I am trying to understand how policies (`org`, `application` and `channel`) relate to `identities`, `MSP` and `NodeOUs` in the complete flow of Hyperledger Fabric. I am sharing my understanding; please correct me if I have got it wrong.
Currently, HF supports 4 `NodeOUs`, and identity classification is enabled in the `registerEnroll.sh` sample from `test-network`. It also supports 5 identity roles: `orderer`, `peer`, `admin`, `client` and `member`.

`configtx/configtx.yaml` defines the system channel policies, organization policies, application channel policies, consortiums and their capabilities.
```yaml
##### Org Policy #####
Name: Org1MSP
# ID to load the MSP definition as
ID: Org1MSP
MSPDir: ../organizations/peerOrganizations/org1.example.com/msp
# Policies defines the set of policies at this level of the config tree
# For organization policies, their canonical path is usually
#   /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
Policies:
  Readers:
    Type: Signature
    Rule: "OR('Org1MSP.admin', 'Org1MSP.peer', 'Org1MSP.client', 'Org1MSP.member')"
  Writers:
    Type: Signature
    Rule: "OR('Org1MSP.admin', 'Org1MSP.client', 'Org1MSP.member')"
  Admins:
    Type: Signature
    Rule: "OR('Org1MSP.admin')"
  Endorsement:
    Type: Signature
    Rule: "OR('Org1MSP.peer')"

##### Application Policy #####
Policies:
  Readers:
    Type: ImplicitMeta
    Rule: "ANY Readers"
  Writers:
    Type: ImplicitMeta
    Rule: "ANY Writers"
  Admins:
    Type: ImplicitMeta
    Rule: "MAJORITY Admins"
  LifecycleEndorsement:
    Type: ImplicitMeta
    Rule: "MAJORITY Endorsement"
  Endorsement:
    Type: ImplicitMeta
    Rule: "MAJORITY Endorsement"

##### Channel Policy #####
Policies:
  # Who may invoke the 'Deliver' API
  Readers:
    Type: ImplicitMeta
    Rule: "ANY Readers"
  # Who may invoke the 'Broadcast' API
  Writers:
    Type: ImplicitMeta
    Rule: "ANY Writers"
  # By default, who may modify elements at this config level
  Admins:
    Type: ImplicitMeta
    Rule: "MAJORITY Admins"
```
My use case is to create an identity with role `member` using the `signingIdentity` of `admin`, and that `member` should be able to evaluate transactions or submit transactions to the chaincode. I tried to achieve this as follows:

1. Added `'Org1MSP.member'` to the organization's `Readers` and `Writers` policies in `configtx.yaml`.
2. Ran `enrollAdmin.js` and created a new wallet.
3. In `registerUser.js`, changed the `role` from `client` to `member` in the `ca.register` function call, so that a `member` identity is created instead of a `client` identity.
4. When running `query.js`, it throws the following error:

2020-05-22T09:28:40.219Z - error: [DiscoveryService]: send[mychannel] - Channel:mychannel received discovery error:access denied
Failed to evaluate transaction: Error: DiscoveryService: mychannel error: access denied
Additional debug logs from the peer while it validates the identity:
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [policies] SignatureSetToValidIdentities -> DEBU 4de3 signature for identity 0 validated
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [cauthdsl] func1 -> DEBU 4de4 0xc0034b0b50 gate 1590139720217279088 evaluation starts
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [cauthdsl] func2 -> DEBU 4de5 0xc0034b0b50 signed by 0 principal evaluation starts (used [false])
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [cauthdsl] func2 -> DEBU 4de6 0xc0034b0b50 processing identity 0 - &{Org1MSP 1635f57eaf46859c66528c1528475f51feac49aa83b3393c0bdc35e50e046f39}
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [cauthdsl] func2 -> DEBU 4de7 0xc0034b0b50 identity 0 does not satisfy principal: The identity is not valid under this MSP [Org1MSP]: could not validate identity's OUs: the identity must be a client, a peer, an orderer or an admin identity to be valid, not a combination of them. OUs: [member(BB4774A65B308471) org1(BB4774A65B308471) department1(BB4774A65B308471)], MSP: [Org1MSP]
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [cauthdsl] func2 -> DEBU 4de8 0xc0034b0b50 principal evaluation fails
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [cauthdsl] func2 -> DEBU 4de9 0xc0034b0b50 signed by 1 principal evaluation starts (used [false])
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [cauthdsl] func2 -> DEBU 4dea 0xc0034b0b50 processing identity 0 - &{Org1MSP 1635f57eaf46859c66528c1528475f51feac49aa83b3393c0bdc35e50e046f39}
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [cauthdsl] func2 -> DEBU 4deb 0xc0034b0b50 identity 0 does not satisfy principal: The identity is not valid under this MSP [Org1MSP]: could not validate identity's OUs: the identity must be a client, a peer, an orderer or an admin identity to be valid, not a combination of them. OUs: [member(BB4774A65B308471) org1(BB4774A65B308471) department1(BB4774A65B308471)], MSP: [Org1MSP]
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [cauthdsl] func2 -> DEBU 4dec 0xc0034b0b50 principal evaluation fails
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [cauthdsl] func2 -> DEBU 4ded 0xc0034b0b50 signed by 2 principal evaluation starts (used [false])
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [cauthdsl] func2 -> DEBU 4dee 0xc0034b0b50 processing identity 0 - &{Org1MSP 1635f57eaf46859c66528c1528475f51feac49aa83b3393c0bdc35e50e046f39}
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [cauthdsl] func2 -> DEBU 4def 0xc0034b0b50 identity 0 does not satisfy principal: could not validate identity's OUs: the identity must be a client, a peer, an orderer or an admin identity to be valid, not a combination of them. OUs: [member(BB4774A65B308471) org1(BB4774A65B308471) department1(BB4774A65B308471)], MSP: [Org1MSP]
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [cauthdsl] func2 -> DEBU 4df0 0xc0034b0b50 principal evaluation fails
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [cauthdsl] func1 -> DEBU 4df1 0xc0034b0b50 gate 1590139720217279088 evaluation fails
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [policies] EvaluateSignedData -> DEBU 4df2 Signature set did not satisfy policy /Channel/Application/Org1MSP/Writers
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [policies] EvaluateSignedData -> DEBU 4df3 == Done Evaluating *cauthdsl.policy Policy /Channel/Application/Org1MSP/Writers
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [discovery] processQuery -> WARN 4e0b got query for channel mychannel from 192.168.96.1:40612 but it isn't eligible: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Writers' sub-policies to be satisfied
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [discovery] processQuery -> WARN 4e0c got query for channel mychannel from 192.168.96.1:40612 but it isn't eligible: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Writers' sub-policies to be satisfied
Am I missing some configuration that should enable a `member` identity to evaluate transactions, or is it simply not possible for a `member` identity to submit transactions? A `client` identity works fine.

Any clarification of my understanding is appreciated.
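The peer log above shows two checks failing in sequence: NodeOU classification of the identity, and only then the `Writers` signature rule. The Go below is an added example written for this post, not Fabric's own code; it mirrors both checks with a constructed classifier list (the four OUs from an MSP `config.yaml`) and constructed identities, and leaves out the admin-certificate list and OU identifier certificates that the real MSP also consults.

```go
package main

import "errors"

// Classifier OUs as listed under NodeOUs in an MSP config.yaml
// (constructed sample; "member" is deliberately not among them).
var nodeOUs = []string{"client", "peer", "admin", "orderer"}

// Identity is a cut-down X.509 MSP identity: MSP ID plus the OU values of its cert.
type Identity struct {
	MSPID string
	OUs   []string
}

// Classify applies the rule quoted in the peer log: exactly one classifier OU
// must match, otherwise the identity is invalid under the MSP.
func Classify(id Identity) (string, error) {
	role, matches := "", 0
	for _, ou := range id.OUs {
		for _, c := range nodeOUs {
			if ou == c {
				role, matches = c, matches+1
			}
		}
	}
	if matches != 1 {
		return "", errors.New("identity must be a client, a peer, an orderer or an admin, not a combination")
	}
	return role, nil
}

// Satisfies evaluates an OR(...) Signature rule given as "MSPID.role" principals.
// "member" matches any identity of the MSP, but only once Classify has accepted it,
// which is why adding 'Org1MSP.member' to Writers does not help an OU=member cert.
func Satisfies(id Identity, principals []string) (bool, error) {
	role, err := Classify(id)
	if err != nil {
		return false, err
	}
	for _, p := range principals {
		if p == id.MSPID+".member" || p == id.MSPID+"."+role {
			return true, nil
		}
	}
	return false, nil
}
```

Calling `Satisfies` with OUs `[member org1 department1]` against the `Writers` rule returns the classification error before any principal is compared, while `[client org1 department1]` classifies as `client` and satisfies the rule.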
In the `config.yaml` file under your organization's msp folder, only `client`, `peer`, `admin` and `orderer` are listed as `OrganizationalUnitIdentifier`. If you want `member`