-
Notifications
You must be signed in to change notification settings - Fork 212
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Move all identity APIs under /namespaces #804
Conversation
Codecov Report
@@ Coverage Diff @@
## main #804 +/- ##
=========================================
Coverage 100.00% 100.00%
=========================================
Files 301 300 -1
Lines 19743 19811 +68
=========================================
+ Hits 19743 19811 +68
Continue to review full report at Codecov.
|
Instead of broadcasting identities globally on the special "ff_system" namespace, they must now be registered on each namespace where you wish to use them. Signed-off-by: Andrew Richardson <andrew.richardson@kaleido.io>
Signed-off-by: Andrew Richardson <andrew.richardson@kaleido.io>
Signed-off-by: Andrew Richardson <andrew.richardson@kaleido.io>
Signed-off-by: Andrew Richardson <andrew.richardson@kaleido.io>
This functionality could come back at some point, but it needs to be done in some hierarchical fashion (without assuming there is a global "ff_system" namespace that always exists). Signed-off-by: Andrew Richardson <andrew.richardson@kaleido.io>
Signed-off-by: Andrew Richardson <andrew.richardson@kaleido.io>
Some fields are now only unique within a namespace. Signed-off-by: Andrew Richardson <andrew.richardson@kaleido.io>
5f0b28b
to
26fbb0b
Compare
Allow forward slash to be used in names so that applications can define their own DID types such as "person/john" and "division/acme". Disallow the reserved prefixes "org/" and "node/" on custom identities. Signed-off-by: Andrew Richardson <andrew.richardson@kaleido.io>
Signed-off-by: Andrew Richardson <andrew.richardson@kaleido.io>
Signed-off-by: Andrew Richardson <andrew.richardson@kaleido.io>
Signed-off-by: Andrew Richardson <andrew.richardson@kaleido.io>
I have a migration question @awrichar. Take this example:
With the migration approach you described, of disabling |
@peterbroadhurst I think the new member would have to join with |
internal/coreconfig/namespace.go
Outdated
// NamespaceName is a long description for a pre-defined namespace | ||
NamespaceDescription = "description" | ||
// NamespaceOrgKey is a default signing key for blockchain transactions within a namespace (overrides top-level org.key) | ||
NamespaceOrgKey = "org.key" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Per comments on the FIR, I think this should be in a multiparty.rootIdentity
(or similar) scoped sub-section of the config, in the new world.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yea, still an open discussion on exactly how to spell that. I think it does need to have "org" in the name though, since the root identity is ultimately always an org.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess the question is whether we want to merge this and go through a period of flux in main
, or hold it out until we close on the config design.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Seems like the discussion on the FIR has converged for now, so I've reworked the config here to match. Changes in the new commit:
- Replace "mode: multiparty" with "multiparty.enabled: true"
- Default to multiparty mode if org name or key is set
- Remove previously-deprecated "org.identity" root key
- Add new "defaultKey" config to namespaces (valid for both multiparty and gateway namespaces, overrides "multiparty.org.key" for signing)
Signed-off-by: Andrew Richardson <andrew.richardson@kaleido.io>
Signed-off-by: Andrew Richardson <andrew.richardson@kaleido.io>
Updated on top of the latest, and replaced the |
Signed-off-by: Andrew Richardson <andrew.richardson@kaleido.io>
Signed-off-by: Andrew Richardson <andrew.richardson@kaleido.io>
@@ -96,3 +96,16 @@ var batchPinEventABI = ABIElementMarshaling{ | |||
}, | |||
}, | |||
} | |||
|
|||
var networkVersionMethodABI = ABIElementMarshaling{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I note this might have a merge conflict with @nguyer who I believe is moving all of these to the firefly-signer/pkg/abi package.
... or if it doesn't then this is another place we should remove a duplicate interface definition.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
looks like this one is ready first - sorry @nguyer
Inputs: []ABIArgumentMarshaling{}, | ||
Outputs: []ABIArgumentMarshaling{ | ||
{ | ||
InternalType: "uint8", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wonder whether a bytes32
would be the most efficient option here, and using a semver
structure. uint8
gets stored as a unit256
anyway.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(added more discussion on this in a separate comment)
mux sync.Mutex | ||
address string | ||
fromBlock string | ||
networkVersion int |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note comment above over int
vs. semver. Probably an open discussion, rather than a proposal.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As I ramble with half-formed thoughts here... I wonder whether it's actually a network-options block, where we've reserved a byte for a version integer, but other contract implementations could express additional details in that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess I may be completely overthinking this, as fundamentally this is just a constructor argument with a getter on the contract. So any extensibility to other options might be contract specific.
