I have been trying to set up a production Fabric network, and I would like to know whether there is a way to grant channel-level admin rights to a custom role. My first thought was to use NodeOUs, but as I understood from the question below, it is not possible to create custom NodeOUs;
The question above discusses using a different intermediate CA for each role and managing the access rules based on which intermediate CA the NodeOU (client, peer, admin, orderer) was enrolled from. Given my current architecture, that solution is too much work, so I am looking for a different one.
I think a custom organizational unit could be created like this:
    OrganizationalUnitIdentifiers:
      - Certificate: "cacerts/cacert.pem"
        OrganizationalUnitIdentifier: "COP"
    NodeOUs:
      Enable: false
      # For each identity classification that you would like to utilize, specify
      # an OU identifier.
      # You can optionally configure that the OU identifier must be issued by a specific CA
      # or intermediate certificate from your organization. However, it is typical to NOT
      # configure a specific Certificate. By not configuring a specific Certificate, you will be
      # able to add other CA or intermediate certs later, without having to reissue all credentials.
      # For this reason, the sample below comments out the Certificate field.
      ClientOUIdentifier:
        # Certificate: "cacerts/cacert.pem"
        OrganizationalUnitIdentifier: "OU_client"
      PeerOUIdentifier:
        # Certificate: "cacerts/cacert.pem"
        OrganizationalUnitIdentifier: "OU_peer"
      AdminOUIdentifier:
        # Certificate: "cacerts/cacert.pem"
        OrganizationalUnitIdentifier: "OU_admin"
      OrdererOUIdentifier:
        # Certificate: "cacerts/cacert.pem"
        OrganizationalUnitIdentifier: "OU_orderer"
Overall, what I want to know is whether, wherever I use the custom OU, I can use a signature policy like this:
    Admins:
      Type: Signature
      Rule: "OR('Org1.COP')"
Or whether there is another way to express a signature policy in terms of the affiliation supplied during identity registration, like this:
    fabric-ca-client register --id.name client1 --id.type client --id.affiliation department1 --id.secret client1pw
together with a signature policy like this:
    Admins:
      Type: Signature
      Rule: "OR('Org1.peer.department1')"
Any answer would be greatly appreciated. Thanks in advance.
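To make the mechanics behind the question concrete, here is an added example, not part of the question and not Fabric's own MSP code: a small Go model of how an MSP classifies the Subject OUs of a validated certificate against the NodeOUs block, and how a signature-policy principal is then matched against that identity. Two caveats are built in. First, the configtx policy DSL (`OR('Org1MSP.client')`) only accepts the role suffixes member, client, peer, admin and orderer after the MSP ID; the OU-valued principal in this model stands in for the separate ORGANIZATION_UNIT principal type of the MSP principal protobuf, which has no DSL syntax. Second, fabric-ca by default writes the identity type and the affiliation segments into the enrollment certificate's OU fields, so an affiliation such as department1 surfaces as a Subject OU in the same way as "COP" does here. The MSP ID Org1MSP, the function names Classify/Satisfies/AnyOf/Demo, and the constructed Subject are assumptions; the optional per-role Certificate (certifier) restriction is ignored because the posted config leaves it commented out.

```go
package main

import (
	"crypto/x509/pkix"
	"errors"
)

// NodeOUs mirrors the role identifiers of an MSP config.yaml. Assumption: the
// optional per-role Certificate restriction is ignored (the posted config leaves it unset).
type NodeOUs struct {
	Enable                       bool
	Client, Peer, Admin, Orderer string
}

// Principal is a simplified policy principal qualified by MSP ID: a role ("member",
// "client", "peer", "admin", "orderer") or a raw OU value. The OU form stands in for
// the ORGANIZATION_UNIT principal type, which the configtx policy DSL has no syntax for.
type Principal struct{ MSPID, Role, OU string }

// Identity is what the MSP keeps about a signer once its certificate chain validated.
type Identity struct {
	MSPID string
	OUs   []string // Subject OUs, in certificate order
	Role  string   // result of NodeOU classification
}

// Classify turns a validated certificate Subject into an Identity. With NodeOUs
// enabled the Subject must carry exactly one role OU; other OUs such as "COP" are
// kept but do not classify. With NodeOUs disabled every certificate is just a member.
func Classify(mspID string, subject pkix.Name, cfg NodeOUs) (Identity, error) {
	id := Identity{MSPID: mspID, OUs: subject.OrganizationalUnit}
	if !cfg.Enable {
		id.Role = "member"
		return id, nil
	}
	roles := map[string]string{cfg.Client: "client", cfg.Peer: "peer", cfg.Admin: "admin", cfg.Orderer: "orderer"}
	for _, ou := range id.OUs {
		if r, ok := roles[ou]; ok {
			if id.Role != "" {
				return id, errors.New("identity carries more than one role OU")
			}
			id.Role = r
		}
	}
	if id.Role == "" {
		return id, errors.New("identity carries no role OU")
	}
	return id, nil
}

// Satisfies checks one principal against a classified identity.
func Satisfies(p Principal, id Identity) bool {
	if p.MSPID != id.MSPID {
		return false
	}
	if p.OU == "" {
		return p.Role == "member" || p.Role == id.Role
	}
	for _, ou := range id.OUs {
		if ou == p.OU {
			return true
		}
	}
	return false
}

// AnyOf evaluates an OR(...) signature policy: satisfied once any principal is.
func AnyOf(ps []Principal, id Identity) bool {
	for _, p := range ps {
		if Satisfies(p, id) {
			return true
		}
	}
	return false
}

// Demo reproduces the posted setup: OU_client/OU_peer/... as role OUs and a
// certificate enrolled with both the role OU and the custom OU "COP". It reports
// whether OR('Org1MSP.client'), an OU principal for "COP" and OR('Org1MSP.peer')
// are satisfied by that identity.
func Demo() (clientOK, copOK, peerOK bool, err error) {
	cfg := NodeOUs{Enable: true, Client: "OU_client", Peer: "OU_peer", Admin: "OU_admin", Orderer: "OU_orderer"}
	// Constructed Subject of an enrolled client cert; a real one comes from cert.Subject.
	subject := pkix.Name{CommonName: "client1", OrganizationalUnit: []string{"OU_client", "COP"}}
	id, err := Classify("Org1MSP", subject, cfg)
	if err != nil {
		return
	}
	clientOK = AnyOf([]Principal{{MSPID: "Org1MSP", Role: "client"}}, id)
	copOK = AnyOf([]Principal{{MSPID: "Org1MSP", OU: "COP"}}, id)
	peerOK = AnyOf([]Principal{{MSPID: "Org1MSP", Role: "peer"}}, id)
	return
}
```

Running Demo shows the role principal for client and the OU principal for "COP" both matching the same identity while the peer role does not; Classify rejects a Subject that carries no role OU, or two of them, when NodeOUs is enabled, which is why a custom OU such as "COP" can only be added alongside the role OU, not instead of it.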