Set up Traction Contractor Credential Issuers for CSB/CDT #95
Comments
|
From meeting discussion for onboarding steps |
|
For technical contacts, are we limited to a single contact, or can we have multiple? |
|
@loneil, What documentation (steps) need to be followed in order to request the tenant for CSB. |
|
@loneil, Once we have answers to enough of the questions to created the CDT tenants, we should walk through that together with @HemanthKona so he has an overview of what needs to be done with the CSB tenant. |
|
There are no endorser rules configured for CANdy |
|
Details on defining and publishing rules can be found here; https://github.com/hyperledger/aries-endorser-service?tab=readme-ov-file#granular-configuration-of-auto-endorsement The related API docs (for |
On the actual Tenant record in Traction there's just the 1. It's set to the email who requested the tenant and that fills into a "Contact Email" that can be changed through the management UI after it's created if need be.
It's self-serve so I think should prompted through well enough by just going to the Tenant UI and starting the process, then there's emails sent to the requester confirming with details about next steps, and an email saying what to do once the approval happens. We don't have step by step documentation for this on devhub, may want to add that, or maybe the process is self-documented enough.
Sounds good
Yeah this part I wasn't sure of yet? Will the allow list for transactions here be on the DID, or specific to the particular schema or cred def. |
This is where I was going to start my work, fleshing out the rules for both agents and submitting a draft PR pending the details needed for the rules. |
- Details can be found in bcgov/DITP#95 Signed-off-by: Wade Barnes <[email protected]>
|
Draft rules with placeholders for the DIDs created here; bcgov/dts-endorser-service#51 |
|
I've proposed some tenant names and technical contacts in the description of this ticket. Confirming a technical contact for CSB. |
For |
I'd like to see some rules defined. I'm fine with opening it up with wild cards in |
- bcgov/DITP#95 (comment) Signed-off-by: Wade Barnes <[email protected]>
|
@esune, The discussion about the rules does raise a question though ... What is the order of precedence given to the rules? It's not explicitly defined in the documentation. There are the global settings, per connection settings, and granular settings (rules). I know the global settings take precedence over the per connection settings. Do the per connection settings then take precedence over the granular settings (rules)? I'm asking so we don't inadvertently break any of the existing agents we've configured with per connection settings by introducing the rules. |
When checking rules, the service will check if:
@Gavinok implemented the logic and should be able to The idea with our deployments is that everything is set to deny-by-default and then allow as needed, either by using a granular rule OR allowing things on a per-connection basis. |
|
Also 👍🏻 to proposed tenant names |
|
@WadeBarnes As far as priority the following code handles the rejection or endorsement |
|
For the
We were unable to write the CSB cred-def rules due to errors encountered in the Swagger UI when attempting to post the rule file. @loneil will be following up on that. We also did not write CSB's contractor-credential cred-def to the ledger. Partly due to the above issue, but also due to the fact that the Tenant UI does not support creating a cred-def from another issuer's schema, for example creating the CSB contractor-credential cred-def from the CDT contractor-credential schema. @loneil will follow-up on the steps needed to create the CSB cred-def from the CDT schema. Ledger transactions were created through the tenant UI, endorser rules were registered by uploading the rules files through the endorser's swagger API. |
|
A fix for the issues affecting the endorser rule registration has been deployed the |
|
@loneil, Do you want to try registering the endorser rules in |
This part's done in Candy DEV 👍
I was mistaken about this I think, tried it out on one of my Tenants and believe just the Copy Schema From Ledger feature should work the way we want. Can go into the tenant UI as CSB tenant and
|
rev reg size: 3000 |
|
@WadeBarnes request from Kyle to do it with Created a |
|
@loneil, Looking to the future the cred-def is not specific to transcribers, the same cred-def would be used for other contracted services such as interpreters. So we should likely tag it as |
|
@WadeBarnes - it depends on the use case, but in this case, I think the best solution would be to use different cred defs/tags for different purposes. For CSB, the next one would be "interpreter". There is certainly multiple ways to handle it though. |
