poanetwork
/
quorum
mirror of https://github.com/poanetwork/quorum.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/feature/permissioning-1.8.18-suborgs-docs' into feature/permissioning-1.8.18-suborgs-docs

This commit is contained in:
vsmk98 2019-08-15 11:48:44 +08:00
parent 91d85aa15c 0c6084c7a7
commit f97e7920c6
3 changed files with 214 additions and 137 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

277
docs/Permissioning/Permissioning apis.md
View File

@ -12,9 +12,8 @@ None
* `status`: org status. [refer](#organization-status-types) for complete list of statuses
* `subOrgList`: list of sub orgs linked to the org
* `ultimateParent`: Master org under which the org falls
####Example
Via JSON RPC
```jshelllanguage
#### Examples
```jshelllanguage tab="JSON RPC"
// Request
curl -X POST http://127.0.0.1:22000 --data '{"jsonrpc":"2.0","method":"quorumPermission_orgList","id":10}' --header "Content-Type: application/json"
@ -29,8 +28,8 @@ curl -X POST http://127.0.0.1:22000 --data '{"jsonrpc":"2.0","method":"quorumPer
ultimateParent: "INITORG"
}
```
Via `geth` console
```javascript
```javascript tab="geth console"
> quorumPermission.orgList
[{
fullOrgId: "INITORG",
@ -44,17 +43,20 @@ Via `geth` console
```
### `quorumPermission_acctList`
Returns the list of accounts permissioned in the network
#### Parameters
None
#### Returns
* `acctId`: account id
* `isOrgAdmin`: indicates if the account is admin account for the organization
* `orgId`: org identifier
* `roleId`: role assigned to the account
* `status`: account status. [refer](#account-status-types) for the complete list of account status.
####Example
Via JSON RPC
```jshelllanguage
#### Examples
```jshelllanguage tab="JSON RPC"
// Request
curl -X POST http://127.0.0.1:22000 --data '{"jsonrpc":"2.0","method":"quorumPermission_acctList","id":10}' --header "Content-Type: application/json"
@ -73,8 +75,8 @@ curl -X POST http://127.0.0.1:22000 --data '{"jsonrpc":"2.0","method":"quorumPer
status: 2
}
```
Via `geth` console
```javascript
```javascript tab="geth console"
> quorumPermission.acctList
[{
acctId: "0xed9d02e382b34818e88b88a309c7fe71e65f419d",
@ -99,8 +101,8 @@ None
* `status`: status of the node. [refer](#node-status-types) for the complete list of node statuses
* `url`: complete enode id
#### Examples
Via JSON RPC
```jshelllanguage
```jshelllanguage tab="JSON RPC"
// Request
curl -X POST http://127.0.0.1:22000 --data '{"jsonrpc":"2.0","method":"quorumPermission_nodeList","id":10}' --header "Content-Type: application/json"
@ -123,8 +125,8 @@ curl -X POST http://127.0.0.1:22000 --data '{"jsonrpc":"2.0","method":"quorumPer
url: "enode://28a4afcf56ee5e435c65b9581fc36896cc684695fa1db83c9568de4353dc6664b5cab09694d9427e9cf26a5cd2ac2fb45a63b43bb24e46ee121f21beb3a7865e@127.0.0.1:21003?discport=0"
}
```
Via `geth` console
```javascript
```javascript tab="geth console"
> quorumPermission.nodeList
[{
orgId: "INITORG",
@ -156,9 +158,9 @@ None
* `isVoter`: indicates if the role is enabled for voting. Applicable only for network admin role
* `orgId`: org id to which the role is linked
* `roleId`: unique role id
#### Example
Via JSON RPC
```jshelllanguage
#### Examples
```jshelllanguage tab="JSON RPC"
// Request
curl -X POST http://127.0.0.1:22000 --data '{"jsonrpc":"2.0","method":"quorumPermission_roleList","id":10}' --header "Content-Type: application/json"
@ -172,8 +174,8 @@ curl -X POST http://127.0.0.1:22000 --data '{"jsonrpc":"2.0","method":"quorumPer
roleId: "NWADMIN"
}
```
Via `geth` console
```javascript
```javascript tab="geth console"
> quorumPermission.roleList
[{
access: 3,
@ -195,9 +197,9 @@ This returns the list of accounts, nodes, roles, and sub organizations linked to
* `roleList`
* `subOrgList`: array of sub orgs linked to the org
* Output: list of all accounts, nodes, roles, and sub orgs
#### Example:
Via JSON RPC
```jshelllanguage
#### Examples
```jshelllanguage tab="JSON RPC"
// Request
curl -X POST http://127.0.0.1:22000 --data '{"jsonrpc":"2.0","method":"quorumPermission_getOrgDetails","params":["INITORG"],"id":10}' --header "Content-Type: application/json"
@ -244,8 +246,8 @@ curl -X POST http://127.0.0.1:22000 --data '{"jsonrpc":"2.0","method":"quorumPer
subOrgList: null
}
```
Via `geth` console
```javascript
```javascript tab="geth console"
> quorumPermission_getOrgDetails("INITORG")
{
acctList: [{
@ -299,22 +301,22 @@ This api can be executed by a network admin account (`from:` in transactions arg
#### Returns
* `msg`: response message
* `status`: `bool` indicating if the operation was success or failure
#### Example:
Via JSON RPC
```jshelllanguage
#### Examples
```jshelllanguage tab="JSON RPC"
// Request
curl -X POST http://127.0.0.1:22000 --data '{"jsonrpc":"2.0","method":"quorumPermission_addOrg","params":["ABC", "enode://3d9ca5956b38557aba991e31cf510d4df641dce9cc26bfeb7de082f0c07abb6ede3a58410c8f249dabeecee4ad3979929ac4c7c496ad20b8cfdd061b7401b4f5@127.0.0.1:21003?discport=0&raftport=50404", "0x0638e1574728b6d862dd5d3a3e0942c3be47d996", {"from":"0xed9d02e382b34818e88b88a309c7fe71e65f419d"}],"id":10}' --header "Content-Type: application/json"
// Response
{"jsonrpc":"2.0","id":10,"result":"Action completed successfully"}
```
Via `geth` console
```javascript
```javascript tab="geth console"
> quorumPermission.addOrg("ABC", "enode://3d9ca5956b38557aba991e31cf510d4df641dce9cc26bfeb7de082f0c07abb6ede3a58410c8f249dabeecee4ad3979929ac4c7c496ad20b8cfdd061b7401b4f5@127.0.0.1:21003?discport=0&raftport=50404", "0x0638e1574728b6d862dd5d3a3e0942c3be47d996", {from: eth.accounts[0]})
"Action completed successfully"
```
If there are any pending items for approval, proposal of any new organization will fail. Also the enode id and accounts can be linked to one organization only.
