B Using the Fine-Grained Access Control Library Included in the Marbles Sample
Starting in v1.2, Hyperledger Fabric provided fine-grained access control to many of the management functions. Oracle Blockchain Platform provides a marbles sample package on the Developer Tools tab of the console, implementing a library of functions that chaincode developers can use to create access control lists for chaincode functions. It currently only supports the Go language.
Background
The goal of this sample access control library is to:
- Control which users can call particular chaincode functions.
- Keep the list of users and their entitlements dynamic (updatable after deployment) and shared across chaincodes.
- Let a chaincode check the access control list with a simple call.
- Populate the resources and access control lists with your initial members at chaincode deployment time.
- Require an access control list that authorizes users before they can perform access control list operations themselves.
Download the Sample
Fine-GrainedAccessControlLibrary.zip
:The fine-grained access control library. It contains Go functions that chaincode developers can use to create access control lists for chaincode functions.
fgACL_MarbleSampleCC.zip
:The marbles sample with access control lists implemented. It includes a variety of functions that show how to work with fine-grained access control lists, groups and resources to restrict functions to certain users/identities.
fgACL-NodeJSCode.zip
:Node.js scripts that use the Node.js SDK to run the sample. registerEnrollUser.js registers new users with the Blockchain Platform; invokeQueryCC.js runs transactions against a Blockchain Platform instance.
Terminology and Acronyms
Term | Description |
---|---|
Identity | An X.509 certificate representing the identity of either the caller or the specific identity the chaincode wants to check. |
Identity Pattern | A string that matches one or more identities. The following patterns are suggested: The format for a pattern is essentially just a value with a prefix that selects which part of the identity it is compared against. For example, to define a pattern that matches any identity whose certificate organization is "example.com", the pattern would be "%O%example.com". |
Resource | The name of anything the chaincode wants to control access to. To this library it is just a named arbitrary string contained in a flat namespace. The semantics of the name are completely up to the chaincode. |
Group | A named group of identity patterns. |
ACL | Access Control List: a named entity that holds a list of identity patterns and a list of access types. Access types are arbitrary strings such as "READ", "CREATE", "INVOKE" or "FORWARD"; the library itself uses CREATE, READ, UPDATE and DELETE (the standard CRUD operations) to protect its own ACL, group and resource operations. Apart from those four, as applied to the library's own items, access types carry no implied semantics, so an application may define accesses such as "A", "B" and "CUSTOM". |
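To make the pattern and ACL concepts above concrete, here is an added Go example; it is not part of the sample library or of Oracle's code, but a miniature reimplementation of the matching and checking logic. Only the "%O%" prefix comes from the table; the prefix registry, the ACL and resource-binding structures, the function names (MatchPattern, CheckAccess, NewIdentity), the resource and ACL names, and the self-signed certificates are assumptions of this example, not the library's API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// patternMatcher reports whether cert satisfies the value part of one identity pattern.
type patternMatcher func(cert *x509.Certificate, value string) bool

// matchers maps a pattern prefix to the certificate field it is compared against.
// Only the "%O%" (subject organization) prefix comes from the page; the registry
// itself is an assumption of this example.
var matchers = map[string]patternMatcher{
	"%O%": func(cert *x509.Certificate, value string) bool {
		for _, org := range cert.Subject.Organization {
			if org == value {
				return true
			}
		}
		return false
	},
}

// MatchPattern reports whether cert matches pattern, which has the form "%PREFIX%value".
// Malformed patterns and unknown prefixes fail closed: they never match.
func MatchPattern(cert *x509.Certificate, pattern string) bool {
	if len(pattern) < 3 || pattern[0] != '%' {
		return false
	}
	end := strings.Index(pattern[1:], "%")
	if end < 0 {
		return false
	}
	prefix, value := pattern[:end+2], pattern[end+2:]
	match, ok := matchers[prefix]
	if !ok {
		return false
	}
	return match(cert, value)
}

// ACL follows the page's definition: a named list of identity patterns plus a list of
// access-type strings. Access types are compared by exact string equality only.
type ACL struct {
	Name     string
	Patterns []string
	Accesses []string
}

func (a ACL) grants(access string) bool {
	for _, got := range a.Accesses {
		if got == access {
			return true
		}
	}
	return false
}

// CheckAccess reports whether any ACL bound to resource grants access to caller.
// Binding resources to ACLs through a plain map is an assumption of this example.
func CheckAccess(bindings map[string][]ACL, resource string, caller *x509.Certificate, access string) bool {
	for _, acl := range bindings[resource] {
		if !acl.grants(access) {
			continue
		}
		for _, p := range acl.Patterns {
			if MatchPattern(caller, p) {
				return true
			}
		}
	}
	return false
}

// NewIdentity builds a self-signed certificate with the given organization and common
// name: a constructed stand-in for an enrolled Fabric identity so the example runs offline.
func NewIdentity(org, cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{org}, CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	alice, _ := NewIdentity("example.com", "alice")
	bob, _ := NewIdentity("other.org", "bob")
	// Hypothetical resource and ACL names, modelled on the marbles sample.
	bindings := map[string][]ACL{
		"marbles": {{Name: "marble-readers", Patterns: []string{"%O%example.com"}, Accesses: []string{"READ"}}},
	}
	fmt.Println("alice READ marbles:", CheckAccess(bindings, "marbles", alice, "READ"))
	fmt.Println("alice UPDATE marbles:", CheckAccess(bindings, "marbles", alice, "UPDATE"))
	fmt.Println("bob READ marbles:", CheckAccess(bindings, "marbles", bob, "READ"))
}
```

In real chaincode the caller's certificate comes from the stub, for example via cid.GetX509Certificate from the fabric-chaincode-go client identity package, and the ACLs, groups and resources live in ledger state so they can be updated after deployment and shared across chaincodes, as the goals above require. Two checks worth keeping from this example whatever the storage: an unrecognized prefix or a pattern without a prefix must deny rather than fall through to a literal string compare, and a resource with no ACL bound to it denies everything.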