Private Data Collection Policy: Demonstrating Members-Only Read and Write Features

Overview

According to the Fabric documentation, the private data collection policy allows more granular access control for organizations that are not members of the collection policy. In most cases it is desirable that only policy members can read and write the private data collection, and non-members cannot. There are still cases where non-members need some access, and the memberOnlyRead and memberOnlyWrite options in the collection definition exist for those. In this article we take a look at these two options and observe their behaviour through some test scenarios.

Test Setup

We are using the same setup and testing chaincode as in a previous article about testing private data.

Three scenarios are tested, differing only in the two options in the collection definition:

  1. memberOnlyRead: true, memberOnlyWrite: true
  2. memberOnlyRead: false, memberOnlyWrite: true
  3. memberOnlyRead: true, memberOnlyWrite: false

The same steps are run for each scenario:

  1. Package the chaincode and install the chaincode package on all peers
  2. Approve the chaincode definition with the private data collection file for the scenario
  3. Commit the chaincode definition
  4. Invoke setPrivate() to set a key-value pair in the private data collection
  5. Read the private data from the local ledger of each of the three organizations: only Org1 and Org2 can see the data
  6. Use Org3 to query getPrivate()
  7. Use Org3 to invoke setPrivate()

Test Step

Follow the preparation of the test step in my previous article.

Scenario 1

# Step 6: Org3 queries getPrivate() through peer0.org1 (a collection member)
docker exec \
  -e CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org3.example.com/users/Admin@org3.example.com/msp \
  -e CORE_PEER_ADDRESS=peer0.org3.example.com:11051 \
  -e CORE_PEER_LOCALMSPID="Org3MSP" \
  -e CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tls/ca.crt \
  cli peer chaincode query \
  -o orderer.example.com:7050 --tls \
  --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem \
  --peerAddresses peer0.org1.example.com:7051 \
  --tlsRootCertFiles /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt \
  -C mychannel -n mycc -c '{"Args":["getPrivate","name"]}'

# Step 7: Org3 invokes setPrivate(), endorsed by peer0.org1 and peer0.org2
docker exec \
  -e CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org3.example.com/users/Admin@org3.example.com/msp \
  -e CORE_PEER_ADDRESS=peer0.org3.example.com:11051 \
  -e CORE_PEER_LOCALMSPID="Org3MSP" \
  -e CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org3.example.com/peers/peer0.org3.example.com/tls/ca.crt \
  cli peer chaincode invoke \
  -o orderer.example.com:7050 --tls true \
  --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem \
  -C mychannel -n mycc \
  --peerAddresses peer0.org1.example.com:7051 \
  --tlsRootCertFiles /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt \
  --peerAddresses peer0.org2.example.com:9051 \
  --tlsRootCertFiles /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/ca.crt \
  -c '{"Args":["setPrivate","name","Bob"]}'

Scenario 2

  • When memberOnlyRead is set to false (this scenario), Org3 still cannot read the private data from its own peer, because the private data is never distributed to Org3's peer; only the hash is found there. The option relaxes who may read, not where the data is stored.

Scenario 3

Observation

These two options, memberOnlyRead and memberOnlyWrite, allow more control over a private data collection. In scenario 1 both are set to true. This is the strictest policy, as only collection policy members can read and write the private data. Setting either or both options to false releases the corresponding restriction for organizations outside the collection policy members, as we see in scenarios 2 and 3.
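To make the three scenarios concrete, here is a small added model (not the article's own code or config) that builds the collection definition for each scenario and answers who can read or write. The collection name, peer counts and blockToLive are assumptions; the policy members, MSP IDs and the "non-member peer holds only the hash" behaviour come from the article.

```python
import re

# Added model of Fabric's memberOnlyRead / memberOnlyWrite semantics for the
# three scenarios in this article. Collection name, peer counts and
# blockToLive are assumed values, not the article's own collection file.

def collection_config(member_only_read, member_only_write):
    """Build the collections_config.json content for one scenario."""
    return [{
        "name": "collectionPrivate",                      # assumed name
        "policy": "OR('Org1MSP.member', 'Org2MSP.member')",
        "requiredPeerCount": 1,
        "maxPeerCount": 2,
        "blockToLive": 0,
        "memberOnlyRead": member_only_read,
        "memberOnlyWrite": member_only_write,
    }]

SCENARIOS = {
    1: collection_config(True, True),    # strictest: members only
    2: collection_config(False, True),   # outsiders may read
    3: collection_config(True, False),   # outsiders may write
}

def policy_members(collection):
    """MSP IDs named in the collection's signature policy string."""
    return set(re.findall(r"'(\w+)\.(?:member|peer|admin|client)'",
                          collection["policy"]))

def can_read(scenario, client_msp, peer_msp):
    """Can a client of client_msp read private data by querying a peer
    of peer_msp? A non-member peer never stores the data (it holds only
    the hash), so the answer there is False regardless of memberOnlyRead."""
    c = SCENARIOS[scenario][0]
    members = policy_members(c)
    if peer_msp not in members:
        return False
    return client_msp in members or not c["memberOnlyRead"]

def can_write(scenario, client_msp):
    """Can a client of client_msp invoke setPrivate() when the proposal is
    endorsed by member peers (as the article's invoke command does)?"""
    c = SCENARIOS[scenario][0]
    return client_msp in policy_members(c) or not c["memberOnlyWrite"]

if __name__ == "__main__":
    for s in SCENARIOS:
        print(s, "Org3 read via Org1 peer:", can_read(s, "Org3MSP", "Org1MSP"),
              "Org3 write:", can_write(s, "Org3MSP"))
```

Dump `SCENARIOS[n]` as JSON to get the file passed to `--collections-config` when approving the chaincode definition for scenario n.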

Visit http://www.ledgertech.biz/kcarticles.html for all my works. Reach me on https://www.linkedin.com/in/ktam1/ or follow me @kctheservant on Twitter.
