Skip to content

Distinguish Banker From Client for Access Control #1

Open
@VRamakrishnaSG

Description

In the organization structure of the initial version of the network, a single organization encompasses banker and client for the importing as well as the exporting side (thereby conflating the role of Importer and ImporterBank, and Exporter and ExporterBank, respectively.)

Currently, the access control mechanisms that have been built cannot distinguish these two roles, neither in chaincode nor in the application.

There are two ways to fix this. We probably should implement both:

  1. Have the organization MSP issue certificates with different attributes to banker and client. Then change chaincode logic to check for the right attributes before executing the transaction.
  2. Have the web service (in application) associate different user IDs with different roles, and control access to chaincode functions at that level. We could also consider adding a role parameter to the chaincode arguments list (we would have to augment the chaincode too.)

Anyone want to take a shot at this? I don't think this is very urgent, as we can discuss access control theoretically in the book and even leave the implementation as a reader exercise. In an case, the code can have a (parallel) life of its own, independent of the book. We'll just need to make clear what version of the code the book is referring to.

Metadata

Labels

enhancementNew feature or request

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions