I issued a new identity to an already existing participant via the composer rest server and got it activated. Now in the wallet section I selected the new card to use the composer rest server. The ACL for the participant is:
rule SimpleRule {
description: "Description of the ACL rule"
participant: "org.example.auction.Buyer"
operation: ALL
resource: "org.example.auction.*"
action: ALLOW
}
When I try to query the network I get an error:
"Error trying to query business network. Error: chaincode error (status: 500, message: Error: Participant 'org.example.auction.Buyer#Buyer2' does not have 'READ' access to resource 'org.hyperledger.composer.system.Network#auction-network@0.0.1')",
Give access to read the business network.
Add another rule to the .acl file:
rule Rule1 {
description: "Description of the ACL rule"
participant: "org.example.auction.Buyer"
operation: READ
resource: "org.hyperledger.composer.system.*"
action: ALLOW
}
Update the network, restart the REST server and try again.
As Sneha has indicated, you need your ACLs updated to grant access to the business network, i.e. grant access to all operations and commands in the business network, including network access and business access.
See the trade-network example for an example of a permissions ACL file. https://github.com/hyperledger/composer-sample-networks/blob/master/packages/trade-network/permissions.acl
I want to use Consul for Service Discovery and as Distributed Configuration for my microservices. Without any security my system is working fine but I don't want every user to be able to change values in the key-value store. So I tried to introduce security with Consul's ACL but now my services aren't able to register themselves anymore.
I set the default policy in my HCL configuration to "deny" and tried to set a write policy for every service so they can register themselves at Consul, and a read policy for the key-value store, so the values can only be read via the UI. But my services receive a 403 during the registration process.
agent.hcl
service_prefix "" {
policy = "write"
}
key_prefix "" {
policy = "read"
}
consul-policy.hcl
service_prefix "" {
policy = "write"
}
key_prefix "" {
policy = "read"
}
I started the server with:
consul agent -config-file agent.hcl -dev
And added the policy (after getting and setting an ACL token):
consul acl policy create -name consul-server-one -rules @consul-policy.hcl
How can I define a read-only policy for the key-value store in the UI and a write policy for services?
Is it possible to start Consul with the ACL configuration (instead of delivering it after the startup process)?
Which ACL resources are the right ones for my problem? Are service_prefix and key_prefix correct choices?
What I missed was the fact that you need to generate tokens for a policy.
consul acl token create -description "Token description" -policy-name "consul-server-one" -token "(your global token)"
And I wanted the usage of a default token which can be set via:
consul acl set-agent-token -token "(your global token)" default (your generated token)
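Putting the steps from the answer above into one script, as an added example that is not part of the original post and not HashiCorp's own code. It assumes policy names agent-ops, ui-kv-read and svc-web, a service called "web", and that the text output of the `consul acl` commands carries a "SecretID:" line (which is what the awk helper parses). It also answers the "start Consul with the ACL configuration" question: the `acl` block goes in the agent config, tokens are handed to the agent afterwards and persisted.

```shell
#!/bin/sh
# Added example, not code from the original post or from HashiCorp.
# Assumed names: policies agent-ops, ui-kv-read, svc-web; one service "web".
# The awk helper assumes 'consul acl ...' prints a "SecretID:" line.
set -eu

# Agent config with ACLs on from the first start: default-deny, and tokens
# set later with 'consul acl set-agent-token' survive restarts.
render_agent_config() {
  cat <<'EOF'
acl {
  enabled                  = true
  default_policy           = "deny"
  enable_token_persistence = true
}
EOF
}

# Policy for the agent's own token: it writes its node entry and syncs the
# services registered through it into the catalog.
render_agent_policy() {
  cat <<'EOF'
node_prefix "" {
  policy = "write"
}
service_prefix "" {
  policy = "write"
}
EOF
}

# Policy for the default token. Requests without a token, including the UI
# with no token entered, get exactly this: browse and read KV, never write.
render_default_policy() {
  cat <<'EOF'
node_prefix "" {
  policy = "read"
}
service_prefix "" {
  policy = "read"
}
key_prefix "" {
  policy = "read"
}
EOF
}

# Policy for one service's registration token: write only under its own name.
render_service_policy() {
  cat <<EOF
service "$1" {
  policy = "write"
}
EOF
}

secret_of() { awk '/^SecretID:/ {print $2}'; }

# Bootstrap once, create the policies, mint tokens, hand them to the agent.
# Start the agent first:  consul agent -dev -config-file agent.hcl
provision() {
  command -v consul >/dev/null 2>&1 || { echo "consul not on PATH; skipping" >&2; return 0; }
  dir=$(mktemp -d)
  render_agent_policy       > "$dir/agent-ops.hcl"
  render_default_policy     > "$dir/ui-kv-read.hcl"
  render_service_policy web > "$dir/svc-web.hcl"
  # Management token. If the cluster is already bootstrapped, export the
  # existing one as CONSUL_HTTP_TOKEN instead of running this line.
  CONSUL_HTTP_TOKEN=$(consul acl bootstrap | secret_of); export CONSUL_HTTP_TOKEN
  consul acl policy create -name agent-ops  -rules @"$dir/agent-ops.hcl"
  consul acl policy create -name ui-kv-read -rules @"$dir/ui-kv-read.hcl"
  consul acl policy create -name svc-web    -rules @"$dir/svc-web.hcl"
  agent_tok=$(consul acl token create -description "agent"   -policy-name agent-ops  | secret_of)
  default_tok=$(consul acl token create -description "ui read" -policy-name ui-kv-read | secret_of)
  web_tok=$(consul acl token create -description "web svc"   -policy-name svc-web    | secret_of)
  consul acl set-agent-token agent   "$agent_tok"
  consul acl set-agent-token default "$default_tok"
  # The web service registers with its own token (CONSUL_HTTP_TOKEN or the
  # X-Consul-Token header), so it never needs the agent's write-capable token.
  echo "token for the web service: $web_tok"
}

# Stand-alone run: print the agent config; call provision against a live agent.
render_agent_config
```

The split into three tokens is the point: the answer above puts the service-write policy on the agent's default token, which means anyone hitting the UI or API without a token can also register and deregister services. Giving each service its own token with `service "<name>" { policy = "write" }` and leaving the default token read-only keeps the KV store read-only for UI users without opening the catalog to them.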
I am upgrading my tutorial from composer v0.16 to composer v0.20.2. Most of the upgrade has gone smoothly, however I'm running into an authentication problem that I can't get around. I'm going through a step-wise process to create and activate a user. In v0.16, I did the following:
ADD a new member to a registry
ISSUE identity for the new member
CREATE and IMPORT a card for the new member
PING the business network using the new member ID
The last step 'activated' the member, so that they could do productive work in the network. In v0.20, the first 3 steps still work flawlessly, however the PING step now returns the following error:
transaction returned with failure: AccessException:
Participant 'org.acme.Z2BTestNetwork.Buyer#rdd@xyz.com' does not have 'READ' access to resource
'org.hyperledger.composer.system.Network#zerotoblockchain-network@0.1.5'
I've simplified my permissions.acl file down to just the following 3 statements:
rule Z2BTestFullAccess {
description: "Allow all participants access to all resources"
participant: "org.acme.Z2BTestNetwork.Buyer"
operation: READ
resource: "org.hyperledger.composer.system.**"
action: ALLOW
}
rule NetworkAdminUser {
description: "Grant business network administrators full access to user resources"
participant: "org.hyperledger.composer.system.NetworkAdmin"
operation: ALL
resource: "**"
action: ALLOW
}
rule NetworkAdminSystem {
description: "Grant business network administrators full access to system resources"
participant: "org.hyperledger.composer.system.NetworkAdmin"
operation: ALL
resource: "org.hyperledger.composer.system.**"
action: ALLOW
}
I can further simplify the first rule to be
rule Z2BTestFullAccess {
description: "Allow all participants access to all resources"
participant: "ANY"
operation: ALL
resource: "org.hyperledger.composer.system.**"
action: ALLOW
}
But it still fails with the same error message.
composer card list for the new card returns:
userName: rdd-xyz.com
description:
businessNetworkName: zerotoblockchain-network
identityId: 6c6eab0d11d26ccfc4a8164dbe971814d2120802e84d1b3b98b16ceb2cb80334
roles: none
connectionProfile:
name: hlfv1
x-type: hlfv1
credentials: Credentials set
composer network ping for the new card returns the same error as the nodejs code.
How do I determine the root cause of this error and, more importantly, how do I resolve this? Happy to add code segments for each step if that will help.
I am not able to start a composer-rest-server without a network admin card.
When I tried a normal user card, it generates the following error:
Connection fails: Error: 2 UNKNOWN: error executing chaincode:
transaction returned with failure:
AccessException: Participant 'com.tuzz.agloan.Dccb#dccb1' does not have 'READ' access to resource 'org.hyperledger.composer.system.Network#aloan@0.0.2-deploy.17'
You can try adding a rule that gives the participant access to the network.
In the .acl file, add this rule, then update the network and start the REST server:
rule Rule1 {
description: "Grant access to the network"
participant: "com.tuzz.agloan.Dccb"
operation: READ
resource: "org.hyperledger.composer.system.Network"
action: ALLOW
}
For more details, you can refer to the Granting network access control section in the ACL reference.
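A complete permissions.acl with the network-access rule from this answer and from the auction-network answer earlier on the page, plus the redeploy-and-check steps, as an added example. It is not code from the original posts or from Hyperledger Composer's sample networks. Assumed names: participant type org.example.auction.Buyer, business namespace org.example.auction, network auction-network, cards PeerAdmin@hlfv1 (install/upgrade) and Buyer2@auction-network (the participant's own card); replace them with yours.

```shell
#!/bin/sh
# Added example; not code from the original posts or from Hyperledger Composer.
# Assumed names (replace with yours): participant org.example.auction.Buyer,
# namespace org.example.auction, network auction-network, cards PeerAdmin@hlfv1
# and Buyer2@auction-network.
set -eu

# Render a complete permissions.acl. Rule order does not matter; what matters
# is that the participant gets READ on the system Network resource (the check
# that produced the AccessException above) before any business rule can help.
render_permissions_acl() {
  participant="$1"
  ns="$2"
  cat <<EOF
rule ParticipantCanReadNetwork {
    description: "READ on the system Network resource; without it ping and query fail"
    participant: "${participant}"
    operation: READ
    resource: "org.hyperledger.composer.system.Network"
    action: ALLOW
}

rule ParticipantCanRecordTransactions {
    description: "Submitting a transaction also creates a HistorianRecord"
    participant: "${participant}"
    operation: CREATE
    resource: "org.hyperledger.composer.system.HistorianRecord"
    action: ALLOW
}

rule ParticipantBusinessResources {
    description: "Business-level access for ${participant}"
    participant: "${participant}"
    operation: ALL
    resource: "${ns}.*"
    action: ALLOW
}

rule NetworkAdminUser {
    description: "Grant business network administrators full access to user resources"
    participant: "org.hyperledger.composer.system.NetworkAdmin"
    operation: ALL
    resource: "**"
    action: ALLOW
}

rule NetworkAdminSystem {
    description: "Grant business network administrators full access to system resources"
    participant: "org.hyperledger.composer.system.NetworkAdmin"
    operation: ALL
    resource: "org.hyperledger.composer.system.**"
    action: ALLOW
}
EOF
}

# Package the network directory, install and upgrade it on the peers, then ping
# with the participant's card to prove the ACL now passes (Composer v0.19+ flow;
# v0.16 used 'composer network update'). Bump the version in package.json first.
# Skipped when the CLI is absent or the directory is not a network project.
redeploy_and_check() {
  project_dir="$1"; network="$2"; version="$3"; user_card="$4"
  if ! command -v composer >/dev/null 2>&1 || [ ! -f "$project_dir/package.json" ]; then
    echo "composer CLI missing or $project_dir is not a network project; skipping" >&2
    return 0
  fi
  bna="${project_dir}/${network}@${version}.bna"
  composer archive create -t dir -n "$project_dir" -a "$bna"
  composer network install -c PeerAdmin@hlfv1 -a "$bna"
  composer network upgrade -c PeerAdmin@hlfv1 -n "$network" -V "$version"
  # The participant's card, not the admin card, is what must pass the ACL.
  composer network ping -c "$user_card"
  # Then restart the REST server so it picks up the upgraded definition:
  #   composer-rest-server -c admin@${network}   (add -m true -a true for multi-user)
}

# Stand-alone run: write the ACL into a scratch directory and show it.
work=$(mktemp -d)
render_permissions_acl org.example.auction.Buyer org.example.auction > "$work/permissions.acl"
cat "$work/permissions.acl"
redeploy_and_check "$work" auction-network 0.0.2 Buyer2@auction-network
```

To use it on a real project, run `redeploy_and_check ./my-network auction-network 0.0.2 Buyer2@auction-network` after copying the rendered file into `./my-network/permissions.acl`. The ping with the participant's own card is the check worth keeping: the admin card passes because of the NetworkAdmin rules and tells you nothing about the participant's access.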
I have been following this Tutorial and I am able to complete it. I issue a new identity, to an existing participant and I create a business card for this identity with the following command:
composer identity issue --card admin@tutorial-network -f usr001@tutorial-network.card -u usr001 -a "resource:org.acme.biznet.Trader#usr001" -x true
Then, I import that business card via POST /wallet/import and I am able to call different REST API operations. After that, I stop the composer-rest-server and after a few minutes I start the composer-rest-server again with the command composer-rest-server -c admin@tutorial-network -m true -a true
Then, I authenticate to the REST API using the configured authentication mechanism (in this case the passport-github strategy) and if I try to call one operation from the REST API it throws an 'A business network card has not been specified' error message, then I import the previous business card via POST /wallet/import getting a 'no content' response, which is supposed to be correct.
Finally, when I try to call another REST API operation I get the following error:
{
"error": {
"statusCode": 500,
"name": "Error",
"message": "Error trying to ping. Error: Error trying to query business network. Error: chaincode error (status: 500, message: Error: The current identity has not been registered: usr001)",
"stack": "Error: Error trying to ping. Error: Error trying to query business network. Error: chaincode error (status: 500, message: Error: The current identity has not been registered: usr001)\n at _checkRuntimeVersions.then.catch (/home/username/.npm-global/lib/node_modules/composer-rest-server/node_modules/composer-connector-hlfv1/lib/hlfconnection.js:679:34)\n at <anonymous>"
}
}
This is the main issue: I don't know why my identity is not being recognized by the REST API if I used it previously to call some operations.
The problem is one of persistence, as captured here -> https://hyperledger.github.io/composer/v0.16/integrating/enabling-multiuser.html and the link for persisting identities (i.e. the instructions) is here -> https://hyperledger.github.io/composer/v0.16/integrating/deploying-the-rest-server.html
All user information is persisted in a LoopBack data source by using a LoopBack connector. By default, the REST server uses the LoopBack "memory" connector to persist user information, which is lost when the REST server is terminated. The REST server should be configured with a LoopBack connector that stores data in a highly available data source, for example a database.
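The concrete form of that fix, as an added example that is not from the original post or from Hyperledger Composer itself: the REST server reads its LoopBack datasource and passport providers from the COMPOSER_DATASOURCES and COMPOSER_PROVIDERS environment variables. Assumptions: MongoDB reachable at the host passed in (default localhost), a GitHub OAuth app whose client id and secret the caller supplies, the card admin@tutorial-network, and that loopback-connector-mongodb has been installed next to composer-rest-server.

```shell
#!/bin/sh
# Added example; not code from the original post or from Hyperledger Composer.
# Assumptions: MongoDB on the given host (default localhost), a GitHub OAuth
# app (client id/secret passed by the caller), card admin@tutorial-network,
# and 'npm install -g loopback-connector-mongodb' already done.
set -eu

# LoopBack datasource: replace the default "memory" connector (wallet and
# users gone on every restart) with MongoDB so imported cards persist.
render_datasources() {
  host="${1:-localhost}"
  cat <<EOF
{
  "db": {
    "name": "db",
    "connector": "mongodb",
    "host": "${host}",
    "port": 27017,
    "database": "composer-rest",
    "user": "",
    "password": ""
  }
}
EOF
}

# Passport provider block for the GitHub strategy the post uses. The
# callbackURL must match what is registered in the GitHub OAuth app.
render_providers() {
  client_id="$1"; client_secret="$2"
  cat <<EOF
{
  "github": {
    "provider": "github",
    "module": "passport-github",
    "clientID": "${client_id}",
    "clientSecret": "${client_secret}",
    "authPath": "/auth/github",
    "callbackURL": "/auth/github/callback",
    "successRedirect": "/",
    "failureRedirect": "/"
  }
}
EOF
}

# Launch the REST server in multi-user, authenticated mode with both variables
# set. Cards imported through /wallet/import now land in MongoDB and are still
# there after the next restart, so "identity has not been registered" goes away.
start_rest_server() {
  client_id="$1"; client_secret="$2"; mongo_host="${3:-localhost}"
  command -v composer-rest-server >/dev/null 2>&1 || { echo "composer-rest-server not on PATH" >&2; return 0; }
  COMPOSER_DATASOURCES=$(render_datasources "$mongo_host")
  COMPOSER_PROVIDERS=$(render_providers "$client_id" "$client_secret")
  export COMPOSER_DATASOURCES COMPOSER_PROVIDERS
  exec composer-rest-server -c admin@tutorial-network -m true -a true
}

# Stand-alone run: show the datasource definition that will be exported.
render_datasources "${MONGO_HOST:-localhost}"
```

Usage: `start_rest_server "$GITHUB_CLIENT_ID" "$GITHUB_CLIENT_SECRET" mongo`. The secret goes in through the environment on purpose; do not bake it into a script that gets committed.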
I am trying to access DynamoDB from my Node app deployed on AWS Elastic Beanstalk. I am getting an error:
User is not authorized to perform: dynamodb:PutItem on resource
It works perfectly fine locally, but when I deploy to the AWS it stops performing.
A DynamoDB access denied error is generally a policy issue. Check the IAM role policies that you are using. A quick check is to add the
AmazonDynamoDBFullAccess
policy to your role via the "Permissions" tab in the AWS console. If it works after that, it means you need to create the right access policy and attach it to your role.
Check the access key you are using to connect to DynamoDB in your Node app on AWS. This access key will belong to a user that does not have the necessary privileges in IAM. So, find the IAM user, create or update an appropriate policy and you should be good.
For Beanstalk you need to setup user policies when you publish. Check out the official docs here.
And check out the example from here too, courtesy of @Tirath Shah.
Granting full dynamodb access using aws managed policy AmazonDynamoDBFullAccess is not recommended and is not a best practice.
Try adding your table ARN as the Resource key in your role's policy JSON:
"Resource": "arn:aws:dynamodb:<region>:<account_id>:table/dynamodb_table_name"
In my case (I try to write to a DynamoDB table through a SageMaker Notebook for experimental purposes), the complete error looks like this:
ClientError: An error occurred (AccessDeniedException) when calling the UpdateItem operation: User: arn:aws:sts::728047644461:assumed-role/SageMakerExecutionRole/SageMaker is not authorized to perform: dynamodb:UpdateItem on resource: arn:aws:dynamodb:eu-west-1:728047644461:table/mytable
I needed to go to AWS Console -> IAM -> Roles -> SageMakerExecutionRole, and Attach these two Policies:
AmazonDynamoDBFullAccess
AWSLambdaInvocation-DynamoDB
In a real-world scenario though, I'd advise following the least-permissions philosophy and applying a policy that allows only the PutItem call to go through, in order to avoid accidents (e.g. deleting a record from your table).
Sign in to IAM > Roles, select the service name. Make sure the DynamoDB Resource is correct.
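The scoped policy the last two answers recommend, written out and attached with the CLI, as an added example that is not from the original answers or from AWS documentation. Assumed values: region eu-west-1, account 123456789012, a table called orders, and the role aws-elasticbeanstalk-ec2-role (the default Beanstalk instance role, which is what the app's credentials come from on the instance). The action list is an assumption about what the app needs; trim it to match.

```shell
#!/bin/sh
# Added example; not from the original answers or from AWS docs.
# Assumed values: region eu-west-1, account 123456789012, table "orders",
# role aws-elasticbeanstalk-ec2-role. Adjust the action list to your app.
set -eu

# Least-privilege inline policy: only the item operations the app uses, only
# on this table and its indexes (index ARNs live under the table ARN).
render_dynamodb_policy() {
  region="$1"; account="$2"; table="$3"
  table_arn="arn:aws:dynamodb:${region}:${account}:table/${table}"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AppItemAccess",
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:Query"
      ],
      "Resource": [
        "${table_arn}",
        "${table_arn}/index/*"
      ]
    }
  ]
}
EOF
}

# Attach the policy to the instance role (the app inherits it through the
# instance profile, so no access keys live in the app), then ask IAM's policy
# simulator whether the role can PutItem and confirm DeleteItem stays denied.
# Skipped when the aws CLI is not installed.
apply_and_verify() {
  role="$1"; region="$2"; account="$3"; table="$4"
  command -v aws >/dev/null 2>&1 || { echo "aws CLI not on PATH; skipping" >&2; return 0; }
  tmp=$(mktemp)
  render_dynamodb_policy "$region" "$account" "$table" > "$tmp"
  aws iam put-role-policy --role-name "$role" \
      --policy-name "dynamodb-${table}-app" --policy-document "file://$tmp"
  aws iam simulate-principal-policy \
      --policy-source-arn "arn:aws:iam::${account}:role/${role}" \
      --action-names dynamodb:PutItem dynamodb:DeleteItem \
      --resource-arns "arn:aws:dynamodb:${region}:${account}:table/${table}" \
      --query 'EvaluationResults[].[EvalActionName,EvalDecision]' --output text
  rm -f "$tmp"
}

# Stand-alone run: print the policy document for the assumed values.
render_dynamodb_policy eu-west-1 123456789012 orders
```

Before touching policies at all, run `aws sts get-caller-identity` from the Beanstalk instance: the Arn it prints is the principal that is actually being denied, and for a Beanstalk app it is normally the instance role, not the IAM user whose keys work on your laptop. Then `apply_and_verify aws-elasticbeanstalk-ec2-role eu-west-1 123456789012 orders` attaches the policy and the simulator output should show PutItem allowed and DeleteItem implicitDeny.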