poanetwork
/
quorum
mirror of https://github.com/poanetwork/quorum.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

permissions: documentation update for permissions

This commit is contained in:
vsmk98 2019-05-06 18:41:21 +08:00
parent 37f3581192
commit 425c136e1e
5 changed files with 144 additions and 215 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
controls/permission/PermissionsInterface.sol
View File

@ -75,7 +75,7 @@ contract PermissionsInterface {
// function for adding a new master org
function addSubOrg(string calldata _pOrg, string calldata _orgId, string calldata _enodeId, address _account) external
{
{
permImplementation.addSubOrg(_pOrg, _orgId, _enodeId, _account, msg.sender);
}

2
docs/README.md
View File

@ -8,5 +8,5 @@
* [Privacy](./privacy.md) - Sending private transactions [privacy video](https://vimeo.com/user5833792/review/210456729/8f70cfaaa5)
* [Running](./running.md) - Detailed instructions for running Quorum nodes (see also [Constellation](https://github.com/jpmorganchase/constellation), [Tessera](https://github.com/jpmorganchase/tessera))
* [API](./api.md) - new privacy API
* [Node Permissioing & Account Access Control](./permissions.md) - Overview of node permissioning and account access control features
* [Permissions ](./permissions.md) - Quorum permissions mode overview
* [Organization level transaction manager key management](./orgkey.md) - Overview of transaction manager key management at organizational level for private transactions

BIN
docs/images/ContractDesign.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 797 KiB

BIN
docs/images/PermissionsModel.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 340 KiB

355
docs/permissions.md
View File

@ -1,237 +1,174 @@
# Overview
Currently when Quorum geth is brought up in `--permissioned` mode, for establishing p2p connectivity the nodes check `permissioned-nodes.json` file. If the enode id of the node requesting connection is present in this file, the p2p connection is established else it is declined. The `permissioned-nodes.json` file is updated procedurally whenever a new node joins the network. Node permissioning feature will allow the existing nodes to propose a new node to join the network and once majority voting is done on the proposal, it will update the `permissioned-nodes.json` automatically. Further the existing nodes can propose any node for deactivation, blacklisting and activating a node back from a deactivated status.
# Introduction
The current permission model with in Quorum is limited to node level permissions only and allows a set of nodes which are part of `permissioned-nodes.json` to join the network. Considering the enterprise level needs for private and consortium Blockchains, the permissionsing model has been enhanced inline with EEA(Etnerprise Ethreum Alliance) specs. The overview of the mode is as depicted below:
![permissions mode](images/PermissionsModel.png)
### Key Definitions
* Network - A set of organizations
* Organization - A set of Ethereum accounts, nodes having varied permissions to interact with the network
* Sub Organization - Further sub grouping with in the Organization as per business need
* Account - An Ethereum account
* Voter - An account capable of voting for a certain action
* Role - A named job function in organization
* Node - A geth node which is part of the network and belongs to an organization or sub organization
As depicted above, in the enhanced permissions model, the network is comprises of group of organization. The voters defined at network level can add these organizations and assign an account as the organization administration account. Each organization is has roles, accounts linked to these roles and nodes. The organization can further have sub organizations and each sub organization can have its own set of roles accounts and sets. The organization administration account manage and control all activities at the organization level. Further the organization administrator can create an admin role and assign the same to a different account to manage the administration of a sub organization. The access rights of an account are derived based on the role assigned to it. The account will be able to transact via any node linked to the sub org or overall organizations level.
### Smart Contract design for permissions
The permissions model is completely built on smart contracts. The smart contract design is as below:
![contract design](images/ContractDesign.png)
The permissions smart contract design follows the Proxy-Implementation-Storage pattern which allows the implementation logic to be changed without changing the storage or interface layer. Brief description of the smart contracts is as below:
* `PermissionsUpgradable.sol`: This contract stores the address of latest implementation contract and is owned by a custodian( an Ethereum account). Only custodian is allowed to change the implementation contract address.
* `PermissionsInterface.sol`: This contract interface contract and holds the interfaces for permissions related actions
* `PermissionsImplementation.sol`: This contract has the business logic for the permissions actions. This contract can receive requests only from a valid interface as defined in `PermissionsUpgradable.sol` and interact with all the storage contracts for respective actions.
