Before a RAM user can call Blockchain Service (BaaS) APIs, the Alibaba Cloud account that owns the resources must grant the RAM user permissions by creating an authorization policy. In the policy, the resources being granted are identified by an Alibaba Cloud Resource Name (ARN).
This document describes the RAM authorization rules used with Blockchain Service to authorize team or department members, to grant access to resources across accounts, and to grant access across cloud services. Before using RAM to authorize and access Blockchain Service, make sure you have read the RAM product documentation and the RAM API documentation.
Authorizable Hyperledger Fabric resource types
When granting permissions to a RAM user, Hyperledger Fabric resources are described as follows:
| Resource type | Resource description in the authorization policy |
| --- | --- |
| Consortium | acs:baas:$regionId:$accountId:consortium/$consortiumId |
| Organization | acs:baas:$regionId:$accountId:organization/$organizationId |
| Channel | acs:baas:*:$accountId:channel/$channelId |
| Chaincode | acs:baas:*:$accountId:chaincode/$chaincodeId |
Here, $regionId is the region in which the resource is located, and $accountId is the Alibaba Cloud account ID of the resource owner. $consortiumId, $organizationId, $channelId and $chaincodeId are the IDs of the resources in Blockchain Service. Note that consortiums and organizations are region-scoped, while channel and chaincode ARNs carry a literal * in the region field.
Authorizable Hyperledger Fabric APIs
The following table lists the Hyperledger Fabric APIs that are authorized by default (RAM users and STS token holders can call them without an explicit policy):
| API |
| --- |
| CheckFabricConsortiumDomain |
| CheckFabricOrganizationDomain |
| DescribeTasks |
| DescribeRootDomain |
| DescribeFabricConsortiumConfig |
| DescribeFabricConsortiumSpecs |
| DescribeFabricOrganizationSpecs |
| DescribeFabricInviter |
| DescribeFabricChaincodeUploadPolicy |
| AcceptFabricInvitation |
The following table lists the authorizable Hyperledger Fabric APIs and the resources each one is authorized against. Where an API lists several ARNs, the caller must be allowed on all of them:
| API | Resource description |
| --- | --- |
| CreateFabricOrganization | acs:baas:$regionId:$accountId:organization/* |
| DescribeFabricOrganization | acs:baas:$regionId:$accountId:organization/$organizationId |
| DescribeFabricOrganizationDeletable | acs:baas:$regionId:$accountId:organization/$organizationId |
| DescribeFabricOrganizations | acs:baas:*:$accountId:organization/* |
| DescribeFabricCandidateOrganizations | acs:baas:*:$accountId:organization/* |
| CreateFabricChannel | acs:baas:*:$accountId:channel/* ; acs:baas:$regionId:$accountId:consortium/$consortiumId |
| DescribeFabricOrganizationChannels | acs:baas:$regionId:$accountId:organization/$organizationId |
| DescribeFabricConsortiumChannels | acs:baas:$regionId:$accountId:consortium/$consortiumId |
| CreateFabricChannelMember | acs:baas:*:$accountId:channel/$channelId |
| DescribeFabricChannelMembers | acs:baas:*:$accountId:channel/$channelId |
| JoinFabricChannel | acs:baas:*:$accountId:channel/$channelId |
| CreateFabricConsortium | acs:baas:$regionId:$accountId:consortium/* |
| CreateFabricConsortiumMember | acs:baas:$regionId:$accountId:consortium/$consortiumId |
| ConfirmFabricConsortiumMember | acs:baas:$regionId:$accountId:consortium/$consortiumId |
| DescribeFabricOrganizationMembers | acs:baas:$regionId:$accountId:organization/$organizationId |
| DescribeFabricOrganizationPeers | acs:baas:$regionId:$accountId:organization/$organizationId |
| DescribeFabricConsortiums | acs:baas:*:$accountId:consortium/* |
| DescribeFabricConsortiumAdminStatus | acs:baas:*:$accountId:consortium/* |
| DescribeFabricConsortiumMembers | acs:baas:$regionId:$accountId:consortium/$consortiumId |
| DescribeFabricConsortiumMemberApproval | acs:baas:$regionId:$accountId:consortium/$consortiumId |
| DescribeFabricConsortiumOrderers | acs:baas:$regionId:$accountId:consortium/$consortiumId |
| DescribeFabricConsortiumDeletable | acs:baas:$regionId:$accountId:consortium/$consortiumId |
| CreateFabricChaincode | acs:baas:*:$accountId:chaincode/* ; acs:baas:*:$accountId:channel/$channelId ; acs:baas:$regionId:$accountId:consortium/$consortiumId ; acs:baas:$regionId:$accountId:organization/$organizationId |
| DescribeFabricOrganizationChaincodes | acs:baas:$regionId:$accountId:organization/$organizationId |
| DescribeFabricConsortiumChaincodes | acs:baas:$regionId:$accountId:consortium/$consortiumId |
| DeleteFabricChaincode | acs:baas:*:$accountId:chaincode/$chaincodeId |
| InstallFabricChaincode | acs:baas:*:$accountId:chaincode/$chaincodeId ; acs:baas:$regionId:$accountId:organization/$organizationId |
| InstantiateFabricChaincode | acs:baas:*:$accountId:chaincode/$chaincodeId ; acs:baas:$regionId:$accountId:organization/$organizationId |
| UpgradeFabricChaincode | acs:baas:*:$accountId:chaincode/$chaincodeId ; acs:baas:$regionId:$accountId:organization/$organizationId |
| SynchronizeFabricChaincode | acs:baas:*:$accountId:chaincode/$chaincodeId ; acs:baas:$regionId:$accountId:organization/$organizationId |
| CreateFabricOrganizationUser | acs:baas:$regionId:$accountId:organization/$organizationId |
| DescribeFabricOrganizationUsers | acs:baas:$regionId:$accountId:organization/$organizationId |
| ResetFabricOrganizationUserPassword | acs:baas:$regionId:$accountId:organization/$organizationId |
| DownloadFabricOrganizationSDK | acs:baas:$regionId:$accountId:organization/$organizationId |
| DescribeFabricInvitationCode | acs:baas:$regionId:$accountId:consortium/$consortiumId |
Hyperledger Fabric RAM rule examples
Example 1: Grant read-only operations on BaaS. This permission lets a user view blockchain status through the console or the API and download the SDK. The resource acs:baas:*:*:* matches every Blockchain Service resource in every region, and baas:Describe* matches every API whose name begins with Describe.

    {
      "Statement": [{
        "Action": ["baas:Describe*", "baas:DownloadFabricOrganizationSDK"],
        "Effect": "Allow",
        "Resource": "acs:baas:*:*:*"
      }],
      "Version": "1"
    }

Example 2: Grant chaincode management operations on all resources. The action pattern baas:*Chaincode matches every API whose name ends in Chaincode, which in the table above are CreateFabricChaincode, DeleteFabricChaincode, InstallFabricChaincode, InstantiateFabricChaincode, UpgradeFabricChaincode and SynchronizeFabricChaincode. Because those APIs are also authorized against organization, consortium and channel resources, all four resource types are listed with wildcards here; Example 3 narrows them.

    {
      "Statement": [{
        "Action": "baas:*Chaincode",
        "Effect": "Allow",
        "Resource": ["acs:baas:*:*:chaincode/*", "acs:baas:*:*:organization/*", "acs:baas:*:*:consortium/*", "acs:baas:*:*:channel/*"]
      }],
      "Version": "1"
    }

Example 3: Finer-grained authorization for a chaincode developer. This role typically needs all read operations plus chaincode management operations on one specific organization. Following the principle of least privilege, the user is restricted to creating chaincodes only for the specified consortium, organization and channel, and to installing, instantiating and otherwise managing chaincodes only on that organization. Replace $consortiumId, $organizationId and $channelId below with the actual resource IDs from Blockchain Service. The chaincode resource stays chaincode/* because CreateFabricChaincode is authorized against it; since DeleteFabricChaincode is authorized only against chaincode/$chaincodeId, this policy still lets the user delete any chaincode in the account. If that is not intended, list the chaincode actions explicitly instead of using baas:*Chaincode and leave DeleteFabricChaincode out.

    {
      "Statement": [{
        "Action": ["baas:Describe*", "baas:DownloadFabricOrganizationSDK"],
        "Effect": "Allow",
        "Resource": "acs:baas:*:*:*"
      },
      {
        "Action": "baas:*Chaincode",
        "Effect": "Allow",
        "Resource": ["acs:baas:*:*:chaincode/*", "acs:baas:*:*:organization/$organizationId", "acs:baas:*:*:consortium/$consortiumId", "acs:baas:*:*:channel/$channelId"]
      }],
      "Version": "1"
    }
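The evaluator below is an added example written for this page, not Alibaba Cloud's RAM engine or any Blockchain Service code. It models the semantics the resource table and the three examples rely on (wildcards in Action and Resource, an explicit Deny overriding Allow, default deny, and a request succeeding only when every ARN the API is authorized against is covered) and checks the Example 3 policy against constructed inputs. The account ID, region, organization, channel, consortium and chaincode IDs are made up, and case-insensitive matching is an assumption.

```python
"""Simplified RAM policy evaluator for Blockchain Service (acs:baas) ARNs.

Added example, not Alibaba Cloud's own evaluation engine. It models the
semantics the page's examples rely on: wildcards in Action and Resource,
an explicit Deny overriding Allow, default deny, and a request being
allowed only if every ARN it is authorized against is covered.
"""
import re

# Constructed identifiers for the worked example (not real resources).
ACCOUNT = "123456789012"
REGION = "cn-hangzhou"
DEV_ORG, OTHER_ORG = "org-dev", "org-finance"
DEV_CHANNEL, DEV_CONSORTIUM = "ch-dev", "cons-dev"


def arn(resource_type: str, resource_id: str, region: str = "*") -> str:
    """Build an ARN as in the resource table (channel/chaincode use region '*')."""
    return f"acs:baas:{region}:{ACCOUNT}:{resource_type}/{resource_id}"


def install_chaincode_arns(organization_id: str, chaincode_id: str) -> list:
    """ARNs InstallFabricChaincode is authorized against, per the API table."""
    return [arn("chaincode", chaincode_id), arn("organization", organization_id, REGION)]


def create_chaincode_arns(consortium_id: str, organization_id: str, channel_id: str) -> list:
    """ARNs CreateFabricChaincode is authorized against, per the API table."""
    return [arn("chaincode", "*"), arn("channel", channel_id),
            arn("consortium", consortium_id, REGION), arn("organization", organization_id, REGION)]


def _glob(pattern: str) -> "re.Pattern":
    """RAM-style pattern to regex: '*' = any run, '?' = one char (case-insensitivity assumed)."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(f"^{body}$", re.IGNORECASE)


def _any_match(patterns, value: str) -> bool:
    """Policy fields may be a string or a list of strings."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(_glob(p).match(value) for p in patterns)


def evaluate(policy: dict, action: str, resources: list) -> bool:
    """True iff `action` is allowed on every ARN in `resources`."""
    for res in resources:
        allowed = False
        for stmt in policy["Statement"]:
            if not (_any_match(stmt["Action"], action) and _any_match(stmt["Resource"], res)):
                continue
            if stmt["Effect"] == "Deny":
                return False          # explicit Deny wins
            allowed = True
        if not allowed:
            return False              # default deny
    return True


# Example 3 from the page, with the placeholders filled in.
DEVELOPER_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": ["baas:Describe*", "baas:DownloadFabricOrganizationSDK"],
         "Effect": "Allow", "Resource": "acs:baas:*:*:*"},
        {"Action": "baas:*Chaincode", "Effect": "Allow",
         "Resource": ["acs:baas:*:*:chaincode/*",
                      f"acs:baas:*:*:organization/{DEV_ORG}",
                      f"acs:baas:*:*:consortium/{DEV_CONSORTIUM}",
                      f"acs:baas:*:*:channel/{DEV_CHANNEL}"]},
    ],
}

# Tightened variant: the chaincode actions are listed explicitly so that
# DeleteFabricChaincode (authorized only against chaincode/$chaincodeId)
# is no longer covered by the chaincode/* wildcard.
TIGHTENED_POLICY = {
    "Version": "1",
    "Statement": [
        DEVELOPER_POLICY["Statement"][0],
        {**DEVELOPER_POLICY["Statement"][1],
         "Action": ["baas:CreateFabricChaincode", "baas:InstallFabricChaincode",
                    "baas:InstantiateFabricChaincode", "baas:UpgradeFabricChaincode",
                    "baas:SynchronizeFabricChaincode"]},
    ],
}


def developer_can(policy: dict = DEVELOPER_POLICY) -> dict:
    """Decisions a practitioner would check before attaching the policy."""
    return {
        "install_own_org": evaluate(policy, "baas:InstallFabricChaincode",
                                    install_chaincode_arns(DEV_ORG, "cc-1")),
        "install_other_org": evaluate(policy, "baas:InstallFabricChaincode",
                                      install_chaincode_arns(OTHER_ORG, "cc-1")),
        "create_in_scope": evaluate(policy, "baas:CreateFabricChaincode",
                                    create_chaincode_arns(DEV_CONSORTIUM, DEV_ORG, DEV_CHANNEL)),
        "create_other_channel": evaluate(policy, "baas:CreateFabricChaincode",
                                         create_chaincode_arns(DEV_CONSORTIUM, DEV_ORG, "ch-prod")),
        "read_other_org": evaluate(policy, "baas:DescribeFabricOrganization",
                                   [arn("organization", OTHER_ORG, REGION)]),
        "delete_any_chaincode": evaluate(policy, "baas:DeleteFabricChaincode",
                                         [arn("chaincode", "cc-owned-by-finance")]),
        "create_org": evaluate(policy, "baas:CreateFabricOrganization",
                               [arn("organization", "*", REGION)]),
    }


if __name__ == "__main__":
    for name, ok in developer_can().items():
        print(f"{name:22s} {'ALLOW' if ok else 'DENY'}")
```

Running the block shows that the Example 3 policy confines chaincode creation and installation to the developer's own organization, channel and consortium while still granting reads everywhere, and that it leaves DeleteFabricChaincode open on any chaincode in the account; evaluating the same requests against TIGHTENED_POLICY closes that gap without affecting the install path.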