Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SPIKE: manual connection to Endorser for tenants #110

Closed
esune opened this issue Aug 31, 2023 · 2 comments
Closed

SPIKE: manual connection to Endorser for tenants #110

esune opened this issue Aug 31, 2023 · 2 comments

Comments

@esune
Copy link
Member

esune commented Aug 31, 2023

As part of our plan to move Traction to production use, we need the process of connecting to an endorser to be:

  1. configurable: each tenant will decide which endorser they want to connect to, based on permissions (Select which Ledger/Endorser to connect to - Tenant UI traction#681)
  2. controllable: the endorser will be able to gate access to functionality based on allow-lists (Granular endorser configuration hyperledger/aries-endorser-service#32)

As a mitigation plan for #2 while the solution is implemented, the use of NetworkPolicies to limit ingress traffic to the Endorser instances. The work is being tracked here: #100
A concern being raised is this this approach would require private endpoints to be published to the ledger, since the discovery of the endorser agent happens by public DID, and this would not be desirable.

A stop-gap option that could allow us to move forward without having to implement temporary ad-hoc patches, would be to manually set-up the connection to the endorser agent, since this is a one-time procedure and it will likely only be necessary for one or two agents at most.

  • Traction determines if the agent is connected to an endorser by the connection alias, specified at deployment time.
  • Not including the endorser public DID will prevent tenants from initiating a connection request.
  • Manually accepting a connection request from the endorser in the Traction tenant using the expected alias, and setting the connection metadata role as author for the tenant (this is what the Traction plug-in is doing), should result in an active connection with the endorser being recognized by the tenant.
  • Endorsement of publishing the DID as well as creating a schema should work seamlessly assuming the appropriate configuration flags were set at the endorser level.

The ticket is to evaluate and validate that this approach would work and be a feasible temporary alternative in production until the granular endorser configuration work is completed and deployed.
@WadeBarnes
Copy link
Member

Scripts to automate the manual connection between author and endorser can be found here:

The scripts are well documented and contain links to the "official" documentation on the subject. These can be used, at least, to inform the process. The scripts initiate the connection between the author and endorser and then configure the endorser settings at the connection level, allowing the settings at the global level to remain manual/private.

@esune
Copy link
Member Author

esune commented Oct 18, 2023

Closing, done as part of bcgov/traction#797

@esune esune closed this as completed Oct 18, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@esune @WadeBarnes