```javascript
```javascript tab="geth console"
> quorumPermission.addOrg("ABC", "enode://3d9ca5956b38557aba991e31cf510d4df641dce9cc26bfeb7de082f0c07abb6ede3a58410c8f249dabeecee4ad3979929ac4c7c496ad20b8cfdd061b7401b4f5@127.0.0.1:21003?discport=0&raftport=50404", "0x0638e1574728b6d862dd5d3a3e0942c3be47d996", {from: eth.accounts[0]})
Error: Pending approvals for the organization. Approve first
at web3.js:3143:20
@ -345,17 +347,17 @@ This api can be executed by a network admin account (`from:` in transactions arg
#### Returns
* `msg`: response message
* `status`: `bool` indicating if the operation was success or failure
#### Example:
Via JSON RPC
```jshelllanguage
#### Examples
```jshelllanguage tab="JSON RPC"
// Request
curl -X POST http://127.0.0.1:22000 --data '{"jsonrpc":"2.0","method":"quorumPermission_approveOrg","params":["ABC", "enode://3d9ca5956b38557aba991e31cf510d4df641dce9cc26bfeb7de082f0c07abb6ede3a58410c8f249dabeecee4ad3979929ac4c7c496ad20b8cfdd061b7401b4f5@127.0.0.1:21003?discport=0&raftport=50404", "0x0638e1574728b6d862dd5d3a3e0942c3be47d996", {"from":"0xed9d02e382b34818e88b88a309c7fe71e65f419d"}],"id":10}' --header "Content-Type: application/json"
// Response
{"jsonrpc":"2.0","id":10,"result":"Action completed successfully"}
```
Via `geth` console
```javascript
```javascript tab="geth console"
quorumPermission.approveOrg("ABC", "enode://3d9ca5956b38557aba991e31cf510d4df641dce9cc26bfeb7de082f0c07abb6ede3a58410c8f249dabeecee4ad3979929ac4c7c496ad20b8cfdd061b7401b4f5@127.0.0.1:21003?discport=0&raftport=50404", "0x0638e1574728b6d862dd5d3a3e0942c3be47d996", {from: eth.accounts[0]})
"Action completed successfully"
```
@ -369,44 +371,49 @@ This api can only be executed by a network admin account and is used for tempora
#### Returns
* `msg`: response message
* `status`: `bool` indicating if the operation was success or failure
#### Example
Via JSON RPC
```jshelllanguage
#### Examples
```jshelllanguage tab="JSON RPC"
// Request
curl -X POST http://127.0.0.1:22000 --data '{"jsonrpc":"2.0","method":"quorumPermission_updateOrgStatus","params":["ABC", 1, {"from":"0xed9d02e382b34818e88b88a309c7fe71e65f419d"}],"id":10}' --header "Content-Type: application/json"
//Response
{"jsonrpc":"2.0","id":10,"result":"Action completed successfully"}
```
Via `geth` console
```javascript
```javascript tab="geth console"
> quorumPermission.updateOrgStatus("ABC", 1, {from:eth.accounts[0]})
"Action completed successfully"
```
### `quorumPermission_approveOrgStatus`
This api can only be executed by a network admin account and is used for approving the org status change proposal. Once majority approval is received from network admins, the org status is updated.
#### Parameters
* `orgId`: org id
* `action`:
* 1 - for approving org suspension
* 2 - for approving activation of suspended org
#### Returns
* `msg`: response message
* `status`: `bool` indicating if the operation was success or failure
#### Example
Via JSON RPC
```jshelllanguage
#### Examples
```jshelllanguage tab="JSON RPC"
// Request
curl -X POST http://127.0.0.1:22000 --data '{"jsonrpc":"2.0","method":"quorumPermission_approveOrgStatus","params":["ABC", 1, {"from":"0xed9d02e382b34818e88b88a309c7fe71e65f419d"}],"id":10}' --header "Content-Type: application/json"
//Response
{"jsonrpc":"2.0","id":10,"result":"Action completed successfully"}
```
Via `geth` console
```javascript
```javascript tab="geth console"
quorumPermission.approveOrgStatus("ABC", 1, {from: eth.accounts[0]})
"Action completed successfully"
```
When an organization is in suspended status, no transactions or contract deploy activities are allowed from any nodes linked to the org and sub organizations under it. Similarly no transactions will be allowed from any accounts linked to the organization
### `quorumPermission_addSubOrg`
@ -418,21 +425,22 @@ This api can be executed by a organization admin account to create a sub organiz
#### Returns
* `msg`: response message
* `status`: `bool` indicating if the operation was success or failure
#### Example
Via JSON RPC
```jshelllanguage
#### Examples
```jshelllanguage tab="JSON RPC"
// Request
curl -X POST http://127.0.0.1:22000 --data '{"jsonrpc":"2.0","method":"quorumPermission_addSubOrg","params":["ABC", "SUB1","", {"from":"0xed9d02e382b34818e88b88a309c7fe71e65f419d"}],"id":10}' --header "Content-Type: application/json"
// Response
{"jsonrpc":"2.0","id":10,"result":"Action completed successfully"}
```
Via `geth` console
```javascript
```javascript tab="geth console"
> quorumPermission.addSubOrg("ABC", "SUB1", "", {from: eth.accounts[0]})
"Action completed successfully"
```
Few examples of adding sub org in nested hierarchy:
Few examples of adding sub org in nested hierarchy:
```javascript
> quorumPermission.addSubOrg("ABC.SUB1", "SUB2","", {from: eth.accounts[0]})
"Action completed successfully"
@ -440,78 +448,91 @@ Few examples of adding sub org in nested hierarchy:
> quorumPermission.addSubOrg("ABC.SUB1.SUB2", "SUB3","", {from: eth.accounts[0]})
"Action completed successfully"
```
### `quorumPermission_addNewRole`
This api can be executed by an organization admin account to create a new role for the organization.
