Allow participants full read access

Problem description

I want to grant read permission to all "Person" participants who work at a company whose type is "BORDER". The company type is an enum.

Access control list:

rule NetworkAdminUser {
    description: "Grant business network administrators full access to user resources"
    participant: "org.hyperledger.composer.system.NetworkAdmin"
    operation: ALL
    resource: "**"
    action: ALLOW
}

rule NetworkAdminSystem {
    description: "Grant business network administrators full access to system resources"
    participant: "org.hyperledger.composer.system.NetworkAdmin"
    operation: ALL
    resource: "org.hyperledger.composer.system.**"
    action: ALLOW
}

rule SystemACL {
    description: "System ACL to permit all access"
    participant: "org.hyperledger.composer.system.Participant"
    operation: ALL
    resource: "org.hyperledger.composer.system.**"
    action: ALLOW
}

rule transaction {
    description: "Allow participants full access to transactions"
    participant: "org.acme.shipping.participants.Person"
    operation: ALL
    resource: "org.acme.shipping.transactions.**"
    action: ALLOW
}

rule containers {
    description: "Allow participants access to containers owned by their company"
    participant(p): "org.acme.shipping.participants.Person"
    operation: ALL
    resource(c): "org.acme.shipping.assets.**"
    condition: (c.owner.getIdentifier() == p.company.getIdentifier())
    action: ALLOW
}

rule border {
    description: "Allow Border access to containers"
    participant(p): "org.acme.shipping.participants.Person"
    operation: READ
    resource: "org.acme.shipping.assets.**"
    condition: (p.company.type == "BORDER")
    action: ALLOW
}

Participant model file:

namespace org.acme.shipping.participants

participant Company identified by cid {
  o String cid
  o String name
  o CompanyType type
}

enum CompanyType {
  o BORDER
  o COURIER
  o SHIPPER
}

participant Person identified by id {
  o String id
  o String name
  --> Company company
}

However, the Person still cannot see any assets.

Any suggestions on how to fix this?

Tags: hyperledger-fabric, hyperledger, hyperledger-composer, ibm-blockchain

Solution

The ACL rule you wrote to grant border companies access to all containers is fine. The main problem is that every Person participant holds a reference to its Company, but no rule in the ACL gives participants of type Person access to (that is, READ on) their company's details. So by default the ACL denies the Person READ access to its company's details, and when you access the person's company in the rule condition via

p.company.type

that access is simply refused. To get the behaviour you want, you must first grant READ access to the Person's own Company, using

rule readCompany {
    description: "Allow Read Access to Person's Own Company"
    participant(p): "org.acme.shipping.participants.Person"
    operation: READ
    resource(comp): "org.acme.shipping.participants.Company"
    condition: (p.company.getIdentifier() == comp.getIdentifier())
    action: ALLOW
}

Then you will be able to grant access to all containers to persons belonging to a company of type Border, using the same rule you already have:

rule border {
    description: "Allow Border access to containers"
    participant(p): "org.acme.shipping.participants.Person"
    operation: READ
    resource: "org.acme.shipping.assets.**"
    condition: (p.company.type == "BORDER")
    action: ALLOW
}
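The following JavaScript is an added example; it is not code from the question, the answer or Hyperledger Composer itself. It models the one mechanism the answer relies on: dereferencing a relationship inside an ACL condition (`p.company.type`) is a READ of the Company participant, and that READ is checked against the same ACL, so without `readCompany` the `border` rule can never match. The rule and type names mirror the question; the registry contents are constructed. Assumptions: the container asset has an `owner` relationship to Company (the question's `containers` rule implies this), the NetworkAdmin/System rules are left out because they never match a Person reading a Company, and a refused dereference is treated as the condition being false. First matching rule decides and the default is DENY, as in Composer.

```javascript
// Added example (not from the question, the answer or Composer): a small model
// of ACL evaluation in which a relationship dereferenced inside a condition is
// itself a READ that must pass the ACL. Data below is constructed.
const NS_P = 'org.acme.shipping.participants';
const NS_A = 'org.acme.shipping.assets';
const COMPANY = `${NS_P}.Company`;
const PERSON = `${NS_P}.Person`;
const CONTAINER = `${NS_A}.Container`;

// Relationship fields and the class they point at: "--> Company company" from the
// model file, and an assumed "--> Company owner" on the container asset.
const RELATIONS = { company: COMPANY, owner: COMPANY };

// Constructed registry: a border agency and a courier, one person at each,
// and one container owned by each company.
const registry = {
  [COMPANY]: {
    C1: { $class: COMPANY, $id: 'C1', name: 'Border Agency', type: 'BORDER' },
    C2: { $class: COMPANY, $id: 'C2', name: 'Fast Courier', type: 'COURIER' },
  },
  [PERSON]: {
    P1: { $class: PERSON, $id: 'P1', name: 'Alice', company: 'C1' },
    P2: { $class: PERSON, $id: 'P2', name: 'Bob', company: 'C2' },
  },
  [CONTAINER]: {
    K1: { $class: CONTAINER, $id: 'K1', owner: 'C2' },
    K2: { $class: CONTAINER, $id: 'K2', owner: 'C1' },
  },
};

class AccessDenied extends Error {}

// Resource patterns as used in the question's ACL: "**", "ns.**" or an exact class.
function matches(pattern, className) {
  if (pattern === '**') return true;
  if (pattern.endsWith('.**')) return className.startsWith(pattern.slice(0, -2));
  return pattern === className;
}

// A relationship: getIdentifier() needs no access (the id is stored in the
// relationship itself), but reading any other field resolves the target record,
// which is a READ of that record and must pass the ACL.
function relationship(acl, actor, type, id) {
  return new Proxy({}, {
    get(_, prop) {
      if (prop === 'getIdentifier') return () => id;
      const record = registry[type][id];
      if (!isAllowed(acl, actor, 'READ', record)) {
        throw new AccessDenied(`${actor.$id} may not READ ${type}#${id}`);
      }
      return view(acl, actor, record)[prop];
    },
  });
}

// A record as seen by `actor`: relationship fields come back wrapped.
function view(acl, actor, record) {
  return new Proxy(record, {
    get(target, prop) {
      if (prop === 'getIdentifier') return () => target.$id;
      if (prop in RELATIONS && target[prop] !== undefined) {
        return relationship(acl, actor, RELATIONS[prop], target[prop]);
      }
      return target[prop];
    },
  });
}

// First matching rule decides; no matching rule means DENY. A rule whose condition
// is false, or cannot be evaluated because a dereference was refused, does not match.
function isAllowed(acl, actor, operation, resource) {
  for (const rule of acl) {
    if (!matches(rule.participant, actor.$class)) continue;
    if (rule.operation !== 'ALL' && rule.operation !== operation) continue;
    if (!matches(rule.resource, resource.$class)) continue;
    if (rule.condition) {
      let ok;
      try {
        ok = rule.condition(view(acl, actor, actor), view(acl, actor, resource));
      } catch (e) {
        if (!(e instanceof AccessDenied)) throw e;
        ok = false;
      }
      if (!ok) continue;
    }
    return rule.action === 'ALLOW';
  }
  return false;
}

// The question's Person rules as objects; conditions are the ACL file's expressions.
const containers = {
  participant: PERSON, operation: 'ALL', resource: `${NS_A}.**`, action: 'ALLOW',
  condition: (p, c) => c.owner.getIdentifier() === p.company.getIdentifier(),
};
const border = {
  participant: PERSON, operation: 'READ', resource: `${NS_A}.**`, action: 'ALLOW',
  condition: (p) => p.company.type === 'BORDER',
};
// The answer's fix: READ on the person's own company only.
const readCompany = {
  participant: PERSON, operation: 'READ', resource: COMPANY, action: 'ALLOW',
  condition: (p, comp) => p.company.getIdentifier() === comp.getIdentifier(),
};

const ACL_WITHOUT_FIX = [containers, border];
const ACL_WITH_FIX = [readCompany, containers, border];

function can(acl, personId, operation, className, id) {
  return isAllowed(acl, registry[PERSON][personId], operation, registry[className][id]);
}

// Alice (BORDER company) reading the courier's container: denied until her own
// company is readable, because the border rule's condition cannot be evaluated.
console.log('without fix:', can(ACL_WITHOUT_FIX, 'P1', 'READ', CONTAINER, 'K1')); // false
console.log('with fix:   ', can(ACL_WITH_FIX, 'P1', 'READ', CONTAINER, 'K1'));    // true
```

Running it also shows that the fix is scoped: Bob (courier) still reads only his own company and the container his company owns, and is refused the border agency's container and company record.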
