Adding ACL to Hyperledger Composer Query - acl

According to the Hyperledger ACL documentation and ACL trading tutorial, ACLs can be used to add user access restrictions to certain assets and transactions within a Hyperledger Composer business network.
Can ACLs be implemented to restrict participant access to certain queries as well?

It's not possible to use ACLs to restrict the available pre-defined queries a participant can invoke, but ACL rules are applied to the results of queries, allowing you to restrict what information is returned from a query for a specific participant; i.e. the list of assets returned by a query is processed by the ACL rules and only those that are ALLOWED are added to the results returned.

Related

Accessing Tracking Records with the Consumer API

I'm currently working on a project where I would need to Read and possibly update information from tracking records. I haven't found anything in the Knowledge Base that refers to any kind of tracking record (LoanApp, Account, Share, etc) access through the API. Is it possible to read and or update fields in any of the tracking records?
There isn't much support for reading and updating tracking records (I'm assuming you mean SymXchange external tracking records) via the API. Updating, in particular, is not available.
For reading, one option may be to have the Banno Admin at the financial institution enable the Restricted Claim which is https://api.banno.com/consumer/claim/external_tracking_records (that's a scope name, not a URL). You'll want to read this page in the Authentication Framework docs: https://jackhenry.dev/open-api-docs/authentication-framework/overview/openidconnectoauth/
The gist is that the claim (when enabled by the admin at the FI, and also requested by your code) provides SymXchange external tracking records as part of the Identity Token.

How to get from Orion all subscriptions inserted by owners

I need to filter subscriptions by logged-in users (i.e. user_id or organization_id) in a generic context.
The requirements are that any user can manage (edit or delete) only their own subscriptions.
As far as I know, there aren't APIs to filter subscriptions by user ID, so how can I get from Orion all subscriptions inserted by owners?
Orion doesn't support the ownership concept in subscriptions. A possible workaround could be to use some descriptive field (in particular, the description field) and a PEP-like proxy using that information to implement a mechanism like the one you want.
At subscription creation time the proxy sets the description to the user issuing the creation request.
At subscription modification time, the proxy checks if the user issuing the update request matches the one in the description.
The proxy should forbid any attempt at setting/modifying the description field.
Not perfect, but it may suffice for your case. A proxy like that shouldn't be complex to implement in technologies like Node.js.
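The decision logic such a proxy would apply, as an added example that is not part of the answer above or of any FIWARE component. It assumes the proxy has already resolved the caller to a userId (for instance from a validated token) and can fetch the stored subscription from Orion before a PATCH or DELETE; the NGSIv2 paths /v2/subscriptions and /v2/subscriptions/{id} are Orion's. It goes one step beyond the answer by also filtering the listing so each user only sees their own subscriptions.

```javascript
'use strict';
// Hypothetical PEP-like proxy logic in front of Orion (example code, not a FIWARE component).
// Ownership is recorded in the NGSIv2 `description` field, which the proxy reserves for itself.

const SUB_PATH = /^\/v2\/subscriptions(?:\/([^/]+))?$/;

// Decides whether to forward a request. `userId` is the already-authenticated caller (assumed
// resolved by the proxy); `existing` is the subscription currently stored in Orion, or null.
// Returns { allow, status, body } where `body` is what should be forwarded to Orion.
function authorize(method, path, body, userId, existing) {
  const m = SUB_PATH.exec(path);
  if (!m || !userId) return { allow: false, status: 403 };
  const id = m[1];
  const clientSetsDescription =
    body != null && Object.prototype.hasOwnProperty.call(body, 'description');
  const isOwner = existing != null && existing.description === userId;

  if (method === 'POST' && !id) {
    // Creation: reject any client attempt to set description, then stamp the caller into it.
    if (clientSetsDescription) return { allow: false, status: 400 };
    return { allow: true, status: 201, body: { ...body, description: userId } };
  }
  if ((method === 'PATCH' || method === 'DELETE') && id) {
    // Modification/deletion: only the recorded owner, and description must stay untouched.
    // An unknown subscription is denied the same way, so existence is not revealed.
    if (!isOwner) return { allow: false, status: 403 };
    if (method === 'PATCH' && clientSetsDescription) return { allow: false, status: 400 };
    return { allow: true, status: 204, body };
  }
  if (method === 'GET' && id) {
    return isOwner ? { allow: true, status: 200 } : { allow: false, status: 403 };
  }
  return { allow: false, status: 405 };
}

// Listing: keep only the caller's subscriptions from Orion's GET /v2/subscriptions response.
function filterOwned(subscriptions, userId) {
  return subscriptions.filter((s) => s.description === userId);
}
```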

Hazelcast dynamic imap configuration propagation to members

If I have multiple Hazelcast cluster members using the same IMap and I want to configure the IMap in a specific manner programmatically, do I then need to have the configuration code in all the members, or should it be enough to have the configuration code just once in one of the members?
In other words, are the MapConfigs only member specific or cluster wide?
Why I'm asking is that Hazelcast documentation http://docs.hazelcast.org/docs/latest/manual/html-single/index.html#configuring-programmatically
says that
As dynamically added data structure configuration is propagated across
all cluster members, failures may occur due to conditions such as
timeout and network partition. The configuration propagation mechanism
internally retries adding the configuration whenever a membership
change is detected.
This gives me the impression that the configurations propagate.
Now if member A specifies a certain MapConfig for IMap "testMap", should member B see that config when it does
hzInstance.getConfig().findMapConfig("testMap") // or .getMapConfig("testMap")
In my testing B did not see the MapConfig done by A.
I also tried specifying at A mapConfig.setTimeToLiveSeconds(60), and at B mapConfig.setTimeToLiveSeconds(10).
It seemed that the items in the IMap that were owned by A were evicted in 60 seconds, while the items owned by B were evicted in 10 seconds. This supports the idea that each member needs to do the same configuration if I want consistent behaviour for the IMap.
Each member owns certain partitions of the IMap. A member's IMap configuration has effect only on its owned partitions.
So it is normal to see different TTL values of the entries of the same map in different members when they have different configurations.
As you said, all members should have the same IMap configuration to have cluster-wide persistent behavior.
Otherwise, each member will apply its own configuration to its own partitions.
But if you add a dynamic configuration as described here, then that configuration is propagated to all members and changes their behavior as well.
In brief, if you add the configuration before creating the instance, that is local configuration. But, if you add it after creating the instance, that is dynamic configuration and propagates to all members.

Obtaining a Pool ID to deploy OpenShift Origin

I'm trying to automate the deployment of OpenShift Origin into AWS, because it's a dependency of another product which I also need to deploy on demand. There are various solutions for this, but they all require a Pool ID at some point in the process. What is a Pool ID? I realise it's associated with a Redhat subscription, but can I script the generation of a Pool ID? And if so, is it necessary to treat it as a secret?
You can obtain the available subscription pools with:
subscription-manager list --available --pool-only
If you have many subscriptions, you can filter the result with the --matches option (the filter can contain a regex):
--matches=FILTER_STRING
lists only subscriptions or products containing the
specified expression in the subscription or product
information, varying with the list requested and the
server version (case-insensitive).

MySQL API - restricting records

It seems that MySQL provides some sort of API interface to it. I have never used it, but I think it would be an interesting feature if I could:
Specify which tables a user has access to
Restrict read, update, and delete operations only to records the users created (so an ownership concept needs to be supported)
Will the API support that? If not, are there any other solutions that might allow me to do so?
As the author of mysql-crud-api I can say that I understand your question. However, the permission rules regarding tables and/or users are application-specific and thus need to be configurable.
You may want to read about multitenancy. You may want to support multiple users, but the ownership and permissions may vary between applications. That is why I think the tool you are looking for does not exist.
In order to support multitenancy, mysql-crud-api supports a multi-database mode. You can use MySQL's built-in permission system to partition the database.
Not sure this helps you, as I do not know what you want to use it for.
I've used a MySQL API for python and it lets you directly interact with your databases by name (an empty string in the database name parameter will get you to your root database where you can create databases, grant all permissions, etc). You are able to execute sql queries directly on the database.
SQL is an API to a database; there are numerous other interfaces supported as well (either that compile into SQL or that use some other API).
Your question appears to be more about row-level permissioning than about a particular API. MySQL does not have a built-in permissioning system at the row level. A quick glance at the web (Google: "MySQL row level permissions") yields hits such as this.