github.com/kaituanwang/hyperledger@v2.0.1+incompatible/docs/source/access_control.md (about) 1 # Access Control Lists (ACL) 2 3 ## What is an Access Control List? 4 5 *Note: This topic deals with access control and policies on a channel 6 administration level. To learn about access control within a chaincode, check out 7 our [chaincode for developers tutorial](./chaincode4ade.html#Chaincode_API).* 8 9 Fabric uses access control lists (ACLs) to manage access to resources by associating 10 a **policy** --- which specifies a rule that evaluates to true or false, given a set 11 of identities --- with the resource. Fabric contains a number of default ACLs. In this 12 document, we'll talk about how they're formatted and how the defaults can be overridden. 13 14 But before we can do that, it's necessary to understand a little about resources 15 and policies. 16 17 ### Resources 18 19 Users interact with Fabric by targeting a [user chaincode](./chaincode4ade.html), 20 [system chaincode](./chaincode4noah.html), or an [events stream source](./peer_event_services.html). 21 As such, these endpoints are considered "resources" on which access control should be 22 exercised. 23 24 Application developers need to be aware of these resources and the default 25 policies associated with them. The complete list of these resources are found in 26 `configtx.yaml`. You can look at a [sample `configtx.yaml` file here](http://github.com/hyperledger/fabric/blob/{BRANCH}/sampleconfig/configtx.yaml). 27 28 The resources named in `configtx.yaml` is an exhaustive list of all internal resources 29 currently defined by Fabric. The loose convention adopted there is `<component>/<resource>`. 30 So `cscc/GetConfigBlock` is the resource for the `GetConfigBlock` call in the `CSCC` 31 component. 32 33 ### Policies 34 35 Policies are fundamental to the way Fabric works because they allow the identity 36 (or set of identities) associated with a request to be checked against the policy 37 associated with the resource needed to fulfill the request. Endorsement policies 38 are used to determine whether a transaction has been appropriately endorsed. The 39 policies defined in the channel configuration are referenced as modification policies 40 as well as for access control, and are defined in the channel configuration itself. 41 42 Policies can be structured in one of two ways: as `Signature` policies or as an 43 `ImplicitMeta` policy. 44 45 #### `Signature` policies 46 47 These policies identify specific users who must sign in order for a policy 48 to be satisfied. For example: 49 50 ``` 51 Policies: 52 MyPolicy: 53 Type: Signature 54 Rule: “Org1.Peer OR Org2.Peer” 55 56 ``` 57 58 This policy construct can be interpreted as: *the policy named `MyPolicy` can 59 only be satisfied by the signature of an identity with role of "a peer from 60 Org1" or "a peer from Org2"*. 61 62 Signature policies support arbitrary combinations of `AND`, `OR`, and `NOutOf`, 63 allowing the construction of extremely powerful rules like: "An admin of org A 64 and two other admins, or 11 of 20 org admins". 65 66 #### `ImplicitMeta` policies 67 68 `ImplicitMeta` policies aggregate the result of policies deeper in the 69 configuration hierarchy that are ultimately defined by `Signature` policies. They 70 support default rules like "A majority of the organization admins". These policies 71 use a different but still very simple syntax as compared to `Signature` policies: 72 `<ALL|ANY|MAJORITY> <sub_policy>`. 73 74 For example: `ANY` `Readers` or `MAJORITY` `Admins`. 75 76 *Note that in the default policy configuration `Admins` have an operational role. 77 Policies that specify that only Admins --- or some subset of Admins --- have access 78 to a resource will tend to be for sensitive or operational aspects of the network 79 (such as instantiating chaincode on a channel). `Writers` will tend to be able to 80 propose ledger updates, such as a transaction, but will not typically have 81 administrative permissions. `Readers` have a passive role. They can access 82 information but do not have the permission to propose ledger updates nor do can 83 they perform administrative tasks. These default policies can be added to, 84 edited, or supplemented, for example by the new `peer` and `client` roles (if you 85 have `NodeOU` support).* 86 87 Here's an example of an `ImplicitMeta` policy structure: 88 89 ``` 90 Policies: 91 AnotherPolicy: 92 Type: ImplicitMeta 93 Rule: "MAJORITY Admins" 94 ``` 95 96 Here, the policy `AnotherPolicy` can be satisfied by the `MAJORITY` of `Admins`, 97 where `Admins` is eventually being specified by lower level `Signature` policy. 98 99 ### Where is access control specified? 100 101 Access control defaults exist inside `configtx.yaml`, the file that `configtxgen` 102 uses to build channel configurations. 103 104 Access control can be updated in one of two ways, either by editing `configtx.yaml` 105 itself, which will be used when creating new channel configurations, or by updating 106 access control in the channel configuration of an existing channel. 107 108 ## How ACLs are formatted in `configtx.yaml` 109 110 ACLs are formatted as a key-value pair consisting of a resource function name 111 followed by a string. To see what this looks like, reference this [sample configtx.yaml file](https://github.com/hyperledger/fabric/blob/{BRANCH}/sampleconfig/configtx.yaml). 112 113 Two excerpts from this sample: 114 115 ``` 116 # ACL policy for invoking chaincodes on peer 117 peer/Propose: /Channel/Application/Writers 118 ``` 119 120 ``` 121 # ACL policy for sending block events 122 event/Block: /Channel/Application/Readers 123 ``` 124 125 These ACLs define that access to `peer/Propose` and `event/Block` resources 126 is restricted to identities satisfying the policy defined at the canonical path 127 `/Channel/Application/Writers` and `/Channel/Application/Readers`, respectively. 