Channel policy with affiliations #hyperledger-fabric


spectre-@...
 


Hi, we have a basic commercial network that apart from having admins, nodes and clients, we need to have users (individual citizens) that transact on the network. The problem is that we need to give users a role that is not client, because this is nota scalable solution and won't be a sustainable infrastructure for future additions. We need to implement this for various reasons, one of them being that users should only be able to invoke chaincode, and not have access to other resources like event registration.

Since Fabric does not allow for custom Node OUs, AFAIK we have 2 options:
 -- Create 2 Intermediate CAs to distinguish 2 departments, members, and users
 -- Use affiliations inside the CA and set Organizational Units inside  config.yaml and  

1st question: How would you approach this issue? Is there a 3rd way?
2nd question: How do we implement the 2nd option? There is limited documentation as to how this is achieved. I will present what I have tried but does not work.

On CA Config:
affiliations:
   org1:
      - USERS
      - MEMBERS
 
On config.yaml:
 
OrganizationalUnitIdentifiers:
  - Certificate: cacerts/cacert.pem
    OrganizationalUnitIdentifier: USERS
  - Certificate: cacerts/cacert.pem
    OrganizationalUnitIdentifier: MEMBERS  
 
NodeOUs:
    Enable: true
    ClientOUIdentifier:
        # Certificate: cacerts/cacert.pem
        OrganizationalUnitIdentifier: client
    PeerOUIdentifier:
        # Certificate: cacerts/cacert.pem
        OrganizationalUnitIdentifier: peer
    AdminOUIdentifier:
        # Certificate: cacerts/cacert.pem
        OrganizationalUnitIdentifier: admin
    OrdererOUIdentifier:
        # Certificate: cacerts/cacert.pem
        OrganizationalUnitIdentifier: orderer

On configtx.yaml:
- Org1 
     ... 
       Readers:
                Type: Signature
                # If your MSP is configured with the new NodeOUs, you might
                # want to use a more specific rule like the following:
                Rule: "OR('Org1.MEMBERS.admin', 'Org1.MEMBERS.peer', 'Org1.MEMBERS.client')"    
        Invokers:
                Type: Signature
                Rule: "OR('Org1.USERS.client', 'Org1.MEMBERS.client', 'Org1.MEMBERS.peer', 'Org1.MEMBERS.admin')"

...
Policies:
        Invokers:
            Type: ImplicitMeta
            Rule: "ANY Invokers"

ACLS:
        # ACL policy for invoking chaincodes on peer
        peer/Propose: /Channel/Application/Invokers
 
        # ACL policy for chaincode to chaincode invocation
        peer/ChaincodeToChaincode: /Channel/Application/Invokers
 
Even though I register users with affiliation USERS, they are validated under Org1MSP instead of Org1MSP.USERS and are classified as READERS

Join fabric@lists.hyperledger.org to automatically receive all group messages.