Why only ADMIN user have permission to query installed/instantiated chaincodes in Hyperledger Fabric

Question

I read the Node SDK tutorial ( https://fabric-sdk-node.github.io/tutorial-app-dev-env-setup.html ) and their were these lines:

user identities provisioned this way are only of the MEMBER role, which means it won't be able to perform certain operations reserved for the ADMIN role:

create/update channel

install/instantiate chaincode

query installed/instantiated chaincodes

For these privileged operations, the client must use an ADMIN user to submit the request.

And I have a question that why only ADMIN have the permission to query installed/instantiated chaincodes?

Calling a ADMIN users only for query will cause the extra latency in the network / Response instead of other MEMBER users ( reducing the load on one user that is ADMIN user ) in a given channel.

If there is any security implications for the above statement that I referenced then what are they.

Answer 1

Let me try to answer your question. In my opinion, chain code is something very sensitive or private. Nobody wants their chain code open, which includes the business logic and even some info flow. It is better restrict this privilege.

Actually not only query chain code, but also installation and instantiation get this restriction too.

Answer 2

When we made the decision to install chaincode out of band on individual peers, we decided that it should be an "administrative action". In keeping with that, it made sense that actually querying a peer for the chaincodes which are installed and running on the peer should be administrative actions as well.

We are working on an updated access control model which will allow you to set the access control policies for these APIs.