* `OrgManager.sol`: This contract stores data for organizations and sub organizations. This contract can receive request from valid implementation contract as defined in `PermissionsUpgrdable.sol`
* `AccountManager.sol`: This contract can receive request from valid implementation contract as defined in `PermissionsUpgrdable.sol`. This contracts stores the data of all accounts, their linkage to organization and various roles. This contracts also stores the status of an account. The account can be in any of the following states - `PendingApproval`, `Active`, `Suspended`, `Blacklisted`, `Revoked`
* `NodeManager.sol`: This contract can receive request from valid implementation contract as defined in `PermissionsUpgrdable.sol`. This contracts stores the data of a node, its linkage to a organization or sub organization and status of the node. The node status can be any one of the following states - `PendingApproval`, `Active`, `Deactivated`, `Blacklisted`
* `RoleManager.sol`: This contract can receive request from valid implementation contract as defined in `PermissionsUpgrdable.sol`. This contract stores data for various roles and the organization to which it is linked. At access at role level can be any one of the following: `Readonly` which allows only read operations, `Transact` which allows value transfer but no contract deployment access, `ContractDeploy` which allows both value transfer and contract deployment access and `FullAccess` which allows additional network level accesses in addition to value transfer and contract deployment. If a role is revoked all accounts which are linked to the role lose all access rights.
* `VoterManager.sol`: This contract can receive request from valid implementation contract as defined in `PermissionsUpgrdable.sol`. This contract stores the data of valid voters at network level which can approve identified activities e.g. adding a new organization to the network. Any account which is linked to a predefined network admin role will be marked as a voter. Whenever a network level activity which requires voting is performed, a voting item is added to this contract and each voter account can vote for the activity. The activity is marked as `Approved` upon majority voting.
Account permissioning feature introduces controls at account level. This will control the type of activities that a particular account can perform in the network.
It should be noted that both the above features will be available when Quorum geth is brought in `--permissioned` mode with the set up as described in the next section.
## Set up
Node permissioning and account access control is managed by a smart contract [PermissionsInterface.sol](../controls/permission/PermissionsInterface.sol). The precompiled byte code of the smart contract is deployed at address `0x000000000000000000020` in network boot-up process. The binding of the precompiled byte code with the address is in `genesis.json`. The initial set of account that will have full access when the network is up, should given as a part of `genesis.json` as shown below:
```
{
"alloc": {
"0x0000000000000000000000000000000000000020": {
"code": "<<compiled contract bytecode>>"
"storage": {
"0x0000000000000000000000000000000000000000000000000000000000000000" : "0x0000000000000000000000000000000000000003",
"0x290decd9548b62a8d60345a988386fc84ba6bc95484008f6362f93160ef3e563" : "0xcA843569e3427144cEad5e4d5999a3D0cCF92B8e",
"0x290decd9548b62a8d60345a988386fc84ba6bc95484008f6362f93160ef3e564" : "0xed9d02e382b34818e88b88a309c7fe71e65f419d",
"0x290decd9548b62a8d60345a988386fc84ba6bc95484008f6362f93160ef3e565" : "0x0fbdc686b912d7722dc86510934589e0aaf3b55a"
},
"balance": "1000000000000000000000000000"
},
```
In the above set up, accounts `"0xcA843569e3427144cEad5e4d5999a3D0cCF92B8e", "0xed9d02e382b34818e88b88a309c7fe71e65f419d", "0x0fbdc686b912d7722dc86510934589e0aaf3b55a"` will have full access when the network boot is completed. The default access for any other account in the network will be `ReadOnly`
If the network is brought up with permissions control byte code and no accounts are given as a part of storage, then geth start up will fail with error `Permissioned network being brought up with zero accounts having full access. Add permissioned full access accounts in genesis.json and bring up the network`
Further, if the initial set of network nodes are brought up with `--permissioned` mode and a new approved node is joining the network without `--permissioned` flag in the `geth` start command, system will not allow the new `geth` node to come and a fatal error `Joining a permissioned network in non-permissioned mode. Bring up geth with --permissioned."` will be thrown.
