Re: introduce msp into chaincode for authentication


qs meng <qsmeng@...>
 

Hi Prasanth,
   Thank you very much for your reply.  Indeed a transaction creator is already authenticated and attributes can be used to do acess control.
    Considier another use case. Using chaincode to issue digital assets for physical assets needs the asset issuer's identity being authenticated.  However, the issuer is not the transaction creator.  If the function to read msp CA can be moved intto chaincode part as an api it is very good.
   Is it possible and if it is, how should I do? Thank you.
  Best regards,
qs meng





At 2020-04-02 18:27:14, "Prasanth Sundaravelu" <prasanths96@...> wrote:

Hi Meng, 

If my understanding is correct,

You have considered one use-case, where you want to authenticate based on if the creator is from a certain org (To be more precise, a creator/user registered by a certain client/org). It is one of the application use cases. Similarly, there can be more such application use cases. We cannot move all such use cases to hyperledger's core.

Also, there is actually a way to implement your use case. Check out Attribute Based Access Control in hyprledger fabric. 

General idea:
For identifying if creator is from certain org:
- In an ideal case, each org will have different CA, so at chaincode, read the Certificate to find out Org Name.

For identifying if creator from a specific client in same org:
 - You can add a special attribute in the certificate, indicating the name/identifier of the client, when registering a user. 
- Then, at chaincode, you can read the certificate to find out client id.

In both cases, you have to write authentication logic at chaincode.

- Prasanth


On Wed, 1 Apr 2020, 12:34 pm qs meng, <qsmeng@...> wrote:
Hi Yacov,
    yes, a peer would authenticate the proposal creator, who is a member of  fabric network. But in chaincode container, there is no way to  authenticate an identity who belongs to one client application.  If a chaincode could get CA certificate, it is feasible for chaincode to authenticate identities who belongs to client application. 
   I do not know if I explain it clearly.
   Thank you.
  Regards,
qs meng





At 2020-04-01 14:45:32, "Yacov Manevich" <YACOVM@...> wrote:

The proposal is authenticated by the peer before it gets into the chaincode.



From:        "qs meng" <qsmeng@...>
To:        "fabric@..." <fabric@...>
Date:        04/01/2020 03:26 AM
Subject:        [EXTERNAL] [Hyperledger Fabric] introduce msp into chaincode for authentication
Sent by:        fabric@...




Hi,
   I suggest to add msp support into chaincode to authenticate identitis  in  client applications. The getCreator api only get the creator and take it as authenticated already.
  A way to do: for an endorsing peer, it has a function to get CA from configure block and autheniticate the transaction creator. Just copy the function to chaicode part. Is it feasible?
  Thank you.
 Regards,
qs meng

 






 



 

Join fabric@lists.hyperledger.org to automatically receive all group messages.