Applying user level permissions in Hyperledger Fabric


#1

Hi Team,

I want to apply user-level permissions in Fabric (like the .acl file in Composer), but I don’t want to use Composer. I don’t understand how I should achieve this in core Fabric. Is there anything similar to ACLs in Fabric? I want to apply some permissions to the users (according to their roles, to the chaincode functions) that we create using the fabric-node SDK with fabric_client.createUser(......). If anyone has any resource or example which demonstrates this, then please share it.


(Saeedi) #2

ACLs are one area where it’s difficult to provide any concise information. There is no direct equivalent in Fabric, so the only option is to develop your own solution to meet your requirements. You can look at using the Client Identity package available in chaincode to retrieve attributes you set on certificates to make decisions on access. This is referred to as Attribute Based Access Control. You also need to make sure you put proper controls in place at the channel, data or infrastructure level, but you would have had to do that for ACLs in Composer anyway. For example, if a user has direct access to their identity and the Fabric network, they can query the ledger directly (i.e. not through a chaincode invocation) or listen for block events and be able to infer the data.

You can also take a look at Convector; it is kind of similar to Composer.

There are also resources available for migrating from Composer to Convector. Hope this helps!
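
Added example (not part of the original post, and not Fabric's or Convector's own code): one way to get a Composer-style per-function ACL with attribute-based access control inside chaincode. The `ACL` table, the `role` attribute name, the MSP IDs, the function names and the `fakeIdentity` stand-in are assumptions; the only identity methods relied on are `getMSPID()` and `getAttributeValue()`, which fabric-shim's `ClientIdentity` provides.

```javascript
// Hypothetical ACL table: chaincode function -> roles and MSPs allowed to call it.
// The function names, the "role" attribute and the MSP IDs are assumptions.
const ACL = {
  createAsset:   { roles: ['admin', 'issuer'], msps: ['Org1MSP'] },
  transferAsset: { roles: ['admin', 'trader'], msps: ['Org1MSP', 'Org2MSP'] },
  readAsset:     { roles: ['admin', 'issuer', 'trader', 'auditor'], msps: ['Org1MSP', 'Org2MSP'] },
};

// cid must expose getMSPID() and getAttributeValue(name), the two methods of
// fabric-shim's ClientIdentity used here. Anything not explicitly allowed is denied.
function authorize(cid, fcn) {
  // Own-property check so names like "constructor" never match via the prototype.
  if (!Object.prototype.hasOwnProperty.call(ACL, fcn)) {
    return { allowed: false, reason: `no ACL entry for ${fcn}` };
  }
  const rule = ACL[fcn];
  const msp = cid.getMSPID();
  if (!rule.msps.includes(msp)) {
    return { allowed: false, reason: `MSP ${msp} may not call ${fcn}` };
  }
  // The attribute is absent unless the CA wrote it into the enrollment certificate.
  const role = cid.getAttributeValue('role');
  if (!role || !rule.roles.includes(role)) {
    return { allowed: false, reason: `role ${role || '(none)'} may not call ${fcn}` };
  }
  return { allowed: true, reason: 'ok' };
}

// Dispatcher: every call passes through authorize() before its handler runs.
function invoke(cid, fcn, args, handlers) {
  const decision = authorize(cid, fcn);
  if (!decision.allowed) throw new Error(`access denied: ${decision.reason}`);
  return handlers[fcn](...args);
}

// Constructed stand-in for ClientIdentity so the example runs without a peer.
function fakeIdentity(mspId, attrs) {
  return {
    getMSPID: () => mspId,
    getAttributeValue: (name) =>
      Object.prototype.hasOwnProperty.call(attrs, name) ? attrs[name] : null,
  };
}

const handlers = { readAsset: (id) => `asset ${id}` };
console.log(invoke(fakeIdentity('Org2MSP', { role: 'auditor' }), 'readAsset', ['a1'], handlers));
console.log(authorize(fakeIdentity('Org2MSP', { role: 'issuer' }), 'createAsset'));
```

In deployed chaincode the `cid` argument would be `new ClientIdentity(stub)` from `fabric-shim` rather than the stand-in. The check only governs chaincode invocations; the channel-level and infrastructure-level controls mentioned in the post above are still needed.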


#3

Is it not possible to do this in Hyperledger Fabric without using any other tools? As per my knowledge, permissions are a feature of Fabric, so I should be able to do it using core Fabric only?

And what is the use of this? https://github.com/hyperledger/fabric/blob/release-1.2/sampleconfig/configtx.yaml Does this help to achieve the same?


(Saeedi) #4

Yes, it is possible to do this in Hyperledger Fabric natively. Take a look here; it might help.
https://hyperledger-fabric.readthedocs.io/en/release-1.4/access_control.html


(Walter Montes) #5

Here’s another example, in this case with Convector, to do ABAC and authorization with native Fabric info: https://github.com/worldsibu/convector-identity-patterns