Hyperledger Composer中交易网络的限制性ACL [英] Restrictive ACL for Trading network in Hyperledger Composer
问题描述
我无法解决我的问题,因此我尝试再次解释:
有2个参与者(提供者)。他们俩都拥有自己的电子钱包和帐户,并且想将现金兑换成代币,反之亦然。由于欺诈,安全性等原因,他们应该只对自己的资产具有READ-访问权限。但是对于事务,它们需要UPDATE-访问权限。这是我的代码:
I couldn't solve my problem, so i try to explain it again: There are 2 Participants (Provider). Both of them holds own Wallet and Account and they want to exchange Cash to Tokens or visa versa. They should have just READ-access to their own assets, because of fraud, security etc. But for transactions they need UPDATE-access. Here is my code:
org.acme.biznet.cto:
org.acme.biznet.cto:
namespace org.acme.biznet
abstract participant Member identified by memberId {
o String memberId
o String name
o String email
}
// Sensorbesitzer, z.B private Personen, Haushalte etc.
participant Provider identified by providerId extends Member {
o String providerId
--> SDTWallet sdtWallet
--> Account account
}
// SDT Token Wallet von den Netzwerkteilnehmern.
asset SDTWallet identified by sdtWalletId {
o String sdtWalletId
o Double balance default = 0.0
--> Member owner
}
// Geldkonto von den Netzwerkteilnehmern.
asset Account identified by accountId {
o String accountId
o Double balance default = 0.0
--> Member owner
}
// Cash gegen Tokens getauscht.
transaction TradeCashToTokens {
o Double cashRate default = 2.0
o Double cashValue default = 1.0 range = [1.0,]
--> SDTWallet fromSDT
--> SDTWallet toSDT
--> Account fromCash
--> Account toCash
}
// Tokens gegen Cash getauscht.
transaction TradeTokensToCash {
o Double tokenRate default = 0.5
o Double tokenValue default = 2.0 range = [2.0,]
--> SDTWallet fromSDT
--> SDTWallet toSDT
--> Account fromCash
--> Account toCash
}
和logic.js:
/**
* Cash to tokens transaction
* @param {org.acme.biznet.TradeCashToTokens} UpdateValues
* @transaction
*/
function TradeCashToTokens(UpdateValues) {
//determine change in tokens value from the rate
var tokensChange = (UpdateValues.cashRate * UpdateValues.cashValue);
if(UpdateValues.fromCash.balance < UpdateValues.cashValue) {
throw new Error('Insufficient cash funds!');
} else if (tokensChange > UpdateValues.fromSDT.balance) {
throw new Error('Not enough tokens for this transaction!');
}
//alert("Fehler!");
//update values of exchanger1 cash account
console.log('#### exchanger1 cash balance before: ' + UpdateValues.fromCash.balance);
UpdateValues.fromCash.balance -= UpdateValues.cashValue;
console.log('#### exchanger1 cash balance after: ' + UpdateValues.fromCash.balance);
//update values of exchanger2 cash account
console.log('#### exchanger2 cash balance before: ' + UpdateValues.toCash.balance);
UpdateValues.toCash.balance += UpdateValues.cashValue;
console.log('#### exchanger2 cash balance after: ' + UpdateValues.toCash.balance);
//update values of exchanger1 token wallet
console.log('#### exchanger1 token balance before: ' + UpdateValues.toSDT.balance);
UpdateValues.toSDT.balance += tokensChange;
console.log('#### exchanger1 token balance after: ' + UpdateValues.toSDT.balance);
//update values of exchanger2 token wallet
console.log('#### exchanger2 token balance before: ' + UpdateValues.fromSDT.balance);
UpdateValues.fromSDT.balance -= tokensChange;
console.log('#### exchanger2 token balance after: ' + UpdateValues.fromSDT.balance);
console.log(UpdateValues.cashValue + ' EUR exchanged to ' + tokensChange + ' SDT Tokens with actual rate of ' + UpdateValues.cashRate);
return getAssetRegistry('org.acme.biznet.SDTWallet')
.then(function (assetRegistry) {
return assetRegistry.updateAll([UpdateValues.toSDT,UpdateValues.fromSDT]);
})
.then(function () {
return getAssetRegistry('org.acme.biznet.Account')
.then(function (assetRegistry) {
return assetRegistry.updateAll([UpdateValues.toCash,UpdateValues.fromCash]);
});
});
}
和Permissions.acl:
and permissions.acl:
//****************PROVIDER_PARTICIPANTS**********************
//Provider has access only to their own profile
rule ProviderAccessOwnProfile {
description: "Allow providers to access only their profile"
participant(p): "org.acme.biznet.Provider"
operation: READ, UPDATE
