10

My question is on access control in hyperledger fabric composer.

Assume you have a business network, in which you have the following participants:

  1. Sellers
  2. (Potential) Buyers

A seller is an employee of a company that sells products to a buying company. A buyer is an employee of a buying company.

Example: The buying company is Daimler. Three employees of Daimler are registered as Buyers in the network. The selling company is General Electric. Two employees of General Electric are registered as Sellers in the network.

With hyperledger composer's Access Control Language, one can restrict the access rights of buyers and sellers at will.

But how is the situation regarding Access Control at the Node level?

There are not only buyers and sellers but also two system administrators: one system administrator responsible for the Daimler peer and one system administrator responsible for the General Electric peer.

By default, the system administrators have access to all data. That is, the Daimler system administrator has access to all data of the registered General Electric employees. Vice versa, the General Electric system administrator has access to all data of the registered Daimler employees.

Is it possible to restrict the access of the system administrators to a handful of rights, such as:

  1. right to install and start the business network
  2. right to control changes to the system made by the other system administrator (e.g. if the Daimler system administrator changes the code of the application, then the General Electric administrator must approve those changes before they can become effective)
  3. Read Access to employees of one's own company
steady_progress

1 Answer

4

Access to a Hyperledger Fabric (for anything including interacting with a business network) is managed by Hyperledger Fabric MSPs. Hyperledger Fabric, as part of the setting up of the Hyperledger Fabric network and channels, defines which identities (created via the MSPs) have the authority to install chaincode onto peers and which identities have channel authority, to be able to instantiate or upgrade chaincode. It is possible to restrict Peer Install and Channel instantiate/upgrade to specific identities. Information about Hyperledger Fabric MSPs, for example, can be found at this link https://hyperledger-fabric.readthedocs.io/en/release-1.2/msp.html but you will probably want to be familiar with the complete operations section that this section is part of.

Access control in Composer is done via participants and the business network ACL file. You control which participants can perform various actions on resources controlled by the Composer runtime. You need an identity (generated by your MSP) in order to be able to interact on a channel/chaincode (as required by Hyperledger Fabric); this identity has to be previously mapped to a specific participant in order to interact on the business network. When a request is sent to a business network, Composer will look up that specific participant based on the identity that made the request and use that participant and its type to determine, through the information in the business network ACL file, what it is allowed to do.

Note that things like Peer install and channel instantiate/upgrade of chaincode are Fabric-level capabilities, not Composer capabilities, so you do not control these types of activity through Composer ACL definitions.

david_k
  • Thank you for your answer ... "Note that things like Peer install, channel instantiate/upgrade of chaincode is a fabric level capability, not a composer capability so you do not control these types of activity through composer ACL definitions" ... in the ACL file, I can manipulate the access rights of the network administrator (org.hyperledger.composer.system.NetworkAdmin) .... I thought this network administrator can do installation and channel instantiation/upgrade of chaincode ... are you saying that this network administrator is NOT able to do these things? – steady_progress Jul 23 '18 at 22:25
  • 2
    You might also want to read https://stackoverflow.com/questions/51453397/is-hyperledger-a-truly-secure-blockchain-like-ethereum. From a Fabric point of view there are identities that have the capability to perform administrative actions, and those get defined when the network is set up and the channel created. You define what capabilities participants or participant types can do within a business network using the ACL file. You then bind identities to participants so that those identities used to interact with a Fabric can be mapped to a participant within a business network. – david_k Jul 24 '18 at 07:19
  • 2
    Then there is the fabric-ca-server. You don't have to use this server for identity generation, but if you do (and composer identity issue along with Composer's automatic enrollment makes use of the fabric-ca-server) then you need an identity with issuer authority to be able to issue new user ids. How you set up the ca-server defines what identities exist that have issuer authority. Our simple dev server sets up a bootstrap identity of admin with a secret of adminpw. When you enroll that user you get an identity back that can set up new users on a ca-server. – david_k Jul 24 '18 at 07:24
  • As far as I understand, the Peer Administrators are the only ones who can deploy a new business network or upgrade a running business network, correct? ... the "Network Admins" are normal participants, whose access rights can be determined in the ACL file. That is, I could, e.g., limit the rights of Network Admins to create new participants, correct? – steady_progress Jul 24 '18 at 16:06
  • But how do I prevent a Peer Administrator from looking at all the data saved in the ledger? – steady_progress Jul 24 '18 at 16:08
  • 1
    Put differently: What access rights does a peer administrator have by default? (E.g., Is he/she able to view old transactions?) ... And how do I manipulate the access rights of a peer administrator? – steady_progress Jul 24 '18 at 16:11
  • 1
    These are now specific to how hyperledger fabric (rather than composer) controls access to ledger data. I would recommend a new stackoverflow question specifically about this and then hopefully someone with more in depth knowledge for fabric will answer. I'm not familiar with that level of detail. – david_k Jul 25 '18 at 06:54
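
The lookup the answer describes (identity, then bound participant, then ACL rules) can be modelled in a few lines. This is an added example, not Composer's code or part of the original thread: it assumes ordered rules where the first match decides and no match denies, and the `org.example` namespace, the identity names and the `company` attribute are hypothetical.

```python
from dataclasses import dataclass
from typing import Callable

NETWORK_ADMIN = "org.hyperledger.composer.system.NetworkAdmin"

@dataclass(frozen=True)
class Participant:
    ptype: str      # fully qualified participant type
    company: str    # hypothetical attribute used for company scoping

@dataclass(frozen=True)
class Rule:
    ptype: str                  # participant type, or "ANY"
    operations: frozenset       # subset of CREATE/READ/UPDATE/DELETE
    resource_prefix: str        # namespace the rule covers
    action: str                 # "ALLOW" or "DENY"
    condition: Callable = lambda p, r: True

# Constructed identity-to-participant bindings (names are made up).
BINDINGS = {
    "alice@daimler": Participant("org.example.Buyer", "Daimler"),
    "bob@ge": Participant("org.example.Seller", "General Electric"),
    "netadmin@daimler": Participant(NETWORK_ADMIN, "Daimler"),
}

# Ordered rules: the first match decides, no match means DENY.
RULES = [
    Rule("ANY", frozenset({"READ"}), "org.example.", "ALLOW",
         lambda p, r: p.company == r.get("company")),
    Rule(NETWORK_ADMIN, frozenset({"CREATE", "READ"}),
         "org.hyperledger.composer.system.", "ALLOW"),
]

def check_access(identity: str, operation: str, resource: dict) -> str:
    """Decide a business-network request; peer install and channel
    instantiate/upgrade are Fabric-level and never reach this check."""
    participant = BINDINGS.get(identity)
    if participant is None:
        return "DENY"           # identity not bound to any participant
    for rule in RULES:
        if (rule.ptype in ("ANY", participant.ptype)
                and operation in rule.operations
                and resource["type"].startswith(rule.resource_prefix)
                and rule.condition(participant, resource)):
            return rule.action
    return "DENY"
```

In this model the network administrator is an ordinary participant: it can read only its own company's records and manage system resources, while an identity with no participant binding is denied every business-network request.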