I would like to ask how to hide the Historian // Transaction log in v0.19?
I have tried this from an example -->
    rule hideHistorianAccess {
        description: "Deny access to Historian"
        participant: "org.blockknowhow.com.Users"
        operation: READ
        resource: "org.hyperledger.composer.system.HistorianRecord"
        action: DENY
    }

    rule historianAccess {
        description: "Only allow members to read historian records referencing transactions they submitted."
        participant(p): "org.blockknowhow.com.Users"
        operation: READ
        resource(r): "org.hyperledger.composer.system.HistorianRecord"
        condition: (r.participantInvoking.getIdentifier() == p.getIdentifier())
        action: ALLOW
    }
But none of this seems to work. I would like to hide adding new participants mostly, but if that is not possible, I would like to hide the complete transaction log. I have personal details in the participant fields which I would not like to make publicly accessible.
As mentioned by david_k - the context of your rules (above) in relation to ALL rules in permissions.acl would be needed to understand why you saw what you did.
It appears from a Rocketchat conversation that the issue was related to the ORDER of the rules in the ruleset, i.e. a more 'general' rule is evaluated ahead of the 'specific' rule in the lexical rules evaluation, and found a match (so the subsequent 'specific' rule wasn't evaluated, hence why you saw those results initially).
An example of that is shown below:
'CORRECT ORDER'
vs 'INCORRECT ORDER':
I think the first rule is not needed. With your ALLOW rule for only particular participants under a strict condition, every other participant not matching the condition will get its actions denied. I see that you found the ALLOW rule in the docs and this also looks good; I wouldn't approach it differently. But to get it running, try deleting the first rule. If that's not working out, I would recommend creating an issue at composer on GitHub.
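The rule-ordering point from the first answer and the default-deny point from the second, as an added example (not code from the post or from Composer): a simplified first-match evaluator run over the question's two rules in different orders. The `generalAllow` rule, the sample participants and the id-based condition are assumptions made for illustration.

```javascript
// Simplified model of ACL evaluation as the answers describe it (not Composer's code):
// rules are checked top to bottom, the first match decides, no match means DENY.
const HISTORIAN = 'org.hyperledger.composer.system.HistorianRecord';
const USERS = 'org.blockknowhow.com.Users';

// Exact type name, or a recursive namespace wildcard such as "org.example.**".
function typeMatches(pattern, type) {
  if (pattern === type) return true;
  return pattern.endsWith('.**') && type.startsWith(pattern.slice(0, -2));
}

function evaluate(rules, participant, operation, resource) {
  for (const rule of rules) {
    if (rule.operation !== 'ALL' && rule.operation !== operation) continue;
    if (!typeMatches(rule.participant, participant.type)) continue;
    if (!typeMatches(rule.resource, resource.type)) continue;
    if (rule.condition && !rule.condition(participant, resource)) continue;
    return rule.action; // first matching rule wins; later rules are never reached
  }
  return 'DENY'; // nothing matched
}

// The two rules from the question, with the condition reduced to an id comparison.
const hideHistorianAccess = { participant: USERS, operation: 'READ', resource: HISTORIAN, action: 'DENY' };
const historianAccess = {
  participant: USERS, operation: 'READ', resource: HISTORIAN, action: 'ALLOW',
  condition: (p, r) => r.participantInvoking === p.id,
};
// Hypothetical broad rule, assumed here; the post does not show the rest of permissions.acl.
const generalAllow = {
  participant: USERS, operation: 'ALL', resource: 'org.hyperledger.composer.system.**', action: 'ALLOW',
};

// Constructed sample data: a record for a transaction submitted by alice.
const alice = { type: USERS, id: 'alice' };
const bob = { type: USERS, id: 'bob' };
const aliceRecord = { type: HISTORIAN, participantInvoking: 'alice' };

// Returns "aliceDecision/bobDecision" for a READ of alice's record.
function decisions(rules) {
  return [alice, bob].map((who) => evaluate(rules, who, 'READ', aliceRecord)).join('/');
}

console.log('general rule first     ', decisions([generalAllow, historianAccess]));
console.log('question order         ', decisions([hideHistorianAccess, historianAccess]));
console.log('conditional ALLOW only ', decisions([historianAccess]));
console.log('ALLOW, DENY, then broad', decisions([historianAccess, hideHistorianAccess, generalAllow]));
```

In this model a broad ALLOW placed first exposes every record, the unconditional DENY placed first hides even a participant's own records, and the conditional ALLOW followed by the DENY keeps its effect when a broad rule comes later.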