Use non-admin card with composer-rest-server in hyperledger fabric - hyperledger-fabric

I am not able to start a composer-rest-server without a network admin card.
When I tried a normal user card, it generates the following error:
Connection fails: Error: 2 UNKNOWN: error executing chaincode:
transaction returned with failure:
AccessException: Participant 'com.tuzz.agloan.Dccb#dccb1' does not have 'READ' access to resource 'org.hyperledger.composer.system.Network#aloan#0.0.2-deploy.17'

You can try adding a rule that gives the participant access to the network.
In the .acl file, add this rule, then update the network and start the REST server:
rule Rule1 {
    description: "Grant access to the network"
    participant: "com.tuzz.agloan.Dccb"
    operation: READ
    resource: "org.hyperledger.composer.system.Network"
    action: ALLOW
}
For more details, you can refer to the Granting network access control section in the ACL reference.

Related

Error: 2 UNKNOWN: access denied: channel [composerchannel] creator org

Trying to add a new organisation from a separate host (modifying steps from ./eyfn.sh when necessary).
Managed to create and import a network admin card using Hyperledger Composer (https://medium.com/@mahoney_33893/hyperledger-composer-adding-another-organization-to-an-existing-running-multi-organization-fff5c8104a82).
However when pinging the network I got:
Error: Error trying to ping. Error: 2 UNKNOWN: access denied: channel [composerchannel] creator org [Org3MSP]
Upon getting the logs from peer I got
-Principal deserialization failure (MSP Org3MSP is unknown) for identity
-[channel: composerchannel] Client authorization revoked for deliver request from 10.0.1.6:48262: Failed evaluating policy on signed data during check policy on channel [composerchannel] with policy [/Channel/Application/Readers]: [Failed to reach implicit threshold of 1 sub-policies, required 1 remaining]
My problem is actually similar to that of Hyperledger-Composer: Getting "access denied" when pinging network admin card.
The solution did mention to include msp files of my new org into volumes of the orderer which I did as
docker cp msp <containername>:/etc/hyperledger/msp/peerOrganizations/org3.example.com
My first organisation was set up using the default ./startFabric.sh
Take note that I'm not using TLS for the time being.
The error still persists though, and I'm wondering why. I do, however, suspect that the way I'm giving the MSP to the orderer is somehow wrong, or I'm putting it in the wrong file.

Maybe you will need to migrate from Composer to another framework.
Hundreds of devs are using Convector. Convector is a Hyperledger Labs project that was created before Hyperledger Composer was deprecated but that looks similar to developers. It follows a model controller pattern (similar to Composer assets and transactions); however, it compiles natively to Fabric code and does not create a runtime.

upgrading from hyperledger composer v0.16 to v0.20.2

I am upgrading my tutorial from composer v0.16 to composer v0.20.2. Most of the upgrade has gone smoothly; however, I'm running into an authentication problem that I can't get around. I'm going through a step-wise process to create and activate a user. In v0.16, I did the following:
ADD a new member to a registry
ISSUE identity for the new member
CREATE and IMPORT a card for the new member
PING the business network using the new member ID
The last step 'activated' the member, so that they could do productive work in the network. In v0.20, the first 3 steps still work flawlessly, however the PING step now returns the following error:
transaction returned with failure: AccessException:
Participant 'org.acme.Z2BTestNetwork.Buyer#rdd#xyz.com' does not have 'READ' access to resource
'org.hyperledger.composer.system.Network#zerotoblockchain-network#0.1.5'
I've simplified my permissions.acl file down to just the following 3 statements:
rule Z2BTestFullAccess {
    description: "Allow all participants access to all resources"
    participant: "org.acme.Z2BTestNetwork.Buyer"
    operation: READ
    resource: "org.hyperledger.composer.system.**"
    action: ALLOW
}
rule NetworkAdminUser {
    description: "Grant business network administrators full access to user resources"
    participant: "org.hyperledger.composer.system.NetworkAdmin"
    operation: ALL
    resource: "**"
    action: ALLOW
}
rule NetworkAdminSystem {
    description: "Grant business network administrators full access to system resources"
    participant: "org.hyperledger.composer.system.NetworkAdmin"
    operation: ALL
    resource: "org.hyperledger.composer.system.**"
    action: ALLOW
}
I can further simplify the first rule to be
rule Z2BTestFullAccess {
    description: "Allow all participants access to all resources"
    participant: "ANY"
    operation: ALL
    resource: "org.hyperledger.composer.system.**"
    action: ALLOW
}
But it still fails with the same error message.
composer card list for the new card returns:
userName: rdd-xyz.com
description:
businessNetworkName: zerotoblockchain-network
identityId: 6c6eab0d11d26ccfc4a8164dbe971814d2120802e84d1b3b98b16ceb2cb80334
roles: none
connectionProfile:
name: hlfv1
x-type: hlfv1
credentials: Credentials set
composer network ping for the new card returns the same error as the nodejs code.
How do I determine the root cause of this error and, more importantly, how do I resolve this? Happy to add code segments for each step if that will help.

Hyperledger Fabric - Lost my network card, how to export it again?

I have set up a dev Hyperledger Fabric blockchain successfully and added a user/participant to the network. Executing the operations again and the blockchain all worked fine using the card that was generated initially. But now I have lost this card; can I export/download it again? I tried using the identity "revoke" API, but it is failing with this error:
Error: Error trying invoke business network. Error: No valid responses from any peers.
Response from attempted peer comms was an error: Error: 2 UNKNOWN: error executing chaincode: transaction returned with failure: Error: attempt to get property state on an InvalidRelationship is not allowed. InvalidRelationship created due to Object with ID 'partcipant_1' in collection with ID 'Asset:org.hyperledger.composer.system.Identity' does not exist

I am not exactly sure what you mean when you say you "lost" the card.
The process goes like this:
You have an admin user with full rights to the network and an admin card to connect with.
Using this admin, you request a new identity; this gives you the required certificates, both public and private.
You create a network card for this new identity using the certificates. This results in a physical .card file on disk.
You import the physical file and you have a properly registered card and can now interact with the ledger, using this new identity.
If anything happens to the card itself, i.e. you deleted the registered card and got rid of the file as well, then you need to go through the process and recreate the card from scratch.
Your commands could look like this:
    composer identity request -c PeerAdmin@hlfv1 -u admin -s adminpw -d alice
This requests everything for a new user called alice, using the peer admin card which is created against the original network admin.
    composer card create -p your_connection.json -u alice -n your-network -c alice/admin-pub.pem -k alice/admin-priv.pem
This creates the card file.
    composer card import -f alice@your-network.card
This imports the card.
    composer network ping -c alice@your-network
Check everything works.
So, if you no longer have a registered card, you should still have the .card file, and if you have that you can simply import it again.
If you don't have the .card file either, you should still have the certificates for "alice" and should be able to create the .card file.
If you don't have the certs either, then request them again (I've never tried this particular scenario, so we need to see what happens in that case).

Not able to query fabric using newly created identity in hyperledger composer

I issued a new identity to an already existing participant through the composer rest server and got it activated. Now, in the wallet section, I selected the new card to use with the composer rest server. The ACL for the participant is:
rule SimpleRule {
    description: "Description of the ACL rule"
    participant: "org.example.auction.Buyer"
    operation: ALL
    resource: "org.example.auction.*"
    action: ALLOW
}
When I try to query the network I get this error:
"Error trying to query business network. Error: chaincode error (status: 500, message: Error: Participant 'org.example.auction.Buyer#Buyer2' does not have 'READ' access to resource 'org.hyperledger.composer.system.Network#auction-network#0.0.1')",

Give access to read the business network.
Add another rule to the .acl file:
rule Rule1 {
    description: "Description of the ACL rule"
    participant: "org.example.auction.Buyer"
    operation: READ
    resource: "org.hyperledger.composer.system.*"
    action: ALLOW
}
Update the network, restart the REST server and try again.

As Sneha has indicated, you need your ACLs updated to grant access to the business network, i.e. grant access to all operations and commands in the business network, including network access and business access.
See the trade-network example for an example of a permissions ACL file. https://github.com/hyperledger/composer-sample-networks/blob/master/packages/trade-network/permissions.acl
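
The answers above, like the first answer on this page, fix the same denial: the participant's rule covers business resources but nothing under org.hyperledger.composer.system. The following Node.js script is an added example, not Composer's own code or part of the original posts; it reads the AccessException text and reports which rule, if any, would grant the request. The function names are hypothetical and the matcher is a simplified model that handles simple rules only (no condition or transaction clauses).

```javascript
// Parse simple rules (no condition or transaction clauses) from permissions.acl text.
function parseAcl(text) {
  return [...text.matchAll(/rule\s+(\w+)\s*\{([^}]*)\}/g)].map(([, name, body]) => {
    const rule = { name };
    for (const line of body.split('\n')) {
      const kv = line.match(/^\s*(\w+)\s*:\s*"?([^"]*?)"?\s*$/);
      if (kv) rule[kv[1]] = kv[2];
    }
    return rule;
  });
}
// Match "type#id" against an ACL pattern: "**" = everything, "ns.**" = namespace
// and sub-namespaces, "ns.*" = that namespace only, otherwise exact type or type#id.
function matches(pattern, fqn) {
  const type = fqn.split('#')[0];
  if (pattern === '**') return true;
  if (pattern.endsWith('.**')) return type.startsWith(pattern.slice(0, -2));
  if (pattern.endsWith('.*')) return type.slice(0, type.lastIndexOf('.')) === pattern.slice(0, -2);
  return pattern.includes('#') ? pattern === fqn : pattern === type;
}
// Evaluate the request named in an AccessException message against the ACL text.
// First matching rule wins; if nothing matches, access is denied.
function explain(aclText, errorMsg) {
  const m = errorMsg.match(/Participant '([^']+)' does not have '(\w+)' access to resource\s+'([^']+)'/);
  if (!m) throw new Error('not a Composer AccessException message');
  const [, participant, operation, resource] = m;
  for (const r of parseAcl(aclText)) {
    const ops = r.operation.split(',').map((s) => s.trim());
    const opOk = ops.includes('ALL') || ops.includes(operation);
    const whoOk = r.participant === 'ANY' || matches(r.participant, participant);
    if (opOk && whoOk && matches(r.resource, resource)) return { action: r.action, rule: r.name };
  }
  return { action: 'DENY', rule: null };
}
// Constructed sample input, copied from the rules and error quoted on this page.
const DENIAL = "Participant 'org.example.auction.Buyer#Buyer2' does not have 'READ' access " +
  "to resource 'org.hyperledger.composer.system.Network#auction-network#0.0.1'";
const mkRule = (name, operation, resource) => `rule ${name} {
  description: "Description of the ACL rule"
  participant: "org.example.auction.Buyer"
  operation: ${operation}
  resource: "${resource}"
  action: ALLOW
}`;
const BEFORE = mkRule('SimpleRule', 'ALL', 'org.example.auction.*');
const AFTER = BEFORE + '\n' + mkRule('Rule1', 'READ', 'org.hyperledger.composer.system.*');
console.log(explain(BEFORE, DENIAL), explain(AFTER, DENIAL));
```

The result reflects the ACL file only; the deployed network has to be updated before a new rule takes effect.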

Hyperledger Composer Error Identity has not been registered once issued

I have been following this Tutorial and I am able to complete it. I issue a new identity, to an existing participant and I create a business card for this identity with the following command:
composer identity issue --card admin@tutorial-network -f usr001@tutorial-network.card -u usr001 -a "resource:org.acme.biznet.Trader#usr001" -x true
Then, I import that business card via POST /wallet/import and I am able to call different REST API operations. After that, I stop the composer-rest-server and after a few minutes I start the composer-rest-server again with the command composer-rest-server -c admin@tutorial-network -m true -a true
Then, I authenticate to the REST API using the configured authentication mechanism (in this case the passport-github strategy), and if I try to call an operation from the REST API it throws an "A business network card has not been specified" error message. Then I import the previous business card via POST /wallet/import, getting a "no content" response, which is supposed to be correct.
Finally, when I try to call another REST API operation I get the following error:
{
  "error": {
    "statusCode": 500,
    "name": "Error",
    "message": "Error trying to ping. Error: Error trying to query business network. Error: chaincode error (status: 500, message: Error: The current identity has not been registered: usr001)",
    "stack": "Error: Error trying to ping. Error: Error trying to query business network. Error: chaincode error (status: 500, message: Error: The current identity has not been registered: usr001)\n at _checkRuntimeVersions.then.catch (/home/username/.npm-global/lib/node_modules/composer-rest-server/node_modules/composer-connector-hlfv1/lib/hlfconnection.js:679:34)\n at <anonymous>"
  }
}
This is the main issue: I don't know why my identity is not being recognized by the REST API if I used it previously to call some operations.

The problem is one of persistence, as captured here -> https://hyperledger.github.io/composer/v0.16/integrating/enabling-multiuser.html and the link for persisting identities (i.e. instructions) is captured here -> https://hyperledger.github.io/composer/v0.16/integrating/deploying-the-rest-server.html
All user information is persisted in a LoopBack data source by using a LoopBack connector. By default, the REST server uses the LoopBack "memory" connector to persist user information, which is lost when the REST server is terminated. The REST server should be configured with a LoopBack connector that stores data in a highly available data source, for example a database.
