Fine-Grained Access Control Library Functions
The library package provides the following functions for resources, groups and ACLs as well as global functions.
Global Functions
Function | Description |
---|---|
Initialization(identity *x509.Certificate, stub shim.ChaincodeStubInterface) (error) | When the chaincode is deployed, the After the bootstrap process is done, the following entities are created: |
NewGroupManager(identity *x509.Certificate, stub shim.ChaincodeStubInterface) (*GroupManager, error) | Gets the group manager that is used for all group-related operations. identity: the default identity for related operations. If it is nil, the function uses the caller's identity. |
NewACLManager(identity *x509.Certificate, stub shim.ChaincodeStubInterface) (*ACLManager, error) | Gets the ACL manager that is used for all ACL-related operations. identity: the default identity for related operations. If it is nil, the function uses the caller's identity. |
NewResourceManager(identity *x509.Certificate, stub shim.ChaincodeStubInterface) (*ResourceManager, error) | Gets the resource manager that is used for all resource-related operations. identity: the default identity for related operations. If it is nil, the function uses the caller's identity. |
Access Control List (ACL) Functions
ACL structure:

```go
type ACL struct {
	Name        string
	Description string
	Accesses    []string // CREATE, READ, UPDATE, and DELETE, or whatever the end-user defined
	Patterns    []string // identities
	Allowed     bool     // true means allows access
	BindACLs    []string // the list of ACLs that controls who can call the APIs of this struct
}
```
- Accesses: The Accesses string is a list of comma-separated arbitrary access names and is completely up to the application except for four: CREATE, READ, UPDATE, and DELETE. These access values are used in maintaining the fine-grained access control. Applications can use their own access strings such as "register", "invoke", or "query", or even such things as access to field names such as "owner", "quantity", and so on.
- Allowed: Allowed determines whether identities that match a pattern are allowed access (true) or prohibited access (false). You can have an access control list that indicates Bob has access to "CREATE", and another one that indicates group Oracle (of which Bob is a member) is prohibited from "CREATE". Whether Bob has access or not depends upon the order of the access control lists that are associated with the entity in question.
- BindACLs: The BindACLs parameter forms the initial access control list.
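To make the order dependence concrete, here is an added Go model (not the library's own code) of how an ordered bind ACL list can decide Bob's access to "CREATE"; it plays the role that the CheckAccess function in the resource table below plays in the library. It assumes first-match semantics, exact identity matching and a `GRP.<group>` pattern notation for group references, none of which this page specifies.

```go
package main
import (
	"fmt"
	"strings"
)

// ACL keeps the decision-relevant fields of the struct on this page. A pattern
// is an identity name or a "GRP.<group>" reference (assumed notation).
type ACL struct {
	Name     string
	Accesses []string
	Patterns []string
	Allowed  bool
}

var groups = map[string][]string{"Oracle": {"Bob", "Alice"}} // constructed sample: group -> members
func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// matches resolves a pattern against an identity, expanding group references.
func matches(pattern, identity string) bool {
	if strings.HasPrefix(pattern, "GRP.") {
		return contains(groups[strings.TrimPrefix(pattern, "GRP.")], identity)
	}
	return pattern == identity
}

// CheckAccess walks the bind ACL list in order; the first ACL that lists the access
// and matches the identity decides (first-match is this example's assumption). No match denies.
func CheckAccess(bind []ACL, identity, access string) bool {
	for _, acl := range bind {
		for _, p := range acl.Patterns {
			if contains(acl.Accesses, access) && matches(p, identity) {
				return acl.Allowed
			}
		}
	}
	return false
}
func main() {
	allow := ACL{Name: "allowBob", Accesses: []string{"CREATE"}, Patterns: []string{"Bob"}, Allowed: true}
	deny := ACL{Name: "denyOracle", Accesses: []string{"CREATE"}, Patterns: []string{"GRP.Oracle"}, Allowed: false}
	fmt.Println(CheckAccess([]ACL{allow, deny}, "Bob", "CREATE"), CheckAccess([]ACL{deny, allow}, "Bob", "CREATE")) // true false
}
```

Swapping the two ACLs flips Bob's result, which is why AddBeforeACL and AddAfterACL, not just a set of bindings, matter for the effective policy.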
ACL functions:
Function | Description |
---|---|
Create(acl ACL, identity *x509.Certificate) (error) | Creates an ACL. Duplicate named ACLs are not allowed. To create an ACL, the identity must have CREATE access to the bootstrap resource named ".ACLs". If identity is nil, the default identity specified in |
Get(aclName string, identity *x509.Certificate) (ACL, error) | Gets a named ACL. The identity must have READ access to the named ACL. If identity is nil, the default identity specified in |
Delete(aclName string, identity *x509.Certificate) (error) | Deletes a specified ACL. The identity must have DELETE access to the named ACL. If identity is nil, the default identity specified in |
Update(acl ACL, identity *x509.Certificate) (error) | Updates an ACL. The identity must have UPDATE access to the named resource, and the named ACL must exist. If identity is nil, the default identity specified in |
AddPattern(aclName string, pattern string, identity *x509.Certificate) (error) | Adds a new identity pattern to the named ACL. The identity must have UPDATE access to the named ACL. If identity is nil, the default identity specified in |
RemovePattern(aclName string, pattern string, identity *x509.Certificate) (error) | Removes the identity pattern from the ACL. The identity must have UPDATE access to the named ACL. If identity is nil, the default identity specified in |
AddAccess(aclName string, access string, identity *x509.Certificate) (error) | Adds a new access to the named ACL. The identity must have UPDATE access to the named ACL. If identity is nil, the default identity specified in |
RemoveAccess(aclName string, access string, identity *x509.Certificate) (error) | Removes the access from the ACL. The identity must have UPDATE access to the named ACL. If identity is nil, the default identity specified in |
UpdateDescription(aclName string, newDescription string, identity *x509.Certificate) (error) | Updates the description. The identity must have UPDATE access to the named ACL. If identity is nil, the default identity specified in |
AddBeforeACL(aclName string, beforeName string, newBindACL string, identity *x509.Certificate) (error) | Adds a bind ACL before the existing named ACL. If the named ACL is empty or not found, the ACL is added to the beginning of the bind ACL list. The identity must have UPDATE access to the named ACL. If the identity is nil, the default identity specified in |
AddAfterACL(aclName string, afterName string, newBindACL string, identity *x509.Certificate) (error) | Adds a bind ACL after the existing named ACL. If the named ACL is empty or not found, the ACL is added to the end of the bind ACL list. The identity must have UPDATE access to the named ACL. If the identity is nil, the default identity specified in |
RemoveBindACL(aclName string, removeName string, identity *x509.Certificate) (error) | Removes the named ACL from the bind ACL list of the named ACL. The identity must have UPDATE access to the named ACL. If the identity is nil, the default identity specified in |
GetAll(identity *x509.Certificate) ([]ACL, error) | Gets all the ACLs. The identity must have READ access to the named ACL. If the identity is nil, the default identity specified in |
Group Functions
Group structure:

```go
type Group struct {
	Name        string
	Description string
	Members     []string // identity patterns, except GRP.
	BindACLs    []string // the list of ACLs that controls who can access this group
}
```

Definition of GroupManager functions:
Function | Description |
---|---|
Create(group Group, identity *x509.Certificate) (error) | Creates a group. The identity must have CREATE access to bootstrap group |
Get(groupName string, identity *x509.Certificate) (Group, error) | Gets a specified group. The identity must have READ access to this group. If identity is nil, the default identity specified in |
Delete(groupName string, identity *x509.Certificate) (error) | Deletes a specified group. The identity must have DELETE access to this group. If identity is nil, the default identity specified in |
AddMembers(groupName string, member []string, identity *x509.Certificate) (error) | Adds one or more members to the group. The identity must have UPDATE access to this group. If identity is nil, the default identity specified in |
RemoveMembers(groupName string, member []string, identity *x509.Certificate) (error) | Removes one or more members from a group. The identity must have UPDATE access to this group. If identity is nil, the default identity specified in |
UpdateDescription(groupName string, newDes string, identity *x509.Certificate) (error) | Updates the description. The identity must have UPDATE access to this group. If identity is nil, the default identity specified in |
AddBeforeACL(groupName string, beforeName string, aclName string, identity *x509.Certificate) (error) | Adds a bind ACL to the group before the existing named ACL. If the named ACL is empty or not found, the ACL is added to the beginning of the list of bind ACLs for the group. The identity must have UPDATE access to the named group. If identity is nil, the default identity specified in |
AddAfterACL(groupName string, afterName string, aclName string, identity *x509.Certificate) (error) | Adds a bind ACL to the group after the existing named ACL. If the named ACL is empty or not found, the ACL is added to the end of the list of bind ACLs for the group. The identity must have UPDATE access to the named group. If the identity is nil, the default identity specified in |
RemoveBindACL(groupName string, aclName string, identity *x509.Certificate) (error) | Removes the named ACL from the bind ACL list of the named group. The identity must have UPDATE access to the named group. If the identity is nil, the default identity specified in |
GetAll(identity *x509.Certificate) ([]Group, error) | Gets all groups. The identity must have READ access to these groups. If identity is nil, the default identity specified in |
Resource Functions
Resource structure:

```go
type Resource struct {
	Name        string
	Description string
	BindACLs    []string // the name list of ACLs that controls who can access this resource
}
```
Resource Functions:
Function | Description |
---|---|
Create(resource Resource, identity *x509.Certificate) (error) | Creates a resource. Duplicate named resources are not allowed. The identity must have CREATE access to the |
Get(resName string, identity *x509.Certificate) (Resource, error) | Gets a specified resource. The identity must have READ access to the resource. If identity is nil, the default identity specified in |
Delete(resName string, identity *x509.Certificate) (error) | Deletes a named resource. The identity must have DELETE access to the named resource. If identity is nil, the default identity specified in |
UpdateDescription(resourceName string, newDes string, identity *x509.Certificate) (error) | Updates the description. The identity must have UPDATE access to this resource. If identity is nil, the default identity specified in |
AddBeforeACL(resourceName string, beforeName string, aclName string, identity *x509.Certificate) (error) | Adds a bind ACL to the resource before the existing named ACL. If the named ACL is empty or not found, the ACL is added to the beginning of the list of bind ACLs for the resource. The identity must have UPDATE access to the named resource. If identity is nil, the default identity specified in |
AddAfterACL(resourceName string, afterName string, aclName string, identity *x509.Certificate) (error) | Adds a bind ACL to the resource after the existing named ACL. If the named ACL is empty or not found, the ACL is added to the end of the list of bind ACLs for the resource. The identity must have UPDATE access to the named resource. If the identity is nil, the default identity specified in |
RemoveBindACL(resourceName string, aclName string, identity *x509.Certificate) (error) | Removes the named ACL from the bind ACL list of the named resource. The identity must have UPDATE access to the named resource. If the identity is nil, the default identity specified in |
CheckAccess(resName string, access string, identity *x509.Certificate) (bool, error) | Checks whether the current user has the specified access to the named resource. If the identity is nil, the default identity specified in |
GetAll(identity *x509.Certificate) ([]Resource, error) | Gets all resources. The identity must have READ access to these resources. If identity is nil, the default identity specified in |