Before a RAM user can call Blockchain as a Service (BaaS) APIs, the Alibaba Cloud account must grant the RAM user permissions by creating an authorization policy. In the policy, the authorized resources are specified with Alibaba Cloud Resource Names (ARNs).

This topic provides the RAM authorization rules that BaaS uses with Resource Access Management (RAM) to authorize team or department members, grant cross-account access to resources, and grant permissions across cloud services. Before learning how to use RAM to authorize and access BaaS, make sure you have read the RAM product documentation and the RAM API documentation.

Authorizable Hyperledger Fabric resource types

When authorizing a RAM user, Hyperledger Fabric resources are described as follows:

Resource type   Resource description in the authorization policy
Consortium      acs:baas:$regionId:$accountId:consortium/$consortiumId
Organization    acs:baas:$regionId:$accountId:organization/$organizationId
Channel         acs:baas:*:$accountId:channel/$channelId
Chaincode       acs:baas:*:$accountId:chaincode/$chaincodeId

Here, $regionId is the region in which the resource is located, and $accountId is the Alibaba Cloud account ID of the resource owner. $consortiumId, $organizationId, $channelId and $chaincodeId are the IDs of the corresponding resources in BaaS.

Note: Channels and chaincodes are global resources, so their region must be "*".
</section>
<section class="section" id="section-jmn-qp9-ro8">
<h2 class="title sectiontitle" id="title-sa0-ltc-axs">Authorizable Hyperledger Fabric APIs</h2>
<p class="p" id="p-o06-or5-nxq">The following table lists the APIs that are authorized by default in Hyperledger Fabric blockchains (RAM users and STS token holders have permission to call them by default):</p>
<table class="table" id="table-ils-rpe-217">
<caption></caption>
<colgroup>
<col style="width:100%">
</colgroup>
<thead class="thead" id="thead-y3h-m0m-8g8">
<tr id="row-8lt-fa2-qcz">
<th class="entry" id="concept-1375180-entry-5r2-yq9-xqm">API</th>
</tr>
</thead>
<tbody class="tbody" id="tbody-scq-15c-fc6">
<tr id="row-f2n-5m2-7ry">
<td class="entry" id="entry-qji-d02-s0z">CheckFabricConsortiumDomain</td>
</tr>
<tr id="row-gik-6jm-jqj">
<td class="entry" id="entry-pq6-g2f-yrd">CheckFabricOrganizationDomain</td>
</tr>
<tr id="row-pbs-ms0-b59">
<td class="entry" id="entry-dlx-7gy-7h9">DescribeTasks</td>
</tr>
<tr id="row-dbu-fph-vx2">
<td class="entry" id="entry-0xo-oea-k35">DescribeRootDomain</td>
</tr>
<tr id="row-zq6-ipo-x4f">
<td class="entry" id="entry-0xo-oea-k35">DescribeFabricConsortiumConfig</td>
</tr>
<tr id="row-c1w-1n6-wfg">
<td class="entry" id="entry-0xo-oea-k35">DescribeFabricConsortiumSpecs</td>
</tr>
<tr id="row-uen-akc-eu2">
<td class="entry" id="entry-0xo-oea-k35">DescribeFabricOrganizationSpecs</td>
</tr>
<tr id="row-v9q-68j-54s">
<td class="entry" id="entry-nmq-hvt-l6j">DescribeFabricInviter</td>
</tr>
<tr id="row-ufl-cjb-hm2">
<td class="entry" id="entry-emm-x3o-u76">DescribeFabricChaincodeUploadPolicy</td>
</tr>
<tr id="row-web-dk8-tus">
<td class="entry" id="entry-emm-x3o-u76">AcceptFabricInvitation</td>
</tr>
</tbody>
</table>
<p class="p" id="p-dwx-of6-bzs">The following table lists the authorizable Hyperledger Fabric APIs and the resource descriptions each of them requires:</p>
<table class="table" id="table-izh-4h0-jce">
<caption></caption>
<colgroup>
<col style="width:36.63003663003663%">
<col style="width:63.369963369963365%">
</colgroup>
<thead class="thead" id="thead-8vz-ufo-lfd">
<tr id="row-qtm-pfw-ecp">
<th class="entry" id="concept-1375180-entry-vbu-q42-6wi">API</th>
<th class="entry" id="concept-1375180-entry-xpu-y2v-717">Resource description</th>
</tr>
</thead>
<tbody class="tbody" id="tbody-j7k-503-b6q">
<tr id="row-ylt-ofb-po0">
<td class="entry" id="entry-zxd-0mv-asp">CreateFabricOrganization</td>
<td class="entry" id="entry-1ik-pm9-lh7">acs:baas:$regionId:$accountId:organization/*</td>
</tr>
<tr id="row-wom-lav-om2">
<td class="entry" id="entry-zkj-vb2-huc">DescribeFabricOrganization</td>
<td class="entry" id="entry-r6h-rkj-u9t">acs:baas:$regionId:$accountId:organization/$organizationId</td>
</tr>
<tr id="row-9g2-6nf-3af">
<td class="entry" id="entry-z2d-v94-m11">DescribeFabricOrganizationDeletable</td>
<td class="entry" id="entry-qlx-nbe-vjc">acs:baas:$regionId:$accountId:organization/$organizationId</td>
</tr>
<tr id="row-4kx-wfq-9dv">
<td class="entry" id="entry-0ir-x0t-5lm">DescribeFabricOrganizations</td>
<td class="entry" id="entry-dss-mhb-tdv">acs:baas:*:$accountId:organization/*</td>
</tr>
<tr id="row-1zq-at0-aj8">
<td class="entry" id="entry-xqr-pfi-x7s">DescribeFabricCandidateOrganizations</td>
<td class="entry" id="entry-zsj-8nj-cz5">acs:baas:*:$accountId:organization/*</td>
</tr>
<tr id="row-ep5-7eu-x22">
<td class="entry" id="entry-18b-air-cdj">CreateFabricChannel</td>
<td class="entry" id="entry-8ua-2ey-e2y">acs:baas:*:$accountId:channel/*
<p class="p" id="p-b0s-mv7-jzw">acs:baas:$regionId:$accountId:consortium/$consortiumId</p>
</td>
</tr>
<tr id="row-faq-1et-z4v">
<td class="entry" id="entry-ext-5tc-o5s">DescribeFabricOrganizationChannels</td>
<td class="entry" id="entry-j55-z38-ofv">acs:baas:$regionId:$accountId:organization/$organizationId</td>
</tr>
<tr id="row-ojk-czo-9n4">
<td class="entry" id="entry-s6g-lus-let">DescribeFabricConsortiumChannels</td>
<td class="entry" id="entry-xl7-p6f-6cl">acs:baas:$regionId:$accountId:consortium/$consortiumId</td>
</tr>
<tr id="row-yvd-xks-1vd">
<td class="entry" id="entry-e39-jg7-gba">CreateFabricChannelMember</td>
<td class="entry" id="entry-6wp-6kd-67e">acs:baas:*:$accountId:channel/$channelId</td>
</tr>
<tr id="row-k4d-jht-vkg">
<td class="entry" id="entry-33b-0k9-qai">DescribeFabricChannelMembers</td>
<td class="entry" id="entry-569-4n9-hxj">acs:baas:*:$accountId:channel/$channelId</td>
</tr>
<tr id="row-f6y-6nn-7m9">
<td class="entry" id="entry-34v-x4u-03h">JoinFabricChannel</td>
<td class="entry" id="entry-u1j-8g8-uh6">acs:baas:*:$accountId:channel/$channelId</td>
</tr>
<tr id="row-3r9-8h2-uas">
<td class="entry" id="entry-x6x-acy-3jf">CreateFabricConsortium</td>
<td class="entry" id="entry-ln7-3tx-cie">acs:baas:$regionId:$accountId:consortium/*</td>
</tr>
<tr id="row-w74-vg4-667">
<td class="entry" id="entry-zcr-83d-grx">CreateFabricConsortiumMember</td>
<td class="entry" id="entry-vma-ad4-kjt">acs:baas:$regionId:$accountId:consortium/$consortiumId</td>
</tr>
<tr id="row-i4u-sge-fxq">
<td class="entry" id="entry-3gj-8ot-x3s">ConfirmFabricConsortiumMember</td>
<td class="entry" id="entry-xq5-r3a-r4q">acs:baas:$regionId:$accountId:consortium/$consortiumId</td>
</tr>
<tr id="row-5hw-vkb-0yh">
<td class="entry" id="entry-vb6-11h-2tz">DescribeFabricOrganizationMembers</td>
<td class="entry" id="entry-9gt-2bk-tk2">acs:baas:$regionId:$accountId:organization/$organizationId</td>
</tr>
<tr id="row-xjt-onf-qbc">
<td class="entry" id="entry-vez-587-34d">DescribeFabricOrganizationPeers</td>
<td class="entry" id="entry-iu8-rm5-ibo">acs:baas:$regionId:$accountId:organization/$organizationId</td>
</tr>
<tr id="row-3o9-2bl-5n4">
<td class="entry" id="entry-y28-ujs-83t">DescribeFabricConsortiums</td>
<td class="entry" id="entry-yjk-26x-uha">acs:baas:*:$accountId:consortium/*</td>
</tr>
<tr id="row-s87-j8l-204">
<td class="entry" id="entry-bnv-9qt-p94">DescribeFabricConsortiumAdminStatus</td>
<td class="entry" id="entry-2rl-re3-ru8">acs:baas:*:$accountId:consortium/*</td>
</tr>
<tr id="row-o6k-hr0-iwg">
<td class="entry" id="entry-zek-5uv-yjg">DescribeFabricConsortiumMembers</td>
<td class="entry" id="entry-d58-5ky-v8x">acs:baas:$regionId:$accountId:consortium/$consortiumId</td>
</tr>
<tr id="row-i48-in8-9yk">
<td class="entry" id="entry-l4a-fvf-xpc">DescribeFabricConsortiumMemberApproval</td>
<td class="entry" id="entry-c4b-vp4-a2m">acs:baas:$regionId:$accountId:consortium/$consortiumId</td>
</tr>
<tr id="row-c1l-zgb-1ig">
<td class="entry" id="entry-2m1-e71-xm8">DescribeFabricConsortiumOrderers</td>
<td class="entry" id="entry-259-lti-ryd">acs:baas:$regionId:$accountId:consortium/$consortiumId</td>
</tr>
<tr id="row-1ao-z23-vsj">
<td class="entry" id="entry-xjv-8a1-wgy">DescribeFabricConsortiumDeletable</td>
<td class="entry" id="entry-inj-t2m-rfp">acs:baas:$regionId:$accountId:consortium/$consortiumId</td>
</tr>
<tr id="row-4pv-mec-pzi">
<td class="entry" id="entry-cf5-yul-yg8">CreateFabricChaincode</td>
<td class="entry" id="entry-lr7-jgm-ylo">acs:baas:*:$accountId:chaincode/*
<p class="p" id="p-bm3-03j-jfe">acs:baas:*:$accountId:channel/$channelId</p>
<p class="p" id="p-ogf-mzc-cwe">acs:baas:$regionId:$accountId:consortium/$consortiumId</p>
<p class="p" id="p-4vp-qil-kvk">acs:baas:$regionId:$accountId:organization/$organizationId</p>
</td>
</tr>
<tr id="row-ed6-bim-wff">
<td class="entry" id="entry-48z-inj-atr">DescribeFabricOrganizationChaincodes</td>
<td class="entry" id="entry-eho-pft-6ql">acs:baas:$regionId:$accountId:organization/$organizationId</td>
</tr>
<tr id="row-g4y-cnd-m51">
<td class="entry" id="entry-khr-rl2-9h4">DescribeFabricConsortiumChaincodes</td>
<td class="entry" id="entry-wnb-ssx-2ul">acs:baas:$regionId:$accountId:consortium/$consortiumId</td>
</tr>
<tr id="row-ioe-7lg-nge">
<td class="entry" id="entry-lgk-1cx-hds">DeleteFabricChaincode</td>
<td class="entry" id="entry-ull-dlo-xx0">acs:baas:*:$accountId:chaincode/$chaincodeId</td>
</tr>
<tr id="row-7zr-45j-8jc">
<td class="entry" id="entry-agp-fm9-py2">InstallFabricChaincode</td>
<td class="entry" id="entry-281-d7h-sjv">acs:baas:*:$accountId:chaincode/$chaincodeId
<p class="p" id="p-q9h-tvx-zah">acs:baas:$regionId:$accountId:organization/$organizationId</p>
</td>
</tr>
<tr id="row-rem-u7e-ym4">
<td class="entry" id="entry-w3w-7xu-tqv">InstantiateFabricChaincode</td>
<td class="entry" id="entry-u87-bvv-ewk">acs:baas:*:$accountId:chaincode/$chaincodeId
<p class="p" id="p-bo7-zhf-u82">acs:baas:$regionId:$accountId:organization/$organizationId</p>
</td>
</tr>
<tr id="row-w3c-rgy-ex4">
<td class="entry" id="entry-8rt-t2q-tps">UpgradeFabricChaincode</td>
<td class="entry" id="entry-rpe-rdc-pwc">acs:baas:*:$accountId:chaincode/$chaincodeId
<p class="p" id="p-r4d-u7s-qmz">acs:baas:$regionId:$accountId:organization/$organizationId</p>
</td>
</tr>
<tr id="row-uqe-k8l-t3s">
<td class="entry" id="entry-l4g-1cq-evh">SynchronizeFabricChaincode</td>
<td class="entry" id="entry-raq-lmz-uch">acs:baas:*:$accountId:chaincode/$chaincodeId
<p class="p" id="p-wxi-svs-a5s">acs:baas:$regionId:$accountId:organization/$organizationId</p>
</td>
</tr>
<tr id="row-myo-5ra-asw">
<td class="entry" id="entry-02y-hbc-w6y">CreateFabricOrganizationUser</td>
<td class="entry" id="entry-yvu-hog-v86">acs:baas:$regionId:$accountId:organization/$organizationId</td>
</tr>
<tr id="row-e8b-92p-xbi">
<td class="entry" id="entry-27o-o3l-3in">DescribeFabricOrganizationUsers</td>
<td class="entry" id="entry-tww-y20-mic">acs:baas:$regionId:$accountId:organization/$organizationId</td>
</tr>
<tr id="row-poy-1qa-o90">
<td class="entry" id="entry-a4t-3z2-k27">ResetFabricOrganizationUserPassword</td>
<td class="entry" id="entry-t40-9xu-078">acs:baas:$regionId:$accountId:organization/$organizationId</td>
</tr>
<tr id="row-hb4-4xd-24o">
<td class="entry" id="entry-m3w-1ua-u55">DownloadFabricOrganizationSDK</td>
<td class="entry" id="entry-c50-erw-k4k">acs:baas:$regionId:$accountId:organization/$organizationId</td>
</tr>
<tr id="row-76p-rka-wky">
<td class="entry" id="entry-ii2-kqc-v4l">DescribeFabricInvitationCode</td>
<td class="entry" id="entry-des-p0p-qbe">acs:baas:$regionId:$accountId:consortium/$consortiumId</td>
</tr>
</tbody>
</table>
</section>
<section class="section" id="section-ko0-gzr-w3r">
<h2 class="title sectiontitle" id="title-rpo-fiw-yen">Hyperledger Fabric RAM policy examples</h2>
<p class="p" id="p-a0a-wtk-zvf">Example 1: Grant read-only operations on the BaaS service. This type of permission allows a user to view blockchain status and download the SDK through the console or API.</p>
<pre class="pre codeblock" id="codeblock-1ns-hgc-4iv"><code>{
  "Statement": [{
    "Action": ["baas:Describe*", "baas:DownloadFabricOrganizationSDK"],
    "Effect": "Allow",
    "Resource": "acs:baas:*:*:*"
  }],
  "Version": "1"
}</code></pre>
<p class="p">Example 2: Grant chaincode management operations (upload, install, instantiate, and so on). This type of permission allows a user to manage all chaincodes through the console or API.</p>
<pre class="pre codeblock"><code>{
  "Statement": [{
    "Action": "baas:*Chaincode*",
    "Effect": "Allow",
    "Resource": [
      "acs:baas:*:*:chaincode/*",
      "acs:baas:*:*:organization/*",
      "acs:baas:*:*:consortium/*",
      "acs:baas:*:*:channel/*"
    ]
  }],
  "Version": "1"
}</code></pre>
<p class="p" id="p-w4f-jys-x5b">Example 3: Finer-grained authorization for a chaincode developer. This role usually needs all read operations plus chaincode management operations on a specific organization. Following the principle of least privilege, the user is allowed to create chaincodes only for the specified consortium, organization and channel, and to install, instantiate and otherwise manage chaincodes only on the specified organization. Replace <code class="ph codeph" id="codeph-jb1-5ue-sw6">$consortiumId/$organizationId/$channelId</code> below with the IDs of the corresponding resources in BaaS.
</p>
<pre class="pre codeblock" id="codeblock-rly-ikp-fgk"><code>{
  "Statement": [{
    "Action": ["baas:Describe*", "baas:DownloadFabricOrganizationSDK"],
    "Effect": "Allow",
    "Resource": "acs:baas:*:*:*"
  }, {
    "Action": "baas:*Chaincode*",
    "Effect": "Allow",
    "Resource": [
      "acs:baas:*:*:chaincode/*",
      "acs:baas:*:*:organization/$organizationId",
      "acs:baas:*:*:consortium/$consortiumId",
      "acs:baas:*:*:channel/$channelId"
    ]
  }],
  "Version": "1"
}</code></pre>
</section>
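<p class="p">The following Python script is an added example; it is not Alibaba Cloud code and was not part of the original topic. It ties the two halves of this topic together: it builds ARNs in the form given in the resource-type table, enforcing the rule that channels and chaincodes are global resources whose region segment must be <code class="ph codeph">*</code>, and it evaluates the example 3 policy against sample API calls using the per-API resource lists from the API table (a subset of that table). The evaluator is a deliberately simplified model of RAM matching (Allow statements and <code class="ph codeph">*</code> wildcards only; no Deny statements, no conditions) and is not the RAM engine. The account ID, region and resource IDs are constructed sample values.</p>

```python
import fnmatch
import json

# Per the note on resource types: channels and chaincodes are global, region is "*".
GLOBAL_RESOURCE_TYPES = {"channel", "chaincode"}


def baas_arn(resource_type, account_id, resource_id, region_id=None):
    """Build acs:baas:$regionId:$accountId:<type>/<id>; a concrete region on a
    global resource is rejected so the mistake surfaces at policy-writing time."""
    if resource_type in GLOBAL_RESOURCE_TYPES:
        if region_id not in (None, "*"):
            raise ValueError(f"{resource_type} is global; region must be '*'")
        region_id = "*"
    elif region_id is None:
        raise ValueError(f"{resource_type} is regional; region_id is required")
    return f"acs:baas:{region_id}:{account_id}:{resource_type}/{resource_id}"


def arn_matches(pattern, arn):
    """Segment-wise '*' match over acs:baas:<region>:<account>:<type>/<id>."""
    pat, val = pattern.split(":", 4), arn.split(":", 4)
    return len(pat) == len(val) == 5 and all(
        fnmatch.fnmatchcase(v, p) for p, v in zip(pat, val))


def is_allowed(policy, action, resource_arns):
    """Simplified RAM model (Allow statements and '*' wildcards only, no Deny or
    conditions): every touched resource needs a statement matching action and ARN."""
    as_list = lambda v: v if isinstance(v, list) else [v]
    allows = [s for s in policy["Statement"] if s.get("Effect") == "Allow"]
    return all(
        any(any(fnmatch.fnmatchcase(action, a) for a in as_list(s["Action"]))
            and any(arn_matches(r, arn) for r in as_list(s["Resource"]))
            for s in allows)
        for arn in resource_arns)


# Resources each API touches, copied from the API table above (a subset).
API_RESOURCES = {
    "DescribeFabricOrganization": ("organization",),
    "DownloadFabricOrganizationSDK": ("organization",),
    "CreateFabricOrganization": ("organization",),
    "InstallFabricChaincode": ("chaincode", "organization"),
    "CreateFabricChaincode": ("chaincode", "channel", "consortium", "organization"),
}


def request_arns(api, ctx):
    """ARNs an API call touches; ctx maps resource type -> id ("*" if not created yet)."""
    return [baas_arn(t, ctx["account"], ctx.get(t, "*"),
                     None if t in GLOBAL_RESOURCE_TYPES else ctx["region"])
            for t in API_RESOURCES[api]]


# Example 3 from this page with constructed sample ids substituted.
CHAINCODE_DEVELOPER_POLICY = json.loads("""{
  "Statement": [
    {"Action": ["baas:Describe*", "baas:DownloadFabricOrganizationSDK"],
     "Effect": "Allow", "Resource": "acs:baas:*:*:*"},
    {"Action": "baas:*Chaincode*", "Effect": "Allow",
     "Resource": ["acs:baas:*:*:chaincode/*",
                  "acs:baas:*:*:organization/org-sample-1",
                  "acs:baas:*:*:consortium/consortium-sample-1",
                  "acs:baas:*:*:channel/channel-sample-1"]}
  ],
  "Version": "1"
}""")


def check_developer_policy():
    """Evaluate the least-privilege claims the text makes for example 3."""
    own = {"account": "1234567890", "region": "cn-hangzhou",
           "organization": "org-sample-1", "consortium": "consortium-sample-1",
           "channel": "channel-sample-1", "chaincode": "cc-sample-1"}
    other_org = dict(own, organization="org-sample-2")
    other_channel = dict(own, channel="channel-sample-2")

    def allowed(api, ctx):
        return is_allowed(CHAINCODE_DEVELOPER_POLICY, "baas:" + api,
                          request_arns(api, ctx))

    return {
        "read_any_organization": allowed("DescribeFabricOrganization", other_org),
        "download_own_sdk": allowed("DownloadFabricOrganizationSDK", own),
        "install_on_own_org": allowed("InstallFabricChaincode", own),
        "install_on_other_org": allowed("InstallFabricChaincode", other_org),
        "create_chaincode_in_scope": allowed("CreateFabricChaincode", own),
        "create_chaincode_other_channel": allowed("CreateFabricChaincode", other_channel),
        "create_organization": allowed("CreateFabricOrganization", own),
        # A channel pattern written with a concrete region never matches a channel ARN.
        "regional_channel_pattern_matches": arn_matches(
            "acs:baas:cn-hangzhou:*:channel/channel-sample-1",
            baas_arn("channel", "1234567890", "channel-sample-1")),
    }


if __name__ == "__main__":
    print(json.dumps(check_developer_policy(), indent=2))
```

<p class="p">Running the script prints, for each claim, whether the developer policy allows it: describing any organization, downloading the SDK, and installing or creating chaincode within the specified organization, consortium and channel are allowed, while installing on another organization, creating chaincode on another channel, or creating an organization are denied. In this model the <code class="ph codeph">chaincode/*</code> entry alone grants nothing useful for a creation call; the scope comes from the organization, consortium and channel ARNs that the same call must also match. The last check shows why the note about global resources matters: a channel pattern written with a concrete region never matches a channel ARN, so such a statement silently grants nothing.</p>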

</div>
</article>
</main>