Reputation: 189
ELI5 please. Why are the ACL policies in the example https://github.com/hyperledger/fabric/blob/release-1.2/sampleconfig/configtx.yaml specified in different places (in the "organizations", "orderer", "channel" and "application" sections)? What do these levels mean? What is the difference?
In which cases should I use which one? And why are only policies defined in some blocks, but policy + ACL in others (the "application" section)?
PS: what is the difference between channel, org and orderer policies? For example, what happens when I specify "MAJORITY admins" on the channel section, "ANY members" on the channel and "ANY admins" on the org section? What will change in this case for me as an application developer?
Upvotes: 0
Views: 394
Reputation: 134
ACL (Access Control List) policies are defined per logical structure (namely channels, orderers, etc.) so that you have more control over each of these logical structures, and you can define which identities on your network can do what kind of operations (for simplicity, consider them to be writing, reading or admin-related operations) for each of these units separately.
So as an application developer too, you need to be specific about the policies you define. The keywords (ImplicitMeta policy definers) ANY, ALL and MAJORITY define how many signatures you need to satisfy the policy. For example, if you want to add an organization to your channel in an already running network, you will need a few signatures from Admins (which is defined as admin identities from SampleOrg in your cited link). The number of these few signatures depends on the choice of this keyword at network bootstrap time: if you use ANY, even a single signature would do your job, whereas MAJORITY would require signatures from a majority of the specified existing identities and ALL would require signatures from all the desired existing identities. Failing to get the desired number of signatures would leave the policy unsatisfied, and hence this operation/transaction won't be successful.
As in the above case we were trying to make a change at channel level, we can also make changes at orderer level or so, and hence we have separate policies for the access control. You might get a clearer view on this via the official docs: here
Upvotes: 1
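The ANY / MAJORITY / ALL behaviour described in the answer above, as an added example (not part of the original posts and not Fabric's own code). It is a simplified model: `Signer`, `orgPolicy` and `Evaluate` are hypothetical names, the three orgs are constructed, and org-level policies are assumed to follow the sample config's pattern of `OR('<Org>.admin')` for Admins and `OR('<Org>.member')` for Readers and Writers.

```go
package main

import (
	"fmt"
	"strings"
)

// Signer is a simplified identity: the MSP (org) it belongs to and its role.
type Signer struct{ MSP, Role string }

// orgPolicy models the org-level Signature policies assumed above:
// Admins = OR('<Org>.admin'); Readers and Writers = OR('<Org>.member').
func orgPolicy(org, name string, sigs []Signer) bool {
	for _, s := range sigs {
		if s.MSP == org && (name != "Admins" || s.Role == "admin") {
			return true
		}
	}
	return false
}

// Evaluate models an ImplicitMeta rule such as "MAJORITY Admins": it counts
// the orgs whose own sub-policy of that name is met and compares the count
// with the threshold implied by the keyword.
func Evaluate(rule string, orgs []string, sigs []Signer) bool {
	f := strings.Fields(rule)
	if len(f) != 2 {
		return false
	}
	need := map[string]int{"ANY": 1, "MAJORITY": len(orgs)/2 + 1, "ALL": len(orgs)}
	threshold, ok := need[f[0]]
	if !ok {
		return false
	}
	met := 0
	for _, o := range orgs {
		if orgPolicy(o, f[1], sigs) {
			met++
		}
	}
	return met >= threshold
}

func main() {
	orgs := []string{"Org1", "Org2", "Org3"} // constructed sample channel
	sigs := []Signer{{"Org1", "admin"}, {"Org2", "member"}}
	for _, r := range []string{"ANY Admins", "MAJORITY Admins", "MAJORITY Writers", "ALL Writers"} {
		fmt.Printf("%-16s -> %v\n", r, Evaluate(r, orgs, sigs))
	}
}
```

With one admin signature from Org1 and one member signature from Org2, only the rules whose threshold is reached by the matching org-level sub-policies pass; a member signature never counts toward an Admins rule.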
Reputation: 191
The ACL policies are written to refer to the policies in the channel configuration. The channel/application path is the section of the configuration. The syntax is a bit obscure, but channel/application/readers refers to allowing the readers on the channel to access the resource governed by the policy, while channel/application/writers restricts the resource to writers on the channel.
You can learn more about the ACLs and their syntax here: https://hyperledger-fabric.readthedocs.io/en/latest/access_control.html
Upvotes: 1