multiple organisations, but I cannot find any way to do so. Does anyone have a way to achieve this?

I figured out how to solve my issue. I came across something called Organisational Units in the Fabric CA. We can have multiple intermediate CAs for multiple organisational units and one root CA. Each Organisational Unit will act as an individual Org, and the user registered and enrolled by the root CA can access chaincodes in any of the Organisational Units.

Related

Connecting a web application to Hyperledger Fabric blockchain network [closed]

I want to create a Hyperledger Fabric network which has a frontend. The web application has a feature for registering and logging in the user. The questions are:
Does registering a user through the web application also require registering the user in fabric-ca-server (Fabric CA)?
Do we need to create credentials for the newly registered users like we generate credentials for peers, orderers or other participants in the network?
What will be the "role" of the newly registered participant in the network? What role should we give to the newly added member?
Is there any need to properly create an MSP structure for a new user?
How many users can be registered through the Fabric Certificate Authority?
How many participants/users can belong to one peer node? Will the users/participants which belong to any one peer organisation share the same ledger data?
What should be the login logic after registering the user in the network?
First of all, I will try to explain to you how the different components are organized in Hyperledger Fabric. Hyperledger Fabric is focused on organizations; because of that, blockchain nodes belong to the different organizations. However, each organization will then have many users.
Now, I will try to answer your questions:
Web application users can be managed as you want. If they will operate against the blockchain, they need a certificate. However, many users could use the same certificate, for example a generic certificate for all the users of that organization.
You need at least one client certificate.
Its role will be client.
Yes, each component requires an MSP structure. In that structure, it will have its public and private key, as well as the certificates of its trust chain. So, for each user an MSP directory will be created. However, it should be mentioned that each individual belongs to an organization, and each organization is identified by its MSP.
You can register as many users as you want. The attributes option will also be interesting for it. However, there are many options to manage it.
The ledger data is shared among the organizations that are on the same channel. Then, you can define in your chaincode restrictions about who can execute a function.
In my opinion, you should think about your user management strategy and decide if they will operate with the same certificate or each of them will have one.

Hyperledger Fabric how to manage authorization by mspid

I would like to use roles to identify what an organization can do in my Hyperledger Fabric blockchain, so if org1 is a distributor it can call contract1 and contract2, but org2, which has an auditor role, can only call contract2.
I am planning to do it by storing the MSP roles in the blockchain and querying them in the contract to do the validation, and these roles can be stored in the blockchain in the instantiate method.
Something like this:

```typescript
import { Context } from 'fabric-contract-api';

public async contract1(ctx: Context) {
    // Key the stored role on the caller's MSP ID: getState() needs a string key,
    // and ctx.clientIdentity itself is an object, not a key.
    const mspId = ctx.clientIdentity.getMSPID();
    // getState() resolves to a Buffer; compare it as a string.
    const role = (await ctx.stub.getState(mspId)).toString();
    if (role === 'auditor') {
        throw new Error('An Auditor can not issue a transference');
    }
    ....
    return response;
}
```

Is there a better way to associate a role to an MSP ID? Like directly on the certificate? But if the organization manages the CA, how can I guarantee that they don't give themselves super powers and super roles? Or should I check directly in my code for each mspId?
Thanks
I am planning of doing it, by storing the msp roles in the blockchain
and querying them in the contract to do the validation, and this roles
can be stored in the blockchain on the instantiate method.
I think your approach is reasonable. It's open to changes and extensions later on.
Is there a better way to associate a role to an mspid? Like directly
on the certificate?
Embedding Attributes in Certs: As you mentioned, we cannot trust attributes on certificates for organization-wide roles. Our system knows about the root certificate of organizations, so only these can be our reference for such a solution. Since client certificates are signed with these root certificates, we can reach these certificates' issuer certificate as well. If we enforce organizations to put some attributes there, this would bring us a solution. This enforcement occurs at on-boarding time and is validated manually by admins. Obviously this is a bad approach, because it's static and we enforce some certificate actions for our custom solution, etc.
Here is a quick and dirty solution method I used before:
Embedding roles in MSP IDs: This is really a quick and dirty solution, i.e. the MSP ID will be set as Org1_xyz where x, y and z are the different roles. You can easily get the client's MSP ID and extract the organization's roles from there. It's a safe method since the MSP ID is assigned to an organization by the admins when introducing the organization to the system channel. Afterwards it's not changeable at all, and also this information is very independent of chaincode logic, where MSP IDs are a higher-level definition.
Relying on the contents of an enrollment certificate does indeed introduce a lot of trust on the CA issuing the cert. I know this is the idea behind attribute based access control (ABAC), and in some cases will work, but the trust issues are significant as any CA can issue a certificate with arbitrary "roles". I think the only real way to handle this is to maintain in chaincode a list of identities that you want to grant access to certain functions. Basically create your own access control lists that are maintained onchain.
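As an added example (not code from the question or from either answer), here is the on-chain ACL approach the answers above converge on, written in TypeScript: roles are seeded per MSP ID once at init time, looked up on every invocation, and an MSP with no entry is denied rather than allowed. It also includes the MSP-ID-suffix trick from the "quick and dirty" answer as a separate function. The `Ledger` and `ClientIdentity` interfaces are constructed stand-ins for the slice of fabric-contract-api this logic touches (the real `ChaincodeStub.getState`/`putState` are asynchronous and work on Buffers), so the block runs without a peer; the role code table, MSP IDs and asset keys are assumptions made for the example.

```typescript
// Constructed stand-in for the ledger API. Real Fabric stubs return Promises and
// Buffers; this in-memory version is synchronous so the example runs offline.
interface Ledger {
  getState(key: string): string | undefined;
  putState(key: string, value: string): void;
}

class InMemoryLedger implements Ledger {
  private kv: { [key: string]: string } = {};
  getState(key: string): string | undefined {
    return Object.prototype.hasOwnProperty.call(this.kv, key) ? this.kv[key] : undefined;
  }
  putState(key: string, value: string): void { this.kv[key] = value; }
}

// What ctx.clientIdentity exposes on a real peer: the MSP ID the peer already
// validated from the submitter's certificate chain. That is the trustworthy input.
interface ClientIdentity { getMSPID(): string; }

// Key prefix for the on-ledger role entries, one entry per MSP ID.
const ROLE_KEY_PREFIX = "role:";

// Seed roles per MSP ID. Meant to run once from the chaincode's init/instantiate
// path, with the mapping agreed by the channel admins (assumed values below).
function initRoles(ledger: Ledger, rolesByMsp: { [mspId: string]: string[] }): void {
  for (const mspId of Object.keys(rolesByMsp)) {
    ledger.putState(ROLE_KEY_PREFIX + mspId, JSON.stringify(rolesByMsp[mspId]));
  }
}

// Roles granted to an MSP ID. Unknown or malformed entries yield no roles, so the
// default is deny rather than "anyone on the channel may call this".
function rolesOf(ledger: Ledger, mspId: string): string[] {
  const raw = ledger.getState(ROLE_KEY_PREFIX + mspId);
  if (raw === undefined) return [];
  const parsed: unknown = JSON.parse(raw);
  return Array.isArray(parsed) ? parsed.filter((r): r is string => typeof r === "string") : [];
}

// Quick-and-dirty alternative from the answer: roles encoded in the MSP ID itself,
// e.g. "Org1_da". The single-letter code table is constructed for this example.
const ROLE_CODES: { [code: string]: string } = { d: "distributor", a: "auditor" };

function rolesFromMspId(mspId: string): string[] {
  const idx = mspId.indexOf("_");
  if (idx < 0) return [];
  const roles: string[] = [];
  for (const code of mspId.slice(idx + 1).split("")) {
    const role = Object.prototype.hasOwnProperty.call(ROLE_CODES, code) ? ROLE_CODES[code] : undefined;
    if (role !== undefined && roles.indexOf(role) < 0) roles.push(role);
  }
  return roles;
}

// Throws unless the caller's MSP holds at least one of the allowed roles.
function requireRole(ledger: Ledger, caller: ClientIdentity, allowed: string[]): string {
  const mspId = caller.getMSPID();
  const held = rolesOf(ledger, mspId);
  if (!held.some((r) => allowed.indexOf(r) >= 0)) {
    throw new Error(`MSP ${mspId} with roles [${held.join(",")}] may not call this function`);
  }
  return mspId;
}

// contract1 is the transfer the question wants to keep away from auditors;
// contract2 is the read both roles may perform.
function contract1(ledger: Ledger, caller: ClientIdentity, asset: string, to: string): string {
  requireRole(ledger, caller, ["distributor"]);
  ledger.putState("asset:" + asset, JSON.stringify({ owner: to }));
  return `${asset} transferred to ${to}`;
}

function contract2(ledger: Ledger, caller: ClientIdentity, asset: string): string {
  requireRole(ledger, caller, ["distributor", "auditor"]);
  return ledger.getState("asset:" + asset) ?? "{}";
}
```

The check keys only on `getMSPID()`, which the peer derives from the validated certificate, so a CA operated by one organization cannot mint a certificate that maps to another organization's roles; changing an MSP's roles means a chaincode transaction that the channel's endorsement policy governs, which is exactly the auditability the "stored on-chain" approach buys.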

Restrict access to channel to selected users within organization

We set up Hyperledger Fabric and added two channels (for two different applications). We also registered two users in our Organization (one for each application). We should restrict access to each channel so only the corresponding user can read and write based on affiliation or OU of the user.
We checked the Hyperledger Fabric documentation on channel policies and did not find any indication of how to use OU or affiliation (i.e. conditions that go beyond "must be a member of orgX").
From what I've read so far, I got the impression that restrictions within the organization can only be enforced in chaincode, but not by using policies (this is also indicated in this question).
Is this really the way to go? Is there no possibility to restrict access to either an OU or an attribute like affiliation by just using the channel policy?
You can define an MSP that is defined with the OU you have in mind, and then the user will have to belong to that MSP and use a certificate with that OU when it sends transactions.
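The answer above gates membership at the MSP level; the question also mentions the other route, enforcing the restriction inside chaincode. As an added example (not code from the question or the answer), this TypeScript block shows that in-chaincode check: it parses the OU values out of the subject DN of the caller's identity string and allows a function only when the caller's MSP and OU match the function's policy. The `ClientIdentity` interface is a constructed stand-in for `ctx.clientIdentity`; the ID format it assumes is the `x509::<subject DN>::<issuer DN>` string fabric-shim builds from the validated certificate, with slash-separated RDNs. The policy tables and sample identities are assumptions for the example.

```typescript
// Constructed stand-in for the part of ctx.clientIdentity this check uses. On a
// real peer, getID() returns "x509::<subject DN>::<issuer DN>" built from the
// certificate the peer already validated against the org's MSP, which is why the
// OU can be trusted here: a client cannot pick an OU its own CA did not issue.
interface ClientIdentity {
  getID(): string;
  getMSPID(): string;
}

// Every OU value in the subject DN of a fabric-shim style identity string.
// Only the subject part is consulted; the issuer DN names the CA, not the user.
function organizationalUnitsOf(clientId: string): string[] {
  const parts = clientId.split("::");
  if (parts.length !== 3 || parts[0] !== "x509") return [];
  const ous: string[] = [];
  for (const rdn of parts[1].split("/")) {
    if (rdn.indexOf("OU=") === 0 && rdn.length > 3) ous.push(rdn.slice(3));
  }
  return ous;
}

// Per-function policy: which OUs of which MSP may invoke it. Constructed for
// the example; a deployment would seed this at init or keep it on the ledger.
type OuPolicy = { [mspId: string]: string[] };

function isAllowed(policy: OuPolicy, caller: ClientIdentity): boolean {
  const mspId = caller.getMSPID();
  if (!Object.prototype.hasOwnProperty.call(policy, mspId)) return false; // MSP not listed: deny
  const allowedOus = policy[mspId];
  const held = organizationalUnitsOf(caller.getID());
  return held.some((ou) => allowedOus.indexOf(ou) >= 0);
}

function requireOU(policy: OuPolicy, caller: ClientIdentity): void {
  if (!isAllowed(policy, caller)) {
    throw new Error(`identity ${caller.getID()} from ${caller.getMSPID()} is not permitted here`);
  }
}

// One contract per application in the question; each admits only its own OU.
const APP1_POLICY: OuPolicy = { Org1MSP: ["app1"] };
const APP2_POLICY: OuPolicy = { Org1MSP: ["app2"] };

function app1Write(caller: ClientIdentity, payload: string): string {
  requireOU(APP1_POLICY, caller);
  return "app1 accepted: " + payload;
}

function app2Write(caller: ClientIdentity, payload: string): string {
  requireOU(APP2_POLICY, caller);
  return "app2 accepted: " + payload;
}

// Constructed sample identity in the fabric-shim ID format (not a real user).
const sampleApp1User: ClientIdentity = {
  getID: () => "x509::/OU=app1/CN=user1@org1.example.com::/C=US/O=org1.example.com/CN=ca.org1.example.com",
  getMSPID: () => "Org1MSP",
};
```

Because the check is on the MSP ID and the OU together, a certificate from another organization that happens to carry `OU=app1` is still rejected, and a user of the same organization enrolled under `OU=app2` cannot write through the app1 contract. The same parsing is what a NodeOU-based MSP definition does at the policy layer; doing it in chaincode is the option the question describes when the channel policy alone is not granular enough.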

what is difference of template and users in hyperledger fabric?

In crypto-config.yaml, for each organization we have Template and Users. I know the Template number is the number of users, but I can't understand what the Users variable is used for.
A template is used to refer to the number of peers that you want to have in an organization. Peers are the units which store the ledger. It is completely different from the type of users who update these ledgers. So maybe that is the difference between a template and a user.

Questions on hyperledger fabric MSP setting

Background
I am studying the Hyperledger Fabric tutorial Building Your First Network (BYFN) and the details of its scripts. The source code can be found here.
Question
The command byfn.sh generate runs cryptogen generate --config=./crypto-config.yaml and then generates certificates. A directory crypto-config/ is produced with sub-directories ordererOrganizations/ and peerOrganizations/.
The path crypto-config/peerOrganizations/org1.example.com/ consists of
ca/
msp/
peers/
tlsca/
users/
I have difficulties in understanding the structures in this directory.
Q1: There are certs and private keys in ca/, msp/ and tlsca/. But what are they representing, and why do we need them? It confuses me because inside the peers/ directory there are also msp/ and tls/.
Q2: What is the purpose of the users/ directory? (I only know the network has peers and orderers.) Are user and admin representing the end-users for this organization, and what is the difference between user and admin? Take this network picture for example: where are user and admin?
Many Thanks
So, the public channel configuration is loaded only with what is found under msp/.
This is used to verify certificates of clients and network nodes (peers, orderers).
The ca/ folder just represents what a CA would have had it existed.
The tlsca/ folder is basically used to define the same thing as the ca/ folder, only for TLS certificates. In Fabric, there is a different certificate chain for TLS and for enrollment certificates.
Now, the peers, orderers and users directories contain the material for the local MSP of the node, as well as its signing identity (certificate and private key).
The user is basically anyone that can authenticate to Fabric as a client, and an admin is a special type of user who is authorized to sign transactions that make administrative changes to the organization it belongs to, like adding anchor peers when sending a configuration transaction to the orderer, or instantiating chaincode.