I am trying the Hyperledger fabric-samples/first-network sample. I am working with 3 nodes. I am testing with different endorsement policies while instantiating the chaincode. The instantiation is successful. However, when I invoke the chaincode, it is failing. Only the one OR condition is working.
Here is the list of options i tried with the output result.
-P "OR ('Org1MSP.member', 'Org2MSP.member','Org3MSP.member'))" -Response Success
-P "OR ('Org1MSP.member', AND('Org2MSP.member','Org3MSP.member'))" -Response Failed
-P "AND ('Org1MSP.member','Org2MSP.member','Org3MSP.member')"
-Response Status Failed
-P "OR ('Org1MSP.member','Org3MSP.member'))" -Response Failed
-P "AND ('Org1MSP.member','Org3MSP.member'))" -Response Failed
Please help me in solving the endorsement policy issue.
For endorsement policies that require signatures from N peers, you have to first collect the signatures from all those peers and then submit a TX.
The Hyperledger Fabric SDKs (at least node SDK) lets you do that. The peer CLI currently won't.
If you are using one of the Hyperledger Fabric SDKs, then we'll need details of the environment and logs to debug.
Hope this helps!
Related
I have set up a fabric network of three organizations. 1 endorser peer each. 1 orderer across all three. I packaged the contract code(node) and installed on all three. Instantiated it via CLI of one of the peer.
Points to consider:
My chaincode tries to create a key value or I should say update the
World State.On invoking the function that does so, I always end up
getting [ENDORSEMENT_POLICY_FAILURE].
I have specified AND policy. OR policy seems to work fine. But I
have a scenario where AND is the necessity.
I invoke the chaincode via CLI of one peer. All other peers start
showing activity but ends up saying [ENDORSEMENT_POLICY_FAILURE].
Exact Error : "VSCCValidateTx for transaction txId =
3c0f7b5c5f81b5c261d1a981720273cdc617424ea264b157898dd17ad2de07ce
returned error: VSCC error: endorsement policy failure, err:
signature set did not satisfy policy".
I have monitored the chaincode containers of all three orgs. Only
the the container of the chaincode corresponding to the calling peer
shows activity.
As I perceive from my reading of the book Hands-On Blockchain with
Hyperledger, all the peers execute the chaincode. But in my case,
nothing is happening on other two peers' chaincode container.
I would be grateful to obtain help on this issue.
My fabric network's consortium(in configtx.yaml) has two organizations: ORG1 and ORG2. ORG1 has 4 main peers and ORG2 has only 1 peer. ORG2 peer's only purpose is to have the copy of the ledger(for the auditing purpose).
They all joined the same channel and let's say ORG1's admin already installed/instantiated the chaincode version 0.1
Now, ORG2's admin will be also able to 'peer chaincode upgrade" to version 0.2 with the same chaincode name and when the proposal reaches one of the ORG1 peers, it will say something like :
endorsement failure during invoke. response: status:500 message:"cannot retrieve package for chaincode [chaincode name]/0.2, error open /var/hyperledger/production/chaincodes/[chaincode name]/0.2: no such file or directory"
How we completely prevent ORG2 from upgrading the chaincode version? so that only ORG1's admin can perform the administrative operations?
I have searched the ACL, but it seems the administrative operations are not controlled by ACL settings.
After the research, we figured out we can set this on the instantiate policy on chaincode package.
please see below fabric document:
https://hyperledger-fabric.readthedocs.io/en/release-1.4/commands/peerchaincode.html#peer-chaincode-package
with the flag -i, you can set the instantiate policy when packing the chaincode. Then only the Org(s) allowed on the policy will be able to instantiate or upgrade the chaincode on the channel
I referenced the web page : http://hyperledger-fabric.readthedocs.io/en/latest/arch-deep-dive.html
And I want to ask you about this picture and Endorsement Policy.
In section 2.3 of the website, the following statement appears. And that is related to ③ of the picture.
"The exact number of “enough” depend on the chaincode endorsement
policy"
And in section 2.4 of this web site, the following statement appears for a peer. that is related to ④ of the picture.
It checks that the blob.endorsement is valid according to the policy
of the chaincode (blob.tran-proposal.chaincodeID) to which it refers.
Question
What is the difference between an ③ endorsement policy and ④ a policy of
the chaincode?
Is ESCC related to ③, and ④ related to VSCC?
Question
What is the difference between an ③ endorsement policy and ④ a policy of the chaincode?
At stage 3, the peer actually proceed with endorsement, meaning literally signing the results of the chaincode invocation. While at 4 this is happens at commit time, where peer ensures whenever endorsement policy satisfied.
NOTE: It's up to the client to collect required number of endorsements.
Is ESCC related to ③, and ④ related to VSCC?
Yes, ESCC or Endorsement System ChainCode is the actually a system chaincode which responsible to "endorse" transaction, where VSCC or Validation System ChainCode is a system chaincode to check whenever endorsement policy satisfied.
I will ask you thought Endorsement Policy example below
peer chaincode instantiate -C <channelid> -n mycc -P "AND('Org1.member', 'Org2.member')"
My understanding(Promise)
Org1.member or Org2.member refer to Peer.
The example means that Org1.member and Org2.member should have to get the same result as instantiating mycc.
Question
If Org1.member and Org2.member have same chaincode, could their
result be different?
Are Org1.member and Org2.member refer to one peer of Organization?
(2-1. If so, does the peer be set on organization randomly?)
Can I use regular expressions like "AND('Org1.member > 10', 'Org2.member > 10')"
I hope you have referred to the fabric documentation on endorsement already. If not, then please find it here endorsement-policies
A principal is described in terms of the MSP that is tasked to validate the identity of the signer and of the role that the signer has within that MSP. Currently, two roles are supported: member and admin. Principals are described as MSP.ROLE, where MSP is the MSP ID that is required, and ROLE is either one of the two strings member and admin. Examples of valid principals are 'Org0.admin' (any administrator of the Org0 MSP) or 'Org1.member' (any member of the Org1 MSP).
AND (Org1.member, Org2.member) means that for successful endorsement, the transaction proposal response which is sent to Orderer ( from the client SDK) is expected to be signed by the member certificate of Peer of org1 and member certificate of the Peer of org2
It is possible to have different result if your chaincode is Non-Deterministic ( ie, say its getting current time etc and putState() ). So write sets can be different.
Org1.member & Org2.member are two different Peers. One peer belonging to Org1 and another peer belonging to Org2. [ You cannot have the Peer belonging to two organizations randomly ]
I am not sure. Please check the link of Fabric Documentation above.
I am a beginner on hyperledger fabric programming. I was wondering where exactly we define the signature policy (SignaturePolicy / ImplicitMetaPolicy) for the network? Is it in some configuration file?
I saw video in below link but I could not understand: "Signature Policy Sample"
Can anyone please guide me?
The signature, or endorsement policy is defined when instantiating a chaincode deployed to a given channel using the -P switch using the following syntax: EXPR(E[, E...]) where EXPR is a boolean expression (AND or OR) and E is either a principle or a nested boolean.
For instance, a policy of AND(Org1.member, Org2.member) would require that a member of Org1 and Org2 each sign a transaction for it to be validated. A policy of AND(Org1.member, OR(Org2.member, Org3.member)) would require a member of Org1 and a member of Org2 or Org3 sign a transaction for it to be validated.
Here's an example chaincode instantiate command:
peer chaincode instantiate -C <channelid> -n mycc -P "AND('Org1.member', 'Org2.member')"
The documentation can be found in the Endorsement Policy section of of the Hyperledger Fabric documentation.