I'm just feeling an extensibility worry, and wondering if there's some way to do something now that would give future-us some more flexibility for some (currently unknown) migration challenge ahead, that could avoid the need for another contract migration by allowing more options to be encoded in the existing contract without change.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think these are all good points, and probably worthy of a lengthy discussion in their own right. Perhaps if an int
is "good enough" for this PR, that discussion can be deferred to a follow-up issue or FIR? We can make a separate call on whether it's all part of 1.1 (and thus can break/replace all the logic here).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've opened #846 as a placeholder to continue this discussion.
Signed-off-by: Andrew Richardson <andrew.richardson@kaleido.io>
Signed-off-by: Andrew Richardson <andrew.richardson@kaleido.io>
- Replace "mode: multiparty" with "multiparty.enabled: true" - Default to multiparty mode if org name or key is set - Remove previously-deprecated "org.identity" root key - Add new "defaultKey" config to namespaces (valid for both multiparty and gateway namespaces, overrides "multiparty.org.key" for signing) Signed-off-by: Andrew Richardson <andrew.richardson@kaleido.io>
internal/identity/identitymanager.go
Outdated
orgKey = config.GetString(coreconfig.OrgIdentityDeprecated) | ||
if orgKey != "" { | ||
log.L(ctx).Warnf("The %s config key has been deprecated. Please use %s instead", coreconfig.OrgIdentityDeprecated, coreconfig.OrgKey) | ||
defaultKey := im.namespace.GetDefaultKey(namespace) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it's important that we do not use the defaultKey
in the case of a root org registration.
e.g. when I have an NS config like this:
defaultKey: 0xaaa
multiparty:
enabled: true
org:
name: bob
key: 0xbbb
Then my organization must be registered as 0xbbb
not 0xaaa
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Alright, pushed another commit to differentiate and ensure that the "register org" path only looks at the multiparty.org.key
, but all other paths should let defaultKey
take precedence.
- Replace "node owner org" terminology with "multiparty root org" - Use "default key" first in all identity resolution paths, then fall back to "root org key", except when registering the root org (which will always use the "root org key"). Signed-off-by: Andrew Richardson <andrew.richardson@kaleido.io>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍 - sorry this one turned got so intertwined with other things. Looks great
Part of hyperledger/firefly-fir#12
Summary
/namespaces/{ns}
ff_system
)ff_system
is deprecated (but existing identities saved onff_system
can be used to resolve identities in any namespace if network "V1" mode is in use)did:firefly:{identity}
.Network Rules V2
As noted above, the rules for FireFly multiparty networks are now versioned. As of now, the differences are:
ff_system
Note that the rules for V2 are still evolving and are planned to change further before the next minor release.
Notable API Changes
Most apps should not be broken by these changes - but usage of deprecated APIs should be corrected, and the migration steps below should be reviewed carefully.
The following top-level APIs are deprecated and replaced:
Note the addition of
/namespaces/{ns}/identities/{did}
in parallel with the existing/namespaces/{ns}/identities/{id}
- regex patterns ensure you can look up an identity by DID (if it starts withdid:
) or ID (if it does not).The following APIs are moved from the top-level to reside under
/namespaces/{ns}
:Because of the changes in #792, existing apps that query these URLs without a
/namespaces/{ns}
prefix will still work (they will just be hitting the default namespace instead of the legacyff_system
namespace).The
/status
API response is tweaked, so that instead of returning the default namespace indefaults.namespace
, it instead returns the name of the current namespace asnamespace
.Migration Steps
To migrate existing multi-party networks, the following steps are required:
ff_system
namespace, which will cause all parties to move onto the new contract (and therefore network "V2" rules), and stop using any identities that were previously broadcast onff_system
The migration is designed to work without a significant "freeze" on use of the system. All members should complete step 1 first, then steps 2-3 can be completed at any time while normal network operations continue. Once all members have performed the setup, usage of the network should be momentarily paused to execute step 4, which will move all members simultaneously to the new logic.
Breaking changes to note:
/network/nodes
and/network/organizations
endpoints will return empty result sets. Applications that rely on these APIs may need to query/namespaces/ff_system/network/nodes
and/namespaces/ff_system/network/organizations
in order to look up the legacy identities stored there.ff_system
.