resource(r): "org.acme.biznet.Provider"
condition: (r.getIdentifier() === p.getIdentifier())
action: ALLOW
}
//Provider has read only access to other Providers
rule ProviderReadAccessProviders {
description: "Allow provider read access to other providers"
participant: "org.acme.biznet.Provider"
operation: READ
resource: "org.acme.biznet.Provider"
action: ALLOW
}
//****************PROVIDER_ASSETS**********************
rule ProvidersReadAccesstoAccount {
description: "Traders see their own BankAccount only"
participant: "org.acme.biznet.Provider"
operation: READ
resource: "org.acme.biznet.Account"
action: ALLOW
}
rule ProvidersReadAccesstoSDTWallet {
description: "Providers see their own SDT Wallet only"
participant: "org.acme.biznet.Provider"
operation: READ
resource: "org.acme.biznet.SDTWallet"
action: ALLOW
}
//Provider can submit CashToToken transaction
rule ProvidercanUpdateAccountthroughTransactionOnly {
description: "Allow trader to submit trade transactions"
participant(p): "org.acme.biznet.Provider"
operation: READ, UPDATE
resource(r): "org.acme.biznet.Account"
transaction(tx): "org.acme.biznet.TradeCashToTokens"
condition: (p.getIdentifier() === r.owner.getIdentifier() &&
r.getIdentifier() === tx.toCash.getIdentifier())
action: ALLOW
}
//Provider can submit CashToToken transaction
rule ProvidercanUpdateSDTWalletthroughTransactionOnly {
description: "Allow trader to submit trade transactions"
participant(p): "org.acme.biznet.Provider"
operation: READ, UPDATE
resource(r): "org.acme.biznet.SDTWallet"
transaction(tx): "org.acme.biznet.TradeCashToTokens"
condition: (p.getIdentifier() === r.owner.getIdentifier() &&
r.getIdentifier() === tx.fromSDT.getIdentifier())
action: ALLOW
}
//****************PROVIDER_TRANSACTIONS**********************
//Provider can submit CashToTokens transaction
rule ProviderSubmitCashToTokenTransactions {
description: "Allow provider to submit cash to tokens transactions"
participant: "org.acme.biznet.Provider"
operation: CREATE, READ
resource: "org.acme.biznet.TradeCashToTokens"
action: ALLOW
}
//Provider can submit TokenToCash transaction
rule ProviderSubmitTokensToCashTransactions {
description: "Allow provider to submit tokens to cash transactions"
participant: "org.acme.biznet.Provider"
operation: CREATE, READ
resource: "org.acme.biznet.TradeTokensToCash"
action: ALLOW
}
//****************PROVIDER_HISTORY**********************
//Provider can see the history of own transactions only
rule ProviderSeeOwnHistoryOnly {
description: "Proviers should be able to see the history of their own
transactions only"
participant(p): "org.acme.biznet.Provider"
operation: READ
resource(r): "org.hyperledger.composer.system.HistorianRecord"
condition: (r.participantInvoking.getIdentifier() != p.getIdentifier())
action: DENY
}
//*********************NETWORK***************************
rule SystemACL {
description: "System ACL to permit all access"
participant: "org.hyperledger.composer.system.Participant"
operation: ALL
resource: "org.hyperledger.composer.system.**"
action: ALLOW
}
rule NetworkAdminUser {
description: "Grant business network administrators full access to user
resources"
participant: "org.hyperledger.composer.system.NetworkAdmin"
operation: ALL
resource: "**"
action: ALLOW
}
rule NetworkAdminSystem {
description: "Grant business network administrators full access to system
resources"
participant: "org.hyperledger.composer.system.NetworkAdmin"
operation: ALL
resource: "org.hyperledger.composer.system.**"
action: ALLOW
}
当我想尝试以提供者身份进行交易时,例如TradeCachToTokens,它表示 t:参与者'org.acme.biznet.Provider#P1'没有对资源'org.acme.biznet.SDTWallet#SDT1'的'UPDATE'访问权限
And when i want to try make transactions as Provider, e.g. TradeCachToTokens, it says t: Participant 'org.acme.biznet.Provider#P1' does not have 'UPDATE' access to resource 'org.acme.biznet.SDTWallet#SDT1'
请查看屏幕截图: cash_to_tokens
如果提供方(P2)进行交易,但不仅是自己进行交易,提供商(P1)应该获得对电子钱包和帐户的更新访问权限太。
Provider(P1) should get UPDATE-access for Wallet and Account, if he make transaction, but not only his own, for his opposite (P2) too.
这里出什么问题了?
