Hyperledger Composer - ACL Rule with function in condition

I have been trying to write more complex logic in the condition of an ACL rule than p.getIdentifier() == r.getIdentifier(), because in my case that comparison alone is not possible.

These are my models:

participant Customer identified by customerID {
  o String  customerID
  o String  name
  ...
}

asset A identified by aID {
  o String       aID
  --> Customer   customer
}

asset B identified by bID {
  o String  bID
  --> A     a
}

Now I want to grant a Customer permission to view all B assets, but only when the relationship to A references an asset that itself has a relationship to the Customer participant who is "logged in".

To summarise the logic: from asset B to A, then from A to Customer.

So in this case I cannot directly compare the identifiers of Customer and B, but have to traverse A. Therefore I want to evaluate the access with a function called from the script.js file:

rule CustomerAccessCustomer {
  description: "The customer should see all B assets, but only when he have a relationship in asset A "
  participant(p): "org.xxx.test.participant.Customer"
  operation: READ
  resource(r): "org.xxx.test.asset.B"
  condition: (evaluateAccess(p,r))
  action: ALLOW
}

Here is the function in script.js:

async function evaluateAccess(p,r) {
  try {
    // Resolve the B asset the rule is being evaluated for
    const bRegistry = await getAssetRegistry('org.xxx.test.asset.B');
    const b = await bRegistry.get(r.getIdentifier());

    // Follow the B -> A relationship to load the referenced A asset
    const aRegistry = await getAssetRegistry('org.xxx.test.asset.A');
    const a = await aRegistry.get(b.a.getIdentifier());

    // Allow only when A -> Customer points at the current participant
    if (p.getIdentifier() === a.customer.getIdentifier()) {
        return true;
    }
  } catch (error) {
    console.log(error);
  }
  // Deny in every other case (no match, or a lookup failed)
  return false;
}

But I get an error: Error: The runtime API is not available

Am I thinking about this wrong, is it not possible to evaluate access with a function? If you cannot simply compare identifiers, how do you handle access rules?

Customer should be a participant, not an asset:

participant Customer identified by customerID {
  o String  customerID
  o String  name
}

You should be able to do:

rule CustomerAccessCustomer {
  description: "The customer should see all B assets, but only when he have a relationship in asset A "
  participant(p): "org.xxx.test.participant.Customer"
  operation: READ
  resource(r): "org.xxx.test.asset.B"
  condition: (p.getIdentifier() === r.a.customer.getIdentifier())
  action: ALLOW
}

p also needs READ access to be able to 'read' the asset resource 'A' first (to check identifiers, etc.) :-)
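Putting the answer together as one complete permissions.acl is an added example, not code from the question or the answer. It keeps the org.xxx.test namespaces from the question and assumes Composer's usual rule semantics: rules are evaluated top to bottom, the first matching rule applies, and anything no ALLOW rule matches is denied.

```acl
// Added example permissions.acl (not from the original post).
// Assumes the org.xxx.test model from the question. Rules are evaluated
// in order and the first match wins; unmatched access is denied.

// Every participant needs the system namespace so the runtime can
// resolve its identity and accept its transactions.
rule SystemACL {
  description: "Allow all participants access to the system namespace"
  participant: "org.hyperledger.composer.system.Participant"
  operation: ALL
  resource: "org.hyperledger.composer.system.**"
  action: ALLOW
}

// Step 1: a Customer may READ an A asset only when that asset's
// customer relationship points at the Customer itself. Without this
// rule the B condition below cannot resolve r.a.customer.
rule CustomerReadOwnA {
  description: "Customer can read A assets that reference them"
  participant(p): "org.xxx.test.participant.Customer"
  operation: READ
  resource(r): "org.xxx.test.asset.A"
  condition: (p.getIdentifier() === r.customer.getIdentifier())
  action: ALLOW
}

// Step 2: a Customer may READ a B asset only when B -> A -> customer
// resolves to the Customer. No transaction function is involved, so
// the runtime API is not needed here.
rule CustomerReadOwnB {
  description: "Customer can read B assets whose A references them"
  participant(p): "org.xxx.test.participant.Customer"
  operation: READ
  resource(r): "org.xxx.test.asset.B"
  condition: (p.getIdentifier() === r.a.customer.getIdentifier())
  action: ALLOW
}

// Network administrators keep full control, as in the generated template.
rule NetworkAdminUser {
  description: "Grant business network administrators full access to user resources"
  participant: "org.hyperledger.composer.system.NetworkAdmin"
  operation: ALL
  resource: "**"
  action: ALLOW
}

rule NetworkAdminSystem {
  description: "Grant business network administrators full access to system resources"
  participant: "org.hyperledger.composer.system.NetworkAdmin"
  operation: ALL
  resource: "org.hyperledger.composer.system.**"
  action: ALLOW
}
```

Ordering is part of the security posture: a broad rule placed above CustomerReadOwnA and CustomerReadOwnB would shadow them, and removing the A rule silently turns every B read into a denial because the condition can no longer follow the relationship. Testing the ACL means checking both the positive case (a Customer reads a B whose A references them) and the negative case (a different Customer is denied), not only that the file deploys.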