Modify existing endorsement policy (Hyperledger Fabric) - hyperledger-fabric

I had 2 organization in Hyperledger Fabric blockchain network initially. Recently I added one more organization on a different host using swarm. When I try to invoke chaincode from 1st or 2nd organization then it's working fine and I can see the updated transaction from org3. But when I invoke a transaction from org3, I am getting the following error.
"[2019-02-06 06:44:21.895] [ERROR] invoke - The transaction was
invalid, code = ENDORSEMENT_POLICY_FAILURE"
Initially, chaincode was initiated using the following policy.
-P "OR ('Org1MSP.peer','Org2MSP.peer')"
So I think I will have to update existing endorsement policy to include org3.
Could anyone help to modify existing endorsement policy or to resolve the issue?

The way to upgrade the chaincode is as followed:
Increment the version of ccRequest containing ccPackage
Re-Install the ccRequest on all orgs in the channel.
Ex: peer chaincode install -n mycc -v 2.0 -p github.com/chaincode/chaincode_example02/go/
Create new ccPolicy with correct rules containing required orgs as endorsers.
Upgrade the chaincode by running upgradeCC command
Ex: peer chaincode upgrade -o orderer.example.com:7050 --tls $CORE_PEER_TLS_ENABLED --cafile $ORDERER_CA -C $CHANNEL_NAME -n mycc -v 2.0 -c '{"Args":["init","a","90","b","210"]}' -P "OR ('Org1MSP.peer','Org2MSP.peer','Org3MSP.peer')"
Test with a query on chaincode with peer chaincode query -C $CHANNEL_NAME -n mycc -c '{"Args":["query","a"]}'
For more details refer docs or ask on rockerchat

Yes, you can do that using peer chaincode upgrade command.
peer chaincode upgrade -o orderer.example.com:7050 --tls --cafile
$ORDERER_CA -C mychannel -n mycc -v 1.2 -c
'{"Args":["init","a","100","b","200","c","300"]}' -P "AND
('Org1MSP.peer','Org2MSP.peer','Org3MSP.peer')"
refer : peer chaincode upgrade

Related

What is the meaning of “peer chaincode install -p" in Hyperledger Fabric?

I passed "first-network", no problem.
In CLI:/opt/gopath/src/github.com/hyperledger/fabric/peer:, execute these commands:
peer chaincode install -n mycc -v 1.0 -p github.com/chaincode/chaincode_example02/go/
peer chaincode instantiate -o orderer.example.com:7050 --tls true --cafile $ORDERER_CA -C mychannel -n mycc -v 1.0 -c '{"Args":["init","a","100","b","200"]}' -P "AND('Org1MSP.peer','Org2MSP.peer')"
peer chaincode query -C mychannel -n mycc -c '{"Args":["query","a"]}'
peer chaincode invoke -o orderer.example.com:7050 --tls true --cafile $ORDERER_CA -C mychannel -n mycc -c '{"Args":["invoke","a","b","10"]}' --peerAddresses peer0.org2.example.com:7051 --tlsRootCertFiles /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/ca.crt --peerAddresses peer0.org1.example.com:7051 --tlsRootCertFiles /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
There are no problem. But when I execute these commands in the subdirectory of the peer /opt/gopath/src/github.com/hyperledger/fabric/peer/scripts:, install、instantiate and query success, but invoke error:
Error: endorsement failure during invoke. response: status:500 message:"cannot retrieve package for chaincode mycc/1.0, error open /var/hyperledger/production/chaincodes/mycc.1.0: no such file or directory".
This happens when CLI connects to peer0.ogr1, but I find this file at peer0.ogr1:
enter image description here
I replaced the peer node through the CLI, and the same problem occurred under the same path.
The problem may arise from the path specified by chaincode install -p. The official document says that this is a path relative to $GOPATH/src, so I feel that this path should have nothing to do with the current directory.
After searching, I found two similar problems, but the reasons are completely different and cannot be used for reference. Therefore, I can only raise new problems and hope to find solutions.
two similar problems:
Install a different version of chaincode (Hyperledger fabic)
Hyperledger Fabric - How to limit Org2 to install/instantiate/upgrade the chaincode to the channel?
version: Fabric1.4.4, Ubuntu18.04
structure: one order, four peers, each distributed on five machines, there is no problem with normal transactions

Hyperledger fabric 1.4 Error on Instantiate chaincode

Setting up Built Your First Network (BYFN), after creating and joining Channel, chaincode is installed on both organization peers using following cli command -
peer chaincode install -n mycc -v 1.0 -p github.com/chaincode/chaincode_example02/go/
Chaincode Installation is successful.
While I tried to Instantiate chaincode from the CLI using following command given by HLF document.
The following error occurred while Instantiate the chaincode in Hyperledger fabric v 1.4.
root#8804d95b7083:/opt/gopath/src/github.com/hyperledger/fabric/peer# peer chaincode instantiate -o orderer.example.com:7050 --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem -C $CHANNEL_NAME -n mycc -v 1.0 -c '{"Args":["init","a", "100", "b","200"]}' -P "AND ('Org1MSP.peer','Org2MSP.peer')"
Error: must supply value for chaincode name parameter
Usage:
peer chaincode instantiate [flags]
Flags:
-C, --channelID string The channel on which this command should be executed
--collections-config string The fully qualified path to the collection JSON file including the file name
Is there any alternative way to resolve this error other than re-setup the Network?
There is a conflict with the CLI command there. You used go cli command for installing the chaincode and NodeJS cli command for instantiating the chaincode.

Error when invoking chaincode: signature set did not satisfy policy

I have a little network up in Hyperledger Fabric 1.4 which is very similar to the basic-network from the examples.
It has:
One orderer organization with orderer peer
One Hospital organization with two peers.
A single channel on which the peers of the hospital are.
I tried to write a very simple demo smart contract/chaincode and have it invoked.
(The smart contract is called bananascc)
Running from the docker container cli /bin/bash associated to a peer0.hospital1.health.com peer, I successfully install and instantiate:
peer chaincode install -n bananascc -v 1.0 -l node -p /opt/gopath/src/github.com/chaincode/chaincode_bananas/node
peer chaincode instantiate -o orderer.health.com:7050 --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/health.com/orderers/orderer.health.com/msp/tlscacerts/tlsca.health.com-cert.pem -C hospital1channel -n bananascc -l node -v 1.0 -c '{"Args":["init","edo","100"]}' -P "OR ('Hospital1MSP.admin', 'Hospital1MSP.peer' )"
With policy -P "OR ('Hospital1MSP.admin', 'Hospital1MSP.peer' )"
But when I try to invoke the chaincode, the transaction is sent successfully but the operation is not executed, as I get a
peer0.hospital1.health.com | 2019-03-06 10:36:44.525 UTC [vscc] Validate -> ERRO 07e VSCC error: stateBasedValidator.Validate failed, err validation of endorsement policy for chaincode bananascc in tx 6:0 failed: signature set did not satisfy policy
peer0.hospital1.health.com | 2019-03-06 10:36:44.525 UTC [committer.txvalidator] validateTx -> ERRO 07f VSCCValidateTx for transaction txId = d6726e0b2daf11d0e3ef24e86fa0e7a5530f2d98dcc4ad1f0d266ca642be1ee3 returned error: validation of endorsement policy for chaincode bananascc in tx 6:0 failed: signature set did not satisfy policy
I reckon that the transaction has to be evaluated against a valid signature set, but I can't understand where I can specify this, or why it should be wrong according to VSCC.
I'd be very happy if anyone could help me figure out. I have already broadly looked for an answer which I haven't found.
Let me know if you need other information on the issue.
Thank you very much.
The problem is probably caused by the order of instantiating the policies.
Can you simply swap the declaration to:
peer chaincode instantiate -o orderer.health.com:7050 --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/health.com/orderers/orderer.health.com/msp/tlscacerts/tlsca.health.com-cert.pem -C hospital1channel -n bananascc -l node -v 1.0 -c '{"Args":["init","edo","100"]}' -P "OR ('Hospital1MSP.peer','Hospital1MSP.admin')"
To avoid this pitfall, identities should be specified from most privileged to least privileged in the policy identities specification, and signatures should be ordered from least privileged to most privileged in the signature set.
Read here: https://hyperledger-fabric.readthedocs.io/en/release-1.4/policies.html
If there is only one organization, does not make sense the need of a policy (only used between organizations), so I removed and it worked!
My code line:
peer chaincode instantiate -o orderer.orgX.com:7050 --tls $CORE_PEER_TLS_ENABLED --cafile $ORDERER_CA -C $CHANNEL_NAME -n mycc -l ${LANGUAGE} -v 1.0 -c '{"Args":["init","a","100","b","200"]}' >&log.txt