#### Parameters
* `orgId`: org id for which the role is being created
* `roleId`: unique role identifier
* `accountAccess`: account level access. [Refer](#account-access-types) for complete list
* `isVoter`: `bool` indicates if its a voting role
* `isAdminRole`: `bool` indicates if its an admin role
#### Returns
* `msg`: response message
* `status`: `bool` indicating if the operation was success or failure
#### Example
Via JSON RPC
```jshelllanguage
#### Examples
```jshelllanguage tab="JSON RPC"
// Request
curl -X POST http://127.0.0.1:22000 --data '{"jsonrpc":"2.0","method":"quorumPermission_addNewRole","params":["ABC", "TRANSACT",1,false,false, {"from":"0xed9d02e382b34818e88b88a309c7fe71e65f419d"}],"id":10}' --header "Content-Type: application/json"
// Response
{"jsonrpc":"2.0","id":10,"result":"Action completed successfully"}
```
Via `geth` console
```javascript
```javascript tab="geth console"
> quorumPermission.addNewRole("ABC", "TRANSACT", 1, false, false,{from: eth.accounts[0]})
"Action completed successfully"
> quorumPermission.addNewRole("ABC.SUB1.SUB2.SUB3", "TRANSACT", 1, false, false,{from: eth.accounts[0]})
"Action completed successfully"
```
### `quorumPermission_removeRole`
This api can be executed by an organization admin account to create a new role for the organization.
#### Parameters
* `orgId`: org or sub org id to which the role belongs
* `roleId`: role id
#### Returns
* `msg`: response message
* `status`: `bool` indicating if the operation was success or failure
#### Example
Via JSON RPC
```jshelllanguage
#### Examples
```jshelllanguage tab="JSON RPC"
// Request
curl -X POST http://127.0.0.1:22000 --data '{"jsonrpc":"2.0","method":"quorumPermission_removeRole","params":["ABC", "TRANSACT", {"from":"0xed9d02e382b34818e88b88a309c7fe71e65f419d"}],"id":10}' --header "Content-Type: application/json"
// Response
{"jsonrpc":"2.0","id":10,"result":"Action completed successfully"}
```
Via `geth` console
```javascript
```javascript tab="geth console"
> quorumPermission.removeRole("ABC.SUB1.SUB2.SUB3", "TRANSACT", {from: eth.accounts[1]})
"Action completed successfully"
```
### `quorumPermission_addAccountToOrg`
This api can be executed by an organization admin to add an account to an organization and assign a role to the account
#### Parameters
* `acctId`: org or sub org id to which the role belongs
* `orgId`: org id
* `roleId`: role id
#### Returns
* `msg`: response message
* `status`: `bool` indicating if the operation was success or failure
#### Example
Via JSON RPC
```jshelllanguage
#### Examples
```jshelllanguage tab="JSON RPC"
// Request
curl -X POST http://127.0.0.1:22000 --data '{"jsonrpc":"2.0","method":"quorumPermission_addAccountToOrg","params":["0xf017976fdf1521de2e108e63b423380307f501f8", "ABC", "TRANSACT", {"from":"0xed9d02e382b34818e88b88a309c7fe71e65f419d"}],"id":10}' --header "Content-Type: application/json"
// Response
{"jsonrpc":"2.0","id":10,"result":"Action completed successfully"}
```
Via `geth` console
```javascript
```javascript tab="geth console"
> quorumPermission.addAccountToOrg("0xf017976fdf1521de2e108e63b423380307f501f8", "ABC", "TRANSACT", {from: eth.accounts[1]})
"Action completed successfully"
```
The account can at best be linked to a single organization or sub organization and cannot belong to multiple organizations or sub organizations
```javascript
> quorumPermission.addAccountToOrg("0xf017976fdf1521de2e108e63b423380307f501f8", "ABC.SUB1", "TRANSACT", {from: eth.accounts[1]})
@ -530,23 +551,24 @@ This api can be executed by an organization admin account to assign a role to an
#### Returns
* `msg`: response message
* `status`: `bool` indicating if the operation was success or failure
#### Example
Via JSON RPC
```jshelllanguage
#### Examples
```jshelllanguage tab="JSON RPC"
// Request
curl -X POST http://127.0.0.1:22000 --data '{"jsonrpc":"2.0","method":"quorumPermission_changeAccountRole","params":["0xf017976fdf1521de2e108e63b423380307f501f8", "ABC", "TRANSACT", {"from":"0xed9d02e382b34818e88b88a309c7fe71e65f419d"}],"id":10}' --header "Content-Type: application/json"
// Response
{"jsonrpc":"2.0","id":10,"result":"Action completed successfully"}
```
Via `geth` console
```javascript
```javascript tab="geth console"
> quorumPermission.changeAccountRole("0xf017976fdf1521de2e108e63b423380307f501f8", "ABC", "TRANSACT", {from: eth.accounts[1]})
"Action completed successfully"
```
### `quorumPermission_updateAccountStatus`
This api can be executed by an organization admin account to update the account status.
