I have developed a Hyperledger Composer application with an Angular front end.
Whenever a user logs in, he/she pings the network to obtain his/her ID:
return this.httpClient.get('/api/system/ping', {withCredentials: true}).toPromise()
    .then(data => {
        //more code
    });
The problem is that this currently only works when the request is sent by the network admin.
The reason is the following rule in the file permissions.acl:
rule NetworkAdminSystem {
description: "Grant network administrators full access to system resources"
participant: "org.hyperledger.composer.system.NetworkAdmin"
operation: ALL
resource: "org.hyperledger.composer.system.Network"
action: ALLOW
}
Other participants (so far) have no permissions on system resources at all.
To let "normal" participants ping the network, I would like to write a rule that allows them to ping the network but nothing more.
That is, when it comes to system resources, the only thing a participant is allowed to do is ping the network.
The problem is that I don't know what the "resource" line of the rule should look like:
rule AllParticipantsCanPingNetwork {
description: "Allow all participants to ping the network (in order to get their participant id)."
participant: "org.hyperledger.composer.system.Participant"
operation: READ
resource: "org.hyperledger.composer.system.???"
action: ALLOW
}
What I'm looking for is something like
resource: "org.hyperledger.composer.system.ping"
...unfortunately, "org.hyperledger.composer.system.ping" does not work.
How can I restrict a participant's permissions to pinging the network? Is there any documentation on what the namespace "org.hyperledger.composer.system" contains?
Update:
For the time being I am using the following rule:
// Business Access Control Rules:
//some rules
//none of the rules gives participants unrestricted READ access
//to the business network, Access rights are always bound to specific conditions
// System Access Control Rules:
rule AllParticipantsHaveFullAccessToSystemResources {
description: "Grant business network administrators full access to system resources"
participant: "org.hyperledger.composer.system.Participant"
operation: ALL
resource: "org.hyperledger.composer.system.**"
action: ALLOW
}
I actually want to restrict the access rights further... to that end I tried the following rules:
// Business Access Control Rules:
rule AllParticipantsCanAccessTheNetwork {
description: "Allow all participants to access the network"
participant: "org.hyperledger.composer.system.Participant"
operation: READ
resource: "org.hyperledger.composer.system.Network"
action: ALLOW
}
rule AllParticipantsCanUseTransactionsAffectingARegistry {
description: "Allow all participants to use transactions affecting a registry"
participant: "org.hyperledger.composer.system.Participant"
operation: ALL
resource: "org.hyperledger.composer.system.RegistryTransaction"
action: ALLOW
}
rule NetworkAdministratorsCanUpdateAndDeleteTheNetwork {
description: "Grant network administrators the right to update and delete the network"
participant: "org.hyperledger.composer.system.NetworkAdmin"
operation: UPDATE, DELETE
resource: "org.hyperledger.composer.system.Network"
action: ALLOW
}
rule NetworkAdministratorsCanIssueIdentity {
description: "Grant network administrators the right to issue an identity"
participant: "org.hyperledger.composer.system.NetworkAdmin"
operation: ALL
resource: "org.hyperledger.composer.system.IssueIdentity"
action: ALLOW
}
However, this is not enough to submit transactions etc.
I believe this should work:
In your "normal ACL" (for the business network itself - change the namespace accordingly - see the example below):
rule readBusiness {
description: "ACL to connect to the business network"
participant: "org.hyperledger.composer.system.Participant"
operation: READ
resource: "org.acme.mynetwork.*"
action: ALLOW
}
Before the system ACLs:
rule ReadNetwork {
description: "Allow all participants to read network"
participant: "org.hyperledger.composer.system.Participant"
operation: READ
resource: "org.hyperledger.composer.system.Network"
action: ALLOW
}
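To make the difference between the interim `org.hyperledger.composer.system.**` rule in the question and the narrowed READ-on-Network rule in the answer concrete, here is an added example (not code from the question, the answer or Hyperledger Composer itself): a small JavaScript simulator of Composer-style ACL evaluation. It assumes first-match-wins evaluation from top to bottom with a default of deny, a constructed type hierarchy in which the hypothetical `org.acme.mynetwork.Trader` type and `NetworkAdmin` both extend the system `Participant` type, and the `*` / `**` wildcard meanings (types directly in a namespace vs. all types recursively).

```javascript
// Added example, not code from the original page or from Hyperledger Composer:
// a tiny simulator for Composer-style ACL rules. Assumes rules are tried top
// to bottom, the first rule whose participant, operation and resource all
// match decides, and a request that matches no rule is denied.

// Constructed type hierarchy: every business participant type extends the
// abstract system Participant type; NetworkAdmin is a system participant.
// 'org.acme.mynetwork.Trader' is a hypothetical participant type.
const PARENT = {
  'org.hyperledger.composer.system.NetworkAdmin': 'org.hyperledger.composer.system.Participant',
  'org.acme.mynetwork.Trader': 'org.hyperledger.composer.system.Participant',
};

// True if `type` equals `pattern` or has it as an ancestor in PARENT.
function isInstanceOf(type, pattern) {
  for (let t = type; t; t = PARENT[t]) if (t === pattern) return true;
  return false;
}

// Resource patterns: exact FQN, "ns.*" (types directly in ns) or
// "ns.**" (types in ns and in every sub-namespace).
function resourceMatches(pattern, fqn) {
  if (pattern.endsWith('.**')) return fqn.startsWith(pattern.slice(0, -2));
  if (pattern.endsWith('.*')) {
    const ns = pattern.slice(0, -1);
    return fqn.startsWith(ns) && !fqn.slice(ns.length).includes('.');
  }
  return pattern === fqn;
}

function operationMatches(ruleOps, op) {
  return ruleOps.includes('ALL') || ruleOps.includes(op);
}

// Returns 'ALLOW' or 'DENY' for one request against an ordered rule list.
function evaluate(rules, { participant, operation, resource }) {
  for (const r of rules) {
    if (isInstanceOf(participant, r.participant) &&
        operationMatches(r.operation, operation) &&
        resourceMatches(r.resource, resource)) {
      return r.action;
    }
  }
  return 'DENY'; // no matching rule: deny by default
}

// The interim rule from the question: ALL operations on every system resource.
const broadRules = [
  { participant: 'org.hyperledger.composer.system.Participant', operation: ['ALL'],
    resource: 'org.hyperledger.composer.system.**', action: 'ALLOW' },
];

// The narrowed rules from the answer, plus the admin rule from the question.
const narrowRules = [
  { participant: 'org.hyperledger.composer.system.Participant', operation: ['READ'],
    resource: 'org.acme.mynetwork.*', action: 'ALLOW' },
  { participant: 'org.hyperledger.composer.system.Participant', operation: ['READ'],
    resource: 'org.hyperledger.composer.system.Network', action: 'ALLOW' },
  { participant: 'org.hyperledger.composer.system.NetworkAdmin', operation: ['ALL'],
    resource: 'org.hyperledger.composer.system.Network', action: 'ALLOW' },
];

// Constructed requests: the ping a normal participant needs, a privileged
// system operation it should not get, and an admin-only network update.
const ping = { participant: 'org.acme.mynetwork.Trader', operation: 'READ',
               resource: 'org.hyperledger.composer.system.Network' };
const issueIdentity = { participant: 'org.acme.mynetwork.Trader', operation: 'CREATE',
                        resource: 'org.hyperledger.composer.system.IssueIdentity' };
const adminUpdate = { participant: 'org.hyperledger.composer.system.NetworkAdmin', operation: 'UPDATE',
                      resource: 'org.hyperledger.composer.system.Network' };

// Evaluates both rule sets side by side so the over-grant of "**" is visible.
function compare() {
  return {
    broad: { ping: evaluate(broadRules, ping),
             issueIdentity: evaluate(broadRules, issueIdentity) },
    narrow: { ping: evaluate(narrowRules, ping),
              issueIdentity: evaluate(narrowRules, issueIdentity),
              adminUpdate: evaluate(narrowRules, adminUpdate) },
  };
}

console.log(JSON.stringify(compare(), null, 2));
```

Running it shows that both rule sets allow the ping, but only the broad `**` rule also lets an ordinary participant issue identities; the narrowed set keeps that (and network updates) for NetworkAdmin, which is the least-privilege outcome the question was after.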