128 129 ### Updating ACL defaults in `configtx.yaml` 130 131 In cases where it will be necessary to override ACL defaults when bootstrapping 132 a network, or to change the ACLs before a channel has been bootstrapped, the 133 best practice will be to update `configtx.yaml`. 134 135 Let's say you want to modify the `peer/Propose` ACL default --- which specifies 136 the policy for invoking chaincodes on a peer -- from `/Channel/Application/Writers` 137 to a policy called `MyPolicy`. 138 139 This is done by adding a policy called `MyPolicy` (it could be called anything, 140 but for this example we'll call it `MyPolicy`). The policy is defined in the 141 `Application.Policies` section inside `configtx.yaml` and specifies a rule to be 142 checked to grant or deny access to a user. For this example, we'll be creating a 143 `Signature` policy identifying `SampleOrg.admin`. 144 145 ``` 146 Policies: &ApplicationDefaultPolicies 147 Readers: 148 Type: ImplicitMeta 149 Rule: "ANY Readers" 150 Writers: 151 Type: ImplicitMeta 152 Rule: "ANY Writers" 153 Admins: 154 Type: ImplicitMeta 155 Rule: "MAJORITY Admins" 156 MyPolicy: 157 Type: Signature 158 Rule: "OR('SampleOrg.admin')" 159 ``` 160 161 Then, edit the `Application: ACLs` section inside `configtx.yaml` to change 162 `peer/Propose` from this: 163 164 `peer/Propose: /Channel/Application/Writers` 165 166 To this: 167 168 `peer/Propose: /Channel/Application/MyPolicy` 169 170 Once these fields have been changed in `configtx.yaml`, the `configtxgen` tool 171 will use the policies and ACLs defined when creating a channel creation 172 transaction. When appropriately signed and submitted by one of the admins of the 173 consortium members, a new channel with the defined ACLs and policies is created. 174 175 Once `MyPolicy` has been bootstrapped into the channel configuration, it can also 176 be referenced to override other ACL defaults. For example: 177 178 ``` 179 SampleSingleMSPChannel: 180 Consortium: SampleConsortium 181 Application: 182 <<: *ApplicationDefaults 183 ACLs: 184 <<: *ACLsDefault 185 event/Block: /Channel/Application/MyPolicy 186 ``` 187 188 This would restrict the ability to subscribe to block events to `SampleOrg.admin`. 189 190 If channels have already been created that want to use this ACL, they'll have 191 to update their channel configurations one at a time using the following flow: 192 193 ### Updating ACL defaults in the channel config 194 195 If channels have already been created that want to use `MyPolicy` to restrict 196 access to `peer/Propose` --- or if they want to create ACLs they don't want 197 other channels to know about --- they'll have to update their channel 198 configurations one at a time through config update transactions. 199 200 *Note: Channel configuration transactions are an involved process we won't 201 delve into here. If you want to read more about them check out our document on 202 [channel configuration updates](./config_update.html) and our ["Adding an Org to a Channel" tutorial](./channel_update_tutorial.html).* 203 204 After pulling, translating, and stripping the configuration block of its metadata, 205 you would edit the configuration by adding `MyPolicy` under `Application: policies`, 206 where the `Admins`, `Writers`, and `Readers` policies already live. 207 208 ``` 209 "MyPolicy": { 210 "mod_policy": "Admins", 211 "policy": { 212 "type": 1, 213 "value": { 214 "identities": [ 215 { 216 "principal": { 217 "msp_identifier": "SampleOrg", 218 "role": "ADMIN" 219 }, 220 "principal_classification": "ROLE" 221 } 222 ], 223 "rule": { 224 "n_out_of": { 225 "n": 1, 226 "rules": [ 227 { 228 "signed_by": 0 229 } 230 ] 231 } 232 }, 233 "version": 0 234 } 235 }, 236 "version": "0" 237 }, 238 ``` 239 240 Note in particular the `msp_identifer` and `role` here. 241 242 Then, in the ACLs section of the config, change the `peer/Propose` ACL from 243 this: 244 245 ``` 246 "peer/Propose": { 247 "policy_ref": "/Channel/Application/Writers" 248 ``` 249 250 To this: 251 252 ``` 253 "peer/Propose": { 254 "policy_ref": "/Channel/Application/MyPolicy" 255 ``` 256 257 Note: If you do not have ACLs defined in your channel configuration, you will 258 have to add the entire ACL structure. 259 260 Once the configuration has been updated, it will need to be submitted by the 261 usual channel update process. 262 263 ### Satisfying an ACL that requires access to multiple resources 264 265 If a member makes a request that calls multiple system chaincodes, all of the ACLs 266 for those system chaincodes must be satisfied. 267 268 For example, `peer/Propose` refers to any proposal request on a channel. If the 269 particular proposal requires access to two system chaincodes that requires an 270 identity satisfying `Writers` and one system chaincode that requires an identity 271 satisfying `MyPolicy`, then the member submitting the proposal must have an identity 272 that evaluates to "true" for both `Writers` and `MyPolicy`. 273 274 In the default configuration, `Writers` is a signature policy whose `rule` is 275 `SampleOrg.member`. In other words, "any member of my organization". `MyPolicy`, 276 listed above, has a rule of `SampleOrg.admin`, or "any admin of my organization". 277 To satisfy these ACLs, the member would have to be both an administrator and a 278 member of `SampleOrg`. By default, all administrators are members (though not all 279 administrators are members), but it is possible to overwrite these policies to 280 whatever you want them to be. As a result, it's important to keep track of these 281 policies to ensure that the ACLs for peer proposals are not impossible to satisfy 282 (unless that is the intention). 283 284 <!--- Licensed under Creative Commons Attribution 4.0 International License 285 https://creativecommons.org/licenses/by/4.0/ -->