-
Notifications
You must be signed in to change notification settings - Fork 8.9k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Chain MSPManager and chain ACLs config schema
This is a changeset suggesting MSPManager & chain ACL related configuration schema for a new chain/channel. This is put under protos/common, as it is a configuration relevant to orderer channel setup and application channels. This changesets suggests a representation for chain readers (identities that are allowed to read a chain), chain writers (identities that are authorized to submit transactions to a chain), and chain admins (identities that are authorized to administer a chain). The structures defined here can be used in conjuction to the policy framework. Files in this changeset: - common/chain-config.proto: definition of a config schema for chain MSPs, as well as the chain readers, writers and admins - common/chain-config.pb.go: its golang version Change-Id: Ia8fe10e6d0a3db5e24a502cc5edcbe59cd6ca920 Signed-off-by: Elli Androulaki <lli@zurich.ibm.com>
- Loading branch information
1 parent
94e282f
commit 6e1f314
Showing
4 changed files
with
733 additions
and
171 deletions.
There are no files selected for viewing
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,137 @@ | ||
| /* | ||
| Copyright IBM Corp. 2016 All Rights Reserved. | ||
| Licensed under the Apache License, Version 2.0 (the "License"); | ||
| you may not use this file except in compliance with the License. | ||
| You may obtain a copy of the License at | ||
| http://www.apache.org/licenses/LICENSE-2.0 | ||
| Unless required by applicable law or agreed to in writing, software | ||
| distributed under the License is distributed on an "AS IS" BASIS, | ||
| WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| See the License for the specific language governing permissions and | ||
| limitations under the License. | ||
| */ | ||
|
|
||
|
|
||
| syntax = "proto3"; | ||
|
|
||
| option go_package = "github.com/hyperledger/fabric/protos/common"; | ||
|
|
||
| package common; | ||
|
|
||
|
|
||
| // chain-config.proto contains proto messages defining the schema of | ||
| // a chain configuration structure. An example of how | ||
| // this could be | ||
| // -- VerifierMSPlist carries information associated to MSPs governing | ||
| // the chain | ||
| // -- MSPPrincipal carries the information needed to define policies | ||
| // for reading/writing or managing the chain | ||
| // | ||
| // An example of chain configuration could set the following parameters: | ||
| // -- an array of msp.MSPConfig items to denote the list of MSPs that govern | ||
| // the chain | ||
| // -- readers: a list of MSPPrincipal assuming that by default ANY entity | ||
| // being part of this list is able to read transactions of that chain | ||
| // -- writers: a list of MSPPrincipal assuming that by default ANY entity | ||
| // being part of this list is able to submit transactions to that chain | ||
| // -- admins: a list of MSPPrincipal assuming that by default ANY entity | ||
| // being part of this list is able to modify the configuraiton of that | ||
| // chain. | ||
|
|
||
|
|
||
|
|
||
| // MSPPrincipal aims to represent an MSP-centric set of identities. | ||
| // In particular, this structure allows for definition of | ||
| // - a group of identities that are member of the same MSP | ||
| // - a group of identities that are member of the same organization unit | ||
| // in the same MSP | ||
| // - a group of identities that are administering a specific MSP | ||
| // - a specific identity | ||
| // Expressing these groups is done given two fields of the fields below | ||
| // - Classification, that defines the type of classification of identities | ||
| // in an MSP this principal would be defined on; Classification can take | ||
| // three values: | ||
| // (i) ByMSPRole: that represents a classification of identities within | ||
| // MSP based on one of the two pre-defined MSP rules, "member" and "admin" | ||
| // (ii) ByOrganizationUnit: that represents a classification of identities | ||
| // within MSP based on the organization unit an identity belongs to | ||
| // (iii)ByIdentity that denotes that MSPPrincipal is mapped to a single | ||
| // identity/certificate; this would mean that the Principal bytes | ||
| // message | ||
| message MSPPrincipal { | ||
|
|
||
| enum Classification { | ||
| ByMSPRole = 0; // Represents the one of the dedicated MSP roles, the | ||
| // one of a member of MSP network, and the one of an | ||
| // administrator of an MSP network | ||
| ByOrganizationUnit = 1; // Denotes a finer grained (affiliation-based) | ||
| // groupping of entities, per MSP affiliation | ||
| // E.g., this can well be represented by an MSP's | ||
| // Organization unit | ||
| ByIdentity = 2; // Denotes a principal that consists of a single | ||
| // identity | ||
| } | ||
|
|
||
| // Classification describes the way that one should process | ||
| // Principal. An Classification value of "ByOrganizationUnit" reflects | ||
| // that "Principal" contains the name of an organization this MSP | ||
| // handles. A Classification value "ByIdentity" means that | ||
| // "Principal" contains a specific identity. Default value | ||
| // denotes that Principal contains one of the groups by | ||
| // default supported by all MSPs ("admin" or "member"). | ||
| Classification PrincipalClassification = 1; | ||
|
|
||
| // Principal completes the policy principal definition. For the default | ||
| // principal types, Principal can be either "Admin" or "Member". | ||
| // For the ByOrganizationUnit/ByIdentity values of Classification, | ||
| // PolicyPrincipal acquires its value from an organization unit or | ||
| // identity, respectively. | ||
| bytes Principal = 3; | ||
| } | ||
|
|
||
|
|
||
| // OrganizationUnit governs the organization of the Principal | ||
| // field of a policy principal when a specific organization unity members | ||
| // are to be defined within a policy principal. | ||
| message OrganizationUnit { | ||
|
|
||
| // MSPIdentifier represents the identifier of the MSP this organization unit | ||
| // refers to | ||
| string MSPIdentifier = 1; | ||
|
|
||
| // OrganizationUnitIdentifier defines the organization unit under the | ||
| // MSP identified with MSPIdentifier | ||
| string OrganizationUnitIdentifier = 2; | ||
|
|
||
| } | ||
|
|
||
| // MSPRole governs the organization of the Principal | ||
| // field of an MSPPrincipal when it aims to define one of the | ||
| // two dedicated roles within an MSP: Admin and Members. | ||
| message MSPRole { | ||
|
|
||
| // MSPIdentifier represents the identifier of the MSP this principal | ||
| // refers to | ||
| string MSPIdentifier = 1; | ||
|
|
||
| enum MSPRoleType { | ||
| Member = 0; // Represents an MSP Member | ||
| Admin = 1; // Represents an MSP Admin | ||
| } | ||
|
|
||
| // MSPRoleType defines which of the available, pre-defined MSP-roles | ||
| // an identiy should posess inside the MSP with identifier MSPidentifier | ||
| MSPRoleType Role = 2; | ||
|
|
||
| } | ||
|
|
||
|
|
||
| // TODO: Bring msp.SerializedIdentity from fabric/msp/identities.proto here. Reason below. | ||
| // SerializedIdentity represents an serialized version of an identity; | ||
| // this consists of an MSP-identifier this identity would correspond to | ||
| // and the bytes of the actual identity. A serialized form of | ||
| // SerializedIdentity would govern "Principal" field of a PolicyPrincipal | ||
| // of classification "ByIdentity". |
Oops, something went wrong.