Solution - Access Control Issue
To explain how to handle access control, it is necessary to understand the two contracts "DataObject" and "AddressGroup" provided by this service.
AddressGroup is a group of addresses, as the name implies.
It manages a group of specific addresses.
A tree structure can be created with multiple AddressGroups.
A DataObject is an object that creates a one-to-one relationship between data that requires access control and a structure object.
It does not record the actual data content in the field, but records the hash value of the data content.
The conceptual image is as follows.
Put simply, the read/write restrictions on a DataObject are managed by readerId and writerId. These IDs are keys into the AddressGroup contract.
Both the DataObject contract and the AddressGroup contract are registered in the CNS provided by GMO, and have the following class configuration.
The flow of a data write operation is shown in the following sequence. (Various details are abbreviated so that the overall picture is easier to grasp.)
The sky blue part is provided by this service, so implementation by the service provider is not necessary.
Here's what the service provider needs to implement:
Calling the client API
As specified by the API.
Implementation of the Ethereum Contract
After proper validation, the API server calls the Contract prepared by the service provider with Contract, Function, and Parameter from the specified CNS [1.2].
During this call, the service provider creates a DataObject with the logic in the contract and sets the Hash value [1.2.3].
The service API records the uploaded data after the service provider's contract call is successfully completed [1.3] and confirms the Hash value for the specified object again.
This double confirmation process has the following significance.
- The service provider cannot set the Hash unilaterally when this service has not put the data in the data store.
- This service cannot set the Hash value unilaterally either.
The flow of a data read operation is shown in the following sequence. (Various details are abbreviated so that the overall picture is easier to grasp.)
The sky blue part is provided by the framework of this service, so implementation by the service provider is not necessary.
Here's what the service provider needs to implement:
Calling the client API
As specified by the API.
Implementation of the Ethereum Contract
After proper checking, the API server calls the Contract prepared by the service provider with Contract, Function, and Parameter from the specified CNS [1.2].
The service provider implements a contract to return objectId(s) for fetching the data.
The service API confirms on the Contract whether or not the requesting user has access authority for the returned objectId(s) [1.4].
If the requesting user has read permission, we get the data from the data store. If there is no read permission, we return an error.
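
The write and read flows above, modelled in Python as an added example; this is not the service's contract or API code. The class and method names, the group ids, SHA-256 as the hash function, the writer-group check on updates, and reading "confirms the Hash value" as comparing the hash of the uploaded data with the hash on the DataObject are all assumptions.

```python
import hashlib

class AddressGroup:
    """Hypothetical model: addresses plus child groups; membership covers the subtree."""
    def __init__(self, members=(), children=()):
        self.members = set(members)
        self.children = list(children)

    def contains(self, address):
        return address in self.members or any(c.contains(address) for c in self.children)

class DataObject:
    """Holds the content hash and the two group keys, never the content itself."""
    def __init__(self, reader_id, writer_id, content_hash=None):
        self.reader_id, self.writer_id, self.hash = reader_id, writer_id, content_hash

def digest(data):
    return hashlib.sha256(data).hexdigest()  # assumption: the page names no hash function

class Service:
    def __init__(self, groups):
        # groups: group id -> AddressGroup; objects: contract state; store: data store
        self.groups, self.objects, self.store = groups, {}, {}

    def _allowed(self, address, group_id):
        group = self.groups.get(group_id)
        return group is not None and group.contains(address)

    def provider_set_hash(self, sender, object_id, reader_id, writer_id, content_hash):
        # Step [1.2.3]: the provider's contract creates the DataObject and sets the hash.
        obj = self.objects.get(object_id)
        if obj is None:
            obj = self.objects[object_id] = DataObject(reader_id, writer_id)
        elif not self._allowed(sender, obj.writer_id):
            raise PermissionError("sender is not in the writer group")
        obj.hash = content_hash

    def record_data(self, object_id, data):
        # Step [1.3]: the upload is kept only if it matches the hash on the object.
        obj = self.objects.get(object_id)
        if obj is None or obj.hash != digest(data):
            raise ValueError("uploaded data does not match the DataObject hash")
        self.store[object_id] = data

    def read(self, requester, object_id):
        # Step [1.4]: resolve readerId through AddressGroup before touching the store.
        obj = self.objects.get(object_id)
        if obj is None or not self._allowed(requester, obj.reader_id):
            raise PermissionError("no read permission")
        return self.store[object_id]
```

Neither side can complete a write alone in this model: a hash set by the provider has no data behind it until the service records a matching upload, and the service cannot record data whose hash the provider's contract did not set.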