Permissions Hyperledger Composer:将参与者的权限限制为ping网络
我开发了一个带有角度前端的hyperledger composer应用程序 每当用户登录时,他/她都会ping网络以获取其id:Permissions Hyperledger Composer:将参与者的权限限制为ping网络,permissions,hyperledger-composer,access-control,Permissions,Hyperledger Composer,Access Control,我开发了一个带有角度前端的hyperledger composer应用程序 每当用户登录时,他/她都会ping网络以获取其id: return this.httpClient.get('/api/system/ping', {withCredentials: true}).toPromise() .then(data => { //more code }); 问题是,目前仅当网络管理员发送此请求时,此功能才起作用 原因是文件permissions.acl中的以下规则: r
return this.httpClient.get('/api/system/ping', {withCredentials: true}).toPromise()
.then(data => {
//more code
});
问题是,目前仅当网络管理员发送此请求时,此功能才起作用
原因是文件permissions.acl中的以下规则:
rule NetworkAdminSystem {
description: "Grant network administrators full access to system resources"
participant: "org.hyperledger.composer.system.NetworkAdmin"
operation: ALL
resource: "org.hyperledger.composer.system.Network"
action: ALLOW
}
其他参与者(到目前为止)没有对任何系统资源的权限
为了让“普通”参与者能够ping网络,我想写一条规则,允许他们ping网络,但不能更多
也就是说,当涉及到系统资源时,参与者唯一可以做的就是ping网络
问题是我不知道规则中的“资源”行应该是什么样子:
rule AllParticipantsCanPingNetwork {
description: "Allow all participants to ping the network (in order to get their participant id)."
participant: "org.hyperledger.composer.system.Participant"
operation: READ
resource: "org.hyperledger.composer.system.???"
action: ALLOW
}
我要找的是
resource: "org.hyperledger.composer.system.ping"
。。。不幸的是,“org.hyperledger.composer.system.ping”不起作用
我如何限制参与者在网络上ping的权限?
命名空间“org.hyperledger.composer.system”中包含的内容是否有文档
更新: 我现在暂时使用以下规则:
实际上我想进一步限制访问权限。。。为此,我尝试了以下规则:
// Business Access Control Rules:
rule AllParticipantsCanAccessTheNetwork {
description: "Allow all participants to access the network"
participant: "org.hyperledger.composer.system.Participant"
operation: READ
resource: "org.hyperledger.composer.system.Network"
action: ALLOW
}
rule AllParticipantsCanUseTransactionsAffectingARegistry {
description: "Allow all participants to use transactions affecting a registry"
participant: "org.hyperledger.composer.system.Participant"
operation: ALL
resource: "org.hyperledger.composer.system.RegistryTransaction"
action: ALLOW
}
rule NetworkAdministratorsCanUpdateAndDeleteTheNetwork {
description: "Grant network administrators the right to update and delete the network"
participant: "org.hyperledger.composer.system.NetworkAdmin"
operation: UPDATE, DELETE
resource: "org.hyperledger.composer.system.Network"
action: ALLOW
}
rule NetworkAdministratorsCanIssueIdentity {
description: "Grant network administrators the right to issue an identity"
participant: "org.hyperledger.composer.system.NetworkAdmin"
operation: ALL
resource: "org.hyperledger.composer.system.IssueIdentity"
action: ALLOW
}
但是,这还不足以发送事务等。我认为这应该是可行的: 在“普通ACL”中(对于业务网络本身-相应地更改名称空间-下面的示例): 在系统ACL之前:
rule ReadNetwork {
description: "Allow all participants to read network"
participant: "org.hyperledger.composer.system.Participant"
operation: READ
resource: "org.hyperledger.composer.system.Network"
action: ALLOW
}
非常感谢你的回答。。。但是,“readBusiness”规则将为所有参与者提供对业务网络中所有其他参与者和所有资产的读取权限。。。我已经开发了另一个解决方案来避免这种情况(请参阅我的帖子的更新)。。。我想进一步限制访问权限。。。但我的方法(见下文更新)不起作用
rule readBusiness {
description: "ACL to connect to the business network"
participant: "org.hyperledger.composer.system.Participant"
operation: READ
resource: "org.acme.mynetwork.*"
action: ALLOW
}
rule ReadNetwork {
description: "Allow all participants to read network"
participant: "org.hyperledger.composer.system.Participant"
operation: READ
resource: "org.hyperledger.composer.system.Network"
action: ALLOW
}