#### Parameters
* `orgId`: org id
* `acctId`: org or sub org id to which the role belongs
@ -554,139 +576,160 @@ This api can be executed by an organization admin account to update the account
* 1 - for suspending the account
* 2 - for activating a suspended account
* 3 - for blacklisting an account
#### Returns
* `msg`: response message
* `status`: `bool` indicating if the operation was success or failure
#### Example
Via JSON RPC
```jshelllanguage
#### Examples
```jshelllanguage tab="JSON RPC"
// Request
curl -X POST http://127.0.0.1:22000 --data '{"jsonrpc":"2.0","method":"quorumPermission_updateAccountStatus","params":["ABC", "0xf017976fdf1521de2e108e63b423380307f501f8", 1, {"from":"0xed9d02e382b34818e88b88a309c7fe71e65f419d"}],"id":10}' --header "Content-Type: application/json"
// Response
{"jsonrpc":"2.0","id":10,"result":"Action completed successfully"}
```
Via `geth` console
```javascript
```javascript tab="geth console"
> quorumPermission.updateAccountStatus("ABC", "0xf017976fdf1521de2e108e63b423380307f501f8", 1, {from: eth.accounts[1]})
"Action completed successfully"
```
Once a account is blacklisted it can only be recovered by network admins. Refer to [quorumPermission_recoverBlackListedAccount](#quorumpermission_recoverblacklistedaccount) and [quorumPermission_approveBlackListedAccountRecovery](#quorumpermission_approveblacklistedaccountrecovery) for further details.
### `quorumPermission_recoverBlackListedAccount`
This api can be executed by the network admin account to initiate the recovery of a blacklisted account. Post majority approval from network admin accounts, the blacklisted account will be marked as active.
#### Parameters
* `orgId`: org or sub org id to which the node belongs
* `acctId`: blacklisted account id
#### Returns
* `msg`: response message
* `status`: `bool` indicating if the operation was success or failure
Via JSON RPC
```jshelllanguage
```jshelllanguage tab="JSON RPC"
// Request
curl -X POST http://127.0.0.1:22000 --data '{"jsonrpc":"2.0","method":"quorumPermission_recoverBlackListedAccount","params":["ABC.SUB1.SUB2.SUB3", "0xf017976fdf1521de2e108e63b423380307f501f8", {"from":"0xed9d02e382b34818e88b88a309c7fe71e65f419d"}],"id":10}' --header "Content-Type: application/json"
// Response
{"jsonrpc":"2.0","id":10,"result":"Action completed successfully"}
```
Via `geth` console
```javascript
```javascript tab="geth console"
> quorumPermission.recoverBlackListedAccount("ABC.SUB1.SUB2.SUB3", "0xf017976fdf1521de2e108e63b423380307f501f8", {from: eth.accounts[1]})
"Action completed successfully"
```
### `quorumPermission_approveBlackListedAccountRecovery`
This api can be executed by the network admin approve the recovery of a blacklisted account. Once majority approvals from network admin accounts is received, the account is marked as active.
#### Parameters
* `orgId`: org or sub org id to which the node belongs
* `acctId`: blacklisted account id
#### Returns
* `msg`: response message
* `status`: `bool` indicating if the operation was success or failure
Via JSON RPC
```jshelllanguage
#### Examples
```jshelllanguage tab="JSON RPC"
// Request
curl -X POST http://127.0.0.1:22000 --data '{"jsonrpc":"2.0","method":"quorumPermission_approveBlackListedNodeRecovery","params":["ABC.SUB1.SUB2.SUB3", "0xf017976fdf1521de2e108e63b423380307f501f8", {"from":"0xed9d02e382b34818e88b88a309c7fe71e65f419d"}],"id":10}' --header "Content-Type: application/json"
// Response
{"jsonrpc":"2.0","id":10,"result":"Action completed successfully"}
```
Via `geth` console
```javascript
```javascript tab="geth console"
> quorumPermission.approveBlackListedNodeRecovery("ABC.SUB1.SUB2.SUB3", "0xf017976fdf1521de2e108e63b423380307f501f8", {from: eth.accounts[1]})
"Action completed successfully"
```
### `quorumPermission_assignAdminRole`
This api can be executed by the network admin to add a new account as network admin or change the org admin account for an organization.
#### Parameters
* `orgId`: org id to which the account belongs
* `acctId`: account id
* `roleId`: new role id to be assigned to the account. This can be the network admin role or org admin role only
#### Returns
* `msg`: response message
* `status`: `bool` indicating if the operation was success or failure
#### Example
Via JSON RPC
```jshelllanguage
#### Examples
```jshelllanguage tab="JSON RPC"
// Request
curl -X POST http://127.0.0.1:22000 --data '{"jsonrpc":"2.0","method":"quorumPermission_assignAdminRole","params":["ABC", "0xf017976fdf1521de2e108e63b423380307f501f8", "NWADMIN", {"from":"0xed9d02e382b34818e88b88a309c7fe71e65f419d"}],"id":10}' --header "Content-Type: application/json"
// Response
{"jsonrpc":"2.0","id":10,"result":"Action completed successfully"}
```
Via `geth` console
```javascript
```javascript tab="geth console"
> quorumPermission.assignAdminRole("ABC", "0xf017976fdf1521de2e108e63b423380307f501f8", "NWADMIN", {from: eth.accounts[0]})
"Action completed successfully"
```
### `quorumPermission_approveAdminRole`
This api can be executed by the network admin to approve the organization admin or network admin role assignment to an account. The role is approved once majority approval is received.
#### Parameters
* `orgId`: org id to which the account belongs
* `acctId`: account id
#### Returns
* `msg`: response message
* `status`: `bool` indicating if the operation was success or failure
#### Example
Via JSON RPC
```jshelllanguage
#### Examples
```jshelllanguage tab="JSON RPC"
// Request
curl -X POST http://127.0.0.1:22000 --data '{"jsonrpc":"2.0","method":"quorumPermission_approveAdminRole","params":["ABC", "0xf017976fdf1521de2e108e63b423380307f501f8", {"from":"0xed9d02e382b34818e88b88a309c7fe71e65f419d"}],"id":10}' --header "Content-Type: application/json"
// Response
{"jsonrpc":"2.0","id":10,"result":"Action completed successfully"}
```
Via `geth` console
```javascript
```javascript tab="geth console"
> quorumPermission.approveAdminRole("ABC", "0xf017976fdf1521de2e108e63b423380307f501f8", {from: eth.accounts[0]})
"Action completed successfully"
```
### `quorumPermission_addNode`
This api can be executed by the organization admin account to add a node to the organization or sub organization. A node cannot be part of multiple organizations.
