Hyperledger Fabric: implementing chaincode level access control


Problem description

I want to implement chaincode level access control on some methods. So, for example, I want the chaincode method called to be executable only if the user that performed the request has a certain identity that matches a field of the requested asset in the world state.

https://hyperledger-fabric.readthedocs.io/zh/release-1.4/chaincode4ade.html , the official documentation says:

"Chaincode can utilize the client (submitter) certificate for access control decisions by calling the GetCreator() function. Additionally the Go shim provides extension APIs that extract client identity from the submitter's certificate that can be used for access control decisions, whether that is based on client identity itself, or the org identity, or on a client identity attribute.

For example an asset that is represented as a key/value may include the client's identity as part of the value (for example as a JSON attribute indicating that asset owner), and only this client may be authorized to make updates to the key/value in the future. The client identity library extension APIs can be used within chaincode to retrieve this submitter information to make such access control decisions."

This reflects my case perfectly: my assets contain a field owner and I want the remove method to be performed on an asset only by a user that is the owner of this asset, i.e. if his identity - user name - matches the owner field.

My problem is that the solution provided in the official documentation describes the possibility to use the "client identity (cid) library" (https://github.com/hyperledger/fabric/tree/master/core/chaincode/shim/ext/cid) to extract user information from the certificate. But in my case, I have chaincodes in Java and Javascript and (I think) I can only use the GetCreator() method, which gives as output the user certificate as an array of bytes.

How can I extract the information that I need from the certificate? Is it possible? Is it possible to use the CID library from my Java and Javascript chaincodes?

Recommended answer

The CID library is only a syntactic-sugar wrapper which helps to operate with the identity within a chaincode; essentially, what is done, or the way to extract the information in GoLang, is:


    import (
        "crypto/x509"
        "encoding/pem"
        "fmt"

        "github.com/golang/protobuf/proto"
        "github.com/hyperledger/fabric/core/chaincode/shim"
        "github.com/hyperledger/fabric/protos/msp"
        pb "github.com/hyperledger/fabric/protos/peer"
    )

    // MyChaincode stands for your own chaincode type
    func (t *MyChaincode) Invoke(stub shim.ChaincodeStubInterface) pb.Response {
        // GetCreator returns the submitter's identity as a marshalled msp.SerializedIdentity
        serializedID, err := stub.GetCreator()
        if err != nil {
            return shim.Error(fmt.Sprintf("Could not get creator, err %s", err))
        }
        sId := &msp.SerializedIdentity{}
        if err := proto.Unmarshal(serializedID, sId); err != nil {
            return shim.Error(fmt.Sprintf("Could not deserialize a SerializedIdentity, err %s", err))
        }
        // IdBytes holds the PEM-encoded X.509 certificate issued by the submitter's CA
        bl, _ := pem.Decode(sId.IdBytes)
        if bl == nil {
            return shim.Error("Could not decode the PEM structure")
        }
        cert, err := x509.ParseCertificate(bl.Bytes)
        if err != nil {
            return shim.Error(fmt.Sprintf("ParseCertificate failed %s", err))
        }
        // cert.Subject.CommonName is the enrollment ID, sId.Mspid the submitter's organisation
        fmt.Println(cert.Subject.CommonName, sId.Mspid)
        return shim.Success(nil)
    }

which could be done in Java along the following lines:

        import java.io.ByteArrayInputStream;
        import java.io.IOException;
        import java.io.StringReader;
        import java.security.cert.CertificateException;
        import java.security.cert.CertificateFactory;
        import java.security.cert.X509Certificate;
        import org.bouncycastle.util.io.pem.PemReader;
        import org.hyperledger.fabric.protos.msp.Identities;

        try {
            // getCreator() returns the protobuf-encoded SerializedIdentity; IdBytes is the PEM certificate
            Identities.SerializedIdentity identity = Identities.SerializedIdentity.parseFrom(stub.getCreator());
            PemReader pr = new PemReader(new StringReader(identity.getIdBytes().toStringUtf8()));
            byte[] x509Data = pr.readPemObject().getContent();
            CertificateFactory factory = CertificateFactory.getInstance("X.509");
            X509Certificate certificate = (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(x509Data));
            // The enrollment ID is the subject CN; identity.getMspid() gives the organisation
            String subject = certificate.getSubjectX500Principal().getName();
        } catch (IOException | CertificateException e) {
            e.printStackTrace();
        }
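The owner check the question asks for, carried through end to end as an added example (not code from the answer above or from Fabric itself). It assumes the Fabric CA convention that the enrollment ID is the certificate's subject CN, adds an OwnerMSP field to the asset so a user named "alice" in another organisation cannot pass as the owner, and replaces the two pieces that need a running network: proto.Unmarshal is stood in for by a hand-rolled decoder of the two-field SerializedIdentity message, and stub.GetCreator() by makeCreator, which wraps a self-signed certificate (not one issued by a Fabric CA) in the same encoding.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/binary"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Asset is the question's world-state record; OwnerMSP is an added assumption (CNs are unique only per CA).
type Asset struct {
	ID       string
	Owner    string // enrollment ID (certificate subject CN)
	OwnerMSP string // MSP ID carried in the SerializedIdentity
}

// decodeSerializedIdentity hand-decodes msp.SerializedIdentity (1: mspid, 2: id_bytes) in place of proto.Unmarshal.
func decodeSerializedIdentity(b []byte) (mspID string, idBytes []byte, err error) {
	for len(b) > 0 {
		tag, n := binary.Uvarint(b)
		if n <= 0 || tag&7 != 2 { // both fields are length-delimited (wire type 2)
			return "", nil, errors.New("malformed SerializedIdentity tag")
		}
		b = b[n:]
		l, n := binary.Uvarint(b)
		if n <= 0 || uint64(len(b)-n) < l {
			return "", nil, errors.New("malformed SerializedIdentity length")
		}
		val := b[n : n+int(l)]
		b = b[n+int(l):]
		switch tag >> 3 {
		case 1:
			mspID = string(val)
		case 2:
			idBytes = val
		}
	}
	return mspID, idBytes, nil
}

// callerIdentity follows the answer's Go snippet and returns the MSP ID and the subject CN (the enrollment ID).
func callerIdentity(creator []byte) (mspID, enrollmentID string, err error) {
	mspID, idBytes, err := decodeSerializedIdentity(creator)
	if err != nil {
		return "", "", err
	}
	bl, _ := pem.Decode(idBytes)
	if bl == nil {
		return "", "", errors.New("could not decode the PEM structure")
	}
	cert, err := x509.ParseCertificate(bl.Bytes)
	if err != nil {
		return "", "", fmt.Errorf("ParseCertificate failed: %w", err)
	}
	return mspID, cert.Subject.CommonName, nil
}

// authorizeRemove is the check the question asks for: only the owner (same MSP, same CN) may remove.
func authorizeRemove(creator []byte, a Asset) error {
	mspID, id, err := callerIdentity(creator)
	if err != nil {
		return err
	}
	if mspID != a.OwnerMSP || id != a.Owner {
		return fmt.Errorf("%s@%s is not the owner of asset %s", id, mspID, a.ID)
	}
	return nil
}

// makeCreator fakes stub.GetCreator(): a self-signed cert (not Fabric CA-issued) in a hand-encoded SerializedIdentity.
func makeCreator(mspID, enrollmentID string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: enrollmentID, Organization: []string{mspID}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	out := binary.AppendUvarint([]byte{0x0a}, uint64(len(mspID))) // field 1, wire type 2
	out = append(out, mspID...)
	out = binary.AppendUvarint(append(out, 0x12), uint64(len(pemBytes))) // field 2, wire type 2
	return append(out, pemBytes...), nil
}
```

In a real chaincode, call stub.GetCreator() instead of makeCreator and proto.Unmarshal into msp.SerializedIdentity instead of decodeSerializedIdentity; the rest is unchanged. Comparing the MSP ID together with the CN matters because two organisations can each enrol a user called "alice"; the CID library's GetID goes one step further and binds the certificate's issuer as well as its subject.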
