从同行加入频道时出错:此身份不是管理员
Error joining channel from peer: This identity is not an admin
我知道问题 "This identity is not an admin" 被广泛报道,但这是一个特定案例。我在这里和 Jira 阅读了很多问题,我发现没有接近我的问题。
我想做的是在我没有使用 cryptogen 的完全自定义 Hyperledger 1.4 网络中加入来自对等方的频道。我遇到的问题正是这个问题:
2019-09-25 14:02:43.340 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
Error: proposal failed (err: bad proposal response 500: access denied for [JoinChain][global]: [Failed verifying that proposal's creator satisfies local MSP principal during channelless check policy with policy [Admins]: [This identity is not an admin]])
我知道我必须使用管理员身份来提出频道连接建议,这是我通过注册为组织管理员来完成的。一旦完成,我就加入同行(下面的代码)。当然,CORE_PEER_变量设置正确,ADMIN_NAME和ADMIN_PASSWORD存在。
# Get admin identity
ORG_ADMIN_HOME=/data/orgs/${ORG}/admin
ORG_ADMIN_CERT=/data/orgs/${ORG}/msp/admincerts/cert.pem
if [[ ! -d ${ORG_ADMIN_HOME} ]]; then
echo "[INFO] Enrolling admin '${ADMIN_NAME}' with ${CA_NAME} ..."
export FABRIC_CA_CLIENT_HOME=${ORG_ADMIN_HOME}
fabric-ca-client enroll -d -u https://${ADMIN_NAME}:${ADMIN_PASSWORD}@${CA_URL}
mkdir -p $(dirname "${ORG_ADMIN_CERT}")
cp ${ORG_ADMIN_HOME}/msp/signcerts/* ${ORG_ADMIN_CERT}
mkdir ${ORG_ADMIN_HOME}/msp/admincerts
cp ${ORG_ADMIN_HOME}/msp/signcerts/* ${ORG_ADMIN_HOME}/msp/admincerts
fi
export CORE_PEER_MSPCONFIGPATH=${ORG_ADMIN_HOME}/msp
# Join channel
peer channel join -b ${GENESIS_FILE}
我通过在此之前使用另一个执行以下操作的脚本注册获得了管理员身份:
# Enroll CA Admin
export FABRIC_CA_CLIENT_HOME=$HOME/cas/${CA_NAME}
fabric-ca-client enroll -d -u ${ENROLLMENT_URL}
# Register ORG Admin
fabric-ca-client register -d --id.name ${ADMIN_NAME} --id.secret ${ADMIN_PASSWORD} --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert"
我的问题是,如果我注册了 Org Admin 并且我能够注册,为什么我会收到 This identity is not an admin 错误?有什么意义吗?
谢谢
编辑:我现在正在做的事情(它是缩减的,不是直接复制代码,所以有一些变化主要与路径和文件夹有关)。
我 运行 一个名为 register-org 的容器,它执行以下操作:
# Enroll as CA Admin
fabric-ca-client enroll -d -u ${ENROLLMENT_URL}
# Get CA Certs
fabric-ca-client getcacert -d -u https://${CA_URL} -M ${ORG_MSP_DIR}
# Register Org Admin
fabric-ca-client register -d --id.name ${ADMIN_NAME} --id.secret ${ADMIN_PASSWORD} --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert"
# Enroll as Org Admin
fabric-ca-client enroll -d -u https://${ADMIN_NAME}:${ADMIN_PASSWORD}@${CA_URL}
# I download then ${ORG_ADMIN_HOME}/msp/admincerts/cert.pem and save it
下一个容器是对等点本身,我在这里做:
# I upload the CERT.PEM file to ${CORE_PEER_MSPCONFIGPATH}/admincerts/cert.pem
# Generate Server TLS Key and Certs
fabric-ca-client enroll -d --enrollment.profile tls -u ${ENROLLMENT_URL} -M /tmp/tls --csr.hosts ${PEER_HOST}
# Generate Client TLS Key and Certificate
fabric-ca-client enroll -d --enrollment.profile tls -u ${ENROLLMENT_URL} -M /tmp/tls --csr.hosts ${PEER_HOST}
# Enroll peer
fabric-ca-client enroll -d -u ${ENROLLMENT_URL} -M ${CORE_PEER_MSPCONFIGPATH}
# Start peer
peer node start
最后,我 运行 join-peer-channel 容器,我在那里做:
# I upload the CERT.PEM file to ${CORE_PEER_MSPCONFIGPATH}/admincerts/cert.pem
# Enroll as Org Admin
fabric-ca-client enroll -d -u https://${ADMIN_NAME}:${ADMIN_PASS}@${CA_URL}
# Join the channel
peer channel join -b ${GENESIS_FILE}
# AND IT FAILS AGAIN.
您确定管理员的证书真的在对等方的 admin 文件夹中吗?
cp ${ORG_ADMIN_HOME}/msp/signcerts/* ${ORG_ADMIN_HOME}/msp/admincerts
您是在同行 container/VM 内部这样做吗?
