Attribute-Based Access Control
Access control decisions can be made by chaincode (and by the Hyperledger Fabric runtime) based upon an identity's attributes. This is called Attribute-Based Access Control, or ABAC for short.
In order to make this possible, an identity's enrollment certificate (ECert) may contain one or more attribute name/value pairs. The chaincode then extracts an attribute's value to make an access control decision.
For example, suppose that you are developing application app1 and want a particular chaincode operation to be accessible only by app1 administrators. Your chaincode could verify that the caller's certificate (which was issued by a CA trusted for the channel) contains an attribute named app1Admin with a value of true. Of course, the name of the attribute can be anything and the value need not be a boolean.
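The check described above, written out as an added example (it is not code from the Fabric CA documentation or from the Fabric chaincode libraries). Fabric CA carries attributes inside the ECert as a non-critical X.509 extension whose value is a JSON document of the form {"attrs":{"name":"value"}}; the extension OID used here (1.2.3.4.5.6.7.8.1) and that layout are the ones the fabric-chaincode-go cid package reads. To stay runnable offline with the standard library only, the example mints a self-signed stand-in ECert carrying the attributes (a constructed certificate, not one issued by a channel CA), then extracts app1Admin from it the way chaincode would and makes the allow/deny decision. The function names newECert, getAttributeValue and isApp1Admin are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/json"
	"fmt"
	"math/big"
	"time"
)

// attrOID is the X.509 extension OID under which Fabric CA stores an identity's
// attributes in the ECert; it is the OID the fabric-chaincode-go cid package reads.
var attrOID = asn1.ObjectIdentifier{1, 2, 3, 4, 5, 6, 7, 8, 1}

// attributes mirrors the JSON document inside that extension, for example
// {"attrs":{"app1Admin":"true","hf.EnrollmentID":"user1"}}.
type attributes struct {
	Attrs map[string]string `json:"attrs"`
}

// newECert builds a self-signed stand-in for an enrollment certificate that
// carries the given attributes. Constructed for this example only; a real ECert
// is issued by a CA trusted for the channel.
func newECert(enrollmentID string, attrs map[string]string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	val, err := json.Marshal(attributes{Attrs: attrs})
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: enrollmentID},
		NotBefore:       time.Now().Add(-time.Hour),
		NotAfter:        time.Now().Add(time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: attrOID, Value: val}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// getAttributeValue returns the value of the named attribute from the certificate.
// found is false when the certificate has no attribute extension or lacks the name;
// err is set only when the extension is present but not valid JSON.
func getAttributeValue(cert *x509.Certificate, name string) (value string, found bool, err error) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(attrOID) {
			continue
		}
		var a attributes
		if jerr := json.Unmarshal(ext.Value, &a); jerr != nil {
			return "", false, fmt.Errorf("malformed attribute extension: %w", jerr)
		}
		value, found = a.Attrs[name]
		return value, found, nil
	}
	return "", false, nil
}

// isApp1Admin is the access-control decision from the text: the caller is an
// app1 administrator only if the ECert carries app1Admin=true. A missing or
// differently valued attribute denies access (fail closed).
func isApp1Admin(cert *x509.Certificate) (bool, error) {
	v, found, err := getAttributeValue(cert, "app1Admin")
	if err != nil {
		return false, err
	}
	return found && v == "true", nil
}

func main() {
	// Constructed identities: user1 was registered with app1Admin=true:ecert,
	// user2 only with an email attribute (address is made up for the example).
	admin, err := newECert("user1", map[string]string{"app1Admin": "true", "hf.EnrollmentID": "user1"})
	if err != nil {
		panic(err)
	}
	plain, err := newECert("user2", map[string]string{"email": "user2@example.com"})
	if err != nil {
		panic(err)
	}
	for _, c := range []*x509.Certificate{admin, plain} {
		ok, err := isApp1Admin(c)
		fmt.Printf("%s: app1Admin=%v err=%v\n", c.Subject.CommonName, ok, err)
	}
}
```

In real chaincode the certificate comes from the transaction proposal's creator (the cid package exposes this as GetAttributeValue and AssertAttributeValue), and the peer has already validated the chain up to the channel's MSP root, so the decision should rest on attribute presence and value alone and deny whenever the attribute is absent.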
So how do you get an enrollment certificate with an attribute? There are two methods:
1. When you register an identity, you can specify the attributes that the enrollment certificate issued for that identity should contain by default. This behavior can be overridden at enrollment time, but it is useful for establishing default behavior and, if enrollment happens outside of your application, it requires no application changes.
The following shows how to register user1 with two attributes: app1Admin and email. The ":ecert" suffix causes the app1Admin attribute to be inserted into user1's enrollment certificate by default, when the user does not explicitly request attributes at enrollment time. The email attribute is not added to the enrollment certificate by default.
fabric-ca-client register --id.name user1 --id.secret user1pw --id.type user --id.affiliation org1 --id.attrs 'app1Admin=true:ecert,[email protected]'
2. When you enroll an identity, you may explicitly request that one or more attributes be added to the certificate. For each attribute requested, you may specify whether the attribute is optional or not. If it is not requested optionally and the identity does not possess the attribute, an error will occur. For example, if address is specified in the command but the identity does not possess that attribute, an error is reported.
The following shows how to enroll user1 with the email attribute, without the app1Admin attribute, and optionally with the phone attribute (if the user possesses the phone attribute).
fabric-ca-client enroll -u http://user1:user1pw@localhost:7054 --enrollment.attrs "email,phone:opt"
The table below shows the three attributes which are automatically registered for every identity.
| Attribute Name | Attribute Value |
| --- | --- |
| hf.EnrollmentID | The enrollment ID of the identity |
| hf.Type | The type of the identity |
| hf.Affiliation | The affiliation of the identity |
To add any of the above attributes by default to a certificate, you must explicitly register the attribute with the ":ecert" specification. For example, the following registers identity 'user1' so that the 'hf.Affiliation' attribute will be added to an enrollment certificate if no specific attributes are requested at enrollment time.
Note that the value of the affiliation (which is 'org1') must be the same in both the '--id.affiliation' and the '--id.attrs' flags.
fabric-ca-client register --id.name user1 --id.secret user1pw --id.type user --id.affiliation org1 --id.attrs 'hf.Affiliation=org1:ecert'