I am upgrading my tutorial from composer v0.16 to composer v0.20.2. Most of the upgrade has gone smoothly; however, I'm running into an authentication problem that I can't get around. I'm going through a step-wise process to create and activate a user. In v0.16, I did the following:
ADD a new member to a registry
ISSUE identity for the new member
CREATE and IMPORT a card for the new member
PING the business network using the new member ID
The last step 'activated' the member, so that they could do productive work in the network. In v0.20, the first 3 steps still work flawlessly; however, the PING step now returns the following error:
transaction returned with failure: AccessException:
Participant 'org.acme.Z2BTestNetwork.Buyer#rdd#xyz.com' does not have 'READ' access to resource
'org.hyperledger.composer.system.Network#zerotoblockchain-network#0.1.5'
I've simplified my permissions.acl file down to just the following 3 statements:
rule Z2BTestFullAccess {
description: "Allow all participants access to all resources"
participant: "org.acme.Z2BTestNetwork.Buyer"
operation: READ
resource: "org.hyperledger.composer.system.**"
action: ALLOW
}
rule NetworkAdminUser {
description: "Grant business network administrators full access to user resources"
participant: "org.hyperledger.composer.system.NetworkAdmin"
operation: ALL
resource: "**"
action: ALLOW
}
rule NetworkAdminSystem {
description: "Grant business network administrators full access to system resources"
participant: "org.hyperledger.composer.system.NetworkAdmin"
operation: ALL
resource: "org.hyperledger.composer.system.**"
action: ALLOW
}
I can further simplify the first rule to be
rule Z2BTestFullAccess {
description: "Allow all participants access to all resources"
participant: "ANY"
operation: ALL
resource: "org.hyperledger.composer.system.**"
action: ALLOW
}
But it still fails with the same error message.
composer card list for the new card returns:
userName: rdd-xyz.com
description:
businessNetworkName: zerotoblockchain-network
identityId: 6c6eab0d11d26ccfc4a8164dbe971814d2120802e84d1b3b98b16ceb2cb80334
roles: none
connectionProfile:
name: hlfv1
x-type: hlfv1
credentials: Credentials set
composer network ping for the new card returns the same error as the Node.js code.
How do I determine the root cause of this error and, more importantly, how do I resolve this? Happy to add code segments for each step if that will help.
Related
I deployed infrastructure using this repo. The logs of my application gateway pod look like:
Event(v1.ObjectReference{Kind:"Pod", Namespace:"kube-system", Name:"ingress-appgw-deployment-bf6785d8d-87lgm", UID:"uiuiduid-4dff-4496-ba43-0ed031542ed7", APIVersion:"v1", ResourceVersion:"102567", FieldPath:""}): type: 'Warning' reason: 'FailedApplyingAppGwConfig' network.ApplicationGatewaysClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="LinkedAuthorizationFailed" Message="The client 'xxxxxxxx-551c-46a7-b1c2-e4eb093784ce' with object id 'xxxxxxxx-551c-46a7-b1c2-e4eb093784ce' has permission to perform action 'Microsoft.Network/applicationGateways/write' on scope '/subscriptions/xxxxxxxx-6a2d-49e7-a103-74011445fdf5/resourceGroups/rg-kubota-dev/providers/Microsoft.Network/applicationGateways/agw-kubota-dev'; however, it does not have permission to perform action 'Microsoft.ManagedIdentity/userAssignedIdentities/assign/action' on the linked scope(s) '/subscriptions/xxxxxxx-6a2d-49e7-a103-74011445fdf5/resourcegroups/rg-kubota-dev/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-agw-keyvault-kubota-dev' or the linked scope(s) are invalid."
This issue is similar to mine, and I ran:
az role assignment create --role "Managed Identity Operator" --assignee xxxxxxxx-551c-46a7-b1c2-e4eb093784ce --scope /subscriptions/xxxxxxxx-6a2d-49e7-a103-74011445fdf5/resourceGroups/rg-kubota-dev/providers/Microsoft.Network/applicationGateways/agw-kubota-dev
and the permission was added successfully:
But the error mentioned in the application gateway logs is still present.
Not sure what the cause is? Any pointers would be helpful.
According to the above error, the linked scope is invalid.
You have given the incorrect scope ID in your existing Azure CLI command. Thus, you will have to execute the command with the correct scope ID, and only then will you be able to configure the application gateway with the permission of the "Managed Identity Operator" role. Ensure that the scope below for your environment is mentioned in your Azure CLI command and that it is executed once again for the correct scope permission to be valid.
Correct scope: -
/subscriptions/xxxxxxx-6a2d-49e7-a103-74011445fdf5/resourcegroups/rg-kubota-dev/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-agw-keyvault-kubota-dev
Reference:
application-gateway-kubernetes-ingress/appgw-ssl-certificate.md at master · Azure/application-gateway-kubernetes-ingress (github.com)
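The answer above turns on reading the error correctly: the write to the Application Gateway was authorized, and what is missing is the "assign" action on the linked user-assigned identity, so the role has to be granted on the identity's scope rather than the gateway's. The following is an added example, not code from Azure or the application-gateway-kubernetes-ingress project, that parses a LinkedAuthorizationFailed message, checks whether an assignment made on a given scope addresses it, and prints the az command for the linked scope. SAMPLE_MESSAGE is constructed from the log lines in the question; the function names and the comma-separated handling of several linked scopes are assumptions.

```javascript
// Added example, not code from Azure or the AGIC project: parse a
// LinkedAuthorizationFailed message and derive the role assignment the error is
// actually asking for. SAMPLE_MESSAGE is constructed from the question's log lines.

const SAMPLE_MESSAGE =
  `Code="LinkedAuthorizationFailed" Message="The client 'xxxxxxxx-551c-46a7-b1c2-e4eb093784ce' ` +
  `with object id 'xxxxxxxx-551c-46a7-b1c2-e4eb093784ce' has permission to perform action ` +
  `'Microsoft.Network/applicationGateways/write' on scope '/subscriptions/xxxxxxxx-6a2d-49e7-a103-74011445fdf5` +
  `/resourceGroups/rg-kubota-dev/providers/Microsoft.Network/applicationGateways/agw-kubota-dev'; ` +
  `however, it does not have permission to perform action ` +
  `'Microsoft.ManagedIdentity/userAssignedIdentities/assign/action' on the linked scope(s) ` +
  `'/subscriptions/xxxxxxx-6a2d-49e7-a103-74011445fdf5/resourcegroups/rg-kubota-dev/providers` +
  `/Microsoft.ManagedIdentity/userAssignedIdentities/id-agw-keyvault-kubota-dev' or the linked scope(s) are invalid."`;

// The scope the question's az command used: the gateway, not the identity.
const SCOPE_USED_IN_QUESTION =
  '/subscriptions/xxxxxxxx-6a2d-49e7-a103-74011445fdf5/resourceGroups/rg-kubota-dev/providers/Microsoft.Network/applicationGateways/agw-kubota-dev';

// Pull principal, granted action/scope and missing action/linked scope(s) out of
// the message. Returns null when the text is not a LinkedAuthorizationFailed error.
function parseLinkedAuthorizationFailure(text) {
  const re = /client '([^']+)'.*?has permission to perform action '([^']+)' on scope '([^']+)'; however, it does not have permission to perform action '([^']+)' on the linked scope\(s\) '([^']+)'/s;
  const m = re.exec(text);
  if (m === null) return null;
  return {
    principal: m[1],
    grantedAction: m[2],
    grantedScope: m[3],
    missingAction: m[4],
    // Assumption: several linked scopes would be listed comma-separated.
    linkedScopes: m[5].split(',').map(s => s.trim()),
  };
}

// ARM resource IDs compare case-insensitively ("resourceGroups" vs "resourcegroups").
const sameScope = (a, b) => a.toLowerCase() === b.toLowerCase();

// True when a role assignment made on scopeAssigned is on a scope the error names.
function assignmentCoversError(parsed, scopeAssigned) {
  return parsed.linkedScopes.some(s => sameScope(s, scopeAssigned));
}

// One az command per linked scope; the role name comes from the caller (the
// answer above uses "Managed Identity Operator").
function roleAssignmentCommands(parsed, role) {
  return parsed.linkedScopes.map(scope =>
    `az role assignment create --role "${role}" --assignee ${parsed.principal} --scope ${scope}`);
}

const parsed = parseLinkedAuthorizationFailure(SAMPLE_MESSAGE);
console.log('assignment on the gateway scope covers the error:',
  assignmentCoversError(parsed, SCOPE_USED_IN_QUESTION));
for (const cmd of roleAssignmentCommands(parsed, 'Managed Identity Operator')) console.log(cmd);
```

Run with `node`; the check against the scope from the question's command comes back false, which is exactly why that assignment "succeeded" yet changed nothing, and the printed command carries the userAssignedIdentities scope from the error instead.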
I have created a storage account; however, I am unable to access it. The error shows access denied.
The steps I have followed to create the storage account:
The error I'm getting is:
This is how the firewall and virtual network look from the portal. Is there anything specific I need to select here? If I need to make some extra selection, how can I understand the meaning of that?
Also, blob storage is not appearing, do I need to select "premium" for blob storage?
I don't see any network setting now from the Azure portal.
What am I doing wrong? Any step by step method with good explanation to create a storage account?
Also, I'm unable to see blob storage.
The connectivity check is showing me error:
Failed to list containers: authMode: 4
code: AuthorizationFailure
content: _CYCLIC_OBJECT_
message: This request is not authorized to perform this operation.
RequestId:cce36eae-901e-001e-0472-415a25000000
Time:2020-06-13T11:02:14.4850017Z
name: StorageError
requestId: cce36eae-901e-001e-0472-415a25000000
url: https://example.blob.core.windows.net/?comp=list&_=1592046134245
xhr: {}
Failed to list queues: authMode: 4
code: AuthorizationFailure
content: _CYCLIC_OBJECT_
message: This request is not authorized to perform this operation.
RequestId:9c699d17-4003-0050-3672-4174ad000000
Time:2020-06-13T11:02:13.5044983Z
name: StorageError
requestId: 9c699d17-4003-0050-3672-4174ad000000
url: https://exmaple.queue.core.windows.net/?comp=list&_=1592046133224
xhr: {}
Failed to list containers: authMode: 1
code: AuthorizationFailure
content: _CYCLIC_OBJECT_
message: This request is not authorized to perform this operation.
RequestId:a5b1514f-e01e-0066-2e72-41f9dd000000
Time:2020-06-13T11:02:14.7298198Z
name: StorageError
requestId: a5b1514f-e01e-0066-2e72-41f9dd000000
url: https://example.blob.core.windows.net/?comp=list&_=1592046134491&sv=2019-10-10&ss=bqtf&srt=sco&sp=rwdlacuptfx&se=2020-06-13T19:02:13Z&sig=E4jZb9I6BjWBTrIzMnD9keq1BU8UfI%2F%2BZA1820lt3qk%3D
xhr: {}
Thanks.
To fix the access issue, please allow your client IP address to access the storage account.
I am not able to start a composer-rest-server without a network admin card.
When I tried a normal user card, it generated the following error:
Connection fails: Error: 2 UNKNOWN: error executing chaincode:
transaction returned with failure:
AccessException: Participant 'com.tuzz.agloan.Dccb#dccb1' does not have 'READ' access to resource 'org.hyperledger.composer.system.Network#aloan#0.0.2-deploy.17'
You can try adding a rule that gives the participant access to the network.
In the .acl file, add this rule, then update the network and start the REST server:
rule Rule1 {
description: "Grant access to the network"
participant: "com.tuzz.agloan.Dccb"
operation: READ
resource: "org.hyperledger.composer.system.Network"
action: ALLOW
}
For more details, you can refer to the Granting network access control section in the ACL reference.
I issued a new identity to an already existing participant via the composer rest server and got it activated. Now in the wallet section I selected the new card to use the composer rest server. The ACL for the participant is:
rule SimpleRule {
description: "Description of the ACL rule"
participant: "org.example.auction.Buyer"
operation: ALL
resource: "org.example.auction.*"
action: ALLOW
}
When I try to query the network I get this error:
"Error trying to query business network. Error: chaincode error (status: 500, message: Error: Participant 'org.example.auction.Buyer#Buyer2' does not have 'READ' access to resource 'org.hyperledger.composer.system.Network#auction-network#0.0.1')",
Give access to read the business network.
Add another rule to the .acl file:
rule Rule1 {
description: "Description of the ACL rule"
participant: "org.example.auction.Buyer"
operation: READ
resource: "org.hyperledger.composer.system.*"
action: ALLOW
}
Update the network, restart the REST server and try again.
As Sneha has indicated, you need your ACLs updated to grant access to the business network, i.e. grant access to all operations and commands in the business network, including network access and business access.
See the trade-network example for an example of a permissions ACL file. https://github.com/hyperledger/composer-sample-networks/blob/master/packages/trade-network/permissions.acl
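All three Composer threads on this page (the upgrade question at the top, the composer-rest-server error, and the auction-network query error) fail the same way: the participant's rules cover the business namespace, but nothing grants READ on org.hyperledger.composer.system.Network, and Composer denies anything no rule allows. The following is an added example, not Hyperledger Composer's own code, that parses rules written in the permissions.acl syntax shown above and evaluates them against the exact participant, operation and resource named in an AccessException, so a rule set can be checked before the network is updated. It assumes first-match-wins evaluation in file order, deny when nothing matches, ANY/ALL as wildcards, and the `ns.*` (one level) versus `ns.**` (any depth) reading of resource patterns; subclass matching and rule conditions are left out. The ACL text is the auction post's rule plus the rule its answer adds.

```javascript
// Added example, not Hyperledger Composer's own code: a small model of how a
// permissions.acl file is evaluated, so that a rule set can be checked offline
// against the participant, operation and resource named in an AccessException.
// Assumptions: rules are tried in file order and the first one whose participant,
// operation and resource all match decides; no match means DENY; "ANY" and "ALL"
// are wildcards; in a pattern, "ns.*" matches one more name level and "ns.**"
// (or "**") matches anything below. Subclass matching and conditions are omitted.

// Parse "rule Name { key: value ... }" blocks, one field per line, into objects.
function parseAcl(text) {
  const rules = [];
  const ruleRe = /rule\s+(\w+)\s*\{([^}]*)\}/g;
  let m;
  while ((m = ruleRe.exec(text)) !== null) {
    const rule = { name: m[1] };
    const fieldRe = /(\w+)\s*:\s*(?:"([^"]*)"|([^\n]+))/g;
    let f;
    while ((f = fieldRe.exec(m[2])) !== null) {
      rule[f[1]] = f[2] !== undefined ? f[2] : f[3].trim();
    }
    rules.push(rule);
  }
  return rules;
}

// "org.acme.Z2BTestNetwork.Buyer#rdd#xyz.com" -> "org.acme.Z2BTestNetwork.Buyer"
const typeOf = fqn => fqn.split('#')[0];

// Match a participant or resource pattern against a fully-qualified name.
function patternMatches(pattern, fqn) {
  const type = typeOf(fqn);
  if (pattern === 'ANY' || pattern === '**') return true;
  if (pattern.endsWith('.**')) return type.startsWith(pattern.slice(0, -2));
  if (pattern.endsWith('.*')) {
    const ns = pattern.slice(0, -2) + '.';
    return type.startsWith(ns) && !type.slice(ns.length).includes('.');
  }
  return type === pattern;
}

// "ALL" or a comma-separated list such as "READ, UPDATE".
function operationMatches(ruleOp, op) {
  return ruleOp === 'ALL' || ruleOp.split(',').map(s => s.trim()).includes(op);
}

// Returns { allowed, rule }; rule is the deciding rule's name, or null when
// nothing matched (which is a deny).
function evaluate(rules, participant, operation, resource) {
  for (const r of rules) {
    if (patternMatches(r.participant, participant) &&
        operationMatches(r.operation, operation) &&
        patternMatches(r.resource, resource)) {
      return { allowed: r.action === 'ALLOW', rule: r.name };
    }
  }
  return { allowed: false, rule: null };
}

// The Buyer rule from the auction post, as written there.
const AUCTION_ACL = `
rule SimpleRule {
  description: "Description of the ACL rule"
  participant: "org.example.auction.Buyer"
  operation: ALL
  resource: "org.example.auction.*"
  action: ALLOW
}
`;

// The rule the answer adds so the participant can read the business network.
const NETWORK_READ_ACL = `
rule Rule1 {
  description: "Description of the ACL rule"
  participant: "org.example.auction.Buyer"
  operation: READ
  resource: "org.hyperledger.composer.system.*"
  action: ALLOW
}
`;

// Participant and resource taken from the auction post's error message.
const BUYER = 'org.example.auction.Buyer#Buyer2';
const NETWORK = 'org.hyperledger.composer.system.Network#auction-network#0.0.1';

// A ping or connect is a READ of the Network resource.
function pingAllowed(aclText) {
  return evaluate(parseAcl(aclText), BUYER, 'READ', NETWORK);
}

console.log('original ACL:', pingAllowed(AUCTION_ACL));
console.log('with Rule1  :', pingAllowed(AUCTION_ACL + NETWORK_READ_ACL));
```

Run with `node`: the original rule set denies the ping with no matching rule, and adding Rule1 allows it while still denying UPDATE on the Network resource, which is the least-privilege shape the answers recommend (READ on the system namespace, not ALL). A rule set that passes this check but still fails at runtime points away from the rule text itself; as the answers above note, the edited .acl only takes effect once the network has been updated.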
I have a NServiceBus 3.0 publisher which runs under a domain service account. The publisher has no external dependencies and locally the only dependencies are the input queue and RavenDB.
I have granted the service account full control over the input queue.
When I add the service account to the local admin group, the service starts fine. If I remove the service account from local admins, I get an error in the system log on startup:
The BlahBlahBlah service failed to start due to the following error:
Access is denied.
If I look in the security log, the following 4 entries are written:
Entry 1:
A logon was attempted using explicit credentials.
Subject:
Security ID: SYSTEM
Account Name: MYSERVER$
Account Domain: MYDOMAIN
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: svc_AppPrototype
Account Domain: MYDOMAIN
Logon GUID: {a224c91b-adce-3a5b-ca32-32265f073d2b}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x1ec
Process Name: C:\Windows\System32\services.exe
Network Information:
Network Address: -
Port: -
Entry 2:
An account was successfully logged on.
Subject:
Security ID: SYSTEM
Account Name: MYSERVER$
Account Domain: MYDOMAIN
Logon ID: 0x3e7
Logon Type: 5
New Logon:
Security ID: MYDOMAIN\svc_AppPrototype
Account Name: svc_AppPrototype
Account Domain: MYDOMAIN
Logon ID: 0x9c6bfc2
Logon GUID: {a224c91b-adce-3a5b-ca32-32265f073d2b}
Process Information:
Process ID: 0x1ec
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name: MYSERVER
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
Entry 3:
Special privileges assigned to new logon.
Subject:
Security ID: MYDOMAIN\svc_AppPrototype
Account Name: svc_AppPrototype
Account Domain: MYDOMAIN
Logon ID: 0x9c6bfc2
Privileges: SeImpersonatePrivilege
Entry 4:
An account was logged off.
Subject:
Security ID: MYDOMAIN\svc_AppPrototype
Account Name: svc_AppPrototype
Account Domain: MYDOMAIN
Logon ID: 0x9c6bfc2
Logon Type: 5
All entries are recorded during the service startup.
My question is what explicit permissions do I need to set to start this service without having the service account in the local admins?
This is still unresolved so we had to grant local admins permissions to our service account. Luckily this was just on our integration environment and we didn't encounter this issue in production.