How can a peer admin create a channel when it does not have permission to write to the orderer?


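In all of the fabric-samples, channel creation is done by the peer admin user. However, that user does not even have permission to write to the orderer. So how does it succeed? Taking the specific example of first-network: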

- CORE_PEER_LOCALMSPID=Org1MSP
- CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/[email protected]/msp

So channel creation is performed under org1's admin credentials. But when we look at configtx.yaml:

 - &OrdererOrg
        # DefaultOrg defines the organization which is used in the sampleconfig
        # of the fabric.git development environment
        Name: OrdererOrg

        # ID to load the MSP definition as
        ID: OrdererMSP

        # MSPDir is the filesystem path which contains the MSP configuration
        MSPDir: crypto-config/ordererOrganizations/example.com/msp

        # Policies defines the set of policies at this level of the config tree
        # For organization policies, their canonical path is usually
        #   /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('OrdererMSP.member')"
            Writers:
                Type: Signature
                Rule: "OR('OrdererMSP.member')"
            Admins:
                Type: Signature
                Rule: "OR('OrdererMSP.admin')"

To write to the orderer, an identity must be OrdererMSP.member, which org1's admin clearly is not. So how does it pass the policy check?

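When we try to develop an application using the pattern from fabric-samples, we get an error when trying to create a channel under the peer admin credentials: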

2019-03-12 17:05:09.337 UTC [orderer/common/msgprocessor] ProcessConfigUpdateMsg -> DEBU 0d9 Processing config update message for channel dscsa
2019-03-12 17:05:09.337 UTC [policies] Evaluate -> DEBU 0da == Evaluating *policies.implicitMetaPolicy Policy /Channel/Writers ==
2019-03-12 17:05:09.337 UTC [policies] Evaluate -> DEBU 0db This is an implicit meta policy, it will trigger other policy evaluations, whose failures may be benign
2019-03-12 17:05:09.337 UTC [policies] Evaluate -> DEBU 0dc == Evaluating *policies.implicitMetaPolicy Policy /Channel/Orderer/Writers ==
2019-03-12 17:05:09.337 UTC [policies] Evaluate -> DEBU 0dd This is an implicit meta policy, it will trigger other policy evaluations, whose failures may be benign
2019-03-12 17:05:09.337 UTC [policies] Evaluate -> DEBU 0de == Evaluating *cauthdsl.policy Policy /Channel/Orderer/ord/Writers ==
2019-03-12 17:05:09.337 UTC [msp] DeserializeIdentity -> DEBU 0df Obtaining identity
2019-03-12 17:05:09.337 UTC [msp/identity] newIdentity -> DEBU 0e0 Creating identity instance for cert -----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
2019-03-12 17:05:09.338 UTC [cauthdsl] func1 -> DEBU 0e1 0xc42000e1e8 gate 1552410309337999686 evaluation starts
2019-03-12 17:05:09.338 UTC [cauthdsl] func2 -> DEBU 0e2 0xc42000e1e8 signed by 0 principal evaluation starts (used [false])
2019-03-12 17:05:09.338 UTC [cauthdsl] func2 -> DEBU 0e3 0xc42000e1e8 processing identity 0 with bytes of ...
2019-03-12 17:05:09.338 UTC [cauthdsl] func2 -> DEBU 0e4 0xc42000e1e8 identity 0 does not satisfy principal: the identity is a member of a different MSP (expected ordMSP, got org1MSP)
2019-03-12 17:05:09.338 UTC [cauthdsl] func2 -> DEBU 0e5 0xc42000e1e8 principal evaluation fails
2019-03-12 17:05:09.338 UTC [cauthdsl] func1 -> DEBU 0e6 0xc42000e1e8 gate 1552410309337999686 evaluation fails
2019-03-12 17:05:09.338 UTC [policies] Evaluate -> DEBU 0e7 Signature set did not satisfy policy /Channel/Orderer/ord/Writers
2019-03-12 17:05:09.338 UTC [policies] Evaluate -> DEBU 0e8 == Done Evaluating *cauthdsl.policy Policy /Channel/Orderer/ord/Writers
2019-03-12 17:05:09.338 UTC [policies] func1 -> DEBU 0e9 Evaluation Failed: Only 0 policies were satisfied, but needed 1 of [ ord.Writers ]
2019-03-12 17:05:09.338 UTC [policies] Evaluate -> DEBU 0ea Signature set did not satisfy policy /Channel/Orderer/Writers
2019-03-12 17:05:09.338 UTC [policies] Evaluate -> DEBU 0eb == Done Evaluating *policies.implicitMetaPolicy Policy /Channel/Orderer/Writers
2019-03-12 17:05:09.338 UTC [policies] func1 -> DEBU 0ec Evaluation Failed: Only 0 policies were satisfied, but needed 1 of [ Orderer.Writers Consortiums.Writers ]
2019-03-12 17:05:09.338 UTC [policies] Evaluate -> DEBU 0ed Signature set did not satisfy policy /Channel/Writers
2019-03-12 17:05:09.338 UTC [policies] Evaluate -> DEBU 0ee == Done Evaluating *policies.implicitMetaPolicy Policy /Channel/Writers
2019-03-12 17:05:09.338 UTC [orderer/common/broadcast] Handle -> WARN 0ef [channel: dscsa] Rejecting broadcast of config message from 10.0.0.192:54232 because of error: Failed to reach implicit threshold of 1 sub-policies, required 1 remaining: permission denied


hyperledger-fabric
1 Answer
0
votes

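I hope you have found your answer by now, since this question is 11 months old. If not, here is my explanation. The orderer organization's policies are for reading and changing the orderer organization / orderer system channel, not for application channels. The Org1 admin can make changes as defined in the policies of the "Application" section of configtx.yaml, which are ImplicitMeta policies constructed from the signature policies of the participating orgs.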
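The orderer trace in the question nests three policy evaluations. The following Python sketch is an added example, not part of the original question or answer: it rebuilds that nesting from the log lines and reports the deepest failing policy. The function names are this example's own, and the regexes assume the debug message wording shown in the trace.

```python
import re

# Policy lines copied from the orderer trace in the question (timestamps removed).
SAMPLE_LOG = """\
[policies] Evaluate -> DEBU 0da == Evaluating *policies.implicitMetaPolicy Policy /Channel/Writers ==
[policies] Evaluate -> DEBU 0dc == Evaluating *policies.implicitMetaPolicy Policy /Channel/Orderer/Writers ==
[policies] Evaluate -> DEBU 0de == Evaluating *cauthdsl.policy Policy /Channel/Orderer/ord/Writers ==
[cauthdsl] func2 -> DEBU 0e4 0xc42000e1e8 identity 0 does not satisfy principal: the identity is a member of a different MSP (expected ordMSP, got org1MSP)
[policies] Evaluate -> DEBU 0e7 Signature set did not satisfy policy /Channel/Orderer/ord/Writers
[policies] Evaluate -> DEBU 0e8 == Done Evaluating *cauthdsl.policy Policy /Channel/Orderer/ord/Writers
[policies] func1 -> DEBU 0e9 Evaluation Failed: Only 0 policies were satisfied, but needed 1 of [ ord.Writers ]
[policies] Evaluate -> DEBU 0ea Signature set did not satisfy policy /Channel/Orderer/Writers
[policies] Evaluate -> DEBU 0eb == Done Evaluating *policies.implicitMetaPolicy Policy /Channel/Orderer/Writers
[policies] func1 -> DEBU 0ec Evaluation Failed: Only 0 policies were satisfied, but needed 1 of [ Orderer.Writers Consortiums.Writers ]
[policies] Evaluate -> DEBU 0ed Signature set did not satisfy policy /Channel/Writers
[policies] Evaluate -> DEBU 0ee == Done Evaluating *policies.implicitMetaPolicy Policy /Channel/Writers
"""

START = re.compile(r"== Evaluating \*(\S+) Policy (\S+) ==")
DONE = re.compile(r"== Done Evaluating ")
UNSAT = re.compile(r"Signature set did not satisfy policy (\S+)")
REASON = re.compile(r"does not satisfy principal: (.+)$")
NEED = re.compile(r"Only (\d+) policies were satisfied, but needed (\d+) of \[ (.+) \]")

def parse_policy_trace(log):
    """Return one dict per evaluated policy, outermost first, with nesting depth."""
    stack, nodes = [], []
    for line in log.splitlines():
        if m := START.search(line):
            nodes.append({"path": m[2], "kind": m[1], "depth": len(stack),
                          "satisfied": True, "why": None})
            stack.append(nodes[-1])
        elif not stack:
            continue  # line is outside any policy evaluation
        elif m := REASON.search(line):
            stack[-1]["why"] = m[1]  # signature-policy leaf: why the identity failed
        elif m := NEED.search(line):  # logged after the child closes, so it is the parent's
            stack[-1]["why"] = f"only {m[1]} of [{m[3]}] satisfied, needed {m[2]}"
        elif (m := UNSAT.search(line)) and stack[-1]["path"] == m[1]:
            stack[-1]["satisfied"] = False
        elif DONE.search(line):
            stack.pop()
    return nodes

def root_cause(log):
    """Deepest unsatisfied policy: the leaf whose failure propagated upward."""
    failed = [n for n in parse_policy_trace(log) if not n["satisfied"]]
    return max(failed, key=lambda n: n["depth"], default=None)
```

For the sample, `root_cause(SAMPLE_LOG)` points at `/Channel/Orderer/ord/Writers` with the MSP mismatch as the reason, and the two ImplicitMeta parents record which sub-policies they needed.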
