revoke read permissions not working

+3 votes
I have used the steps for revoking read permissions for one stream I created, in which I have stored some data. As per the site directions at https://www.multichain.com/getting-started/ section 5, the moment the permissions are revoked, the data should not be seen on the second server, but it is always seen regardless. The steps on server 1 are:

- create stream store1 '{"restrict":"read,write"}'

- publish store1 id_123456 '{"json":{"source":"Singapore","destination":"Los Angeles"}}' offchain

- publish store1 id_234567 '{"json":{"source":"Rotterdam","destination":"New York"}}' offchain

- grant 1K5FhCZgZXs7GPDiE5mz8udRCyuWFbaMgbWXMj store1.read (## to grant the second server read permissions; after this I am able to see the data at the second server ##)

- revoke 1K5FhCZgZXs7GPDiE5mz8udRCyuWFbaMgbWXMj store1.read

But after this step too, I am able to read the data at the second server.

Where am I going wrong?
asked Sep 20 by anupam

1 Answer

0 votes

First, I assume you are using the Enterprise Demo version to test out this feature.

Second, by default each node retrieves and stores a local copy of offchain data. Removing a node's read permissions means it cannot retrieve new offchain data from a stream, but this does not stop it accessing its copy of old offchain data that was already retrieved.

(We could do something on the node level to prevent it storing/reading data it had before, but this would be fake security, since whoever controls that server could have read and copied the data in the meantime. To make the flow of data clear, we avoid putting fake security into MultiChain's programming model.)

You have a couple of options for resolving this issue:

  1. When subscribing to a stream, use the subscribe command parameters to prevent auto-retrieval of offchain stream items from the network. Then use the retrievestreamitems API to explicitly retrieve the items you want for this node.
  2. Use the purgestreamitems API to remove a node's local copy of some offchain data. (Note you need to use purgepublisheditems if the items were published from this node.)
answered Sep 20 by MultiChain
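
A simplified model of the data flow this answer describes, added here as an illustration; it is not MultiChain code and not part of the original answer. The `Network` and `Node` classes, the address string and the recorded-hash check are assumptions of the model: the read permission gates retrieval from the network, while the local copy persists until it is purged.

```python
import hashlib

class Network:
    """Toy stand-in for the chain plus the peers serving offchain payloads."""
    def __init__(self):
        self.read_perms = set()  # addresses currently holding store1.read
        self.items = {}          # key -> (SHA-256 recorded on chain, payload)

    def publish(self, key, data):
        self.items[key] = (hashlib.sha256(data).hexdigest(), data)

    def fetch(self, address, key):
        if address not in self.read_perms:  # checked only at retrieval time
            raise PermissionError(f"{address} has no read permission")
        return self.items[key][1]

class Node:
    def __init__(self, address, net, auto_retrieve=True):
        self.address, self.net, self.auto_retrieve = address, net, auto_retrieve
        self.local = {}  # offchain data this node has already retrieved

    def retrieve(self, keys):  # explicit retrieval (option 1 in the answer)
        for key in keys:
            data = self.net.fetch(self.address, key)
            if hashlib.sha256(data).hexdigest() != self.net.items[key][0]:
                raise ValueError("payload does not match recorded hash")
            self.local[key] = data

    def sync(self):  # auto-retrieval of items not yet held, if permitted
        if self.auto_retrieve and self.address in self.net.read_perms:
            self.retrieve([k for k in self.net.items if k not in self.local])

    def purge(self, keys):  # drop local copies (option 2 in the answer)
        for key in keys:
            self.local.pop(key, None)

def demo():
    net = Network()
    node2 = Node("addr-server2", net)  # constructed address
    net.publish("id_123456", b'{"source":"Singapore","destination":"Los Angeles"}')
    net.read_perms.add(node2.address)      # grant store1.read
    node2.sync()                           # node2 now holds a local copy
    net.read_perms.discard(node2.address)  # revoke store1.read
    net.publish("id_234567", b'{"source":"Rotterdam","destination":"New York"}')
    node2.sync()                           # the new item is not retrieved
    held_after_revoke = sorted(node2.local)
    node2.purge(["id_123456"])
    return held_after_revoke, sorted(node2.local)
```

`demo()` returns the keys the second node still holds after the revoke, followed by the keys it holds after the purge.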
...