Hyperledger Fabric tutorial "Error: unknown flag: --peerAddresses"

I am following along the tutorial at http://hyperledger-fabric.readthedocs.io/en/latest/build_network.html
I am copy&pasting along the way and opted for the Node.js variants where choice was offered.
peer chaincode invoke -o orderer.example.com:7050 --tls true --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem -C $CHANNEL_NAME -n mycc --peerAddresses peer0.org1.example.com:7051 --tlsRootCertFiles /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt --peerAddresses peer0.org2.example.com:7051 --tlsRootCertFiles /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org2.example.com/peers/peer0.org2.example.com/tls/ca.crt -c '{"Args":["invoke","a","b","10"]}'
When I get to the code above, it gives me the error "Error: unknown flag: --peerAddresses"
Please see below the terminal history:
https://paste.ubuntu.com/p/xC5NNQVJyW/
Please do tell if you need additional information
This is sort of a half answer but I think you should be following the tutorial for http://hyperledger-fabric.readthedocs.io/en/release-1.1/build_network.html (Note: release-1.1 not latest). The only difference is that the endorsement policy when you instantiate is -P "OR ('Org1MSP.peer','Org2MSP.peer')" instead of -P "AND ('Org1MSP.peer','Org2MSP.peer')" and when you invoke the chaincode you only endorse it against one peer (the default being peer0 of org1).
The CLI being able to get endorsements from multiple peers at once is a new feature (ref: https://github.com/hyperledger/fabric/commit/368b1511e23d55355d572fd267223bb1bd4de890?short_path=6a6833d#diff-6a6833de704771c6c6879904e353c025) and I think the latest docker image for hyperledger/fabric-tools as of this post (1.1.0) does not reflect this change.

ENDORSEMENT_POLICY_FAILURE when chaincode is invoked using node.js SDK

Steps followed:
1. Started a Hyperledger Fabric network with 1 organization,1 Peer,1
couch db and 1 CA
2. Created channel
docker exec command -e"CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/msp/users/Admin#org1.example.com/msp" peer0.org1.example.com peer channel create -o orderer.example.com:7050 -c mychannel -f /etc/hyperledger/configtx/channel.tx
3. Joined peer to the channel using docker exec command
docker exec -e "CORE_PEER_LOCALMSPID=Org1MSP" -e "CORE_PEER_MSPCONFIGPATH=/etc/hyperledger/msp/users/Admin#org1.example.com/msp" peer0.org1.example.com peer channel join -b mychannel.block
4. Installed chaincode
docker exec -e "CORE_PEER_LOCALMSPID=Org1MSP" -e "CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin#org1.example.com/msp" cli peer chaincode instantiate -o orderer.example.com:7050 -C mychannel -n fabcar -v 1.0 -c '{"Args":[""]}' -P "AND ('Org1MSP.member','Org2MSP.member')"
5. Started the client
6. Used node SDK to enroll and register a user
7. Ran invoke.js [from fabcar example] to initledger with 10 cars
8. The invoke query throws ENDORSEMENT_POLICY_FAILURE error.Please note that endorsement policy is set as "AND" Image
Your endorsement policy requires a peer from Org1 and a peer from Org2 to endorse the transaction. Given you are only running a single peer from Org1, there is no way to satisfy this endorsement policy.
Try setting the endorsement policy to
-P "AND ('Org1MSP.member')"
or adding a peer from Org2 to the channel and install the chaincode.

Resources