Hyperledger Fabric ACL in configtx.yaml - hyperledger-fabric

Please have a look into my issue. I am using Hyperledger Fabric 1.2. I am exploring ACL at the time of channel creation. I just copied the default Writers policy, renamed it PankajPolicy and put it into Channel.Application in configtx.yaml, see here.
Now the issue is that I just replaced peer/Propose: /Channel/Application/Writers with PankajPolicy, giving peer/Propose: /Channel/Application/PankajPoilicy. For the complete configtx.yaml please have a look here.
When I create the genesis block with this and try to create the channel, everything goes fine. But at the time of query I am getting this error:
Error: error endorsing query: rpc error: code = Unknown desc = failed evaluating policy on signed data during check policy [/Channel/Application/PankajPoilicy]: [policy /Channel/Application/PankajPoilicy not found] - proposal response: <nil>
Instead, if something is wrong, it should stop at the write operation, i.e. at the time of peer chaincode instantiate.
Thanks in advance!!!

You created your own policy. So according to the comment in the sample configtx.yaml:
# Policies defines the set of policies at this level of the config tree
# For Channel policies, their canonical path is
#   /Channel/<PolicyName>
Your custom-defined policy will be accessible at the path /Channel/<PolicyName>.
Please use this:
peer/Propose: /Channel/PankajPoilicy
instead of this:
peer/Propose: /Channel/Application/PankajPoilicy
I do not know why your write operations are working with the current configuration.
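A small checker for this class of error, added here and not part of the question or answer above: it lists every ACL entry whose referenced path does not resolve to a policy defined in the profile, and proposes near-matches among the defined paths. The canonical paths follow the comments in the sample configtx.yaml (/Channel/<Name>, /Channel/Application/<Name>, /Channel/Orderer/<Name>). The profile is a constructed Python dict in the shape of a merged configtx.yaml profile, with a copy of Writers named PankajPolicy under Application and one ACL that references a slightly different spelling, so no YAML library is needed to run it.

```python
"""Resolve the policy paths referenced by configtx.yaml ACLs.

Added example, not code from the thread or from Fabric. It follows the
canonical paths given in the comments of the sample configtx.yaml:
policies under Channel live at /Channel/<Name>, under Channel.Application at
/Channel/Application/<Name>, and under Channel.Orderer at
/Channel/Orderer/<Name>. The profile below is a constructed Python dict
standing in for the parsed YAML.
"""
import difflib


def implicit(rule):
    """Shorthand for an ImplicitMeta policy entry as written in configtx.yaml."""
    return {"Type": "ImplicitMeta", "Rule": rule}


# Constructed profile mirroring the shape of the sample configtx.yaml after the
# Channel/Application/Orderer defaults are merged in. It deliberately contains
# one ACL whose path matches no defined policy.
CONSTRUCTED_PROFILE = {
    "Policies": {                                      # /Channel/<Name>
        "Readers": implicit("ANY Readers"),
        "Writers": implicit("ANY Writers"),
        "Admins": implicit("MAJORITY Admins"),
    },
    "Application": {
        "Policies": {                                  # /Channel/Application/<Name>
            "Readers": implicit("ANY Readers"),
            "Writers": implicit("ANY Writers"),
            "Admins": implicit("MAJORITY Admins"),
            "PankajPolicy": implicit("ANY Writers"),   # copy of Writers under a new name
        },
        "ACLs": {
            "peer/Propose": "/Channel/Application/PankajPoilicy",   # does not resolve
            "peer/ChaincodeToChaincode": "/Channel/Application/Readers",
            "qscc/GetChainInfo": "/Channel/Application/Readers",
            "event/Block": "/Channel/Application/Readers",
        },
    },
    "Orderer": {
        "Policies": {                                  # /Channel/Orderer/<Name>
            "Readers": implicit("ANY Readers"),
            "Writers": implicit("ANY Writers"),
            "Admins": implicit("MAJORITY Admins"),
        },
    },
}


def defined_policy_paths(profile):
    """Canonical paths of every policy the profile defines."""
    paths = {f"/Channel/{name}" for name in profile.get("Policies", {})}
    for group in ("Application", "Orderer"):
        for name in profile.get(group, {}).get("Policies", {}):
            paths.add(f"/Channel/{group}/{name}")
    return paths


def unresolved_acls(profile):
    """ACL entries whose referenced path is not defined: {resource: path}.
    A peer evaluating such an ACL fails with 'policy ... not found' at the
    moment the resource is actually checked."""
    defined = defined_policy_paths(profile)
    acls = profile.get("Application", {}).get("ACLs", {})
    return {res: path for res, path in acls.items() if path not in defined}


def nearest_defined(path, profile):
    """Closest defined paths to an unresolved reference (catches spelling slips)."""
    candidates = sorted(defined_policy_paths(profile))
    return difflib.get_close_matches(path, candidates, n=3, cutoff=0.8)


if __name__ == "__main__":
    for resource, path in unresolved_acls(CONSTRUCTED_PROFILE).items():
        print(f"{resource}: {path} is not defined; "
              f"nearest defined: {nearest_defined(path, CONSTRUCTED_PROFILE)}")
```

Run it against a profile converted from your own configtx.yaml (for example with a YAML loader) before generating the genesis block; an unresolved path is reported immediately instead of surfacing as a runtime ACL failure.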

Related

Changing the default mod_policy in Hyperledger Fabric

I have seen that the default mod_policy is set to the Admins policy at that level of the configuration; however, if I want to set it to MyPolicy (which may be any custom valid policy), how can I do that?
Can I achieve it in configtx.yaml itself?
Yes, this can be done. You can check the article which shows how to create a new custom policy and how to update the ACL from configtx.yaml only.
I could achieve this successfully by following the steps below:
Start the fabric-samples/first-network.
Perform docker exec into the cli container.
Set the environment corresponding to peer0.org1.example.com and that organization's admin user, Admin@org1.example.com. Fetch the latest application channel (here mychannel) configuration block.
Edit the decoded JSON block by changing the mod_policy value under the policies section for Org1MSP under the Application group. Change it from Admins to Readers.
Submit the channel update transaction by encoding and signing the delta block into a protobuf envelope.
Now, our task is to verify whether this new mod_policy is working. For this, do the following:
Set the cli environment to peer0.org1.example.com and that organization's user User1@org1.example.com. Fetch the latest application channel (here mychannel) configuration block.
Edit the decoded JSON block by changing the Readers policy in Org1MSP from "OR('Org1MSP.admin', 'Org1MSP.peer', 'Org1MSP.client')" to "OR('Org1MSP.admin', 'Org1MSP.peer')", keeping the JSON syntax of policies in mind.
Submit the channel update transaction. The successful update denotes that the Readers policy (the new mod_policy for that section) was satisfied, as we submitted the channel update on behalf of User1@org1.example.com (a client user). Note that while updating the channel configuration at this moment, the Readers policy is still evaluated as "OR('Org1MSP.admin', 'Org1MSP.peer', 'Org1MSP.client')", because the update has not yet been processed.
Now, using the same cli environment, try to fetch the latest application channel configuration block. The following error appears:
2020-04-09 22:25:48.990 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
2020-04-09 22:25:49.001 UTC [cli.common] readBlock -> INFO 002 Got status: &{FORBIDDEN}
This is because now, to read the configuration block, User1@org1.example.com with the client OU cannot satisfy the new Readers policy, i.e. "OR('Org1MSP.admin', 'Org1MSP.peer')".

Adding a new consortium definition to existing running network

EYFN allows adding an organization Org3 to the existing channel "mychannel". I am trying to add Org1 and Org3 to a new channel by dynamically creating the channel in a running network. For this, I understand, there is a need to define a consortium with Org1 and Org3.
When following the document, it was mentioned: "In practice, consortium definition X2 has been added to the network configuration NC4. We discuss the exact mechanics of this operation elsewhere in the documentation." (https://hyperledger-fabric.readthedocs.io/en/release-1.4/network/network.html)
Is it possible to do this by updating the network configuration? Or is there any alternative?
Yes, it is possible. Instead of fetching the application channel, you must fetch the system channel block and add the new organization into the existing consortium, then add a new profile in configtx, generate a new transaction file and create your new channel.

Hyperledger Fabric channel queryInfo throws access denied error

I'm trying to query channel info with node sdk (https://fabric-sdk-node.github.io/release-1.4/Channel.html - channel.queryInfo()).
I have two networks set up (the network setup was not done by me, so I don't know what the differences are).
In one network, I'm able to query successfully.
In the other one, I'm getting this error:
Error: access denied for [GetChainInfo][ ]: [failed
evaluating policy on signed data during check policy
[/Channel/Application/Readers]: [Failed to reach implicit threshold of
1 sub-policies, required 1 remaining]]
But when I call with useAdmin=true, i.e. channel.queryInfo(undefined, true), it works. I'm wondering what could cause such an error in one network and not in the other. Is there any param that is passed while creating the channel to allow/disallow non-admins from querying?
The ACL of a channel has the default entry
    # ACL policy for qscc's "GetChainInfo" function
    qscc/GetChainInfo: /Channel/Application/Readers
And the Readers policy of each org is defined in configtx.yaml like
    Policies: &org1Policies
        Readers:
            Type: Signature
            Rule: "OR('org1.example.com.member')"
It looks like this is where your problem might be. Make sure Readers uses .member, not .admin, of the OrgMSP.

Error: 2 UNKNOWN: access denied: channel [composerchannel] creator org

Trying to add a new organisation from a separate host (modifying steps from ./eyfn.sh when necessary).
Managed to create and import the network admin card using Hyperledger Composer (https://medium.com/@mahoney_33893/hyperledger-composer-adding-another-organization-to-an-existing-running-multi-organization-fff5c8104a82).
However, when pinging the network I got:
Error: Error trying to ping. Error: 2 UNKNOWN: access denied: channel [composerchannel] creator org [Org3MSP]
Upon getting the logs from the peer I got:
-Principal deserialization failure (MSP Org3MSP is unknown) for identity
-[channel: composerchannel] Client authorization revoked for deliver request from 10.0.1.6:48262: Failed evaluating policy on signed data during check policy on channel [composerchannel] with policy [/Channel/Application/Readers]: [Failed to reach implicit threshold of 1 sub-policies, required 1 remaining]
My problem is actually similar to that of "Hyperledger-Composer: Getting "access denied" when pinging network admin card".
The solution did mention including the msp files of my new org in the volumes of the orderer, which I did as
docker cp msp <containername>:/etc/hyperledger/msp/peerOrganizations/org3.example.com
My first organisation was set up using the default ./startFabric.sh.
Take note that I'm not using TLS for the time being.
The error still persists though, and I'm wondering why. I do however suspect that the way I'm giving the msp to the orderer is somehow wrong, or I'm putting it in the wrong file.
Maybe you will need to migrate from Composer to another framework.
Hundreds of devs are using Convector. Convector is a Hyperledger Labs project that was created before Hyperledger Composer was deprecated but that looks similar to developers. It follows a model/controller pattern (similar to Composer assets and transactions); however, it compiles natively to Fabric code and does not create a runtime.
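The three threads above all end in the same place: a signature-based Readers policy evaluated against the identity that signed the request, wrapped in the channel-level ImplicitMeta policy "ANY Readers" (the "implicit threshold of 1 sub-policies" in the quoted errors). The following is an added example, not code from any of the answers and not Fabric's own policy engine. It models both policy kinds and replays the mod_policy answer (a client user narrows Org1MSP's Readers policy, then is locked out), the .member versus .admin point from the queryInfo answer, and the "MSP Org3MSP is unknown" case from the Composer question (an identity from an MSP that is not defined on the channel can never satisfy any principal). All MSP ids, roles and policy strings are constructed sample values; it assumes, as a simplification, that a single identity may satisfy several principals of one rule.

```python
"""Evaluate Fabric-style channel policies against the identity that signed a request.

Added example; not Fabric code. It models:
  * Signature policies over MSP principals, e.g. "OR('Org1MSP.admin', 'Org1MSP.peer')",
    with OR / AND / OutOf(n, ...) combinators, and
  * ImplicitMeta policies such as "ANY Readers", satisfied when the named
    sub-policy of ANY / a MAJORITY of / ALL organizations is satisfied.
MSP ids, roles and policy texts below are constructed sample values.
Simplification assumed here: one identity may satisfy several principals.
"""
import re


def principal_matches(principal, identity, known_msps):
    """principal like 'Org1MSP.client'; identity = {'msp': ..., 'role': ...}.
    'member' matches any role of that MSP; other roles must match exactly.
    An identity whose MSP is not defined on the channel never matches: the peer
    cannot deserialize it at all ("MSP Org3MSP is unknown")."""
    msp, role = principal.rsplit(".", 1)
    if identity["msp"] not in known_msps or identity["msp"] != msp:
        return False
    return role == "member" or identity["role"] == role


def parse_rule(rule):
    """Parse "OR(...)", "AND(...)", "OutOf(n, ...)" into ('outof', n, children)."""
    tokens = re.findall(r"OutOf|OR|AND|\d+|'[^']*'|[(),]", rule)
    return _parse(tokens)


def _parse(tokens):
    tok = tokens.pop(0)
    if tok.startswith("'"):
        return ("principal", tok.strip("'"))
    if tok.isdigit():
        return ("n", int(tok))
    tokens.pop(0)                      # '('
    args = []
    while tokens[0] != ")":
        if tokens[0] == ",":
            tokens.pop(0)
            continue
        args.append(_parse(tokens))
    tokens.pop(0)                      # ')'
    if tok == "OutOf":
        n = args.pop(0)[1]
    else:
        n = 1 if tok == "OR" else len(args)   # OR = OutOf(1), AND = OutOf(all)
    return ("outof", n, args)


def satisfied(node, identities, known_msps):
    """Signature-policy evaluation: count the children satisfied by the signers."""
    if node[0] == "principal":
        return any(principal_matches(node[1], i, known_msps) for i in identities)
    _, n, children = node
    return sum(satisfied(c, identities, known_msps) for c in children) >= n


def implicit_meta(rule, org_policies, identities, known_msps):
    """rule like "ANY Readers"; org_policies = {msp: {policy_name: rule_text}}."""
    word, sub = rule.split()
    hits = sum(satisfied(parse_rule(p[sub]), identities, known_msps)
               for p in org_policies.values())
    required = {"ANY": 1, "ALL": len(org_policies),
                "MAJORITY": len(org_policies) // 2 + 1}[word]
    return hits >= required


def mod_policy_satisfied(org_policies, msp, mod_policy, identities, known_msps):
    """A config item's mod_policy names a policy in its own group; it is checked
    against the configuration in force *before* the update is applied."""
    return satisfied(parse_rule(org_policies[msp][mod_policy]), identities, known_msps)


# --- constructed sample channel -------------------------------------------
KNOWN_MSPS = {"Org1MSP", "Org2MSP"}          # Org3MSP is deliberately absent
USER1 = {"msp": "Org1MSP", "role": "client"}
ORG3_ADMIN = {"msp": "Org3MSP", "role": "admin"}


def org_policies(org1_readers):
    """Per-organization policies; only Org1MSP's Readers rule varies."""
    return {
        "Org1MSP": {"Readers": org1_readers,
                    "Writers": "OR('Org1MSP.admin', 'Org1MSP.client')",
                    "Admins": "OR('Org1MSP.admin')"},
        "Org2MSP": {"Readers": "OR('Org2MSP.admin', 'Org2MSP.peer', 'Org2MSP.client')",
                    "Writers": "OR('Org2MSP.admin', 'Org2MSP.client')",
                    "Admins": "OR('Org2MSP.admin')"},
    }


BEFORE = org_policies("OR('Org1MSP.admin', 'Org1MSP.peer', 'Org1MSP.client')")
AFTER = org_policies("OR('Org1MSP.admin', 'Org1MSP.peer')")

if __name__ == "__main__":
    print("User1 reads before:", implicit_meta("ANY Readers", BEFORE, [USER1], KNOWN_MSPS))
    print("User1 may update Org1 Readers (mod_policy=Readers):",
          mod_policy_satisfied(BEFORE, "Org1MSP", "Readers", [USER1], KNOWN_MSPS))
    print("User1 reads after:", implicit_meta("ANY Readers", AFTER, [USER1], KNOWN_MSPS))
    print("Org3 admin reads:", implicit_meta("ANY Readers", BEFORE, [ORG3_ADMIN], KNOWN_MSPS))
    print(".member / .admin for a client:",
          satisfied(parse_rule("OR('Org1MSP.member')"), [USER1], KNOWN_MSPS),
          satisfied(parse_rule("OR('Org1MSP.admin')"), [USER1], KNOWN_MSPS))
```

The useful habit this encodes: before submitting a config update that tightens a policy, evaluate the proposed rule against the identities that will need it afterwards, since the update itself is authorized under the old rule and nothing in the update path warns you that the submitter is about to lose access.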

When does the Endorsement Policy take place? What are the relevant System Chain Codes?

I referenced this web page: http://hyperledger-fabric.readthedocs.io/en/latest/arch-deep-dive.html
And I want to ask you about this picture and the Endorsement Policy.
In section 2.3 of the website, the following statement appears, and it is related to ③ in the picture:
"The exact number of “enough” depend on the chaincode endorsement policy"
And in section 2.4 of this website, the following statement appears for a peer, related to ④ in the picture:
"It checks that the blob.endorsement is valid according to the policy of the chaincode (blob.tran-proposal.chaincodeID) to which it refers."
Question
What is the difference between ③ an endorsement policy and ④ a policy of the chaincode?
Is ESCC related to ③, and ④ related to VSCC?
Question
What is the difference between ③ an endorsement policy and ④ a policy of the chaincode?
At stage ③, the peer actually proceeds with endorsement, meaning literally signing the results of the chaincode invocation. At ④ this happens at commit time, where the peer checks whether the endorsement policy is satisfied.
NOTE: It's up to the client to collect the required number of endorsements.
Is ESCC related to ③, and ④ related to VSCC?
Yes, ESCC (Endorsement System Chaincode) is the system chaincode responsible for "endorsing" a transaction, whereas VSCC (Validation System Chaincode) is the system chaincode that checks whether the endorsement policy is satisfied.
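To make the ③/④ split concrete, here is an added example that is not Fabric code and not part of the answer above. It walks one transaction through a toy flow: endorsing peers simulate a chaincode and sign the result (the ESCC role at ③), the client assembles the endorsements it managed to collect, and every committing peer later verifies the signatures and counts the endorsing organizations against the chaincode's endorsement policy (the VSCC role at ④). Endorsement signatures are stand-ins built with HMAC over a per-peer secret (constructed), the ledger and peers are constructed, and the policy is an OutOf(n, msps) count, one form a chaincode endorsement policy can take. The scenarios cover the cases a validator has to reject: too few endorsements, an endorsement from an organization outside the policy, a payload altered after endorsement, and peers that disagreed on the read-write set.

```python
"""Stage ③ (endorsement, ESCC) versus stage ④ (validation, VSCC) in a
Fabric-style transaction flow. Added example; not Fabric code. The chaincode
is a toy transfer, endorsement signatures are stand-ins made with HMAC over a
per-peer secret (constructed), and the endorsement policy is an OutOf(n, msps)
count, one form a chaincode endorsement policy can take.
"""
import copy
import hmac
import json

# Constructed endorsing peers: name -> (MSP id, secret standing in for the peer's signing key)
PEERS = {
    "peer0.org1": ("Org1MSP", b"constructed-org1-key"),
    "peer0.org2": ("Org2MSP", b"constructed-org2-key"),
    "peer0.org3": ("Org3MSP", b"constructed-org3-key"),
}
# Chaincode endorsement policy: endorsements from at least 2 of these MSPs.
POLICY = {"n": 2, "msps": {"Org1MSP", "Org2MSP"}}


def _payload(proposal, rwset):
    """Canonical bytes that endorsers sign and that VSCC re-derives."""
    return json.dumps({"proposal": proposal, "rwset": rwset}, sort_keys=True).encode()


def simulate(proposal, ledger):
    """Toy chaincode run against the peer's current state; returns the read-write set."""
    src, dst, amt = proposal["from"], proposal["to"], proposal["amount"]
    return {"reads": {src: ledger[src], dst: ledger[dst]},
            "writes": {src: ledger[src] - amt, dst: ledger[dst] + amt}}


def escc_endorse(peer, proposal, ledger):
    """Stage ③: the endorsing peer simulates the chaincode and signs the result.
    ESCC signs; it does not decide whether the policy is met."""
    msp, key = PEERS[peer]
    rwset = simulate(proposal, ledger)
    sig = hmac.new(key, _payload(proposal, rwset), "sha256").hexdigest()
    return {"peer": peer, "msp": msp, "rwset": rwset, "sig": sig}


def client_assemble(proposal, ledgers, peers):
    """The client sends the proposal to the peers it chooses and keeps the
    endorsements whose read-write sets agree with the first one. Collecting
    'enough' of them for the policy is the client's job, not the peers'."""
    endorsements = [escc_endorse(p, proposal, ledgers[p]) for p in peers]
    rwset = endorsements[0]["rwset"]
    agreeing = [e for e in endorsements if e["rwset"] == rwset]
    return {"proposal": proposal, "rwset": rwset,
            "endorsements": [{"peer": e["peer"], "msp": e["msp"], "sig": e["sig"]}
                             for e in agreeing]}


def vscc_validate(tx):
    """Stage ④, at commit time on every peer: verify each endorsement signature
    over the transaction's payload, then check the set of endorsing MSPs
    against the chaincode's endorsement policy."""
    payload = _payload(tx["proposal"], tx["rwset"])
    endorsing_msps = set()
    for e in tx["endorsements"]:
        msp, key = PEERS[e["peer"]]      # Fabric: resolve the endorser's cert via its MSP
        expected = hmac.new(key, payload, "sha256").hexdigest()
        if msp == e["msp"] and hmac.compare_digest(expected, e["sig"]):
            endorsing_msps.add(msp)
    return len(endorsing_msps & POLICY["msps"]) >= POLICY["n"]


# --- constructed scenario -------------------------------------------------
LEDGER = {"alice": 100, "bob": 50}
PROPOSAL = {"from": "alice", "to": "bob", "amount": 10}
SAME_STATE = {p: dict(LEDGER) for p in PEERS}       # every peer sees the same state
DIVERGED = {**SAME_STATE, "peer0.org2": {"alice": 100, "bob": 60}}  # org2 lags/differs


def scenarios():
    """VSCC verdicts for five transactions the client might submit."""
    ok = client_assemble(PROPOSAL, SAME_STATE, ["peer0.org1", "peer0.org2"])
    too_few = client_assemble(PROPOSAL, SAME_STATE, ["peer0.org1"])
    wrong_org = client_assemble(PROPOSAL, SAME_STATE, ["peer0.org1", "peer0.org3"])
    tampered = copy.deepcopy(ok)
    tampered["rwset"]["writes"]["bob"] = 1_000_000    # altered after endorsement
    divergent = client_assemble(PROPOSAL, DIVERGED, ["peer0.org1", "peer0.org2"])
    return {"ok": vscc_validate(ok), "too_few": vscc_validate(too_few),
            "wrong_org": vscc_validate(wrong_org), "tampered": vscc_validate(tampered),
            "divergent": vscc_validate(divergent)}


if __name__ == "__main__":
    # prints {'ok': True, 'too_few': False, 'wrong_org': False, 'tampered': False, 'divergent': False}
    print(scenarios())
```

Note where the two checks live: escc_endorse never looks at POLICY, and vscc_validate never re-runs the chaincode. A transaction that reaches the orderer with too few endorsements is still ordered into a block; it is marked invalid only at ④, on every committing peer, which is why the client has to do the counting at ③.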