## Node Permissioning
In a permissioned network any node can be in one of the following status:
* Proposed - The node has been proposed to join the network and pending majority voting to be marked as `Approved`
* Approved - The node is approved and is part of the network
* PendingDeactivation - The node has been proposed for deactivation from network and is pending majority approval
* Deactivated - The node has been deactivated from the network. Any node in this status will be disconnected from the network and block sync with this node will not happen
* PendingActivation - A deactivated node has been proposed for activation and is pending majority approval. Once approved the node will move to `Approved` status
* PendingBlacklisting - The node has been proposed for blacklisting and is pending majority approval
* Blacklisted - The node has been blacklisted. If the node was an active node on the network, the node will be disconnected from the network and block sync will stop
It should be noted that deactivation is temporary in nature and hence the node can join back the network at a later point in time. However blacklisting is permanent in nature. A blacklisted node will never be able to join back the network. Further blacklisting can be proposed for a node which is in the network or a new node which is currently not part of the network.
When the network is started for the first time, all the nodes present in `static-nodes.json` file are added to the permissioned nodes list maintained in the smart contract. Once the initial network is up, these nodes can then propose and approve new nodes to join the network.
### Node Permission APIs
#### quorumNodeMgmt.permissionNodeList
### Permission APIs
#### quorumPermission.orgList
* Input: None
* Output: Returns the list of all enodes and their status
* Output: Returns the list of all organizations and their status
* Example:
```
> quorumNodeMgmt.permissionNodeList
> quorumPermission.orgList
[{
enodeId: "enode://ac6b1096ca56b9f6d004b779ae3728bf83f8e22453404cc3cef16a3d9b96608bc67c4b30db88e0a5a6c6390213f7acbe1153ff6d23ce57380104288ae19373ef@127.0.0.1:21000?discport=0&raftport=50401",
status: "Approved"
}, {
enodeId: "enode://0ba6b9f606a43a95edc6247cdb1c1e105145817be7bcafd6b2c0ba15d58145f0dc1a194f70ba73cd6f4cdd6864edc7687f311254c7555cc32e4d45aeb1b80416@127.0.0.1:21001?discport=0&raftport=50402",
status: "Approved"
}, {
enodeId: "enode://579f786d4e2830bbcc02815a27e8a9bacccc9605df4dc6f20bcc1a6eb391e7225fff7cb83e5b4ecd1f3a94d8b733803f2f66b7e871961e7b029e22c155c3a778@127.0.0.1:21002?discport=0&raftport=50403",
status: "Approved"
}, {
enodeId: "enode://3d9ca5956b38557aba991e31cf510d4df641dce9cc26bfeb7de082f0c07abb6ede3a58410c8f249dabeecee4ad3979929ac4c7c496ad20b8cfdd061b7401b4f5@127.0.0.1:21003?discport=0&raftport=50404",
status: "Approved"
fullOrgId: "INITORG",
level: 1,
orgId: "INITORG",
parentOrgId: "",
status: 2,
subOrgList: null,
ultimateParent: "INITORG"
}]
```
#### quorumNodeMgmt.addVoter
Before a new node can be proposed to the network, the network should have valid voters. This api allows an account to be added as voter to the network. Only an account with full access can add another account as voter. Further the account being added as voter account should have at least transact permission.
* Input: Account to be added as voter, transaction object
* Output: Status of the operation
* Example:
```
> quorumNodeMgmt.addVoter("0x0fBDc686b912d7722dc86510934589E0AAf3b55A", {from: eth.accounts[0]})
{
msg: "Action completed successfully",
status: true
}
```
#### quorumNodeMgmt.removeVoter
Allows a voter account to be removed from the network. Only an account with `FullAccess` can perform this activity.
* Input: Account to be removed, transaction object
* Output: Status of the operation
* Example:
```
> quorumNodeMgmt.removeVoter("0x0fBDc686b912d7722dc86510934589E0AAf3b55A", {from: eth.accounts[0]})
{
msg: "Action completed successfully",
status: true
}
```
#### quorumNodeMgmt.voterList
#### quorumPermission.acctList
* Input: None
* Output: List of all voters on the network
* Output: Returns the list of all accounts across organizations
* Example:
```
> quorumNodeMgmt.voterList
["0xed9d02e382b34818e88B88a309c7fe71E65f419d", "0x0fBDc686b912d7722dc86510934589E0AAf3b55A"]
```
#### quorumNodeMgmt.proposeNode
Allows a new enode to be proposed to the network. This operation will be allowed only if at least one voter account is present in the network.