#### Parameters
* `orgId`: org or sub org id to which the node belongs
* `enodeId`: complete enode id
#### Returns
* `msg`: response message
* `status`: `bool` indicating if the operation was success or failure
#### Example
Via JSON RPC
```jshelllanguage
#### Examples
```jshelllanguage tab="JSON RPC"
// Request
curl -X POST http://127.0.0.1:22000 --data '{"jsonrpc":"2.0","method":"quorumPermission_addNode","params":["ABC.SUB1.SUB2.SUB3", "enode://239c1f044a2b03b6c4713109af036b775c5418fe4ca63b04b1ce00124af00ddab7cc088fc46020cdc783b6207efe624551be4c06a994993d8d70f684688fb7cf@127.0.0.1:21006?discport=0&raftport=50407", {"from":"0xed9d02e382b34818e88b88a309c7fe71e65f419d"}],"id":10}' --header "Content-Type: application/json"
// Response
{"jsonrpc":"2.0","id":10,"result":"Action completed successfully"}
```
Via `geth` console
```javascript
```javascript tab="geth console"
> quorumPermission.addNode("ABC.SUB1.SUB2.SUB3", "enode://239c1f044a2b03b6c4713109af036b775c5418fe4ca63b04b1ce00124af00ddab7cc088fc46020cdc783b6207efe624551be4c06a994993d8d70f684688fb7cf@127.0.0.1:21006?discport=0&raftport=50407", {from: eth.accounts[1]})
"Action completed successfully"
```
### `quorumPermission_updateNodeStatus`
This api can be executed by the organization admin account to update the status of a node.
#### Parameters
* `orgId`: org or sub org id to which the node belongs
* `enodeId`: complete enode id
@ -694,66 +737,76 @@ This api can be executed by the organization admin account to update the status
* 1 - for deactivating the node
* 2 - for activating a deactivated node
* 3 - for blacklisting a node
#### Returns
* `msg`: response message
* `status`: `bool` indicating if the operation was success or failure
#### Example
Via JSON RPC
```jshelllanguage
#### Examples
```jshelllanguage tab="JSON RPC"
// Request
curl -X POST http://127.0.0.1:22000 --data '{"jsonrpc":"2.0","method":"quorumPermission_updateNodeStatus","params":["ABC.SUB1.SUB2.SUB3", "enode://239c1f044a2b03b6c4713109af036b775c5418fe4ca63b04b1ce00124af00ddab7cc088fc46020cdc783b6207efe624551be4c06a994993d8d70f684688fb7cf@127.0.0.1:21006?discport=0&raftport=50407",1, {"from":"0xed9d02e382b34818e88b88a309c7fe71e65f419d"}],"id":10}' --header "Content-Type: application/json"
// Response
{"jsonrpc":"2.0","id":10,"result":"Action completed successfully"}
```
Via `geth` console
```javascript
```javascript tab="geth console"
> quorumPermission.updateNodeStatus("ABC.SUB1.SUB2.SUB3", "enode://239c1f044a2b03b6c4713109af036b775c5418fe4ca63b04b1ce00124af00ddab7cc088fc46020cdc783b6207efe624551be4c06a994993d8d70f684688fb7cf@127.0.0.1:21006?discport=0&raftport=50407",3, {from: eth.accounts[1]})
"Action completed successfully"
```
Once a node is blacklisted it can only be recovered by network admins. Refer to [quorumPermission_recoverBlackListedNode](#quorumpermission_recoverblacklistednode) and [quorumPermission_approveBlackListedNodeRecovery](#quorumpermission_approveblacklistednoderecovery) for further details.
### `quorumPermission_recoverBlackListedNode`
This api can be executed by the network admin account to initiate the recovery of a blacklisted node. Post majority approval from network admin accounts, the blacklisted node will be marked as active.
#### Parameters
* `orgId`: org or sub org id to which the node belongs
* `enodeId`: complete enode id
#### Returns
* `msg`: response message
* `status`: `bool` indicating if the operation was success or failure
Via JSON RPC
```jshelllanguage
#### Examples
```jshelllanguage tab="JSON RPC"
// Request
curl -X POST http://127.0.0.1:22000 --data '{"jsonrpc":"2.0","method":"quorumPermission_recoverBlackListedNode","params":["ABC.SUB1.SUB2.SUB3", "enode://239c1f044a2b03b6c4713109af036b775c5418fe4ca63b04b1ce00124af00ddab7cc088fc46020cdc783b6207efe624551be4c06a994993d8d70f684688fb7cf@127.0.0.1:21006?discport=0&raftport=50407", {"from":"0xed9d02e382b34818e88b88a309c7fe71e65f419d"}],"id":10}' --header "Content-Type: application/json"
// Response
{"jsonrpc":"2.0","id":10,"result":"Action completed successfully"}
```
Via `geth` console
```javascript
```javascript tab="geth console"
> quorumPermission.recoverBlackListedNode("ABC.SUB1.SUB2.SUB3", "enode://239c1f044a2b03b6c4713109af036b775c5418fe4ca63b04b1ce00124af00ddab7cc088fc46020cdc783b6207efe624551be4c06a994993d8d70f684688fb7cf@127.0.0.1:21006?discport=0&raftport=50407", {from: eth.accounts[1]})
"Action completed successfully"
```
### `quorumPermission_approveBlackListedNodeRecovery`
This api can be executed by the network admin approve the recovery of a blacklisted node. Once majority approvals from network admin accounts is received, the node is marked as active.