If the credential has the same access "power" and attributes regardless of the type of contractor, then it would definitely be easier to have a more generic tag as Wade is suggesting so the application does not have to include role management and tracking when issuing/revoking. If there is some sort of access control based on the role the user has in the system then the separate tags would be easy to implement. |
|
I think managing cred-defs that differ in no other way other than tag for different use cases will not scale well and will end up causing confusion, at least at the human (developer) level. I can envision, even one of us, browsing the ledger and comparing the cred-defs and asking why there are two or more "identical" cred-defs. |
|
We already have this pattern established with the LCRB Training Credentials. There are three different cred-defs for the three different certificates (Serving It Right, Selling It Right and Special Event Server). They all use the same schema and are issued from the same DID. This is so the different proof requests can use the cred def restriction, in particular with the "OR" type clause. |
|
@krobinsonca how many different types of contractors do we forecast will have access to the systems? With LCRB it's never going to be more than 3 (I think?) and it has some specific meaning since teh credentials indicate different roles. If there are no distinct roles in the application - see my comment above - we may still do separate creddefs, but it might not really be beneficial and will increase the credential handling logic on issuance/reissuance/revocation - that's the main concern. |
|
If we do continue to use this pattern, we have to ensure we make a conscious effort to educate the product teams (there could be many all from different vendors) as to the nuances of the differences, and ensure we/they ensure the correct cred-defs are machine selected and not left up to the end user issuing the credential to select. |
|
I'm thinking it would be a good idea to deep dive into the requirements that caused this pattern to emerge to determine whether it's actually an anti-pattern and if there is a better way to accomplish the same thing in a more scalable fashion that does not require multiple cred-defs to be written to the ledger unnecessarily. I'm looking at this from a KIS and scalability perspective. |
Note: this might need some refinement, couple TBDs
Checklist here can probably become some shared documentation for this type of onboarding in the future
Tracking tasks required to set up the Court Services Branch tenants that will be used for issuing the Contractor Credential and other decisions/TODOs
There will be 2 tenants:
CDT (this writes the Schema)
BC Cyber Security and Digital Trust(https://candyscan.idlab.org/tx/CANDY_DEV/domain/34741)CSB (this creates the cred def based on CDT's schema)
BC Court Services(https://candyscan.idlab.org/tx/CANDY_DEV/domain/34743)Tasks for setting up Issuer Tenants:
Note these can be tested out on the sandbox environment except that would use the BCOVRIN-TEST ledger and have automatic endorsement.
Development environment
For CDT Tenant
This requires an IDIR to onboard. Traction Innkeeper (DITP team) will approve request for tenant creation.
Note: don't think we have devhub step by step docs on onboarding/creating a tenant? Maybe in-app and email instructions are enough.
TODO: Who should get this key/where to store?
See Integration Documentation for some details
Not in those docs but this will require some async steps with Endorser
Note: in these cases are we adding the DID to the allow list in the Endorser
For CSB Tenant
TODO: specify tag and rev reg size
Test environment
For CDT Tenant
This requires an IDIR to onboard. Traction Innkeeper (DITP team) will approve request for tenant creation.
See Integration Documentation for some details
Not in those docs but this will require some async steps with Endorser
Note: in these cases are we adding the DID to the allow list in the Endorser?
Note: is there anyone specific that must do this or other governance, what TAA acceptance type?
For CSB Tenant
TODO: specify tag and rev reg size
Production environment
For CDT Tenant
This requires an IDIR to onboard. Traction Innkeeper (DITP team) will approve request for tenant creation.
See Integration Documentation for some details
Not in those docs but this will require some async steps with Endorser
Note: in these cases are we adding the DID to the allow list in the Endorser?
Note: is there anyone specific that must do this or other governance, what TAA acceptance type?
By policy this is not allowed to do in the Tenant UI in production
For CSB Tenant
TODO: specify tag and rev reg size
The text was updated successfully, but these errors were encountered: