Designing better private data collections in Hyperledger Fabric

I have a very case-specific query related to the implementation of private data collection and I am seeking recommendations/suggestions from the experts here. We have a product running on Hyperledger Fabric 2.3.3 and the platform can have any number of organizations. For instance, initially, there will be 4 organizations, next week 10 more organizations can join the network. The problem arises when these organizations start transactions with each other. These transactions can have a number of objects that need to be private between these organizations only. 

For this, we can create private data collections with names:


collection_org1
collection_org2
collection_org3
collection_org1_org2
collection_org1_org3
collection_org1_org2_org3
collection_org2_org3

Assume the network has 20 organizations as participants: how many private data collection combinations will there be?

This is because, at a given time, any organization can begin a transaction with another organization or a series of organizations in the network. The problem here is that we have to create a large number of private data collections using the pattern and maintain it.

Because of this problem, we removed this implementation and used the implicit private data collection for each organization. Now if there is an object that should be shared only with org1, org2 & org3, the object is pushed to collection_org1, collection_org2, collection_org3. We did this by setting memberOnlyRead: false and memberOnlyWrite: false and added the validations at the chaincode level.

This implementation solved the above problem but has created a new problem. Now, we want to implement a key-level endorsement policy such that if org1 changes a private object that is shared among org2 & org3, org1 has to obtain the endorsements from org2 & org3 peers. This means that the peers will read the object from their own private data collection, resulting in a different read-set in the endorsement proposal response, which further leads to an error saying read/write sets do not match.

For example, org1 during the endorsement proposal will read object key: key1 from its own private data collection collection_org1. In a similar way, org2 will read the same key during endorsement from its own collection collection_org2, and likewise for org3. This leads to a different read-set in the endorsement proposal.


I am seeking suggestions to implement this whole functionality in a better way. 

Please let me know your suggestions/recommendations.

There is 1 best solution below

GetPrivateDataHash() is your answer. You can use this function to verify that each of the endorsers has the same value, and ensure that your read sets are consistent.

See the secured transfer tutorial and sample for an example of using it for this purpose.
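
The check the answer describes, as an added example that is not part of the original answer or of the Fabric samples: each endorser reads the hash of `key1` from all three per-org collections instead of reading the value from its own collection, and compares it with the SHA-256 of the value supplied with the proposal. `HashReader`, `fakeStub` and `VerifyShared` are hypothetical names, and `fakeStub` is an in-memory stand-in so the block runs without a peer; in chaincode the stub returned by `ctx.GetStub()` provides `GetPrivateDataHash`.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
)

// HashReader mirrors GetPrivateDataHash on Fabric's ChaincodeStubInterface.
type HashReader interface {
	GetPrivateDataHash(collection, key string) ([]byte, error)
}

// fakeStub (constructed) maps "collection/key" to SHA-256 of the value.
type fakeStub map[string][]byte

func (f fakeStub) GetPrivateDataHash(collection, key string) ([]byte, error) {
	return f[collection+"/"+key], nil // nil when the key is absent
}

func (f fakeStub) put(collection, key string, value []byte) {
	h := sha256.Sum256(value)
	f[collection+"/"+key] = h[:]
}

// VerifyShared reads only hashes, so every endorser builds the same read set.
// It fails if any collection lacks key or holds a value other than `value`.
func VerifyShared(stub HashReader, collections []string, key string, value []byte) error {
	want := sha256.Sum256(value)
	for _, c := range collections {
		got, err := stub.GetPrivateDataHash(c, key)
		if err != nil {
			return fmt.Errorf("read hash from %s: %w", c, err)
		}
		if !bytes.Equal(got, want[:]) {
			return fmt.Errorf("%s: hash for %s missing or different", c, key)
		}
	}
	return nil
}

func main() {
	cols := []string{"collection_org1", "collection_org2", "collection_org3"}
	stub, val := fakeStub{}, []byte(`{"owner":"org1"}`) // constructed sample
	for _, c := range cols {
		stub.put(c, "key1", val)
	}
	fmt.Println(VerifyShared(stub, cols, "key1", val))
}
```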