Solution - Access Control Issue

To explain how to handle access control, it is necessary to understand the two contracts "DataObject" and "AddressGroup" provided by this service.

  • AddressGroup

    AddressGroup is a group of addresses, as the name implies.

    It manages a group of specific addresses.

    A tree structure can be created with multiple AddressGroups.

  • DataObject

    A DataObject is an object that creates a one-to-one relationship between data that requires access control and a structure object.

    It does not record the actual data content in the field, but records the hash value of the data content.

  • conceptual image

    The conceptual image is as follows.
    Access control concept image

    Put simply, the read/write restrictions on a DataObject are managed by readerId and writerId; these IDs are keys into the AddressGroup contract.

    Both the DataObject contract and the AddressGroup contract are registered in the CNS provided by GMO, and have the following class configuration.

  • Detailed image

    Detailed image

Write Control

The flow of a data write operation is shown in the following sequence. (Several steps are abbreviated to make the overall picture easier to grasp.)

  • Write Sequence

    Image to be written

    The sky blue part is provided by this service, so implementation by the service provider is not necessary.

    Here's what the service provider needs to implement:

    • Calling the client API

      AltExecCnsAPI#sendData

      As specified by the API.

    • Implementation of the Ethereum Contract

      After proper validation, the API server calls the Contract prepared by the service provider with Contract, Function, and Parameter from the specified CNS [1.2].

      During this call, the service provider creates a DataObject with the logic in the contract and sets the Hash value [1.2.3].

    The service API records the uploaded data after the service provider's contract call is successfully completed [1.3] and confirms the Hash value for the specified object again.

    This double confirmation process has the following significance.

    • The service provider cannot set the Hash unilaterally while this service has not put the data in the data store.
    • This service cannot set the Hash value unilaterally either.

Read Control

The flow of a data read operation is shown in the following sequence. (Several steps are abbreviated to make the overall picture easier to grasp.)

  • Read Sequence

    Read image

    The sky blue part is provided by the framework of this service, so implementation by the service provider is not necessary.

    Here's what the service provider needs to implement:

    • Call client API

      AltExecCnsAPI#getData

      As specified by the API.

    • Implementation of Ethereum Contract

      After proper checking, the API server calls the Contract prepared by the service provider with Contract, Function, and Parameter from the specified CNS [1.2].

      The service provider implements a contract to return objectId(s) for fetching the data.

The service API confirms on the Contract whether or not the requesting user has access authority for the returned objectId(s) [1.4].

If the requesting user has read permission, we get the data from the data store. If there is no read permission we return an error.
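
The write and read flows above, as an added Python model (not code from this service or its contracts): it shows the writer-group check, the hash confirmation before data is stored, and the reader-group check. The class and method names, group ids and addresses are hypothetical, and SHA-256 and the rule that child-group members count as members of the parent group are assumptions.

```python
import hashlib

class AddressGroup:
    """Direct member addresses plus child groups (the tree structure)."""
    def __init__(self, members=(), children=()):
        self.members, self.children = set(members), list(children)

    def contains(self, addr):
        # Assumption: a member of a child group is also a member of the parent.
        return addr in self.members or any(c.contains(addr) for c in self.children)

class ServiceModel:
    """Off-chain model of the flows above; all names are hypothetical."""
    def __init__(self, groups):
        self.groups = groups  # groupId -> AddressGroup
        self.objects = {}     # objectId -> {readerId, writerId, hash}
        self.store = {}       # objectId -> bytes (the service's data store)

    def _in_group(self, group_id, addr):
        group = self.groups.get(group_id)
        return group is not None and group.contains(addr)

    def provider_set_hash(self, sender, object_id, reader_id, writer_id, data_hash):
        # [1.2.3] the provider's contract creates the DataObject and sets the hash.
        obj = self.objects.get(object_id) or {"readerId": reader_id, "writerId": writer_id}
        if not self._in_group(obj["writerId"], sender):
            raise PermissionError("sender is not in the writer group")
        obj["hash"] = data_hash
        self.objects[object_id] = obj

    def send_data(self, sender, object_id, reader_id, writer_id, data, claimed_hash):
        self.provider_set_hash(sender, object_id, reader_id, writer_id, claimed_hash)
        # [1.3] store the bytes only if they match the recorded hash (SHA-256 assumed).
        if hashlib.sha256(data).hexdigest() != self.objects[object_id]["hash"]:
            raise ValueError("DataObject hash does not match the uploaded data")
        self.store[object_id] = data

    def get_data(self, requester, object_id):
        # [1.4] read permission is resolved through the object's readerId.
        if not self._in_group(self.objects[object_id]["readerId"], requester):
            raise PermissionError("requester is not in the reader group")
        return self.store[object_id]

# Constructed sample: admins may write; staff (which includes admins) may read.
admins = AddressGroup(members={"0xadmin"})
staff = AddressGroup(members={"0xalice"}, children=[admins])
svc = ServiceModel({"g-read": staff, "g-write": admins})
report = b"quarterly report"
svc.send_data("0xadmin", "obj1", "g-read", "g-write", report, hashlib.sha256(report).hexdigest())
```
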
