Endorsement policy in Hyperledger Fabric - hyperledger-fabric

I am using Hyperledger Fabric version 1.2. I have created a channel with 1 orderer and 10 peer nodes, all belonging to the same organisation. I want to instantiate the chaincode with the endorsement policy such that all the peers of ORG1 are the endorsing peer, not just 1. What is the valid expression for the same?
Currently using the following policy:
docker exec -e "CORE_PEER_ADDRESS=peer0.org1.example.com:7051" cli peer chaincode instantiate -o orderer.example.com:7050 -C mychannel -n chainname -v 1.0 -c '{"Args":[""]}' -P "AND('Org1MSP.member')"
Fabric documentation contains examples of including peers from different organisations.

This can be achived while invoking the chaincode. You have to pass the peer addresses of all the peer nodes who you want to act as endorsing peers
peer chaincode invoke -o orderer0.abc.com:7050 -C abcchannel -n fabcar --peerAddresses peer0.org1.example.com:7051 --peerAddresses peer1.org1.example.com:7051 -c '{"Args":["initLedger"]}'

Unfortunately! there no valid command for that, you can follow two steps if you want to achieve this:
Write your own custom endorsement logic by a plugin. This method is little cumbersome and you can follow this link if you want to do that. Pluggable endorsement and validation logic
Or, you can have an alternate solution by creating 10 Orgs with 1 peer each and define the endorsement policy through the command that you want as:
-P "OutOf(10, 'Org1.peer', 'Org2.peer', ...., 'Org10.peer')"
But, having all the peers as an endorsing peer is never a good idea as if a peer goes down, you will have to face serious problems as no transaction will be committed

Related

Examining the Behaviour of Hyperledger Fabric when one of the stateDB is Tampered

https://kctheservant.medium.com/exploring-the-behaviour-of-hyperledger-fabric-when-world-state-is-tampered-764676fe90f2
I am trying a similar approach as in this link but with some changes. I want to examine the same scenario with only one organisation and two peers.
I looked it up and people had suggested to make both the peers and endorsing peers or either just create one more organisation. Couldn't find anything helpful in the hyperledger docs as well. Can someone please help me with this. Also, I am fairly new to all of this.
Using hyperledger-fabric version 2.3.0
You need to have the AND endorsement policy in the chaincode and then invoke the transaction.
The possible solutions to your problem are
Make both the peers as endorsing peers or
Add a new organization to your network
You need to have the AND endorsement policies to mimic this scenario. Whenever we invoke the chaincode we need to pass the endorsing peers using the --peerAddresses and their TLS certificates using --tlsRootCertFiles flags
peer chaincode invoke -n basic -C mychannel -o localhost:7050 --ordererTLSHostnameOverride orderer.example.com --tls --cafile "$ORDERER_CA" --peerAddresses localhost:7051 --tlsRootCertFiles ${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt --peerAddresses localhost:9051 --tlsRootCertFiles ${PWD}/organizations/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/ca.crt -c '{"Args":["CreateAsset", "1001","red", "20","aditya","100"]}'

Can I use `peer channel fetch config` with only orderer nodes, no peer nodes?

I've brought up an etcdraft based orderer cluster with 3 nodes and no peer nodes are deployed for now. And now I want to modify the orderer cluster like removing or adding members. Instructions I've found require firstly fetching the current config with the 'peer channel fetch config' command.
My question is how I can do to fetch the current system channel config with 'peer channel fetch config' command before/without any peer up and running, or is there any other way to achieve this.
fabric version: 1.4.4
You need to invoke it against an orderer since you also need to do this for the system channel, and peers don't have the system channel in them.
Use something like:
peer channel fetch config mychannel.block -c mychannel --orderer orderer.example.com:7050 --cafile ca.crt

How to define peer is endorsing peer or Anchor peer

I have doubt on creating the peer, where to configure, peer is endoser or Anchor.Lets say, After defining the peer of any-type,Is it possible to update peer type, from endoser to anchor viceversa.
Only peers with chaincode installed can act as endorser, in order to make a node endorser install the chaincode otherwise it'll be simple verify node.
for Anchor peers you need to provide in channel def.
example:
peer channel update -o orderer.example.com:7050 -c $CHANNEL_NAME -f ./channel-artifacts/Org1MSPanchors.tx --tls --cafile tlsca.example.com-cert.pem
Fabric provide three types of peer:
endorser , anchor and simple peer(verify).
endorser peer: peer on which chaincode is installed is called endorser peer.this peer is used to execute smart contract ad return result to client application. client app select that result which is return same from most endorsers.
Anchor peer: this peer is used when peer from one org need to communicate with other org.
for example:
org1 need to communicate with org2. now communication will be done between anchor peer of org1 and org2.
As you asked in comment peer can act as anchor or endorser peer at same time. Example : you can find it in byfn example. where peer0.org1.example.com is anchor as well as endorser.

