Hyperledger Fabric - why can I query another Org's implicit PDC - hyperledger-fabric

So I have an implicit PDC at Org1 and want to query it with Org2 (get the real data value, not just the hash)
I set up the fabric test network and used Org1 to write something in its own implicit PDC.
Then I used Org2 to query it ... and got a result - but how?
Shouldn't the implicit PDC be private to Org1 and only to Org1 ... I did not change any Endorsement Policy etc.
Did I misunderstand the idea behind implicit PDCs and do I need to secure them with state-based Endorsement Policy and checks before queries just like public data?
I hope someone can clear that up for me.
Thanks!

I would recommend reading the Hyperledger Fabric documentation around implicit private collections here: https://hyperledger-fabric.readthedocs.io/en/latest/private-data-arch.html#implicit-private-data-collections, as it looks like it confirms the behaviour you see.

Related

HL Fabric Gossip bootstrap and endpoint for orgs with single peer

This is helpful but not current for HLF 1.4.3.
Hyperledger Fabric GOSSIP_BOOTSTRAP & GOSSIP_EXTERNALENDPOINTS
#GariSingh, #yacovm would you know, if our config consists of 5 orgs, each with a single peer, each with a single CA and one network orderer, would the following be correct for docker-compose-base.yaml?
IOW, is the following correct for GOSSIP for two of the example peers:
CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer0.org1.example.com:7051
CORE_PEER_GOSSIP_BOOTSTRAP=peer0.org1.example.com:8051
CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer0.orgA.example.com:13051
CORE_PEER_GOSSIP_BOOTSTRAP=peer0.orgA.example.com:14051
Thanks for your help.
#CT99, it's fine, assuming orgA is a second organization.
You can have a single peer per organization, but it is advisable to have two peers per organization.
Regarding gossip:
If you use the private data concept then it is a must, otherwise it's optional.

Adding a new consortium definition to existing running network

EYFN allows adding an organization Org3 to the existing channel "mychannel". I am trying to add Org1 and Org3 to a new channel, by dynamically creating the channel in a running network. For this, I understand, there is a need to define a consortium with Org1 and Org3.
When following the document, it was mentioned: "In practice, consortium definition X2 has been added to the network configuration NC4. We discuss the exact mechanics of this operation elsewhere in the documentation." (https://hyperledger-fabric.readthedocs.io/en/release-1.4/network/network.html)
Is it possible to do this by updating the network configuration? or any alternative?
Yes, it is possible. Instead of fetching the application channel, you must fetch the system channel block and add the new organization into the existing consortium, then add a new profile in the configtx, generate a new transaction file and create your new channel.

Hyperledger Fabric - How to limit Org2 to install/instantiate/upgrade the chaincode to the channel?

My Fabric network's consortium (in configtx.yaml) has two organizations: ORG1 and ORG2. ORG1 has 4 main peers and ORG2 has only 1 peer. The ORG2 peer's only purpose is to have a copy of the ledger (for auditing purposes).
They all joined the same channel and let's say ORG1's admin already installed/instantiated the chaincode version 0.1
Now, ORG2's admin will also be able to run "peer chaincode upgrade" to version 0.2 with the same chaincode name, and when the proposal reaches one of the ORG1 peers, it will say something like:
endorsement failure during invoke. response: status:500 message:"cannot retrieve package for chaincode [chaincode name]/0.2, error open /var/hyperledger/production/chaincodes/[chaincode name]/0.2: no such file or directory"
How do we completely prevent ORG2 from upgrading the chaincode version, so that only ORG1's admin can perform the administrative operations?
I have searched the ACL, but it seems the administrative operations are not controlled by ACL settings.
After the research, we figured out we can set this in the instantiate policy on the chaincode package.
Please see the Fabric documentation below:
https://hyperledger-fabric.readthedocs.io/en/release-1.4/commands/peerchaincode.html#peer-chaincode-package
With the -i flag, you can set the instantiate policy when packaging the chaincode. Then only the Org(s) allowed by the policy will be able to instantiate or upgrade the chaincode on the channel.

If peers use the same chain code, is there any chance that Endorsement of Endorsement Policy will be different?

I will ask through the Endorsement Policy example below
peer chaincode instantiate -C <channelid> -n mycc -P "AND('Org1.member', 'Org2.member')"
My understanding (Promise)
Org1.member or Org2.member refer to a Peer.
The example means that Org1.member and Org2.member should have to get the same result when instantiating mycc.
Question
1. If Org1.member and Org2.member have the same chaincode, could their result be different?
2. Do Org1.member and Org2.member refer to one peer of the Organization?
(2-1. If so, is the peer set on the organization randomly?)
3. Can I use regular expressions like "AND('Org1.member > 10', 'Org2.member > 10')"
I hope you have referred to the Fabric documentation on endorsement already. If not, then please find it here: endorsement-policies
A principal is described in terms of the MSP that is tasked to validate the identity of the signer and of the role that the signer has within that MSP. Currently, two roles are supported: member and admin. Principals are described as MSP.ROLE, where MSP is the MSP ID that is required, and ROLE is either one of the two strings member and admin. Examples of valid principals are 'Org0.admin' (any administrator of the Org0 MSP) or 'Org1.member' (any member of the Org1 MSP).
AND(Org1.member, Org2.member) means that for successful endorsement, the transaction proposal response which is sent to the Orderer (from the client SDK) is expected to be signed by the member certificate of the Peer of org1 and the member certificate of the Peer of org2.
1. It is possible to have a different result if your chaincode is non-deterministic (i.e., say it's getting the current time etc. and putState()). So write sets can be different.
2. Org1.member & Org2.member are two different Peers. One peer belonging to Org1 and another peer belonging to Org2. [You cannot have the Peer belonging to two organizations randomly]
3. I am not sure. Please check the link to the Fabric documentation above.

HyperLedger Fabric - How to define signature policy for the channel

I am a beginner on hyperledger fabric programming. I was wondering where exactly we define the signature policy (SignaturePolicy / ImplicitMetaPolicy) for the network? Is it in some configuration file?
I saw video in below link but I could not understand: "Signature Policy Sample"
Can anyone please guide me?
The signature, or endorsement, policy is defined when instantiating a chaincode deployed to a given channel, using the -P switch with the following syntax: EXPR(E[, E...]) where EXPR is a boolean expression (AND or OR) and E is either a principal or a nested boolean.
For instance, a policy of AND(Org1.member, Org2.member) would require that a member of Org1 and Org2 each sign a transaction for it to be validated. A policy of AND(Org1.member, OR(Org2.member, Org3.member)) would require a member of Org1 and a member of Org2 or Org3 sign a transaction for it to be validated.
Here's an example chaincode instantiate command:
peer chaincode instantiate -C <channelid> -n mycc -P "AND('Org1.member', 'Org2.member')"
The documentation can be found in the Endorsement Policy section of the Hyperledger Fabric documentation.
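The EXPR(E[, E...]) grammar and the MSP.ROLE principals quoted in the answers above, worked through as an added Go example (not part of the original posts and not Fabric's own policy parser). It handles only AND/OR and the member/admin roles named on this page, models endorsers as a constructed set of "MSP.role" strings without verifying signatures, and assumes an admin also satisfies member; under this grammar a principal such as 'Org1.member > 10' from the earlier question is rejected as a parse error.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Principal syntax from the page: 'MSP.ROLE', ROLE being member or admin.
var principalRe = regexp.MustCompile(`^'([A-Za-z0-9_-]+)\.(member|admin)'`)

// Eval checks an AND/OR policy against a constructed set of "MSP.role" endorsers.
func Eval(policy string, signers map[string]bool) (bool, error) {
	rest := strings.ReplaceAll(policy, " ", "") // policy text not yet consumed
	var expr func() (bool, error)
	expr = func() (bool, error) { // parses one E of EXPR(E[, E...])
		if m := principalRe.FindStringSubmatch(rest); m != nil {
			rest = rest[len(m[0]):]
			return signers[m[1]+"."+m[2]] || signers[m[1]+".admin"], nil // assumed: admin satisfies member
		}
		isAnd := strings.HasPrefix(rest, "AND(")
		if !isAnd && !strings.HasPrefix(rest, "OR(") {
			return false, fmt.Errorf("expected principal, AND( or OR( at %q", rest)
		}
		rest = rest[strings.Index(rest, "(")+1:]
		result := isAnd // AND starts true, OR starts false
		for more := true; more; rest, more = strings.CutPrefix(rest, ",") {
			v, err := expr()
			if err != nil {
				return false, err
			}
			result = (isAnd && result && v) || (!isAnd && (result || v))
		}
		if !strings.HasPrefix(rest, ")") {
			return false, fmt.Errorf("expected ',' or ')' at %q", rest)
		}
		rest = rest[1:]
		return result, nil
	}
	if ok, err := expr(); err != nil || rest == "" {
		return ok, err
	}
	return false, fmt.Errorf("unexpected trailing input %q", rest)
}

func main() {
	endorsers := map[string]bool{"Org1.member": true, "Org3.admin": true} // constructed
	fmt.Println(Eval("AND('Org1.member', OR('Org2.member', 'Org3.member'))", endorsers))
}
```

Every operand is parsed even when an earlier one has already decided the result, so a malformed principal anywhere in the expression is reported rather than skipped.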