* Input: enode to be proposed, transaction object
* Output: Status of the operation
* Example:
```
> quorumNodeMgmt.proposeNode("enode://3701f007bfa4cb26512d7df18e6bbd202e8484a6e11d387af6e482b525fa25542d46ff9c99db87bd419b980c24a086117a397f6d8f88e74351b41693880ea0cb@127.0.0.1:21004?discport=0&raftport=50405", {from: eth.accounts[0]})
{
msg: "Action completed successfully",
status: true
}
```
#### quorumNodeMgmt.approveNode
API for approving a proposed node. The node gets approved once majority votes from the voter accounts is received.
* Input: enode to be approved, transaction object
* Output: Status of the operation
* Example:
```
> quorumNodeMgmt.approveNode("enode://3701f007bfa4cb26512d7df18e6bbd202e8484a6e11d387af6e482b525fa25542d46ff9c99db87bd419b980c24a086117a397f6d8f88e74351b41693880ea0cb@127.0.0.1:21004?discport=0&raftport=50405", {from: eth.accounts[0]})
{
msg: "Action completed successfully",
status: true
}
```
#### quorumNodeMgmt.proposeNodeDeactivation
API for proposing a node for deactivation. The node must be `Approved` state and there should be at least one voter account present at network.
* Input: enode to be deactivated, transaction object
* Output: Status of the operation
* Example:
```
> quorumNodeMgmt.proposeNodeDeactivation("enode://3701f007bfa4cb26512d7df18e6bbd202e8484a6e11d387af6e482b525fa25542d46ff9c99db87bd419b980c24a086117a397f6d8f88e74351b41693880ea0cb@127.0.0.1:21004?discport=0&raftport=50405", {from: eth.accounts[0]})
{
msg: "Action completed successfully",
status: true
}
```
#### quorumNodeMgmt.approveNodeDeactivation
API for approving node for deactivation. The node gets deactivated once majority votes from the voter accounts is received
* Input: enode to be deactivated, transaction object
* Output: Status of the operation
* Example:
```
> quorumNodeMgmt.approveNodeDeactivation("enode://3701f007bfa4cb26512d7df18e6bbd202e8484a6e11d387af6e482b525fa25542d46ff9c99db87bd419b980c24a086117a397f6d8f88e74351b41693880ea0cb@127.0.0.1:21004?discport=0&raftport=50405", {from: eth.accounts[0]})
{
msg: "Action completed successfully",
status: true
}
```
#### quorumNodeMgmt.proposeNodeActivation
API for proposing activation of a deactivated node. The node must be in `Deactivated` state and there should be at least one voter account present at network.
* Input: enode to be activated, transaction object
* Output: Status of the operation
* Example:
```
> quorumNodeMgmt.proposeNodeActivation("enode://3701f007bfa4cb26512d7df18e6bbd202e8484a6e11d387af6e482b525fa25542d46ff9c99db87bd419b980c24a086117a397f6d8f88e74351b41693880ea0cb@127.0.0.1:21004?discport=0&raftport=50405", {from: eth.accounts[0]})
{
msg: "Action completed successfully",
status: true
}
```
#### quorumNodeMgmt.approveNodeActivation
API for approval of activating a deactivated node. The node gets activated once majority votes from the voter accounts is received
* Input: enode to be activated, transaction object
* Output: Status of the operation
* Example:
```
> quorumNodeMgmt.approveNodeActivation("enode://3701f007bfa4cb26512d7df18e6bbd202e8484a6e11d387af6e482b525fa25542d46ff9c99db87bd419b980c24a086117a397f6d8f88e74351b41693880ea0cb@127.0.0.1:21004?discport=0&raftport=50405", {from: eth.accounts[0]})
{
msg: "Action completed successfully",
status: true
}
```
#### quorumNodeMgmt.proposeNodeBlacklisting
API for blacklisting a node from the network. Any node (irrespective of node status or a node which is not part of network) can be proposed for blacklisting. Blacklisting takes precedence on any other proposal.
