Question

I am working on a tutorial and i have the following command there:

fabric-ca-client register  --id.name admin2 --id.type user --id.affiliation org1.department1 --id.attrs  '"hf.Registrar.Roles=peer,user",hf.Revoker=true'

I have a few questions.. Why is admin2 used and not admin? what are the roles of admin2 compared to admin? What is admin and hf.Registrar.Roles?

Answer 1

The "hf.Registrar.Roles" attribute is used to control the type of identity that can be registered by an identity. The "hf.Revoker" attribute is used to control which identities can revoke certificates. admin2 is not a role, its the name of the user.. you can use other names instead of admin2(but it should be defined). As admin2 is a user, its roles compared to admin depends on the privileges it has.. in this case, it is just a normal user.

An admin has special privileges, ex: it can enroll other users.. adminWithoutRoles is a user with no special privileges.

Answer 2

admin2 is just a name given to the admin. You can give any name to the admin.

Answer 3

An admin user is allowed to register certain nodes in the network. So while registering the admin, you need to specify which nodes the admin can register. To specify this, the flag hf.Registrar.Roles is used. In the above command, it is specified that admin2 can register peers and users.

Answer 4

Suppose you want to revoke a certificate or an identity, then any random node cannot do this. There are particular admin nodes in the network that have permission to do this. There are different types of identities: user, peer, orderer, etc. And different admins can be assigned to register/revoke different types of identities. To specify which admin has permission to revoke which type of identity, hf.Registrar.Roles is used. The admin can revoke or register only those types of identities that is allowed to. 

Comments

Nice explanation @Tina. I didn't know that this can be used to revoke identities too. I thought it was only for registration.