  • Fabric access control: Attribute-Based Access Control

    I had looked at the Client Identity Chaincode Library a little before, and these past few days I started actually using it.

    Even so, I found quite a few gaps in my earlier understanding and hit a fair number of pitfalls.

    First, the official introduction: https://github.com/hyperledger/fabric/blob/release-1.1/core/chaincode/lib/cid/README.md

    1. First, the registered user needs attrs added, but they could not be seen in the CA database and could not be queried at the chaincode layer either.

    Checking the CA log showed no errors, and the user enrolled successfully.

    Querying Fabric's default attrs from the chaincode layer worked, though. That is when I realised that the attrs I needed had to be added in ca-server-config.yaml.

    2. When importing github.com/hyperledger/fabric/core/chaincode/lib/cid in the chaincode, compilation kept failing with: cannot find package github.com/hyperledger/fabric/core/chaincode/lib/cid

    The error message is quite explicit, but because my understanding of Go and its surrounding tooling was insufficient, I hit a lot of pitfalls.

    The shim package could be imported successfully, but I did not know where the shim package lived or how to import a new package. Searching the system for shim returned nothing.

    Searching online, I am confident this is the correct answer: https://stackoverflow.com/questions/49560104/cannot-find-package-cid-in-goroot-or-gopath

    Even so it was not entirely clear to me; in the end I got it working by referring to the abac example and the govendor documentation.

    Below is some of the key code:

    ca-config.yaml

    registry:
      # Maximum number of times a password/secret can be reused for enrollment
      # (default: -1, which means there is no limit)
      maxenrollments: -1
    
      # Contains identity information which is used when LDAP is disabled
      identities:
         - name: admin
           pass: adminpw
           type: client
           affiliation: ""
           attrs:
              hf.Registrar.Roles: "peer,orderer,client,user"
              hf.Registrar.DelegateRoles: "peer,orderer,client,user"
              hf.Revoker: true
              hf.IntermediateCA: true
              hf.GenCRL: true
              hf.Registrar.Attributes: "*"
              hf.AffiliationMgr: true
              permissions: "*"
    


    Node.js

    			let secret = await caClient.register({
    				enrollmentID: username,
    				affiliation: userOrg.toLowerCase() + '.department1',
    				attrs:[{name:"hf.Registrar.Attributes",value:"query",ecert:true},
    				{name:"permissions",value:"query",ecert:true}]
    				//attrs:reg_attr
    			}, adminUserObj);
    


    chaincode

    package main

    import (
    	"fmt"

    	"github.com/hyperledger/fabric/core/chaincode/lib/cid"
    	"github.com/hyperledger/fabric/core/chaincode/shim"
    	pb "github.com/hyperledger/fabric/protos/peer"
    )

    // inspectCaller wraps the snippet so it compiles on its own (the wrapper is an
    // assumption; in practice this code sits inside Invoke). It prints what the cid
    // library can read from the invoking client's certificate and fails unless both
    // custom attrs are present.
    func inspectCaller(stub shim.ChaincodeStubInterface) pb.Response {
    	// Get the client ID object; check the error before using it
    	id, err := cid.New(stub)
    	if err != nil {
    		return shim.Error(err.Error())
    	}
    	fmt.Println("client ID object:")
    	fmt.Println(id)

    	mspid, err := id.GetMSPID()
    	if err != nil {
    		return shim.Error(err.Error())
    	}
    	fmt.Println("mspid:")
    	fmt.Println(mspid)

    	// The caller's X.509 enrollment certificate; attrs live in its extensions.
    	// A nil cert would panic below, so the error must be checked first.
    	cert, err := cid.GetX509Certificate(stub)
    	if err != nil {
    		return shim.Error(err.Error())
    	}
    	fmt.Println("cert:")
    	fmt.Printf("%+v\n", cert)
    	fmt.Println("cert.Extensions :")
    	fmt.Printf("%+v\n", cert.Extensions)
    	fmt.Println("cert.Subject.CommonName:")
    	fmt.Println(cert.Subject.CommonName)

    	// Attrs registered with ecert:true are readable here by name
    	val, ok, err := cid.GetAttributeValue(stub, "hf.Registrar.Attributes")
    	if err != nil {
    		return shim.Error(err.Error())
    	}
    	if !ok {
    		return shim.Error("The client identity does not possess the attribute:hf.Registrar.Attributes")
    	}
    	fmt.Println("hf.Registrar.Attributes:")
    	fmt.Println(val)

    	val, ok, err = cid.GetAttributeValue(stub, "permissions")
    	if err != nil {
    		return shim.Error(err.Error())
    	}
    	if !ok {
    		return shim.Error("The client identity does not possess the attribute:permissions")
    	}
    	fmt.Println("permissions:")
    	fmt.Println(val)

    	return shim.Success(nil)
    }
    
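    As an added example (not code from this post or from Fabric), here is the kind of decision the permissions attribute registered above is meant to drive: a small Go policy that reads the caller's "permissions" attribute and decides whether the invoked chaincode function is allowed. The AttributeSource interface, the MapAttrs fake and the function-to-permission table are assumptions for illustration; in real chaincode the interface would be backed by cid.GetAttributeValue(stub, name).

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// AttributeSource is the one call the policy needs. In real chaincode a thin adapter
// over cid.GetAttributeValue(stub, name) would satisfy it (assumed, not shown here).
type AttributeSource interface {
	GetAttributeValue(name string) (string, bool, error)
}

// MapAttrs is a constructed in-memory stand-in for the attrs in the caller's enrollment cert.
type MapAttrs map[string]string

func (m MapAttrs) GetAttributeValue(name string) (string, bool, error) {
	v, ok := m[name]
	return v, ok, nil
}

// requiredPermission: chaincode function -> permission the "permissions" attr must grant (constructed policy).
var requiredPermission = map[string]string{"query": "query", "create": "write", "delete": "write"}
// Authorize returns nil only when the caller's "permissions" attribute grants what fn
// needs. The value may be a comma-separated list ("query,write"); "*" grants everything.
func Authorize(src AttributeSource, fn string) error {
	need, known := requiredPermission[fn]
	if !known {
		return fmt.Errorf("unknown function %q", fn)
	}
	val, found, err := src.GetAttributeValue("permissions")
	if err != nil {
		return err
	}
	if !found {
		return errors.New("client identity does not possess the attribute: permissions")
	}
	for _, p := range strings.Split(val, ",") {
		if p = strings.TrimSpace(p); p == "*" || p == need {
			return nil
		}
	}
	return fmt.Errorf("function %q needs permission %q, caller has %q", fn, need, val)
}
func main() {
	user := MapAttrs{"permissions": "query"} // the user registered in the Node.js snippet
	fmt.Println(Authorize(user, "query"), Authorize(user, "delete"))
}
```

    Because the attrs were registered with ecert:true they are embedded in the enrollment certificate, so this check reads them from the transaction's signing certificate without any call back to the CA.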


  • Original article: https://www.cnblogs.com/13579net/p/9116551.html