Error when invoking chaincode: signature set did not satisfy policy

I have a little network up in Hyperledger Fabric 1.4 which is very similar to the basic-network from the examples.
It has:
One orderer organization with orderer peer
One Hospital organization with two peers.
A single channel on which the peers of the hospital are.
I tried to write a very simple demo smart contract/chaincode and have it invoked.
(The smart contract is called bananascc)
Running from the docker container cli /bin/bash associated to a peer0.hospital1.health.com peer, I successfully install and instantiate:
peer chaincode install -n bananascc -v 1.0 -l node -p /opt/gopath/src/github.com/chaincode/chaincode_bananas/node
peer chaincode instantiate -o orderer.health.com:7050 --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/health.com/orderers/orderer.health.com/msp/tlscacerts/tlsca.health.com-cert.pem -C hospital1channel -n bananascc -l node -v 1.0 -c '{"Args":["init","edo","100"]}' -P "OR ('Hospital1MSP.admin', 'Hospital1MSP.peer' )"
With policy -P "OR ('Hospital1MSP.admin', 'Hospital1MSP.peer' )"
But when I try to invoke the chaincode, the transaction is sent successfully but the operation is not executed, as I get a
peer0.hospital1.health.com | 2019-03-06 10:36:44.525 UTC [vscc] Validate -> ERRO 07e VSCC error: stateBasedValidator.Validate failed, err validation of endorsement policy for chaincode bananascc in tx 6:0 failed: signature set did not satisfy policy
peer0.hospital1.health.com | 2019-03-06 10:36:44.525 UTC [committer.txvalidator] validateTx -> ERRO 07f VSCCValidateTx for transaction txId = d6726e0b2daf11d0e3ef24e86fa0e7a5530f2d98dcc4ad1f0d266ca642be1ee3 returned error: validation of endorsement policy for chaincode bananascc in tx 6:0 failed: signature set did not satisfy policy
I reckon that the transaction has to be evaluated against a valid signature set, but I can't understand where I can specify this, or why it should be wrong according to VSCC.
I'd be very happy if anyone could help me figure out. I have already broadly looked for an answer which I haven't found.
Let me know if you need other information on the issue.
Thank you very much.
The problem is probably caused by the order of instantiating the policies.
Can you simply swap the declaration to:
peer chaincode instantiate -o orderer.health.com:7050 --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/health.com/orderers/orderer.health.com/msp/tlscacerts/tlsca.health.com-cert.pem -C hospital1channel -n bananascc -l node -v 1.0 -c '{"Args":["init","edo","100"]}' -P "OR ('Hospital1MSP.peer','Hospital1MSP.admin')"
To avoid this pitfall, identities should be specified from most privileged to least privileged in the policy identities specification, and signatures should be ordered from least privileged to most privileged in the signature set.
Read here: https://hyperledger-fabric.readthedocs.io/en/release-1.4/policies.html
If there is only one organization, does not make sense the need of a policy (only used between organizations), so I removed and it worked!
My code line:
peer chaincode instantiate -o orderer.orgX.com:7050 --tls $CORE_PEER_TLS_ENABLED --cafile $ORDERER_CA -C $CHANNEL_NAME -n mycc -l ${LANGUAGE} -v 1.0 -c '{"Args":["init","a","100","b","200"]}' >&log.txt

ENDORSEMENT_POLICY_FAILURE when chaincode is invoked using node.js SDK

Steps followed:
1. Started a Hyperledger Fabric network with 1 organization,1 Peer,1
couch db and 1 CA
2. Created channel
docker exec command -e"CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/msp/users/Admin#org1.example.com/msp" peer0.org1.example.com peer channel create -o orderer.example.com:7050 -c mychannel -f /etc/hyperledger/configtx/channel.tx
3. Joined peer to the channel using docker exec command
docker exec -e "CORE_PEER_LOCALMSPID=Org1MSP" -e "CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/msp/users/Admin#org1.example.com/msp" peer0.org1.example.com peer channel join -b mychannel.block
4. Installed chaincode
docker exec -e "CORE_PEER_LOCALMSPID=Org1MSP" -e "CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin#org1.example.com/msp" cli peer chaincode instantiate -o orderer.example.com:7050 -C mychannel -n fabcar -v 1.0 -c '{"Args":[""]}' -P "AND ('Org1MSP.member','Org2MSP.member')"
5. Started the client
6. Used node SDK to enroll and register a user
7. Ran invoke.js [from fabcar example] to initledger with 10 cars
8. The invoke query throws ENDORSEMENT_POLICY_FAILURE error.Please note that endorsement policy is set as "AND" Image
Your endorsement policy requires a peer from Org1 and a peer from Org2 to endorse the transaction. Given you are only running a single peer from Org1, there is no way to satisfy this endorsement policy.
Try setting the endorsement policy to
-P "AND ('Org1MSP.member')"
or adding a peer from Org2 to the channel and install the chaincode.

Resources