#### Parameters
* `orgId`: org or sub org id to which the node belongs
* `enodeId`: complete enode id
#### Returns
* `msg`: response message
* `status`: `bool` indicating if the operation was success or failure
Via JSON RPC
```jshelllanguage
#### Examples
```jshelllanguage tab="JSON RPC"
// Request
curl -X POST http://127.0.0.1:22000 --data '{"jsonrpc":"2.0","method":"quorumPermission_approveBlackListedNodeRecovery","params":["ABC.SUB1.SUB2.SUB3", "enode://239c1f044a2b03b6c4713109af036b775c5418fe4ca63b04b1ce00124af00ddab7cc088fc46020cdc783b6207efe624551be4c06a994993d8d70f684688fb7cf@127.0.0.1:21006?discport=0&raftport=50407", {"from":"0xed9d02e382b34818e88b88a309c7fe71e65f419d"}],"id":10}' --header "Content-Type: application/json"
// Response
{"jsonrpc":"2.0","id":10,"result":"Action completed successfully"}
```
Via `geth` console
```javascript
```javascript tab="geth console"
> quorumPermission.approveBlackListedNodeRecovery("ABC.SUB1.SUB2.SUB3", "enode://239c1f044a2b03b6c4713109af036b775c5418fe4ca63b04b1ce00124af00ddab7cc088fc46020cdc783b6207efe624551be4c06a994993d8d70f684688fb7cf@127.0.0.1:21006?discport=0&raftport=50407", {from: eth.accounts[1]})
"Action completed successfully"
```

65
docs/Permissioning/Usage.md
View File

@ -101,15 +101,16 @@ then the network will have the following configuration once it has started up:
### Proposing a new organization into the network
Once the network is up, the network admin accounts can then propose a new organization into the network. Majority approval from the network admin accounts is required before an organization is approved. The APIs for [proposing](../Permissioning%20apis#quorumpermissionaddorg) and [approving](../Permissioning%20apis#quorumpermissionapproveorg) an organization are documented in [permission APIs](../Permissioning%20apis)
#### example
#### Example
An example to propose and approve an organization by name `ORG1` is as shown below:
```
```javascript
> quorumPermission.addOrg("ORG1", "enode://de9c2d5937e599930832cecc1df8cc90b50839bdf635c1a4e68e1dab2d001cd4a11c626e155078cc65958a72e2d72c1342a28909775edd99cc39470172cce0ac@127.0.0.1:21004?discport=0", "0x0638e1574728b6d862dd5d3a3e0942c3be47d996", {from: "0xed9d02e382b34818e88b88a309c7fe71e65f419d"})
"Action completed successfully"
```
Once the org is proposed, it will be in `Proposed` state awaiting approval from other network admin accounts. The org status is as shown below:
```
```javascript
> quorumPermission.orgList[1]
{
fullOrgId: "ORG1",
@ -121,8 +122,10 @@ Once the org is proposed, it will be in `Proposed` state awaiting approval from
ultimateParent: "ORG1"
}
```
The network admin accounts can then approve the proposed organizations and once the majority approval is achieved, the organization status is updated as `Approved`
```
```javascript
> quorumPermission.approveOrg("ORG1", "enode://de9c2d5937e599930832cecc1df8cc90b50839bdf635c1a4e68e1dab2d001cd4a11c626e155078cc65958a72e2d72c1342a28909775edd99cc39470172cce0ac@127.0.0.1:21004?discport=0", "0x0638e1574728b6d862dd5d3a3e0942c3be47d996", {from: "0xca843569e3427144cead5e4d5999a3d0ccf92b8e"})
"Action completed successfully"
> quorumPermission.orgList[1]
@ -136,8 +139,9 @@ The network admin accounts can then approve the proposed organizations and once
ultimateParent: "ORG1"
}
```
The details of the new organization approved are as below:
```
```javascript
> quorumPermission.getOrgDetails("ORG1")
{
acctList: [{
@ -179,7 +183,7 @@ The new node belonging to the organization can now join the network. In case the
Once the organization is approved and the node of the organization has joined the network, the organization admin can then create sub organizations, roles, add additional nodes at organization level, add accounts to the organization and change roles of existing organization level accounts.
To add a sub org at `ORG1` level refer to [addSubOrg API](../Permissioning%20apis#quorumpermissionaddsuborg)
```
```javascript
> quorumPermission.addSubOrg("ORG1", "SUB1", "enode://239c1f044a2b03b6c4713109af036b775c5418fe4ca63b04b1ce00124af00ddab7cc088fc46020cdc783b6207efe624551be4c06a994993d8d70f684688fb7cf@127.0.0.1:21006?discport=0", {from: eth.accounts[0]})
"Action completed successfully"
> quorumPermission.getOrgDetails("ORG1.SUB1")
@ -194,15 +198,17 @@ To add a sub org at `ORG1` level refer to [addSubOrg API](../Permissioning%20api
subOrgList: null
}
```
For adding a sub org the enode id is not mandatory. For the newly created sub org if the org admin desires to add an administration account, the org admin account will have to first create a role with `isAdmin` flag as `Y` and then assign this role to the account which belongs to the sub org. Once assigned the account will act as org admin at sub org level. Refer to [addNewRole API](../Permissioning%20apis#quorumpermissionaddnewrole)
```
```javascript
> quorumPermission.addNewRole("ORG1.SUB1", "SUBADMIN", 3, false, true,{from: eth.accounts[0]})
"Action completed successfully"
> eth.accounts[0]
"0x0638e1574728b6d862dd5d3a3e0942c3be47d996"
```
The role `SUBADMIN` can now be assigned to an account at sub org `SUB1` for making the account admin for the sub org.
```
```javascript
> quorumPermission.addAccountToOrg("0x42ef6abedcb7ecd3e9c4816cd5f5a96df35bb9a0", "ORG1.SUB1", "SUBADMIN", {from: "0x0638e1574728b6d862dd5d3a3e0942c3be47d996"})
"Action completed successfully"
> quorumPermission.getOrgDetails("ORG1.SUB1")
@ -230,8 +236,9 @@ The role `SUBADMIN` can now be assigned to an account at sub org `SUB1` for maki
subOrgList: null
}
```
The account `0x42ef6abedcb7ecd3e9c4816cd5f5a96df35bb9a0` is now the admin for sub org `SUB1` and will be able to add roles, accounts and nodes to the sub org. It should be noted that the org admin account at master org level has the admin rights on all the sub organizations below. However the admin account at sub org level has control only in the sub org to which it is linked.
```
```javascript
> quorumPermission.addNewRole("ORG1.SUB1", "TRANSACT", 1, false, true,{from: "0x42ef6abedcb7ecd3e9c4816cd5f5a96df35bb9a0"})
"Action completed successfully"
> quorumPermission.getOrgDetails("ORG1.SUB1").roleList
@ -251,8 +258,9 @@ The account `0x42ef6abedcb7ecd3e9c4816cd5f5a96df35bb9a0` is now the admin for su
roleId: "TRANSACT"
}]
```
To add an account to an organization refer to [addAccountToOrg API](../Permissioning%20apis#quorumpermissionaddaccounttoorg).