* Input: enode to be blacklisted, transaction object
* Output: Status of the operation
* Example:
```
> quorumNodeMgmt.proposeNodeBlacklisting("enode://3701f007bfa4cb26512d7df18e6bbd202e8484a6e11d387af6e482b525fa25542d46ff9c99db87bd419b980c24a086117a397f6d8f88e74351b41693880ea0cb@127.0.0.1:21004?discport=0&raftport=50405", {from: eth.accounts[0]})
{
msg: "Action completed successfully",
status: true
}
```
#### quorumNodeMgmt.approveNodeBlacklisting
API for approving node blacklisting. The node is blacklisted once majority votes from the voter accounts. Once the node is blacklisted, it cannot rejoin the network.
* Input: enode to be blacklisted, transaction object
* Output: Status of the operation
* Example:
```
> quorumNodeMgmt.approveNodeBlacklisting("enode://3701f007bfa4cb26512d7df18e6bbd202e8484a6e11d387af6e482b525fa25542d46ff9c99db87bd419b980c24a086117a397f6d8f88e74351b41693880ea0cb@127.0.0.1:21004?discport=0&raftport=50405", {from: eth.accounts[0]})
{
msg: "Action completed successfully",
status: true
}
```
## Account Access Control
The following account access types are being introduced as a part of this feature:
* ReadOnly: Accounts with this access will be able to perform only read activities and will not be able to deploy contracts or transactions. By default any account which is not permissioned will have a read only access.
* Transact: Accounts with transact access will be able to commit transactions but will not be able to deploy contracts
* Contract deploy: Accounts with this access will be able to deploy contracts and commit transactions
* Full access: Similar to "Contract deploy" access, accounts with this access will be able to deploy contracts and perform transactions. Further only an account with Full access can add voters to the network.
### Account Access APIs
#### quorumAcctMgmt.permissionAccountList
* Input: None
* Output: Returns the list of all permissioned accounts with account access for each
* Example:
```
> quorumAcctMgmt.permissionAccountList
> quorumPermission.acctList
[{
access: "FullAccess",
address: "0xcA843569e3427144cEad5e4d5999a3D0cCF92B8e"
acctId: "0xed9d02e382b34818e88b88a309c7fe71e65f419d",
isOrgAdmin: true,
orgId: "INITORG",
roleId: "NWADMIN",
status: 2
}, {
access: "Transact",
address: "0xed9d02e382b34818e88B88a309c7fe71E65f419d"
acctId: "0xca843569e3427144cead5e4d5999a3d0ccf92b8e",
isOrgAdmin: true,
orgId: "INITORG",
roleId: "NWADMIN",
status: 2
}]
```
#### quorumPermission.nodeList
* Input: None
* Output: Returns the list of all nodes across organizations
* Example:
```
> quorumPermission.nodeList
[{
orgId: "INITORG",
status: 2,
url: "enode://72c0572f7a2492cffb5efc3463ef350c68a0446402a123dacec9db5c378789205b525b3f5f623f7548379ab0e5957110bffcf43a6115e450890f97a9f65a681a@127.0.0.1:21000?discport=0"
}, {
access: "ContractDeploy",
address: "0x0fBDc686b912d7722dc86510934589E0AAf3b55A"
orgId: "INITORG",
status: 2,
url: "enode://7a1e3b5c6ad614086a4e5fb55b6fe0a7cf7a7ac92ac3a60e6033de29df14148e7a6a7b4461eb70639df9aa379bd77487937bea0a8da862142b12d326c7285742@127.0.0.1:21001?discport=0"
}, {
access: "ReadOnly",
address: "0x9186eb3d20Cbd1F5f992a950d808C4495153ABd5"
orgId: "INITORG",
status: 2,
url: "enode://5085e86db5324ca4a55aeccfbb35befb412def36e6bc74f166102796ac3c8af3cc83a5dec9c32e6fd6d359b779dba9a911da8f3e722cb11eb4e10694c59fd4a1@127.0.0.1:21002?discport=0"
}, {
orgId: "INITORG",
status: 2,