我知道问题 "This identity is not an admin" 被广泛报道,但这是一个特定案例。我在这里和 Jira 阅读了很多问题,我发现没有接近我的问题。
我想做的是在我没有使用 cryptogen 的完全自定义 Hyperledger 1.4 网络中加入来自对等方的频道。我遇到的问题正是这个问题:
2019-09-25 14:02:43.340 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
Error: proposal failed (err: bad proposal response 500: access denied for [JoinChain][global]: [Failed verifying that proposal's creator satisfies local MSP principal during channelless check policy with policy [Admins]: [This identity is not an admin]])
我知道我必须使用管理员身份来提出频道连接建议,这是我通过注册为组织管理员来完成的。一旦完成,我就加入同行(下面的代码)。当然,CORE_PEER_变量设置正确,ADMIN_NAME和ADMIN_PASSWORD存在。
# Get admin identity
ORG_ADMIN_HOME=/data/orgs/${ORG}/admin
ORG_ADMIN_CERT=/data/orgs/${ORG}/msp/admincerts/cert.pem
if [[ ! -d ${ORG_ADMIN_HOME} ]]; then
echo "[INFO] Enrolling admin '${ADMIN_NAME}' with ${CA_NAME} ..."
export FABRIC_CA_CLIENT_HOME=${ORG_ADMIN_HOME}
fabric-ca-client enroll -d -u https://${ADMIN_NAME}:${ADMIN_PASSWORD}@${CA_URL}
mkdir -p $(dirname "${ORG_ADMIN_CERT}")
cp ${ORG_ADMIN_HOME}/msp/signcerts/* ${ORG_ADMIN_CERT}
mkdir ${ORG_ADMIN_HOME}/msp/admincerts
cp ${ORG_ADMIN_HOME}/msp/signcerts/* ${ORG_ADMIN_HOME}/msp/admincerts
fi
export CORE_PEER_MSPCONFIGPATH=${ORG_ADMIN_HOME}/msp
# Join channel
peer channel join -b ${GENESIS_FILE}
我通过在此之前使用另一个执行以下操作的脚本注册获得了管理员身份:
# Enroll CA Admin
export FABRIC_CA_CLIENT_HOME=$HOME/cas/${CA_NAME}
fabric-ca-client enroll -d -u ${ENROLLMENT_URL}
# Register ORG Admin
fabric-ca-client register -d --id.name ${ADMIN_NAME} --id.secret ${ADMIN_PASSWORD} --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert"
我的问题是,如果我注册了 Org Admin 并且我能够注册,为什么我会收到 This identity is not an admin 错误?有什么意义吗?
谢谢
编辑:我现在正在做的事情(它是缩减的,不是直接复制代码,所以有一些变化主要与路径和文件夹有关)。
我 运行 一个名为 register-org 的容器,它执行以下操作:
# Enroll as CA Admin
fabric-ca-client enroll -d -u ${ENROLLMENT_URL}
# Get CA Certs
fabric-ca-client getcacert -d -u https://${CA_URL} -M ${ORG_MSP_DIR}
# Register Org Admin
fabric-ca-client register -d --id.name ${ADMIN_NAME} --id.secret ${ADMIN_PASSWORD} --id.attrs "hf.Registrar.Roles=client,hf.Registrar.Attributes=*,hf.Revoker=true,hf.GenCRL=true,admin=true:ecert,abac.init=true:ecert"
# Enroll as Org Admin
fabric-ca-client enroll -d -u https://${ADMIN_NAME}:${ADMIN_PASSWORD}@${CA_URL}
# I download then ${ORG_ADMIN_HOME}/msp/admincerts/cert.pem and save it
下一个容器是对等点本身,我在这里做:
# I upload the CERT.PEM file to ${CORE_PEER_MSPCONFIGPATH}/admincerts/cert.pem
# Generate Server TLS Key and Certs
fabric-ca-client enroll -d --enrollment.profile tls -u ${ENROLLMENT_URL} -M /tmp/tls --csr.hosts ${PEER_HOST}
# Generate Client TLS Key and Certificate
fabric-ca-client enroll -d --enrollment.profile tls -u ${ENROLLMENT_URL} -M /tmp/tls --csr.hosts ${PEER_HOST}
# Enroll peer
fabric-ca-client enroll -d -u ${ENROLLMENT_URL} -M ${CORE_PEER_MSPCONFIGPATH}
# Start peer
peer node start
最后,我 运行 join-peer-channel 容器,我在那里做:
# I upload the CERT.PEM file to ${CORE_PEER_MSPCONFIGPATH}/admincerts/cert.pem
# Enroll as Org Admin
fabric-ca-client enroll -d -u https://${ADMIN_NAME}:${ADMIN_PASS}@${CA_URL}
# Join the channel
peer channel join -b ${GENESIS_FILE}
# AND IT FAILS AGAIN.
您确定管理员的证书真的在对等方的 admin 文件夹中吗?
cp ${ORG_ADMIN_HOME}/msp/signcerts/* ${ORG_ADMIN_HOME}/msp/admincerts
您是在同行 container/VM 内部这样做吗?