Allow participant full read access
I want to grant read access to all 'Person' participants who work at a company whose company type is "BORDER". The company type is an enum.
ACL:
rule NetworkAdminUser {
description: "Grant business network administrators full access to user resources"
participant: "org.hyperledger.composer.system.NetworkAdmin"
operation: ALL
resource: "**"
action: ALLOW
}
rule NetworkAdminSystem {
description: "Grant business network administrators full access to system resources"
participant: "org.hyperledger.composer.system.NetworkAdmin"
operation: ALL
resource: "org.hyperledger.composer.system.**"
action: ALLOW
}
rule SystemACL {
description: "System ACL to permit all access"
participant: "org.hyperledger.composer.system.Participant"
operation: ALL
resource: "org.hyperledger.composer.system.**"
action: ALLOW
}
rule transaction {
description: "Allow participants full access to transactions"
participant: "org.acme.shipping.participants.Person"
operation: ALL
resource: "org.acme.shipping.transactions.**"
action: ALLOW
}
rule containers {
description: "Allow participants access to containers owned by their company"
participant(p): "org.acme.shipping.participants.Person"
operation: ALL
resource(c): "org.acme.shipping.assets.**"
condition: (c.owner.getIdentifier() == p.company.getIdentifier())
action: ALLOW
}
rule border {
description: "Allow Border access to containers"
participant(p): "org.acme.shipping.participants.Person"
operation: READ
resource: "org.acme.shipping.assets.**"
condition: (p.company.type == "BORDER")
action: ALLOW
}
Participant model file:
namespace org.acme.shipping.participants
participant Company identified by cid {
o String cid
o String name
o CompanyType type
}
enum CompanyType {
o BORDER
o COURIER
o SHIPPER
}
participant Person identified by id {
o String id
o String name
--> Company company
}
However, this person still cannot see any assets.
Any suggestions on how to solve this?
The ACL rule you wrote to grant Border companies access to all containers is fine. The main problem is that every Person participant references their Company, but no rule is specified in the ACL for participants of type Person to access/read the details of their company. So by default the ACL denies a person read access to their company's details, and because you access the person's company in the rule condition as
p.company.type
that access is restricted. To achieve the same functionality, you must first provide READ access to the person's own company using
rule readCompany {
description: "Allow Read Access to Person's Own Company"
participant(p): "org.acme.shipping.participants.Person"
operation: READ
resource(comp): "org.acme.shipping.participants.Company"
condition: (p.company.getIdentifier() == comp.getIdentifier())
action: ALLOW
}
Then you will be able to grant access to all containers to persons belonging to a company of type Border, using the same rule as
rule border {
description: "Allow Border access to containers"
participant(p): "org.acme.shipping.participants.Person"
operation: READ
resource: "org.acme.shipping.assets.**"
condition: (p.company.type == "BORDER")
action: ALLOW
}
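The point the answer makes, as an added example that is not part of the original post and not Hyperledger Composer's own engine: a small JavaScript model of deny-by-default ACL evaluation in which resolving a relationship inside a rule condition (p.company.type) is itself a READ that the ACL must allow. Type names, rule names and conditions follow the post; the registry, the sample companies, persons and containers, and the evaluator itself are constructed simplifications (first matching rule wins, a denied lookup makes the rule not match).

```javascript
// Added example, not code from the original post or from Hyperledger Composer:
// a constructed model of ACL evaluation where dereferencing a relationship in a
// condition goes back through the ACL as a READ on the referenced participant.
const NS = 'org.acme.shipping';
const COMPANY = `${NS}.participants.Company`;
const PERSON = `${NS}.participants.Person`;
const CONTAINER = `${NS}.assets.Container`;

// Constructed sample data. Relationships are stored as {$ref: 'Type#id'}, in the
// spirit of Composer's "resource:Type#id" links, and resolved lazily through the ACL.
const registry = {};
function register(obj) { registry[`${obj.$type}#${obj.$id}`] = obj; return obj; }
register({ $type: COMPANY, $id: 'c1', name: 'Customs Agency', type: 'BORDER' });
register({ $type: COMPANY, $id: 'c2', name: 'FastShip', type: 'COURIER' });
register({ $type: COMPANY, $id: 'c3', name: 'BigCargo', type: 'SHIPPER' });
register({ $type: PERSON, $id: 'alice', company: { $ref: `${COMPANY}#c1` } });
register({ $type: PERSON, $id: 'bob', company: { $ref: `${COMPANY}#c2` } });
register({ $type: CONTAINER, $id: 'box1', owner: { $ref: `${COMPANY}#c3` } });
register({ $type: CONTAINER, $id: 'box2', owner: { $ref: `${COMPANY}#c2` } });

class AccessDenied extends Error {}

// "**" matches everything; "ns.**" matches any type under that namespace.
function matches(pattern, fqType) {
  if (pattern === '**') return true;
  if (pattern.endsWith('.**')) return fqType.startsWith(pattern.slice(0, -2));
  return pattern === fqType;
}

// Wrap an object so relationship fields become references: getIdentifier() is
// free (the id is part of the link), any other field resolves the target, and
// that resolution is a READ the ACL has to permit.
function withRefs(obj, resolve) {
  const out = { getIdentifier: () => obj.$id };
  for (const [k, v] of Object.entries(obj)) {
    out[k] = (v && v.$ref)
      ? new Proxy({}, { get: (_, prop) => prop === 'getIdentifier'
          ? () => v.$ref.split('#')[1]
          : withRefs(resolve(v.$ref), resolve)[prop] })
      : v;
  }
  return out;
}

// Deny by default: the first rule that matches participant, resource and
// operation decides; a condition that hits a denied lookup simply fails.
function allowed(rules, actor, op, resource, visiting = new Set()) {
  const key = `${op}:${resource.$type}#${resource.$id}`;
  if (visiting.has(key)) return false;               // break relationship cycles
  const resolve = (ref) => {
    const target = registry[ref];
    if (!target || !allowed(rules, actor, 'READ', target, new Set([...visiting, key]))) {
      throw new AccessDenied(ref);
    }
    return target;
  };
  const p = withRefs(actor, resolve);
  const r = withRefs(resource, resolve);
  for (const rule of rules) {
    if (!matches(rule.participant, actor.$type) || !matches(rule.resource, resource.$type)) continue;
    if (rule.operation !== 'ALL' && rule.operation !== op) continue;
    try {
      if (!rule.condition || rule.condition(p, r)) return rule.action === 'ALLOW';
    } catch (e) {
      if (!(e instanceof AccessDenied)) throw e;      // denied lookup: this rule does not match
    }
  }
  return false;
}

// The rules from the question (system/admin rules omitted: they never match a Person).
const baseRules = [
  { name: 'transaction', participant: PERSON, operation: 'ALL', resource: `${NS}.transactions.**`, action: 'ALLOW' },
  { name: 'containers', participant: PERSON, operation: 'ALL', resource: `${NS}.assets.**`,
    condition: (p, c) => c.owner.getIdentifier() === p.company.getIdentifier(), action: 'ALLOW' },
  { name: 'border', participant: PERSON, operation: 'READ', resource: `${NS}.assets.**`,
    condition: (p) => p.company.type === 'BORDER', action: 'ALLOW' },
];
// The rule the answer adds: READ on the person's own Company.
const readCompany = { name: 'readCompany', participant: PERSON, operation: 'READ', resource: COMPANY,
  condition: (p, comp) => p.company.getIdentifier() === comp.getIdentifier(), action: 'ALLOW' };
const fixedRules = [readCompany, ...baseRules];

function canRead(rules, personId, containerId) {
  return allowed(rules, registry[`${PERSON}#${personId}`], 'READ', registry[`${CONTAINER}#${containerId}`]);
}

console.log('alice (BORDER) reads box1 without readCompany:', canRead(baseRules, 'alice', 'box1'));   // false
console.log('alice (BORDER) reads box1 with readCompany:   ', canRead(fixedRules, 'alice', 'box1'));  // true
console.log('bob (COURIER) reads box1 with readCompany:    ', canRead(fixedRules, 'bob', 'box1'));    // false
```

The containers rule keeps working in both configurations because it only compares identifiers, which are part of the relationship itself; the border rule is the one that needs the extra READ grant, since it has to load the Company record to look at its type.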