Attribute based access control
是一种权限控制方式。基本思路是在ca证书中添加一些属性字段(attribute),
const secret = await ca.register({ affiliation: 'org1.department1', enrollmentID: 'user1', role: 'client' }, adminIdentity);
然后在编写chaincode的时候,可以读取这些字段,根据相应信息进行权限控制。
func set(stub shim.ChaincodeStubInterface, args []string) (string, error) {
// only user with org1.department1 affiliation can set the value
department1err := cid.AssertAttributeValue(stub, "hf.Affiliation", "org1.department1")
if department1err != nil {
return "", fmt.Errorf("Only Department 1 can set value.")
}
...
original code
...
}
可见ABAC是需要CA和chaincode一起配合的,和Policy不同。Policy是配置Channel的权限,而ABAC是chaincode内部逻辑的权限控制。
其他权限控制方式
fabric的权限控制方式分为两种粒度:
- Channel层级的权限,控制本channel上所有chaincode的权限,是通过Policy
- Chaincode层级的权限,即通过上面的ABAC和Private Data实现
Ref
- https://stackoverflow.com/questions/58682378/hyperledger-fabric-difference-between-attribute-based-access-control-vs-policy
- https://hyperledger-fabric-ca.readthedocs.io/en/latest/users-guide.html#attribute-based-access-control
- https://kctheservant.medium.com/identity-in-hyperledger-fabric-part-2-fc2f50214d9
- https://github.com/hyperledger/fabric-chaincode-go/blob/main/pkg/cid/README.md
回复 agodelo 取消回复