推荐答案
更新后的答案:答案是(5月10日):
UPDATED ANSWER: the answer is (May 10):
-
您正在更新注册表
org.acme.biznet.SDTWallet和org.acme.bixnet.Account-我看到您有规则允许交易TradeCashToTokens或TradeTokensToCash。我认为问题在于条件应该是||而不是&& -一次评估一个资源,在条件匹配中资源所有者可以为TRUE。当参与者调用trxn时,应始终将条件A设为TRUE(除非他当然不是资源所有者);对于目标资源(toCash或toSDT),请将其与资源所有者进行比较(在您的交易功能代码-名称如上)。请注意,这些规则基于允许调用方更新2个目标资源(基于参与者而不是帐户-ps,我认为您的 SDT规则失败的原因是因为规则显示 fromSDT(仅评估为一个目标资源)。
You are updating the registries
org.acme.biznet.SDTWalletandorg.acme.bixnet.Account- and I see you have rules to allow updates to occur from the transactionTradeCashToTokensor indeedTradeTokensToCash. I think the problem is the condition should be || and not && - one resource at a time is evaluated, and the resource owner can be TRUE in the conditional match. As the trxn is invoked by the participant, should always evaluate TRUE (unless he's not the resource owner of course), part A of the condition ; for the target resource (toCashortoSDT), you compare it with the owner of the resource (being updated in your transaction function code - names as above). Note the rules are based allowing the invoking participant update the 2 target resources (based on participant, not Account - ps I think the reason your 'SDT' rule failed is because the rule says 'fromSDT' (evaluates to one target resource only).
建议一组规则,例如:
rule UpdateAccountsviaTradeCashToTokens {
description: "Allow source/target providers defined in trxn (ie 2)- to access/update their Accounts from, trxn TradeCashToTokens only"
participant(p): "org.acme.biznet.Provider"
operation: READ, UPDATE
resource(r): "org.acme.biznet.Account"
transaction(tx): "org.acme.biznet.TradeCashToTokens"
condition: ( p.getIdentifier() === r.owner.getIdentifier() || tx.toCash.owner.getIdentifier() === r.owner.getIdentifier() )
action: ALLOW
}
rule UpdateSDTWalletsviaTradeCashToTokens {
description: "Allow source/target providers defined in trxn (ie 2)- to access/update their SDT Wallets from, trxn TradeCashToTokens only"
participant(p): "org.acme.biznet.Provider"
operation: READ, UPDATE
resource(r): "org.acme.biznet.SDTWallet"
transaction(tx): "org.acme.biznet.TradeCashToTokens"
condition: ( p.getIdentifier() === r.owner.getIdentifier() || tx.toSDT.owner.getIdentifier() === r.owner.getIdentifier() )
action: ALLOW
}
同样-对于其他交易 TradeTokenstoCash ,您可以拥有
rule UpdateAccountsviaTradeTokensToCash {
description: "Allow source/target providers defined in trxn (ie 2)- to access/update their Accounts from, trxn TradeTokensToCash only"
participant(p): "org.acme.biznet.Provider"
operation: READ, UPDATE
resource(r): "org.acme.biznet.Account"
transaction(tx): "org.acme.biznet.TradeTokensToCash"
condition: ( p.getIdentifier() === r.owner.getIdentifier() || tx.toCash.owner.getIdentifier() === r.owner.getIdentifier() )
action: ALLOW
}
rule UpdateSDTWalletsviaTradeTokenstoCash {
description: "Allow source/target providers defined in trxn (ie 2)- to access/update their SDT Wallets from, trxn TradeTokenstoCash only"
participant(p): "org.acme.biznet.Provider"
operation: READ, UPDATE
resource(r): "org.acme.biznet.SDTWallet"
transaction(tx): "org.acme.biznet.TradeTokenstoCash"
condition: ( p.getIdentifier() === r.owner.getIdentifier() || tx.toSDT.owner.getIdentifier() === r.owner.getIdentifier() )
action: ALLOW
}
您仍然需要您的 PROVIDER_TRANSACTIONS 规则。
您正确地说您将需要 PROVIDER_ASSETS 规则-在基于事务更新的规则(即上述)之前。
You are correct to say you will need the PROVIDER_ASSETS rules - before the transaction update based rules (ie mentioned above).
我创建了一个ACL教程-与您所做的类似,我将在适当的时候将其合并到Composer文档中(也为他人着想)。
I have created an ACL tutorial - that I will incorporate into the Composer docs in due course (for benefit of others too) - similar to what you've done.
https://github.com/mahoney1/test/blob/master/acl_dynamic.md
希望这会有所帮助,已尝试对您的完整规则集进行更改,并且该规则集有效;如果您希望我发布完整的规则集,请告诉我。
Hope this helps, have tried your complete ruleset with changes and it works; if you wish me to post the complete set of rules, let me know.
这篇关于Hyperledger Composer中交易网络的限制性ACL的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
![cash_to_tokens](\"https://i.stack.imgur.com/rz47Z.png\"){kind=link}