Thank you very much for your reply. Indeed a transaction creator is already authenticated and attributes can be used to do acess control.
Considier another use case. Using chaincode to issue digital assets for physical assets needs the asset issuer's identity being authenticated. However, the issuer is not the transaction creator. If the function to read msp CA can be moved intto chaincode part as an api it is very good.
Is it possible and if it is, how should I do? Thank you.
If my understanding is correct,
You have considered one use-case, where you want to authenticate based on if the creator is from a certain org (To be more precise, a creator/user registered by a certain client/org). It is one of the application use cases. Similarly, there can be more such application use cases. We cannot move all such use cases to hyperledger's core.
Also, there is actually a way to implement your use case. Check out Attribute Based Access Control in hyprledger fabric.
For identifying if creator is from certain org:
- In an ideal case, each org will have different CA, so at chaincode, read the Certificate to find out Org Name.
For identifying if creator from a specific client in same org:
- You can add a special attribute in the certificate, indicating the name/identifier of the client, when registering a user.
- Then, at chaincode, you can read the certificate to find out client id.
In both cases, you have to write authentication logic at chaincode.
On Wed, 1 Apr 2020, 12:34 pm qs meng, <qsmeng@...
yes, a peer would authenticate the proposal creator, who is a member of fabric network. But in chaincode container, there is no way to authenticate an identity who belongs to one client application. If a chaincode could get CA certificate, it is feasible for chaincode to authenticate identities who belongs to client application.
I do not know if I explain it clearly.
At 2020-04-01 14:45:32, "Yacov Manevich" <YACOVM@...> wrote:
The proposal is authenticated by the peer
before it gets into the chaincode.
04/01/2020 03:26 AM
Fabric] introduce msp into chaincode for authentication
I suggest to add msp support
into chaincode to authenticate identitis in client applications.
The getCreator api only get the creator and take it as authenticated already.
A way to do: for an endorsing peer,
it has a function to get CA from configure block and autheniticate the
transaction creator. Just copy the function to chaicode part. Is it feasible?