```
```javascript
> quorumPermission.addAccountToOrg("0x283f3b8989ec20df621166973c93b56b0f4b5455", "ORG1.SUB1", "SUBADMIN", {from: "0x42ef6abedcb7ecd3e9c4816cd5f5a96df35bb9a0"})
"Action completed successfully"
> quorumPermission.getOrgDetails("ORG1.SUB1").acctList
@ -271,8 +279,9 @@ To add an account to an organization refer to [addAccountToOrg API](../Permissio
status: 2
}]
```
To suspend an account [updateAccountStatus](../Permissioning%20apis#quorumpermissionupdateaccountstatus) API can be invoked with action as 1.
```
```javascript
> quorumPermission.updateAccountStatus("ORG1.SUB1", "0x283f3b8989ec20df621166973c93b56b0f4b5455", 1, {from: "0x42ef6abedcb7ecd3e9c4816cd5f5a96df35bb9a0"})
"Action completed successfully"
> quorumPermission.getOrgDetails("ORG1.SUB1").acctList
@ -290,8 +299,9 @@ To suspend an account [updateAccountStatus](../Permissioning%20apis#quorumpermis
status: 1
}]
```
To revoke suspension of an account [updateAccountStatus](../Permissioning%20apis#quorumpermissionupdateaccountstatus) API can be invoked with action as 2.
```
```javascript
> quorumPermission.updateAccountStatus("ORG1.SUB1", "0x283f3b8989ec20df621166973c93b56b0f4b5455", 2, {from: "0x42ef6abedcb7ecd3e9c4816cd5f5a96df35bb9a0"})
"Action completed successfully"
> quorumPermission.getOrgDetails("ORG1.SUB1").acctList
@ -310,8 +320,9 @@ To revoke suspension of an account [updateAccountStatus](../Permissioning%20apis
status: 2
}]
```
To [blacklist an account updateAccountStatus](../Permissioning%20apis#quorumpermissionupdateaccountstatus) API can be invoked with action as 3. Once blacklisted no further activity will be possible on the account.
```
```javascript
> quorumPermission.updateAccountStatus("ORG1.SUB1", "0x283f3b8989ec20df621166973c93b56b0f4b5455", 3, {from: "0x42ef6abedcb7ecd3e9c4816cd5f5a96df35bb9a0"})
"Action completed successfully"
> quorumPermission.getOrgDetails("ORG1.SUB1").acctList
@ -330,8 +341,9 @@ To [blacklist an account updateAccountStatus](../Permissioning%20apis#quorumperm
status: 5
}]
```
To [add nodes addNode ](../Permissioning%20apis#quorumpermissionaddnode) at organization and sub organization level by the org admin.
```
```javascript
> quorumPermission.addNode("ORG1.SUB1", "enode://eacaa74c4b0e7a9e12d2fe5fee6595eda841d6d992c35dbbcc50fcee4aa86dfbbdeff7dc7e72c2305d5a62257f82737a8cffc80474c15c611c037f52db1a3a7b@127.0.0.1:21005?discport=0", {from: "0x42ef6abedcb7ecd3e9c4816cd5f5a96df35bb9a0"})
"Action completed successfully"
> quorumPermission.getOrgDetails("ORG1.SUB1").nodeList
@ -345,8 +357,9 @@ To [add nodes addNode ](../Permissioning%20apis#quorumpermissionaddnode) at orga
url: "enode://eacaa74c4b0e7a9e12d2fe5fee6595eda841d6d992c35dbbcc50fcee4aa86dfbbdeff7dc7e72c2305d5a62257f82737a8cffc80474c15c611c037f52db1a3a7b@127.0.0.1:21005?discport=0"
}]
```
Org admin can manage the status of the nodes by using [updateNodeStatus](../Permissioning%20apis#quorumpermissionupdatenodestatus) API. To deactivate a node the API can be invoked with action 1.
```
```javascript
> quorumPermission.getOrgDetails("ORG1.SUB1").nodeList
[{
orgId: "ORG1.SUB1",
@ -358,8 +371,9 @@ Org admin can manage the status of the nodes by using [updateNodeStatus](../Perm
url: "enode://eacaa74c4b0e7a9e12d2fe5fee6595eda841d6d992c35dbbcc50fcee4aa86dfbbdeff7dc7e72c2305d5a62257f82737a8cffc80474c15c611c037f52db1a3a7b@127.0.0.1:21005?discport=0"
}]
```
To activate the node back invoke [updateNodeStatus](../Permissioning%20apis#quorumpermissionupdatenodestatus) API with action 2.
```
```javascript
> quorumPermission.updateNodeStatus("ORG1.SUB1", "enode://eacaa74c4b0e7a9e12d2fe5fee6595eda841d6d992c35dbbcc50fcee4aa86dfbbdeff7dc7e72c2305d5a62257f82737a8cffc80474c15c611c037f52db1a3a7b@127.0.0.1:21005?discport=0",2, {from:"0x42ef6abedcb7ecd3e9c4816cd5f5a96df35bb9a0"})
"Action completed successfully"
> quorumPermission.getOrgDetails("ORG1.SUB1").nodeList
@ -373,8 +387,9 @@ To activate the node back invoke [updateNodeStatus](../Permissioning%20apis#quor
url: "enode://eacaa74c4b0e7a9e12d2fe5fee6595eda841d6d992c35dbbcc50fcee4aa86dfbbdeff7dc7e72c2305d5a62257f82737a8cffc80474c15c611c037f52db1a3a7b@127.0.0.1:21005?discport=0"
}]
```
To blacklist a node invoke [updateNodeStatus](../Permissioning%20apis#quorumpermissionupdatenodestatus) API with action 3. Once blacklisted the node will never be able join the network again.
