Hyperledger Fabric RAM authentication - Blockchain as a Service

Before you call the BaaS API as a RAM user, you must grant the RAM user corresponding permissions by using your Alibaba Cloud account. In the authorization policy, an Alibaba Cloud Resource Name (ARN) is used as the unique identifier of the resource to authorize.

This topic describes how to use Alibaba Cloud Resource Names (ARN) in BaaS to authenticate users or user groups, grant RAM user accounts access to resources, and implement access authorization across cloud services. Make sure that you have read the RAM documentation and RAM API reference carefully before you use RAM to authorize the access to BaaS.

Hyperledger Fabric API operations

The following table describes the ARN format for different types of Hyperledger Fabric resources.


Resource type	ARN format
Consortium	acs:baas:$regionId:$accountId:consortium/$consortiumId
Organization	acs:baas:$regionId:$accountId:organization/$organizationId
Channel	acs:baas:*:$accountId:channel/$channelId
Chaincode	acs:baas:*:$accountId:chaincode/$chaincodeId

$regionId indicates the region ID of the resource. $accountId indicates the Alibaba Cloud Account ID of the resource owner. $consortiumId/$organizationId/$channelId/$chaincodeId indicates the of the resource in the blockchain service.

Note The channel and chaincode are global resources, and their regions must be "*".

Hyperledger Fabric API operations

The following table lists the default authorized API operations in the Hyperledger Fabric blockchain (RAM users and STS Token holders have default permissions).


API operation
CheckFabricConsortiumDomain
CheckFabricOrganizationDomain
DescribeTasks
DescribeRootDomain
DescribeFabricConsortiumConfig
DescribeFabricConsortiumSpecs
DescribeFabricOrganizationSpecs
DescribeFabricInviter
DescribeFabricChaincodeUploadPolicy
AcceptFabricInvitation

The following table lists Hyperledger Fabric API operations that can be authorized and the corresponding ARN formats.


API Operation	ARN format
CreateFabricOrganization	acs:baas:$regionId:$accountId:organization/*
DescribeFabricOrganization	acs:baas:$regionId:$accountId:organization/$organizationId
DescribeFabricOrganizationDeletable	acs:baas:$regionId:$accountId:organization/$organizationId
DescribeFabricOrganizations	acs:baas::$accountId:organization/
DescribeFabricCandidateOrganizations	acs:baas::$accountId:organization/
CreateFabricChannel	acs:baas::$accountId:channel/ acs:baas:$regionId:$accountId:consortium/$consortiumId
DescribeFabricOrganizationChannels	acs:baas:$regionId:$accountId:organization/$organizationId
DescribeFabricConsortiumChannels	acs:baas:$regionId:$accountId:consortium/$consortiumId
CreateFabricChannelMember	acs:baas:*:$accountId:channel/$channelId
DescribeFabricChannelMembers	acs:baas:*:$accountId:channel/$channelId
JoinFabricChannel	acs:baas:*:$accountId:channel/$channelId
CreateFabricConsortium	acs:baas:$regionId:$accountId:consortium/*
CreateFabricConsortiumMember	acs:baas:$regionId:$accountId:consortium/$consortiumId
ConfirmFabricConsortiumMember	acs:baas:$regionId:$accountId:consortium/$consortiumId
DescribeFabricOrganizationMembers	acs:baas:$regionId:$accountId:organization/$organizationId
DescribeFabricOrganizationPeers	acs:baas:$regionId:$accountId:organization/$organizationId
DescribeFabricConsortiums	acs:baas::$accountId:consortium/
DescribeFabricConsortiumAdminStatus	acs:baas::$accountId:consortium/
DescribeFabricConsortiumMembers	acs:baas:$regionId:$accountId:consortium/$consortiumId
DescribeFabricConsortiumMemberApproval	acs:baas:$regionId:$accountId:consortium/$consortiumId
DescribeFabricConsortiumOrderers	acs:baas:$regionId:$accountId:consortium/$consortiumId
DescribeFabricConsortiumDeletable	acs:baas:$regionId:$accountId:consortium/$consortiumId
CreateFabricChaincode	acs:baas::$accountId:chaincode/ acs:baas:*:$accountId:channel/$channelId acs:baas:$regionId:$accountId:consortium/$consortiumId acs:baas:$regionId:$accountId:organization/$organizationId
DescribeFabricOrganizationChaincodes	acs:baas:$regionId:$accountId:organization/$organizationId
DescribeFabricConsortiumChaincodes	acs:baas:$regionId:$accountId:consortium/$consortiumId
DeleteFabricChaincode	acs:baas:*:$accountId:chaincode/$chaincodeId
InstallFabricChaincode	acs:baas:*:$accountId:chaincode/$chaincodeId acs:baas:$regionId:$accountId:organization/$organizationId
InstantiateFabricChaincode	acs:baas:*:$accountId:chaincode/$chaincodeId acs:baas:$regionId:$accountId:organization/$organizationId
UpgradeFabricChaincode	acs:baas:*:$accountId:chaincode/$chaincodeId acs:baas:$regionId:$accountId:organization/$organizationId
SynchronizeFabricChaincode	acs:baas:*:$accountId:chaincode/$chaincodeId acs:baas:$regionId:$accountId:organization/$organizationId
CreateFabricOrganizationUser	acs:baas:$regionId:$accountId:organization/$organizationId
DescribeFabricOrganizationUsers	acs:baas:$regionId:$accountId:organization/$organizationId
ResetFabricOrganizationUserPassword	acs:baas:$regionId:$accountId:organization/$organizationId
DownloadFabricOrganizationSDK	acs:baas:$regionId:$accountId:organization/$organizationId
DescribeFabricInvitationCode	acs:baas:$regionId:$accountId:consortium/$consortiumId

Examples of Hyperledger Fabric RAM authorization rules

Example 1: Authorize BaaS to read-only operations. This type of permission allows the user to view the blockchain status through the console or API and download the SDK.

{
   "Statement": [{ 
       "Action": ["baas:Describe*","baas:DownloadFabricOrganizationSDK"],
       "Effect": "Allow",
       "Resource": "acs:baas:*:*:*"
   }],
   "Version": "1"
}

Example 2: Authorize BaaS to chaincode management operations, including uploading, installing, and instantiating chaincodes. This type of permission allows the user to manage all chaincodes through the console or API.

{
  "Statement": [{
     "Action": "baas:*Chaincode",
     "Effect": "Allow",
     "Resource": ["acs:baas:*:*:chaincode/*","acs:baas:*:*:organization/*", "acs:baas:*:*:consortium/*","acs:baas:*:*:channel/*"]
  }],
  "Version": "1"
}

Example 3: Chaincode development authorization. This permission usually requires all read-type operations and chaincode management operations of specific organizations. Based on the principle of minimum permission, the user must be restricted only to create chaincodes for specific consortia, organizations, and channels, and install or instantiate chaincodes in specific organizations. Replace $consortiumId/$organizationId/$channelId with the ID of the specific resource in the blockchain service.

{
 "Statement": [{
   "Action": ["baas:Describe*","baas:DownloadFabricOrganizationSDK"],
   "Effect": "Allow",
   "Resource": "acs:baas:*:*:*"
 },
 {
   "Action": "baas:*Chaincode",
   "Effect": "Allow",
   "Resource": ["acs:baas:*:*:chaincode/*","acs:baas:*:*:organization/$organizationId","acs:baas:*:*:consortium/$consortiumId","acs:baas:*:*:channel/$channelId"]
 }],
 "Version": "1"
}