hyperledger-fabric - How can a channel be created when the peer admin has no write permission on the orderer?
Problem description
In all of the fabric samples, channel creation is done by the peer admin user. But that user does not even have permission to write to the orderer. So how can it succeed? Take first-network as an example:
- CORE_PEER_LOCALMSPID=Org1MSP
- CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp
So channel creation is executed under org1's admin credentials. But when we look at configtx.yaml:
- &OrdererOrg
    # DefaultOrg defines the organization which is used in the sampleconfig
    # of the fabric.git development environment
    Name: OrdererOrg
    # ID to load the MSP definition as
    ID: OrdererMSP
    # MSPDir is the filesystem path which contains the MSP configuration
    MSPDir: crypto-config/ordererOrganizations/example.com/msp
    # Policies defines the set of policies at this level of the config tree
    # For organization policies, their canonical path is usually
    #   /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
    Policies:
        Readers:
            Type: Signature
            Rule: "OR('OrdererMSP.member')"
        Writers:
            Type: Signature
            Rule: "OR('OrdererMSP.member')"
        Admins:
            Type: Signature
            Rule: "OR('OrdererMSP.admin')"
To write to the orderer, one must be an OrdererMSP.member, which org1's admin clearly is not. So how does it pass the policy check?
When we try to develop an application following the patterns in fabric-samples, we get an error when trying to create a channel under the peer admin credentials:
2019-03-12 17:05:09.337 UTC [orderer/common/msgprocessor] ProcessConfigUpdateMsg -> DEBU 0d9 Processing config update message for channel dscsa
2019-03-12 17:05:09.337 UTC [policies] Evaluate -> DEBU 0da == Evaluating *policies.implicitMetaPolicy Policy /Channel/Writers ==
2019-03-12 17:05:09.337 UTC [policies] Evaluate -> DEBU 0db This is an implicit meta policy, it will trigger other policy evaluations, whose failures may be benign
2019-03-12 17:05:09.337 UTC [policies] Evaluate -> DEBU 0dc == Evaluating *policies.implicitMetaPolicy Policy /Channel/Orderer/Writers ==
2019-03-12 17:05:09.337 UTC [policies] Evaluate -> DEBU 0dd This is an implicit meta policy, it will trigger other policy evaluations, whose failures may be benign
2019-03-12 17:05:09.337 UTC [policies] Evaluate -> DEBU 0de == Evaluating *cauthdsl.policy Policy /Channel/Orderer/ord/Writers ==
2019-03-12 17:05:09.337 UTC [msp] DeserializeIdentity -> DEBU 0df Obtaining identity
2019-03-12 17:05:09.337 UTC [msp/identity] newIdentity -> DEBU 0e0 Creating identity instance for cert -----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
2019-03-12 17:05:09.338 UTC [cauthdsl] func1 -> DEBU 0e1 0xc42000e1e8 gate 1552410309337999686 evaluation starts
2019-03-12 17:05:09.338 UTC [cauthdsl] func2 -> DEBU 0e2 0xc42000e1e8 signed by 0 principal evaluation starts (used [false])
2019-03-12 17:05:09.338 UTC [cauthdsl] func2 -> DEBU 0e3 0xc42000e1e8 processing identity 0 with bytes of ...
2019-03-12 17:05:09.338 UTC [cauthdsl] func2 -> DEBU 0e4 0xc42000e1e8 identity 0 does not satisfy principal: the identity is a member of a different MSP (expected ordMSP, got org1MSP)
2019-03-12 17:05:09.338 UTC [cauthdsl] func2 -> DEBU 0e5 0xc42000e1e8 principal evaluation fails
2019-03-12 17:05:09.338 UTC [cauthdsl] func1 -> DEBU 0e6 0xc42000e1e8 gate 1552410309337999686 evaluation fails
2019-03-12 17:05:09.338 UTC [policies] Evaluate -> DEBU 0e7 Signature set did not satisfy policy /Channel/Orderer/ord/Writers
2019-03-12 17:05:09.338 UTC [policies] Evaluate -> DEBU 0e8 == Done Evaluating *cauthdsl.policy Policy /Channel/Orderer/ord/Writers
2019-03-12 17:05:09.338 UTC [policies] func1 -> DEBU 0e9 Evaluation Failed: Only 0 policies were satisfied, but needed 1 of [ ord.Writers ]
2019-03-12 17:05:09.338 UTC [policies] Evaluate -> DEBU 0ea Signature set did not satisfy policy /Channel/Orderer/Writers
2019-03-12 17:05:09.338 UTC [policies] Evaluate -> DEBU 0eb == Done Evaluating *policies.implicitMetaPolicy Policy /Channel/Orderer/Writers
2019-03-12 17:05:09.338 UTC [policies] func1 -> DEBU 0ec Evaluation Failed: Only 0 policies were satisfied, but needed 1 of [ Orderer.Writers Consortiums.Writers ]
2019-03-12 17:05:09.338 UTC [policies] Evaluate -> DEBU 0ed Signature set did not satisfy policy /Channel/Writers
2019-03-12 17:05:09.338 UTC [policies] Evaluate -> DEBU 0ee == Done Evaluating *policies.implicitMetaPolicy Policy /Channel/Writers
2019-03-12 17:05:09.338 UTC [orderer/common/broadcast] Handle -> WARN 0ef [channel: dscsa] Rejecting broadcast of config message from 10.0.0.192:54232 because of error: Failed to reach implicit threshold of 1 sub-policies, required 1 remaining: permission denied
Solution
I hope you have got your answer by now, since this question is 11 months old. If not, here is my explanation. The Orderer org's policies are for reading and changing the Orderer organization / orderer system channel, not the application channel. Org1's admin can make changes as defined in the policies of the Application section of configtx.yaml, which is an ImplicitMeta policy built from the signature policies of the participating orgs.
I hope it helps.
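The policy walk visible in the log (/Channel/Writers, then /Channel/Orderer/Writers, then the org's own Signature rule) and the distinction the answer draws between the Orderer section and the Application section can be made concrete with a small model. The following is an added example, not Fabric's own code and not code from the question or answer: a toy evaluator for configtx-style Signature and ImplicitMeta policies, run against an Org1MSP admin identity. It assumes the config trees built from the first-network defaults shown above; the system channel's Consortiums group is modelled with no Writers policy, an assumption chosen to match the log line "needed 1 of [ Orderer.Writers Consortiums.Writers ]"; only OR/AND over 'MSP.member' / 'MSP.admin' principals are supported; and the helper names `check`, `channel`, `org_group`, `Group` and `Identity` are mine.

```python
"""Toy evaluator for Fabric-style channel policies (added example, not Fabric code).
Signature rules such as "OR('Org1MSP.member', 'Org2MSP.admin')" and ImplicitMeta rules
such as "ANY Writers" / "MAJORITY Admins" are modelled; OU/peer/client principals are not."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Identity:
    msp_id: str
    admin: bool = False


@dataclass
class Group:  # one node of the config tree, e.g. /Channel or /Channel/Orderer/OrdererOrg
    policies: Dict[str, str] = field(default_factory=dict)  # policy name -> rule string
    groups: Dict[str, "Group"] = field(default_factory=dict)


PRINCIPAL = re.compile(r"'([^'.]+)\.(member|admin)'")


def principal_satisfied(principal: str, ident: Identity) -> bool:
    # 'X.member' matches any identity of MSP X, 'X.admin' only an admin of X (simplified)
    m = PRINCIPAL.fullmatch(principal)
    if not m:
        raise ValueError(f"unsupported principal {principal!r}")
    msp, role = m.groups()
    if msp != ident.msp_id:
        return False  # "the identity is a member of a different MSP"
    return ident.admin if role == "admin" else True


def split_args(s: str) -> List[str]:
    # split "a, OR(b, c)" on top-level commas only, so nested rules stay intact
    args, depth, cur = [], 0, []
    for ch in s:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            args.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    args.append("".join(cur))
    return [a.strip() for a in args]


def eval_signature(rule: str, ident: Identity) -> bool:
    """Recursively evaluate an OR(...)/AND(...) rule for a single signer."""
    rule = rule.strip()
    for op in ("OR", "AND"):
        if rule.startswith(op + "(") and rule.endswith(")"):
            results = [eval_signature(a, ident) for a in split_args(rule[len(op) + 1:-1])]
            return any(results) if op == "OR" else all(results)
    return principal_satisfied(rule, ident)


def evaluate(group: Group, path: str, name: str, ident: Identity, trace: List[str]) -> bool:
    """Evaluate policy `name` under `path`; `trace` collects orderer-log-like lines."""
    rule = group.policies.get(name)
    if rule is None:
        trace.append(f"{path}/{name}: no such policy")
        return False
    if rule.split()[0] in ("ANY", "ALL", "MAJORITY"):  # ImplicitMeta: "<mode> <sub-policy>"
        mode, sub = rule.split()
        hits = sum(evaluate(g, f"{path}/{n}", sub, ident, trace) for n, g in group.groups.items())
        needed = {"ANY": 1, "ALL": len(group.groups), "MAJORITY": len(group.groups) // 2 + 1}[mode]
        trace.append(f"{path}/{name}: {hits} of {len(group.groups)} sub-policies satisfied, needed {needed}")
        return hits >= needed
    ok = eval_signature(rule, ident)  # Signature policy: checked against the signer's MSP and role
    trace.append(f"{path}/{name}: {rule} -> {'satisfied' if ok else 'NOT satisfied'}")
    return ok


def check(channel_cfg: Group, policy_path: str, ident: Identity) -> Tuple[bool, List[str]]:
    # policy_path is canonical, e.g. "/Channel/Orderer/Writers"
    parts = policy_path.strip("/").split("/")
    group = channel_cfg
    for part in parts[1:-1]:
        group = group.groups[part]
    trace: List[str] = []
    return evaluate(group, "/" + "/".join(parts[:-1]), parts[-1], ident, trace), trace


def org_group(msp: str) -> Group:
    # per-organization policies exactly as the first-network configtx.yaml writes them
    return Group(policies={"Readers": f"OR('{msp}.member')", "Writers": f"OR('{msp}.member')",
                           "Admins": f"OR('{msp}.admin')"})


META = {"Readers": "ANY Readers", "Writers": "ANY Writers", "Admins": "MAJORITY Admins"}
ORG1_ADMIN = Identity("Org1MSP", admin=True)  # constructed signer standing in for Admin@org1.example.com


def channel(system: bool = False) -> Group:
    """Constructed config tree. The system channel's Consortiums group is modelled with no
    Writers policy (assumption matching 'needed 1 of [ Orderer.Writers Consortiums.Writers ]')."""
    orderer = Group(policies=dict(META), groups={"OrdererOrg": org_group("OrdererMSP")})
    if system:
        return Group(policies=dict(META), groups={"Orderer": orderer, "Consortiums": Group()})
    apps = Group(policies=dict(META), groups={"Org1MSP": org_group("Org1MSP"), "Org2MSP": org_group("Org2MSP")})
    return Group(policies=dict(META), groups={"Orderer": orderer, "Application": apps})


if __name__ == "__main__":
    for cfg, path in [(channel(), "/Channel/Orderer/Writers"), (channel(), "/Channel/Application/Writers"),
                      (channel(system=True), "/Channel/Writers")]:
        ok, trace = check(cfg, path, ORG1_ADMIN)
        print(f"{path}: {'PASS' if ok else 'FAIL'}\n  " + "\n  ".join(trace))
```

Running the file prints one trace per policy path. The same Org1MSP admin fails /Channel/Orderer/Writers (the only sub-policy is OrdererOrg's OR('OrdererMSP.member'), which a different MSP can never satisfy) but passes /Channel/Application/Writers, because the ImplicitMeta "ANY Writers" there only needs one participating org's Signature rule to hold. On the modelled system channel, /Channel/Writers fails for the same reason the log shows: neither Orderer.Writers nor Consortiums.Writers is satisfied, so the implicit threshold of 1 is not reached.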