url: "enode://28a4afcf56ee5e435c65b9581fc36896cc684695fa1db83c9568de4353dc6664b5cab09694d9427e9cf26a5cd2ac2fb45a63b43bb24e46ee121f21beb3a7865e@127.0.0.1:21003?discport=0"
}]
```
#### quorumPermission.roleList
* Input: None
* Output: Returns the list of all roles across organizations and their details
* Example:
```
> quorumPermission.roleList
[{
access: 3,
active: true,
isAdmin: true,
isVoter: true,
orgId: "INITORG",
roleId: "NWADMIN"
}]
```
#### quorumPermission.getOrgDetails
This returns the list of accounts, nodes, roles, sub organizations linked to an organization
* Input: idrganization or sub organization id
* Output: list of all accounts, roles, nodes and sub orgs
* Example:
```
> quorumPermission.getOrgDetails("INITORG")
{
acctList: [{
acctId: "0xed9d02e382b34818e88b88a309c7fe71e65f419d",
isOrgAdmin: true,
orgId: "INITORG",
roleId: "NWADMIN",
status: 2
}, {
acctId: "0xca843569e3427144cead5e4d5999a3d0ccf92b8e",
isOrgAdmin: true,
orgId: "INITORG",
roleId: "NWADMIN",
status: 2
}],
nodeList: [{
orgId: "INITORG",
status: 2,
url: "enode://72c0572f7a2492cffb5efc3463ef350c68a0446402a123dacec9db5c378789205b525b3f5f623f7548379ab0e5957110bffcf43a6115e450890f97a9f65a681a@127.0.0.1:21000?discport=0"
}, {
orgId: "INITORG",
status: 2,
url: "enode://7a1e3b5c6ad614086a4e5fb55b6fe0a7cf7a7ac92ac3a60e6033de29df14148e7a6a7b4461eb70639df9aa379bd77487937bea0a8da862142b12d326c7285742@127.0.0.1:21001?discport=0"
}, {
orgId: "INITORG",
status: 2,
url: "enode://5085e86db5324ca4a55aeccfbb35befb412def36e6bc74f166102796ac3c8af3cc83a5dec9c32e6fd6d359b779dba9a911da8f3e722cb11eb4e10694c59fd4a1@127.0.0.1:21002?discport=0"
}, {
orgId: "INITORG",
status: 2,
url: "enode://28a4afcf56ee5e435c65b9581fc36896cc684695fa1db83c9568de4353dc6664b5cab09694d9427e9cf26a5cd2ac2fb45a63b43bb24e46ee121f21beb3a7865e@127.0.0.1:21003?discport=0"
}],
roleList: [{
access: 3,
active: true,
isAdmin: true,
isVoter: true,
orgId: "INITORG",
roleId: "NWADMIN"
}],
subOrgList: null
}
```
#### quorumAcctMgmt.setAccountAccess
* Input: Account, access type for the account and transaction object
#### quorumPermission.addOrg
This api can be executed by a network admin account only for proposing a new organization into the network
* Input: Unique organization id, enode id, account id
* Output: Status of the operation
* Example:
```
> quorumAcctMgmt.setAccountAccess("0x9186eb3d20cbd1f5f992a950d808c4495153abd5", 2, {from: eth.accounts[0]})
> quorumPermission.addOrg("ABC", "enode://3d9ca5956b38557aba991e31cf510d4df641dce9cc26bfeb7de082f0c07abb6ede3a58410c8f249dabeecee4ad3979929ac4c7c496ad20b8cfdd061b7401b4f5@127.0.0.1:21003?discport=0&raftport=50404", "0x0638e1574728b6d862dd5d3a3e0942c3be47d996", {from: eth.accounts[0]})
{
msg: "Action completed successfully",
status: true
}
```
### General validations for account access
The table below indicates the numeric value for each account access type.
@ -248,11 +185,3 @@ While setting the account access, system checks if the account which is setting
* Accounts with `Transact` access grant only `Transact` or `ReadOnly` access to other accounts
* Accounts with `ReadOnly` access cannot grant any access
If an account having lower privileges tries to assign a higher privilege to an account, system will not allow the operation and will throw the an error as shown below:
```
> quorumAcctMgmt.setAccountAccess("0xAE9bc6cD5145e67FbD1887A5145271fd182F0eE7", "0", {from: eth.accounts[0]})
{
msg: "Account does not have sufficient access for operation",
status: false
}
```