According to the hyperledger-fabric node-sdk documentation, both functions
'queryChannels' and 'queryInstalledChaincodes' must be called by admin. I am
able to access 'queryChannels' (both from the Client class) but on accessing
queryInstalledChaincodes, an error occurs saying:
(status: 500, message: Authorization for GETINSTALLEDCHAINCODES on channel getinstalledchaincodes has been denied with error Failed verifying that proposal's creator satisfies local MSP principal during channelless check policy with policy [Admins]: [This identity is not an admin])
Can somebody propose a solution? Thanks in advance.
Well, this is a sample; you should find out which identity you are using for the client.
The problem is that your Fabric ACL policy (which is in the configtx.yaml) has set the chaincode area to Admin access.
Which means you should use the admin identity to call the queryInstalledChaincodes function.
For further info, please check this page:
https://hyperledger-fabric.readthedocs.io/en/release-1.4/access_control.html#what-is-an-access-control-list
Also this question has been asked 1 year, 6 months ago, so I bet you have worked it out on your own, congrats!
Related
I am trying to set up OKTA as an external identity provider in Azure B2C with custom policies. When I try to sign in, I receive the following error
AADB2C90289: We encountered an error connecting to the identity provider.
Please try again later.
Correlation ID: xxx
Timestamp: 2021-10-14 16:53:12Z
I have followed this tutorial - https://learn.microsoft.com/en-gb/azure/active-directory-b2c/tutorial-create-user-flows?pivots=b2c-custom-policy.
I also followed a number of articles on this but no concrete solution anywhere.
I created a new org for a Hyperledger Fabric network. When I run (cli peer0.org1)
peer channel update -f org3_update_in_envelope.pb -c mychannel -o orderer0.orderer.io:7050
I get the error message:
got unexpected status: BAD_REQUEST -- error authorizing update: error validating DeltaSet: policy for [Group] /Channel/Application not satisfied: Failed to reach implicit threshold of 2 sub-policies, required 1 remaining
Can anybody help me? Thank you!
BAD_REQUEST -- error authorizing update: error validating DeltaSet: policy for [Group] /Channel/Application not satisfied: Failed to reach implicit threshold of 2 sub-policies, required 1 remaining
which means:
For channel updates, Fabric by default requires a majority of Admins.
So you have to get the majority of admin signatures in order to update the channel.
Majority: suppose there are 4 organizations; you need 3 organization admin signatures.
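To read the numbers in that error, here is an added example (not from the original posts or the Fabric project) that parses the message and computes the ImplicitMeta threshold for a given number of organizations. The function and field names are illustrative, and it assumes one sub-policy per organization.

```python
import re

# Error text quoted from the question above (peer channel update output).
SAMPLE = (
    "got unexpected status: BAD_REQUEST -- error authorizing update: "
    "error validating DeltaSet: policy for [Group] /Channel/Application "
    "not satisfied: Failed to reach implicit threshold of 2 sub-policies, "
    "required 1 remaining"
)

_ERR = re.compile(
    r"policy for \[(?P<kind>\w+)\] (?P<path>/\S+) not satisfied: "
    r"Failed to reach implicit threshold of (?P<threshold>\d+) sub-policies, "
    r"required (?P<remaining>\d+) remaining"
)


def implicit_threshold(rule, org_count):
    """Number of per-org sub-policies an ImplicitMeta rule needs to pass."""
    if org_count < 1:
        raise ValueError("this example expects at least one organization")
    rule = rule.upper()
    if rule == "ANY":
        return 1
    if rule == "ALL":
        return org_count
    if rule == "MAJORITY":
        return org_count // 2 + 1  # strictly more than half
    raise ValueError("unknown ImplicitMeta rule: %r" % rule)


def diagnose(message):
    """Extract the failed policy path and how many more orgs must sign."""
    m = _ERR.search(message)
    if m is None:
        raise ValueError("not an implicit-threshold policy error")
    threshold = int(m.group("threshold"))
    remaining = int(m.group("remaining"))
    return {
        "element": m.group("kind"),
        "policy_path": m.group("path"),
        "threshold": threshold,
        "satisfied": threshold - remaining,
        "orgs_still_needed": remaining,
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE))
    for n in (2, 3, 4):
        print(n, "orgs -> MAJORITY needs", implicit_threshold("MAJORITY", n))
```

For the quoted error, one of the two required admin signatures is present, so one more organization's admin has to sign the same envelope (for example with peer channel signconfigtx) before the update is submitted.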
The problem here is that you are working with the wrong MSP directory and MSP ID. By default, in order to be able to update channel configuration, e.g. to send a config update transaction, you need to be admin of the orderer organization; therefore you need to correctly set up your CORE_PEER_MSPCONFIGPATH to point to the Admin user and not a regular one, and the MSP ID should be that of the orderer org, for instance:
export CORE_PEER_MSPCONFIGPATH=./crypto-config/ordererOrganizations/example.com/users/Admin@example.com/msp
export CORE_PEER_LOCALMSPID=OrdererMSP
Of course, you also need to point CORE_PEER_MSPCONFIGPATH based on your configtx.yaml configuration file, meaning it should point to the corresponding MSPDir.
I am trying to decrypt an encrypted string through C# code and an Azure Key Vault certificate key. The encryption part works fine, but while decrypting, an exception occurs saying: "Operation returned an invalid status code 'Forbidden'", "Operation decrypt is not permitted on this key."
I have allowed all the permissions while registering this to the Azure AD "App registrations" option from the AD blade. Is there any other place where I need to add any more permissions? Have followed this article to set up the Certificate and association with AD.
A line of the code I am using for decryption:
var decryptedData = kv.DecryptAsync(key.Key.Kid,JsonWebKeyEncryptionAlgorithm.RSAOAEP, encryptedTextNew).GetAwaiter().GetResult();
If anyone has done this, please write back in the comments; it will be of great help.
Maybe my situation is different, but I'm going to drop some detail here just in case someone runs into the same problem.
I created a certificate (note: a certificate, not a key) on Azure Key Vault UI and used it for encrypt/decrypt and got the Operation returned an invalid status code 'Forbidden' error.
I tried to create a new certificate but this time I checked all the Advanced Policy Configuration options (you should only check the options you need though) and the new one worked for me:
Operation returned an invalid status code 'Forbidden'
As I have tested, it seems that you did not configure the Access Policy in Key Vault for your application, to access keys or to process encryption/decryption.
Also, please check whether you have added the role assignment for the registered app to Azure Key Vault.
For more details, you could refer to this article, which I have tested and it works fine.
This error also occurs if you try to use this kind of certificate in a Logic app with AS2Decode.
The error you will get then is:
Integration account operation failed with status code: Forbidden and
error KeyVaultOperationFailed : Communication with key vault
'..........KeyVault' failed. Please authorize logic apps to perform
operations on key vault by granting access for the logic apps service
principal '7cd684f4-8a78-49b0-91ec-6a35d38739ba' for 'list', 'get',
'decrypt' and 'sign' operations.
Thank you for this solution!
I had the same issue. Make sure that during certificate upload or generation, you set the Data encipherment option in Advanced Policy Configuration. This can only be done during initial set-up. Changing it later does not work.
Trying to add a new organisation from a separate host. (Modifying steps from ./eyfn.sh when necessary.)
Managed to create and import a network admin card using Hyperledger Composer. (https://medium.com/@mahoney_33893/hyperledger-composer-adding-another-organization-to-an-existing-running-multi-organization-fff5c8104a82).
However when pinging the network I got:
Error: Error trying to ping. Error: 2 UNKNOWN: access denied: channel [composerchannel] creator org [Org3MSP]
Upon getting the logs from peer I got
-Principal deserialization failure (MSP Org3MSP is unknown) for identity
-[channel: composerchannel] Client authorization revoked for deliver request from 10.0.1.6:48262: Failed evaluating policy on signed data during check policy on channel [composerchannel] with policy [/Channel/Application/Readers]: [Failed to reach implicit threshold of 1 sub-policies, required 1 remaining]
My problem is actually similar to that of Hyperledger-Composer: Getting "access denied" when pinging network admin card.
The solution did mention to include msp files of my new org into volumes of the orderer which I did as
docker cp msp <containername>:/etc/hyperledger/msp/peerOrganizations/org3.example.com
My first organisation was set up using the default ./startFabric.sh
Take note that I'm not using TLS for the time being.
The error still persists though, and I'm wondering why. I do however suspect that the way I'm giving the msp to the orderer is somehow wrong, or I'm putting it in the wrong file.
Maybe you will need to migrate from Composer to other framework.
Hundreds of devs are using Convector. Convector is a Hyperledger Labs project that was created before Hyperledger Composer was deprecated but that looks similar to developers. It follows a model controller pattern (similar to Composer assets and transactions); however, it compiles natively to Fabric code and does not create a runtime.
I am able to invoke my chaincode from docker cli successfully (fabric-shim).
I ran enrollAdmin.js and registerUser.js successfully,
but when I try to run invoke.js or query.js, I get Error: 2 UNKNOWN: access denied: channel [mychannel] creator org [Org1MSP].
Though only limited information is shown above, the peer log gives the essential hint about the problem:
WARN 044 channel [mychannel]: MSP error: the supplied identity is not valid: x509: certificate signed by unknown authority (possibly because of "x509: ECDSA verification failure" while trying to verify candidate authority certificate "ca.org1.example.com"
Here are some suggestions that may help you solve this problem:
Change your peer's logging level to DEBUG in the docker-compose file; you will more easily find the solution by following the debug information.
Make sure your CA container is running and its logs do not throw errors, such as certificate verification errors, which are commonly caused by wrong configuration.
The logs show some information about x509 ECDSA, which is related to the signature and the peer's endorsement keycert. Also, these keycerts may be stored in /tmp/hfc-key-store or any other place that you defined in your code. Try to clean up these temporary files and restart the network again.
I noticed that you are using the fabric-sample repo; I think this problem may not be caused by code issues since you just modified a few parameters. So I recommend that you follow this tutorial to get the right steps.
I came across a similar issue.
I found out that the channel name in the network config and the channel I created were different. So I changed the channel name in the network config and it got fixed.