
taccatisid/fine-grained-permissioning-demo


A demo for account and contract permissioning with Besu

This runs a private Ethereum network of three Besu nodes, one of which is a validator. Besu runs with the flexible permissioning extension, which allows account behavior to be controlled by a smart contract. Two trivial smart contracts are included to demonstrate how OpenZeppelin access control can be used either on a per-contract basis (DirectContract) or with a central authority for all contracts (DelegateContract).

Running the demo

Start the nodes via

docker-compose up -d

If you want to see the Besu node logs, omit the -d and run this command in a separate terminal.

Then compile and deploy all contracts to your network using

./deploy

and follow the instructions given there.

Cleaning up

Stop the Besu network via

docker-compose down

This retains the state of the blockchain. To erase all blockchain data and start from scratch, run

rm -r docker-data/node*/{DATABASE_METADATA.json,caches,database}

Contract deployment sequence

Permissioning setup happens in three phases:

  1. A bootstrap contract is included in the genesis file. Besu nodes are started with --permissions-accounts-contract-enabled --permissions-accounts-contract-address=0x0000000000000000000000000000000000008888 to activate account permissioning using this particular contract. The bootstrap contract allows all blockchain interactions; its sole purpose is to act as a placeholder until it is updated by the actual account permissioning contract.
  2. The AccountRules contract is deployed by an arbitrary account. By deploying it, this account becomes the admin account for the entire blockchain.
  3. The CentralAccessControl contract is deployed. Again, the account deploying it becomes the administrator of that contract.

All subsequently deployed contracts are derived from the DelegatedAccessControl contract and linked to the CentralAccessControl instance on deployment.

Contract deployment sequence UML diagram

Permissioning control flow

Every blockchain interaction is checked on two levels:

  • Transactions are checked by looking up whether the sender is permitted in the AccountRules contract.
  • Calls in a transaction are checked by looking up whether the caller has the required role in the CentralAccessControl contract.

Permissioning control flow UML diagram
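
The call-level check described above, as an added sketch that is not taken from this repository: a contract resolves roles against one central authority instead of keeping its own role table. The names DelegatedAccessControlSketch, CounterSketch, ICentralRoles and WRITER_ROLE are hypothetical, and the sketch assumes the central contract exposes OpenZeppelin AccessControl's hasRole(bytes32,address).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added sketch, not the repository's code. All names here are hypothetical.
// Assumption: the central contract exposes OpenZeppelin AccessControl's
// hasRole(bytes32,address) view function.
interface ICentralRoles {
    function hasRole(bytes32 role, address account) external view returns (bool);
}

abstract contract DelegatedAccessControlSketch {
    // Fixed at deployment so the contract cannot later be pointed at a different authority.
    ICentralRoles public immutable authority;

    error MissingCentralRole(address caller, bytes32 role);

    constructor(ICentralRoles central) {
        // Calls to an address without code revert, which would leave every
        // guarded function unusable; fail at deployment instead.
        require(address(central).code.length > 0, "authority has no code");
        authority = central;
    }

    // Call-level check: msg.sender is the immediate caller, which may be another
    // contract rather than the transaction sender that AccountRules evaluated.
    modifier onlyCentralRole(bytes32 role) {
        if (!authority.hasRole(role, msg.sender)) {
            revert MissingCentralRole(msg.sender, role);
        }
        _;
    }
}

contract CounterSketch is DelegatedAccessControlSketch {
    bytes32 public constant WRITER_ROLE = keccak256("WRITER_ROLE");
    uint256 public value;

    constructor(ICentralRoles central) DelegatedAccessControlSketch(central) {}

    // Reverts unless the central authority has granted WRITER_ROLE to the caller.
    function increment() external onlyCentralRole(WRITER_ROLE) {
        value += 1;
    }
}
```

Because the role lookup uses msg.sender, a role granted to an externally owned account does not carry over when that account reaches the contract through an intermediate contract; the intermediate contract's address needs the role itself.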
