calimero-network / core

Calimero 2.0
https://calimero-network.github.io/

ACL Policies #180

Open chefsale opened 7 months ago

chefsale commented 7 months ago

Overview

Access Control Lists (ACLs) in the Calimero Network manage permissions for peers within a defined context. Peers are entities that interact with the network and can perform specific actions based on the permissions granted to them. ACLs ensure that each peer has the appropriate rights to perform operations within a context, providing a secure and organized approach to access management.

Objectives

- Provide a mechanism for defining and managing permissions for peers within various contexts.
- Define ACLs at the time of peer invitation to establish initial permissions.
- Ensure security by controlling peer actions based on their assigned permissions.
- Support dynamic and flexible access management tailored to different operational scopes.

Example of ACLs structure

ACLs are created during peer invitation and can be updated as needed. The structure of an ACL includes:

- Context Identifier: Unique ID representing the context in which the ACL applies.
- Peer Identifier: Unique ID for the peer to which the ACL is assigned.
- Actions: List of actions the peer is permitted to perform within the context.
- Conditions: Optional constraints or conditions under which actions can be executed.

```json
{
  "contextId": "project-alpha",
  "peerId": "peer-789",
  "actions": [
    "readData",
    "submitTransaction",
    "executeCommand"
  ],
  "conditions": {
    "timeLimit": "2024-12-31",
    "ipRestrictions": ["192.168.1.10"]
  }
}
```

Dynamic ACL Updates

- Modification: ACLs can be updated at any time to reflect changes in permissions or context. This includes adding, removing, or altering actions and conditions.
- Propagation: Changes to ACLs should be enforced promptly across the network.
- Audit and Log: All ACL modifications should be logged for auditing purposes, ensuring traceability and accountability.

Dependencies:
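As an added example (not code from the Calimero project), the following Rust sketch evaluates an ACL entry of the shape shown in the issue as a default-deny check. The names `Acl`, `Conditions`, `Request` and `is_permitted` are assumptions; dates are compared as YYYY-MM-DD strings and the source address is matched exactly against `ipRestrictions`.

```rust
// Added example (not Calimero's own code). `Acl`, `Conditions`, `Request`
// and `is_permitted` are assumed names chosen for illustration.
use std::collections::HashSet;

/// Optional constraints from the "conditions" object.
#[derive(Debug, Default)]
pub struct Conditions {
    /// YYYY-MM-DD; the entry is valid up to and including this day.
    pub time_limit: Option<String>,
    /// Source addresses allowed to use the entry; empty means no restriction.
    pub ip_restrictions: Vec<String>,
}

/// One ACL entry: a peer's permitted actions within a context.
#[derive(Debug)]
pub struct Acl {
    pub context_id: String,
    pub peer_id: String,
    pub actions: HashSet<String>,
    pub conditions: Conditions,
}

/// An attempted operation, with the evaluation date supplied by the caller
/// so the check is deterministic.
#[derive(Clone, Copy)]
pub struct Request<'a> {
    pub context_id: &'a str,
    pub peer_id: &'a str,
    pub action: &'a str,
    pub source_ip: &'a str,
    pub today: &'a str, // YYYY-MM-DD, so plain string ordering is date ordering
}

/// Default deny: the entry must match the peer/context pair, grant the
/// action, and every condition must hold.
pub fn is_permitted(acl: &Acl, req: &Request<'_>) -> bool {
    if acl.context_id != req.context_id || acl.peer_id != req.peer_id {
        return false; // entry does not apply to this peer in this context
    }
    if !acl.actions.contains(req.action) {
        return false; // action not granted
    }
    if let Some(limit) = &acl.conditions.time_limit {
        if req.today > limit.as_str() {
            return false; // past timeLimit
        }
    }
    let ips = &acl.conditions.ip_restrictions;
    if !ips.is_empty() && !ips.iter().any(|ip| ip == req.source_ip) {
        return false; // source address not in ipRestrictions
    }
    true
}

/// The entry from the issue text, constructed inline as sample input.
pub fn sample_acl() -> Acl {
    Acl {
        context_id: "project-alpha".into(),
        peer_id: "peer-789".into(),
        actions: ["readData", "submitTransaction", "executeCommand"]
            .iter().map(|s| s.to_string()).collect(),
        conditions: Conditions {
            time_limit: Some("2024-12-31".into()),
            ip_restrictions: vec!["192.168.1.10".into()],
        },
    }
}
```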

fbozic commented 3 months ago

This needs more research. I'm not even sure if this is going to be implemented on the network level. I think we might do it on the runtime level.