Transparency in Hyperledger Fabric - transparency

I'm aware that Hyperledger is suitable for businesses who care about their data confidentiality, but I'd like to use it for cases where data transparency matters too.
Question: In Hyperledger Fabric, can we set up our blockchain in a way that the public can read it, but only certificate holders can write to it (or send transactions to it)?

Yes. I just created a registered guest account. It still uses certs and the chaincode controls access. Set to read only for GUEST. Technically a query is a transaction. You could have the web app just login as guest when the page loads.
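The answer above describes the pattern rather than showing it: every caller, guest included, presents an X.509 certificate, and the chaincode decides what that identity may do. The following is an added example, not code from the question or the answer and not Fabric's own chaincode shim API: it models that decision in plain Go, deriving the role from the certificate's OU (Fabric's MSP classifies identities the same way; the "guest" OU value and the self-signed throwaway certificates are assumptions made so the example runs offline) and allowing queries for any valid certificate while refusing writes from a guest and refusing everything to a caller without a parseable certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Role is taken from the certificate's first OU. "guest" is an assumed value
// for the read-only identity the answer describes; "client" stands for a
// regular member identity.
type Role string

const (
	RoleGuest  Role = "guest"
	RoleMember Role = "client"
)

// Operation is what the chaincode is being asked to do. A query is still a
// transaction, it just carries no write set.
type Operation int

const (
	OpQuery Operation = iota
	OpWrite
)

// roleFromCert parses a PEM certificate and returns its first OU as the role.
// Any caller that cannot present a parseable certificate gets an error, i.e.
// is denied before the policy is even consulted.
func roleFromCert(certPEM []byte) (Role, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", errors.New("not a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	if len(cert.Subject.OrganizationalUnit) == 0 {
		return "", errors.New("certificate carries no OU")
	}
	return Role(cert.Subject.OrganizationalUnit[0]), nil
}

// authorize is the policy from the answer: anyone with a valid certificate
// may query; only non-guest identities may write.
func authorize(role Role, op Operation) bool {
	switch op {
	case OpQuery:
		return true
	case OpWrite:
		return role != RoleGuest
	}
	return false
}

// Decide is what a chaincode handler would call: certificate in, verdict out.
func Decide(certPEM []byte, op Operation) (bool, error) {
	role, err := roleFromCert(certPEM)
	if err != nil {
		return false, err
	}
	return authorize(role, op), nil
}

// selfSignedCert builds a throwaway certificate with the given OU so the
// example runs offline. On a real network the MSP's CA issues these.
func selfSignedCert(ou string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{
			CommonName:         ou + "@example.org", // constructed
			OrganizationalUnit: []string{ou},
		},
		NotBefore: time.Now().Add(-time.Hour),
		NotAfter:  time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	for _, ou := range []string{"guest", "client"} {
		certPEM, err := selfSignedCert(ou)
		if err != nil {
			panic(err)
		}
		q, _ := Decide(certPEM, OpQuery)
		w, _ := Decide(certPEM, OpWrite)
		fmt.Printf("OU=%-6s query=%v write=%v\n", ou, q, w)
	}
}
```

The point worth keeping from the answer is that "public read" here still means an authenticated guest: the web application logs in as the guest identity and the chaincode, not the client, enforces that the identity can only query. A caller with no certificate at all never reaches the policy.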

Hyperledger Fabric SDK Design/Role of the application

When using an application which utilizes a Hyperledger Fabric network, the application has an identity, e.g. a user identity. When invoking functions, the proposal has to be sent to and signed by all endorsing peers. The application needs to handle this whole process, so it has to have knowledge about the blockchain network/logic.
I think that this might not be a good design for an SDK. It would be better if the application connected to a peer and sent its invocation request to the connected peer. The peer would then handle all the blockchain logic, including the endorsement and the sending to the orderer.
E.g. Tendermint does it like this. The interface between application and blockchain then becomes thin and easy to work with.
Is this also possible with the Hyperledger Fabric SDK? E.g. assume there is an endorsement policy which states that two peers have to endorse a transaction. Is it possible to communicate with just one peer and let it automatically handle the whole transaction flow?
When invoking functions, the proposal has to be sent to and signed by all endorsing peers. The application needs to handle this whole process, so it has to have knowledge about the blockchain network/logic.
Yep, unfortunately, right now the application needs to code the endorsement policy logic inside of it.
Another problematic aspect is that it needs to be preconfigured with the endpoints of the peers.
However, not for long! Hopefully in v1.2 or v1.3 Fabric will have a service discovery mechanism in which the Fabric SDK would query peers for network metadata information, like where the other peers are running, and also for information like "given chaincode foo in channel bar, which peers should I ask for endorsements?"
And the application won't have to deal with all that infrastructure-level knowledge, and would focus only on business logic.

Composer Playground Profiles?

When you use Playground tied to a Connection Profile of your Fabric, meaning running Playground locally, you're able to deploy your own chaincode and issue identities. Since you do so as PeerAdmin, and you can manage your wallet with different identities, are those identities local? If I open the Playground from another device, I have the same wallet there, with PeerAdmin rights.
So, is it possible to run Playground with the same chaincode on different devices but with different roles, identities or wallets? In a similar fashion to how it is when you use the REST API with OAuth, where you can establish each participant as an identity, using the same API "address".
I guess it may be possible to run a local instance of Playground on another device and point its connection profile at the remote one, and then it would have a different wallet?
Playground uses a local credential store, by default stored in the user's home directory, which may be on the host, or inside a Docker container, depending how you are running Playground.
We are working on designs for how credentials can be imported/exported from Playground at the moment. You can follow progress here:
https://github.com/hyperledger/composer/issues/902

Manage Hyperledger Composer wallet

I have been trying to connect my Hyperledger Composer to my Bluemix instance with no visible result. In the process I accidentally overwrote my admin account with a different password.
Since there seems to be no visual way to control the users in the wallet, my question is: is there any way to manage the users inside a Hyperledger Composer wallet?
There is currently no way to visually manage wallets in the playground, other than to issue or add new identities.
The playground just uses local storage for identities in your wallet at the moment so, if it starts causing problems, you could try using a private browser window. (A different browser or entering localstorage.clear() in the browser console should also give you an empty wallet).
There are some ideas around for expanding identity management in the future. Have a look at issue 817 in the hyperledger composer repository if you're interested in finding out more.

Using OAuth for both development and production environments

I have seen other questions on SO about this (here, here, and here), but I am not satisfied with any of the solutions, so I am asking it again. I am starting a web application that will utilize OAuth from multiple providers (Google, Facebook, Twitter, Yahoo) for authentication. I am struggling to find a configuration suitable to use for both a local development environment and a production environment.
The leading solutions I've found are to register multiple apps within each provider, receiving a different consumer key and secret for each:
"My App Production" - with a callback URI to http://www.myapp.com/callback
"My App Development" - with a callback URI to http://local.myapp.com/callback
Add an entry to your local hosts file to point local.myapp.com to 127.0.0.1 and some configuration for your application to use the proper consumer keys based on the environment, and you are good to go, right?
But my application is responsive and I need to test my development environment running on my PC from multiple other devices, like my iPhone and iPad, neither of which will be able to resolve the development callback URI.
Let's say I already have a DNS server on my network and am able to add the entry for local.myapp.com there instead of my local hosts file and can now access my development instance from any device on the network.
But my development team all operates on the same local network. Now local.myapp.com points to the same IP for everyone. Let's go back to setting the hosts file on each developer's computer so that they can all work independently from within their workstation. Now no one can test their development instance from their iPhone again. It hardly seems like the right answer for each developer to register an application with the provider just so they can specify a unique callback URI.
Normally when I get way down in the weeds with a complicated solution for a seemingly straightforward issue, it usually means I'm doing something fundamentally wrong. Am I missing something about OAuth, is it not intended to be used like this? I am tempted to scrap OAuth altogether and just go with OpenID (no app registration required and can specify the callback URI from within the app), but then I lose two of the big hitters in Facebook and Twitter. I don't really need any of the user's data, it's just a nice to have if it's available. Can someone talk me back into OAuth?
I can't speak for FB or Twitter, but in Google's Oauth implementation you can register several oauth callback URLs. So you simply need some logic in your app which senses that it is in test mode, and then starts the Oauth flow with the appropriate callback URL. There are downsides, eg clashes between the live and the test refresh tokens, but they are manageable.
In my app I have a singleton which manages all of this. When my app needs to start an Oauth flow it calls the singleton with the request URL and any other salient data (eg. debug flag) and the singleton returns the correct callback URL, client ID etc.
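The answer above keeps the per-environment OAuth registrations behind a single chooser that takes the request and hands back the client ID and callback URL. This is an added example, not the answerer's singleton or any provider's SDK: it is written in Go and shows the two checks a practitioner wants in that chooser, namely that the environment defaults to development (so a missing variable can never pick the production client), and that the callback URL sent to the provider is selected by exact host match against the list registered for that environment, so a request that arrives on an unregistered host fails closed instead of starting a flow with a redirect the provider will reject or, worse, one the app did not intend. The hostnames `www.myapp.com`, `local.myapp.com` and `alice.dev.myapp.com` come from this thread; the client IDs, the environment-variable names and the authorization endpoint are constructed placeholders.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"os"
)

// ProviderApp is one application registered at one OAuth provider.
// The secret is deliberately not stored here: SecretEnvVar names the
// environment variable it is read from at call time.
type ProviderApp struct {
	ClientID     string
	SecretEnvVar string
	CallbackURLs []string // every redirect URI registered with the provider
}

// registry maps environment -> provider -> registered app.
// All client IDs and variable names are constructed placeholders.
var registry = map[string]map[string]ProviderApp{
	"production": {
		"google": {
			ClientID:     "prod-google-client-id.example",
			SecretEnvVar: "GOOGLE_CLIENT_SECRET_PROD",
			CallbackURLs: []string{"https://www.myapp.com/callback"},
		},
	},
	"development": {
		"google": {
			ClientID:     "dev-google-client-id.example",
			SecretEnvVar: "GOOGLE_CLIENT_SECRET_DEV",
			CallbackURLs: []string{
				"http://local.myapp.com/callback",
				"http://alice.dev.myapp.com/callback",
			},
		},
	},
}

// Environment reads APP_ENV and treats anything other than the exact string
// "production" as development, so a forgotten or mistyped variable can never
// silently select the production client and secret.
func Environment() string {
	if os.Getenv("APP_ENV") == "production" {
		return "production"
	}
	return "development"
}

// CallbackFor picks the registered callback URL whose host exactly matches
// the host the request came in on. No match means no flow is started.
func CallbackFor(env, provider, requestHost string) (ProviderApp, string, error) {
	app, ok := registry[env][provider]
	if !ok {
		return ProviderApp{}, "", fmt.Errorf("no %s app registered for %s", provider, env)
	}
	for _, cb := range app.CallbackURLs {
		u, err := url.Parse(cb)
		if err != nil {
			continue
		}
		if u.Host == requestHost {
			return app, cb, nil
		}
	}
	return app, "", errors.New("request host matches no registered callback URL")
}

// NewState returns a random, URL-safe state value for CSRF protection of the
// authorization response; the caller stores it in the session for comparison.
func NewState() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// AuthorizeURL assembles the redirect to the provider's authorization
// endpoint for the chosen client ID and callback.
func AuthorizeURL(authEndpoint, clientID, callback, state string) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", callback)
	q.Set("state", state)
	return authEndpoint + "?" + q.Encode()
}

func main() {
	env := Environment()
	app, cb, err := CallbackFor(env, "google", "alice.dev.myapp.com")
	if err != nil {
		fmt.Println("refusing to start flow:", err)
		return
	}
	state, _ := NewState()
	// Constructed endpoint; the real one comes from the provider's documentation.
	fmt.Println(AuthorizeURL("https://provider.example/o/oauth2/auth", app.ClientID, cb, state))
	fmt.Println("secret would be read from", app.SecretEnvVar)
}
```

The refresh-token clash the answer mentions follows from this layout too: tokens minted under the development client are stored and used only under the development client, so keying the token store by environment plus client ID keeps the two from being mixed.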
I posted the following answer about a rails app I wrote:
OAuth2 in development and production
It was a gem called figaro which did per env configs for google OAuth2.
I have yet to find a less manual approach that enables dev access to all concerned devices:
1. Assign each developer's machine a fixed IP through the local network's DHCP system based on their MAC address, or (less recommended) have them choose an IP and hope for the best
2. (optional*) Assign each developer's machine a DNS hostname in the local network based on that IP
3. Register an oauth entry for each developer on each provider with the hostname of the developer's machine.
4. Each developer configures their application to use their unique oauth dev tokens.
Assuming all the devices in the network rely on the same DHCP and DNS servers you'll then be able to visit alice.dev.myapp.com or bob.dev.myapp.com from any device on the network.
Note, you'd manage the oauth configuration for each and every other environment separately, but following the same approach.
There are likely tools to automate registering a developer's machine IP and hostname to ease that part of the puzzle. Registering the oauth config on each provider per dev is the most tedious step.
UPDATE
*You can skip the DNS part if you use a xip.io url e.g. 10.0.0.123.xip.io if you know Alice is 10.0.0.123, but you'd still want that IP to be fixed as you don't want to keep updating the url for the oauth tokens in step 4.

Is it possible to use a single Yammer API Key across multiple Networks

I have generated a Yammer API key within a network and the API key is working for reading/writing data across this network. But when I try to use the same API key to access data from a different network it shows an error:
unexpected token at 'Your network is not allowed to request an OAuth token for this Application'
Is the API key restricted to use on that particular network only? Is it possible to use a single API key more generally to retrieve data from other networks?
By default it is tied to your organisation. You need to publish the app to the app directory for it to be available for everyone. Are there only particular networks where you want it to work? This requires additional configuration on the Yammer side. A clunky workaround is to create app IDs in the other networks where you need to run your app and allow the user to select the appropriate one. It depends on what you are trying to do.
Note: verbatim copy from the Yammer Developer Network, as answered to my question here: https://www.yammer.com/yammerdevelopersnetwork/#/Threads/show?threadId=292877375