Debut Infotech

Reputation: 472

Implementing ACL in Hyperledger Fabric v1.2

I am trying to implement ACL in Hyperledger Fabric. I have tried my custom policy with peer/proposal and it's working fine.

My question is: what resource should I use if I want to prevent peer chaincode install, peer chaincode instantiate, peer channel create and all the other commands?

The default ACL is given below:

        # ACL policy for lscc's "getid" function
        lscc/ChaincodeExists: /Channel/Application/Readers


        # ACL policy for lscc's "getdepspec" function
        lscc/GetDeploymentSpec: /Channel/Application/Readers

        # ACL policy for lscc's "getccdata" function
        lscc/GetChaincodeData: /Channel/Application/Readers

        # ACL Policy for lscc's "getchaincodes" function
        lscc/GetInstantiatedChaincodes: /Channel/Application/Readers


        #---Query System Chaincode (qscc) function to policy mapping for access control---#

        # ACL policy for qscc's "GetChainInfo" function
        qscc/GetChainInfo: /Channel/Application/Readers

        # ACL policy for qscc's "GetBlockByNumber" function
        qscc/GetBlockByNumber: /Channel/Application/Readers

        # ACL policy for qscc's  "GetBlockByHash" function
        qscc/GetBlockByHash: /Channel/Application/Readers

        # ACL policy for qscc's "GetTransactionByID" function
        qscc/GetTransactionByID: /Channel/Application/Readers

        # ACL policy for qscc's "GetBlockByTxID" function
        qscc/GetBlockByTxID: /Channel/Application/Readers

        #---Configuration System Chaincode (cscc) function to policy mapping for access control---#

        # ACL policy for cscc's "GetConfigBlock" function
        cscc/GetConfigBlock: /Channel/Application/Readers

        # ACL policy for cscc's "GetConfigTree" function
        cscc/GetConfigTree: /Channel/Application/Readers

        # ACL policy for cscc's "SimulateConfigTreeUpdate" function
        cscc/SimulateConfigTreeUpdate: /Channel/Application/Readers

        #---Miscellanesous peer function to policy mapping for access control---#

        # ACL policy for invoking chaincodes on peer
        peer/Propose: /Channel/CustomPolicy

        # ACL policy for chaincode to chaincode invocation
        peer/ChaincodeToChaincode: /Channel/Application/Readers

        #---Events resource to policy mapping for access control###---#

        # ACL policy for sending block events
        event/Block: /Channel/Application/Readers

        # ACL policy for sending filtered block events
        event/FilteredBlock: /Channel/Application/Readers

Is there any way to achieve this kind of functionality?

Any help/suggestion would be appreciated.

Thanks

Upvotes: 2

Views: 779

Answers (2)

Aditya Joshi

Reputation: 1053

Currently, ACLs relate to the chaincode packages for Lifecycle System Chaincode or LSCC (which is a system chaincode handling deployment, upgrade, and termination transactions for user chaincodes), Configuration System Chaincode or CSCC (a management system chaincode handling configuration requests to alter an aspect of a channel), client events, and peers (chaincode package, not CLI tool). Below is a chart displaying the resources in relation to each network component.

We can reference each resource by using the component's category, and then its resource with / (slash) separating the two, for example event/FilteredBlock.

We can use this to specify the requirements we must satisfy before a client can receive block information.

[Image: ACL]

Upvotes: 1

Akshay Sood

Reputation: 6776

Commands like peer chaincode install, peer chaincode instantiate, peer channel create are administrative tasks and only the organization's admin can use them. Members/participants other than the admin are not allowed to use them. The ACL is not written to handle such commands because these commands are restricted to the admin only.

Hence, the answer is NO. You cannot control these commands using ACL.

Upvotes: 2
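
An added example (not part of the original posts, and not Fabric's own code): a small Python audit that compares an ACL section against the resource list quoted in the question, reporting resources mapped to a non-default policy and keys that do not appear in that list. The function names, the sample input and the misspelled key are constructed for illustration.

```python
import re

# Resource names exactly as they appear in the ACL listing quoted in the question.
BASELINE = {
    "lscc/ChaincodeExists", "lscc/GetDeploymentSpec", "lscc/GetChaincodeData",
    "lscc/GetInstantiatedChaincodes", "qscc/GetChainInfo", "qscc/GetBlockByNumber",
    "qscc/GetBlockByHash", "qscc/GetTransactionByID", "qscc/GetBlockByTxID",
    "cscc/GetConfigBlock", "cscc/GetConfigTree", "cscc/SimulateConfigTreeUpdate",
    "peer/Propose", "peer/ChaincodeToChaincode", "event/Block", "event/FilteredBlock",
}
# Policy path that every unmodified entry in that listing points to.
DEFAULT_POLICY = "/Channel/Application/Readers"

# One mapping per line: "<component>/<Resource>: /<policy path>"
ENTRY = re.compile(r"^\s*([A-Za-z]+/[A-Za-z]+)\s*:\s*(/\S+)\s*$")

def parse_acls(text):
    """Return {resource: policy_path} for every mapping line, ignoring comments."""
    acls = {}
    for line in text.splitlines():
        match = ENTRY.match(line.split("#", 1)[0])
        if match:
            acls[match.group(1)] = match.group(2)
    return acls

def audit(text):
    """Classify the mappings in an ACL section against the baseline listing."""
    acls = parse_acls(text)
    return {
        "overridden": {r: p for r, p in acls.items()
                       if r in BASELINE and p != DEFAULT_POLICY},
        "not_in_baseline": sorted(r for r in acls if r not in BASELINE),
        "absent": sorted(BASELINE - acls.keys()),
    }

# Constructed sample: one override from the question, one default entry,
# and one deliberately misspelled key (wrong letter case) to show the check.
SAMPLE = """
        # ACL policy for invoking chaincodes on peer
        peer/Propose: /Channel/CustomPolicy
        event/Block: /Channel/Application/Readers
        qscc/GetChaininfo: /Channel/Application/Readers
"""

if __name__ == "__main__":
    for category, value in audit(SAMPLE).items():
        print(category, "->", value)
```

Running the audit on each proposed channel configuration change makes policy overrides such as peer/Propose visible in review, and surfaces keys that differ from the listed names by a single character.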
