If my understanding is correct,
You have considered one use-case, where you want to authenticate based on if the creator is from a certain org (To be more precise, a creator/user registered by a certain client/org). It is one of the application use cases. Similarly, there can be more such application use cases. We cannot move all such use cases to hyperledger's core.
Also, there is actually a way to implement your use case. Check out Attribute Based Access Control in hyprledger fabric.
For identifying if creator is from certain org:
- In an ideal case, each org will have different CA, so at chaincode, read the Certificate to find out Org Name.
For identifying if creator from a specific client in same org:
- You can add a special attribute in the certificate, indicating the name/identifier of the client, when registering a user.
- Then, at chaincode, you can read the certificate to find out client id.
In both cases, you have to write authentication logic at chaincode.
On Wed, 1 Apr 2020, 12:34 pm qs meng, <qsmeng@...
yes, a peer would authenticate the proposal creator, who is a member of fabric network. But in chaincode container, there is no way to authenticate an identity who belongs to one client application. If a chaincode could get CA certificate, it is feasible for chaincode to authenticate identities who belongs to client application.
I do not know if I explain it clearly.
At 2020-04-01 14:45:32, "Yacov Manevich" <YACOVM@...> wrote:
The proposal is authenticated by the peer
before it gets into the chaincode.
04/01/2020 03:26 AM
Fabric] introduce msp into chaincode for authentication
I suggest to add msp support
into chaincode to authenticate identitis in client applications.
The getCreator api only get the creator and take it as authenticated already.
A way to do: for an endorsing peer,
it has a function to get CA from configure block and autheniticate the
transaction creator. Just copy the function to chaicode part. Is it feasible?