```
```javascript
> quorumPermission.getOrgDetails("ORG1.SUB1").nodeList
[{
orgId: "ORG1.SUB1",
@ -386,6 +401,7 @@ To blacklist a node invoke [updateNodeStatus](../Permissioning%20apis#quorumperm
url: "enode://eacaa74c4b0e7a9e12d2fe5fee6595eda841d6d992c35dbbcc50fcee4aa86dfbbdeff7dc7e72c2305d5a62257f82737a8cffc80474c15c611c037f52db1a3a7b@127.0.0.1:21005?discport=0"
}]
```
It should be noted that in the case of the `Raft` consensus mechanism, when the node is deactivated the peer id is lost and hence upon activation, the node needs to be added to Raft cluster again using `raft.addPeer` and the node should be brought up with new peer id.
Further:
@ -395,7 +411,7 @@ Further:
### Suspending an organization temporarily
If there is a need to temporarily suspend all activities of an organization [updateOrgStatus](../Permissioning%20apis#quorumpermissionupdateorgstatus) API can be invoked with action 1. This can be invoked only by the network admin accounts and will reuiqre majority voting.
```
```javascript
> quorumPermission.updateOrgStatus("ORG1", 1, {from: "0xed9d02e382b34818e88b88a309c7fe71e65f419d"})
"Action completed successfully"
> quorumPermission.orgList[2]
@ -409,8 +425,9 @@ If there is a need to temporarily suspend all activities of an organization [upd
ultimateParent: "ORG1"
}
```
To approve the org, suspension majority approval from other network admin accounts is required. The api for the same is [approveOrgStatus](../Permissioning%20apis#quorumpermissionapproveorgstatus). Once approved the org status is marked as suspended.
```
```javascript
> quorumPermission.approveOrgStatus("ORG1", 1, {from: "0xca843569e3427144cead5e4d5999a3d0ccf92b8e"})
"Action completed successfully"
> quorumPermission.orgList[2]
@ -424,12 +441,13 @@ To approve the org, suspension majority approval from other network admin accoun
ultimateParent: "ORG1"
}
```
When the org is suspended no transaction from any of the account linked to the organization or sub organizations under it is allowed. However, the nodes linked to the organization will be active and will be syncing with the network.
### Revoking suspension of an organization
To revoke the suspension of an org [updateOrgStatus](../Permissioning%20apis#quorumpermissionupdateorgstatus) can be called with action as 2. This will require majority approval (API [approveOrgStatus](../Permissioning%20apis#quorumpermissionapproveorgstatus) with action 2).
```
```javascript
> quorumPermission.updateOrgStatus("ORG1", 2, {from: "0xed9d02e382b34818e88b88a309c7fe71e65f419d"})
"Action completed successfully"
> quorumPermission.approveOrgStatus("ORG1", 2, {from: "0xed9d02e382b34818e88b88a309c7fe71e65f419d"})
@ -445,12 +463,13 @@ To revoke the suspension of an org [updateOrgStatus](../Permissioning%20apis#quo
ultimateParent: "ORG1"
}
```
Once the revoke is approved, all accounts in the organization and sub organization will be able to transact as per role level access.
### Assigning admin privileges at organization and network level
There may be a scenario where one of the accounts at the organization level needs to have network admin level permissions and be able to perform network admin activities. Similarly there can be a need to change the admin account at organization level. Both these activities can be performed by existing network admin accounts only, and will require majority approval from the network admin accounts. The API usage details are as below.
To assign network admin or org admin role to an account invoke [assignAdminRole](../Permissioning%20apis#quorumpermissionassignadminrole).
```
```javascript
> quorumPermission.assignAdminRole("ORG1", "0x0638e1574728b6d862dd5d3a3e0942c3be47d996", "ADMIN", {from: "0xed9d02e382b34818e88b88a309c7fe71e65f419d"})
"Action completed successfully"
> quorumPermission.acctList[3]
@ -462,8 +481,9 @@ To assign network admin or org admin role to an account invoke [assignAdminRole]
status: 1
}
```
To approve the assignment of network admin role invoke [approveAdminRole](../Permissioning%20apis#quorumpermissionapproveadminrole) API.
```
```javascript
> quorumPermission.approveAdminRole("ORG1", "0x0638e1574728b6d862dd5d3a3e0942c3be47d996", {from: eth.accounts[0]})
"Action completed successfully"
> quorumPermission.acctList[4]
@ -475,6 +495,7 @@ To approve the assignment of network admin role invoke [approveAdminRole](../Per
status: 2
}
```
The above account can now perform all activities allowable by a network admin account and can participate in the approval process for any actions at network level.

9
docs/Permissioning/setup.md
View File

@ -1,7 +1,9 @@
# Set up
The steps to enable new permissions model are as described below:
* For a new network, bring up the initial set of nodes which will be part of the network
## New network
* Bring up the initial set of nodes which will be part of the network
* Deploy the `PermissionsUpgradable.sol` in the network. The deployment of this contract will require a guardian account to be given as a part of deployment.
* Deploy the rest of the contracts. All the other contracts will require the address of `PermissionsUpgradable.sol` contract as a part of deployment.
* Once all the contracts are deployed create a file `permission-config.json` which will have the following construct:
@ -52,6 +54,7 @@ var intr = "0x4d3bfd7821e237ffe84209d8e638f9f309865b87" // address of the interf
## Migrating from an earlier version
The following steps needs to be followed when migrating from a earlier version for enabling permissions feature
* Bring down the running network in the earlier version.
* The `maxCodeSize` attribute in `genesis.json` need to be set to 35. Update `genesis.json` to reflect the same
```javascript
@ -70,5 +73,5 @@ The following steps needs to be followed when migrating from a earlier version f
* Bring up the network with latest geth and deploy the contracts as explained earlier in the set up. The rest of the steps will be similar to bringing up a new network
!!! Note
* It should be noted that the new permission model will be in force only when `permission-config.json` is present in data directory. If this file is not there and the node is brought up with `--permissioned` flag, node level permissions as per the earlier model will be effective.
* Please ensure that `maxCodeSize` in `genesis.json` is set to 35
* It should be noted that the new permission model will be in force only when `permission-config.json` is present in data directory. If this file is not there and the node is brought up with `--permissioned` flag, node level permissions as per the earlier model will be effective.
* Please ensure that `maxCodeSize` in `genesis.json` is set to 35