I have 2 organizations, say org1 and org2. I would like to create a channel which gives full access to org1 and read-only access to org2. Can someone tell me how to do this in Hyperledger Fabric?
I have already created a TwoOrg channel as per https://hyperledger-fabric.readthedocs.io/en/release-1.1/build_network.html#understanding-the-docker-compose-topology. But I wanted to make org1 alone have write permission.
You need to update the configuration of the channel to change the access rights of org2 to read (instead of write).
I am currently working on a blockchain project with Hyperledger Fabric, and I'm facing some issues.
The scenario I would like to achieve is the following:
three organizations (Org1, Org2, Org3) with one peer each
a private channel between Org1 and Org2, say channel12
a private channel between Org2 and Org3, say channel23
My problem is that I can't understand how to customize the provided Hyperledger Fabric test network, in order to achieve the described scenario.
How can I proceed?
You can customize the configuration of the test network in configtx.yaml (test-network/configtx/configtx.yaml). I would start by adding a definition for Org3, which you can model off the existing definitions for Org1 and Org2 under the Organizations section, then creating a new channel profile that includes (Org2, Org3) under the Profiles section.
If by private channel you mean:
There is a need to encapsulate all the attributes of a channel like the chaincode deployed and the peers on the channel. In this case, you can use the createChannel.sh script (test-network/scripts/createChannel.sh) to join Org1 and Org2 to a new channel, then use this script as a base for another script joining Org2 and Org3 to another channel, referencing the new channel profile created earlier.
There is a need to keep only the data within transactions private. In this case, a separate channel for Org2 and Org3 would be unnecessary. You can use the addOrg3 script to create and add Org3 to an existing channel between Org1 and Org2. You can then use private data to hide the data in transactions on the channel.
I am building a POC using Hyperledger Fabric.
Is it possible for one organization admin to send messages, like money details, to another organization admin, who then sends the (agree/denied) message?
You can work with a multi-organization model. Install the chaincode on the two organizations' peers and instantiate the chaincode on the channel. After instantiating the chaincode, you can invoke some transactions, which will be distributed by the orderer to every peer that has joined the channel.
In the below link you can expect a basic network for two organizations with two peers each.
In hyperledger fabric, suppose there is a channel, 'channel_12' between org1 and org2 and another channel, 'channel_13' between org1 and org3. Suppose there are 2 users, 'Org1User1' & 'Org1User2' in org1. Can we restrict the access of Org1User1 to channel_12 and that of Org1User2 to channel_13?
One way with which we can achieve this is:
While enrolling the user we can set the attributes in the X509 certificate for the user about which channel he has access to. For this, we need to generate a CSR with these details and send it to the CA server.
Now, when the user is submitting the transaction, we can check the value of this attribute on either the client side or within the chaincode. Based on this attribute we can control the access to the channel.
P.S: This is on the certificate level. Would love to know if there are any methods/apis that fabric provides for the same.
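The certificate-attribute check described in the answer above, as an added example (not code from the original posts or from the Fabric project): standard-library Go that reads the attribute extension Fabric CA writes into enrollment certificates and fails closed. The attribute name `channels`, its comma-separated format and the `sampleCert` helper are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var attrOID = asn1.ObjectIdentifier{1, 2, 3, 4, 5, 6, 7, 8, 1} // Fabric CA attribute extension, JSON {"attrs":{...}}

// channelAllowed fails closed unless the hypothetical "channels" attribute lists channel.
func channelAllowed(cert *x509.Certificate, channel string) bool {
	var a struct{ Attrs map[string]string `json:"attrs"` }
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(attrOID) && json.Unmarshal(ext.Value, &a) != nil {
			return false // malformed attribute extension
		}
	}
	for _, c := range strings.Split(a.Attrs["channels"], ",") {
		if c = strings.TrimSpace(c); c != "" && c == channel {
			return true
		}
	}
	return false
}

// sampleCert builds a constructed self-signed certificate standing in for a CA-issued enrollment cert.
func sampleCert(cn, channels string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	val, _ := json.Marshal(map[string]map[string]string{"attrs": {"channels": channels}})
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: attrOID, Value: val}}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func main() { fmt.Println(channelAllowed(sampleCert("Org1User1", "channel_12"), "channel_13")) }
```

Inside chaincode, the client identity (cid) library exposes the same attributes through `GetAttributeValue` and `AssertAttributeValue`. A check made only in the client application can be skipped by a modified client, so the chaincode-side check is the one that enforces the restriction.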
I am using "https://hyperledger.github.io/composer/tutorials/deploy-to-fabric-multi-org" for deploying a Hyperledger Composer blockchain business network to Hyperledger Fabric (multiple organizations). In this tutorial, why are we creating two connection profiles?
The difference between the two connection profiles is shown in the image below.
Why should we create two connection profiles for one organization, i.e. 1. Org1 only and Org1 and Org2?
The need for the distinct Org1 and Org2 only cards is related to rights on the Fabric. The initial Runtime Install uses the distinct cards (and connection.json) and subsequent commands - Network Start and Commands from Alice and Bob use cards (and connection profiles) that access all peers regardless of organisation as they have rights to the Network.
For the tutorial (and the Dev Fabric) we have combined the Peer Install role and the Channel admin role into a single identity called PeerAdmin. Then you need an identity to handle the Fabric-ca server issuer role. You also need an identity bound to the initial business network participant. These roles have been combined into one for alice/bob.
We have two organisations, org1 and org2.
org2 will have a private channel with chaincode on it and private state.
Now we want users from org1 to execute chaincode on the private channel of org2, but they can't have access to the full state (so they cannot set up a peer that can join the private channel).
How should we do this? Is this possible?
I'm not sure. But you can try to apply endorsement policy. I think.
It's impossible to execute chaincode on a channel one can not join. Therefore you would want to create a separate channel for org1 and org2, where org1 is the party which executes the chaincode there. If you need state information from org2, InvokeChainCode provides limited support for cross-channel communication.
You have to decide which information of the org2 would be accessible for the users from org1. Then, you should define a Smart Contract according to it. The org1 and org2 will be members of the channel.
org1 users can't have access to the full state (so they cannot setup a peer that can join the private channel)
When you create a channel, you define which peers are going to be part of it. Then, the creator of the channel will control the access to new members. So, if you create the channel, only you will be able to join new peers to the channel.
Side DB capability which is expected in Fabric 1.1 should provide the mechanism you're looking for - ability to store some of the channel data only on a specified subset of peers (e.g. just peers that belong to org2).
https://jira.hyperledger.org/browse/FAB-1151