允许参与者完全读取访问权

时间:2018-05-04 08:54:31

标签: hyperledger-fabric hyperledger hyperledger-composer ibm-blockchain

我想给在公司工作的所有“人”参与者提供读取权限,其中公司的类型是“BORDER”。公司类型是枚举。

ACL:

rule NetworkAdminUser {
    description: "Grant business network administrators full access to user resources"
    participant: "org.hyperledger.composer.system.NetworkAdmin"
    operation: ALL
    resource: "**"
    action: ALLOW
}

rule NetworkAdminSystem {
    description: "Grant business network administrators full access to system resources"
    participant: "org.hyperledger.composer.system.NetworkAdmin"
    operation: ALL
    resource: "org.hyperledger.composer.system.**"
    action: ALLOW
}

rule SystemACL {
  description:  "System ACL to permit all access"
  participant: "org.hyperledger.composer.system.Participant"
  operation: ALL
  resource: "org.hyperledger.composer.system.**"
  action: ALLOW
}

rule transaction {
    description: "Allow participants full access to transactions"
    participant: "org.acme.shipping.participants.Person"
    operation: ALL
    resource: "org.acme.shipping.transactions.**"
    action: ALLOW
}

rule containers {
    description: "Allow participants access to containers owned by their company"
    participant(p): "org.acme.shipping.participants.Person"
    operation: ALL
    resource(c): "org.acme.shipping.assets.**"
    condition: (c.owner.getIdentifier() == p.company.getIdentifier())
    action: ALLOW
}

rule border {
    description: "Allow Border access to containers"
    participant(p): "org.acme.shipping.participants.Person"
    operation: READ
    resource: "org.acme.shipping.assets.**"
    condition: (p.company.type == "BORDER")
    action: ALLOW
}

参与者模型文件:

namespace org.acme.shipping.participants

participant Company identified by cid {
  o String cid
  o String name
  o CompanyType type
}

enum CompanyType {
  o BORDER
  o COURIER
  o SHIPPER
}

participant Person identified by id {
  o String id
  o String name
  --> Company company
}

但是,该人仍然无法看到任何资产。

有关如何解决此问题的任何建议吗?

1 个答案:

答案 0 :(得分:1)

您为了授予边境公司所有容器的访问权限而编写的ACL规则没有问题。主要问题是每个参与者都有对公司的引用,但没有为类型为的参与者指定访问/的规则在ACL中阅读他们公司的详细信息。因此,默认情况下,ACL拒绝人员阅读其公司详细信息的READ访问权限,并且当您在规则条件中访问个人公司时

p.company.type

访问权限受到限制。要实现相同的功能,您必须首先使用

为Person自己的公司提供READ访问权限 
rule readCompany {
    description: "Allow Read Access to Person's Own Company"
    participant(p): "org.acme.shipping.participants.Person"
    operation: READ
    resource(comp): "org.acme.shipping.participants.Company"
    condition: (p.company.getIdentifier() == comp.getIdentifier())
    action: ALLOW
}

然后,您就可以使用您的所有容器访问属于边境 公司

相同的规则 
rule border {
    description: "Allow Border access to containers"
    participant(p): "org.acme.shipping.participants.Person"
    operation: READ
    resource: "org.acme.shipping.assets.**"
    condition: (p.company.type == "BORDER")
    action: ALLOW
}
相关问题
最新问题