Hyperledger Composer - ACL issue
I need some help understanding how the access control logic works in Composer. I have gone through all the available demos I could find, but I still need some guidance.

I have the following participants:
abstract participant Business identified by email {
  o String email
  o String name
  o String legalEntity
}

participant Insurer extends Business {
}
and the following asset:

asset Policy identified by policyId {
  o String policyId
  o PolicyStatus status
  o DateTime signDate
  --> Insurer insurer
}
and the following transaction:

transaction SwitchPolicyInsurer {
  --> Policy policy
  --> Insurer insurer
}

async function switchPolicyInsurer(tx) {
  var NS = 'org.example.mynetwork';
  let policy = tx.policy;
  let newInsurer = tx.insurer;
  // Save the old Insurer
  let oldInsurer = tx.policy.insurer;
  // Update the policy with the new owner
  var factory = getFactory();
  policy.insurer = factory.newRelationship(NS, 'Insurer', newInsurer.getIdentifier());
  // Update the asset registry
  let policyRegistry = await getAssetRegistry(NS + '.Policy');
  await policyRegistry.update(policy);
}
I created a policy linked to Insurer_1. What I need is to receive an access error when I switch to the Insurer_2 identity and try to use the SwitchPolicyInsurer transaction. Basically, only the insurer on the policy should be able to switch the relationship to another insurer.

I tried the following in the ACL:
rule SwitchPolicyInsurer {
  description: "Can switch"
  participant(m): "org.example.mynetwork.Insurer"
  operation: READ, UPDATE
  resource(v): "org.example.mynetwork.Policy"
  condition: (v.insurer.getIdentifier() == m.getIdentifier())
  action: ALLOW
}
This does not work: any insurer identity can use the transaction. Another strange thing is that I can set any string as the insurer and save the relationship.

I am using the browser as the test platform.

I see that the Policy asset now has the field 'insurer' and that the Insurer participant model has been added.

Update: Your problem is that you have other rules defined, and the precedence/order of those rules affects what you are trying to restrict, etc. I suggest trying (only) the rules below, plus the normal system/network ACL rules you probably already have at the bottom (so that normal operations keep working). In general, an ACL is like a pyramid: the more fine-grained a rule is (affecting 'fewer' target resources), the closer it sits to the top, while the 'coarser' rules (which by their nature tend to end up at the bottom of the rule set) affect a broader set of target resources.
rule txn_rule {
  description: "Access the txn resource itself"
  participant: "org.example.mynetwork.Insurer"
  operation: ALL
  resource: "org.example.mynetwork.SwitchPolicyInsurer"
  action: ALLOW
}

rule marshal_rule_via_txn_only {
  description: "Marshal updates such that transacting insurer participant matches the linked/related policy"
  participant(m): "org.example.mynetwork.Insurer"
  operation: READ, UPDATE
  resource(v): "org.example.mynetwork.Policy"
  transaction(tx): "org.example.mynetwork.SwitchPolicyInsurer"
  condition: (v.insurer.getIdentifier() == m.getIdentifier())
  action: ALLOW
}

rule policyresource_rule_outside_txn {
  description: "Need base access to my (insurer) policy resource outside of the transaction itself - used ALL, but could equally have READ"
  participant(m): "org.example.mynetwork.Insurer"
  operation: ALL
  resource(v): "org.example.mynetwork.Policy"
  condition: (v.insurer.getIdentifier() == m.getIdentifier())
  action: ALLOW
}

rule playground_rule_so_I_can_see_identities_to_switch_and_test { // can be removed when done with testing FYI
  description: "self-explanatory"
  participant: "ANY"
  operation: ALL
  resource: "org.example.mynetwork.Insurer"
  action: ALLOW
}
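A defence-in-depth check that complements the rule ordering above, added here as an example; it is not code from the question, the answer or the Composer project. It rewrites the question's transaction processor with the two checks the poster wanted (the caller must be the policy's current insurer, and the target must be a registered Insurer, so an arbitrary string is rejected). The `rt` parameter and the in-memory registry stand-ins are assumptions that replace the Composer runtime globals (getCurrentParticipant, getParticipantRegistry, getAssetRegistry, getFactory) so the block runs offline.

```javascript
const NS = 'org.example.mynetwork';

// Guarded version of the question's transaction processor. Even if the ACL
// rules are misordered, the caller must be the policy's current insurer and
// the new insurer must exist in the participant registry. `rt` stands in for
// the Composer runtime globals (assumption, so the logic can run offline).
async function switchPolicyInsurerGuarded(tx, rt) {
  const policy = tx.policy;
  const callerId = rt.getCurrentParticipant().getIdentifier();
  if (callerId !== policy.insurer.getIdentifier()) {
    throw new Error(`Access denied: ${callerId} is not the insurer of policy ${policy.policyId}`);
  }
  const newId = tx.insurer.getIdentifier();
  const insurers = await rt.getParticipantRegistry(NS + '.Insurer');
  if (!(await insurers.exists(newId))) {
    throw new Error(`Unknown insurer ${newId}`); // rejects an arbitrary string
  }
  policy.insurer = rt.getFactory().newRelationship(NS, 'Insurer', newId);
  const policies = await rt.getAssetRegistry(NS + '.Policy');
  await policies.update(policy);
  return policy.insurer.getIdentifier();
}

// In-memory stand-ins for the Composer runtime, constructed for this example.
const ref = (id) => ({ getIdentifier: () => id });
const registry = (ids) => {
  const store = new Set(ids);
  return { exists: async (id) => store.has(id), update: async () => undefined };
};
const makeRuntime = (callerId, knownInsurers) => ({
  getCurrentParticipant: () => ref(callerId),
  getParticipantRegistry: async () => registry(knownInsurers),
  getAssetRegistry: async () => registry([]),
  getFactory: () => ({ newRelationship: (_ns, _type, id) => ref(id) }),
});

// Constructed sample data: policy P1 is held by Insurer_1; two insurers exist.
const KNOWN_INSURERS = ['Insurer_1', 'Insurer_2'];
const newTx = (to) => ({ policy: { policyId: 'P1', insurer: ref('Insurer_1') }, insurer: ref(to) });

// Runs the three cases from the question; each yields 'ok' or the error message.
async function scenarios() {
  const attempt = (caller, to) =>
    switchPolicyInsurerGuarded(newTx(to), makeRuntime(caller, KNOWN_INSURERS))
      .then(() => 'ok', (e) => e.message);
  return {
    ownerSwitches: await attempt('Insurer_1', 'Insurer_2'),
    otherInsurerSwitches: await attempt('Insurer_2', 'Insurer_1'),
    unknownTarget: await attempt('Insurer_1', 'not-a-real-insurer'),
  };
}
```

In a deployed network the function would call the Composer globals directly; the ACL remains the primary control and this check catches the case where a coarse rule higher in the file lets another insurer through.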