Got "this policy requires 1 of the 'Writers' sub-policies to be satisfied: permission denied" error when creating a channel

When I try to create a channel, I get the following error:

implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Writers' sub-policies to be satisfied: permission denied

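As the error message says, it seems I used the wrong identity to sign the transaction that creates the channel. However, I did not find any mistake in the channel configuration or in the identity registration and enrollment.

My organization's channel configuration is: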

Organizations:
  - &BPLOrg
    Name: BPLMSP
    ID: BPLMSP
    MSPDir: artifacts/crypto/org-msp

    Policies:
      Readers:
        Type: Signature
        Rule: "OR('BPLMSP.admin', 'BPLMSP.peer', 'BPLMSP.client')"
      Writers:
        Type: Signature
        Rule: "OR('BPLMSP.admin', 'BPLMSP.client')"
      Admins:
        Type: Signature
        Rule: "OR('BPLMSP.admin')"

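So, according to the configuration, an admin-type identity can sign the transaction to create a channel.

My admin-type identity has been registered and enrolled as follows: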

fabric-ca-client register -d --id.name $ADMIN_ID --id.secret $ADMIN_PW --id.type admin -u https://$CA_ADMIN_ID:$CA_ADMIN_PW@$CA_NODE:7054
fabric-ca-client enroll -d --csr.names $CSR -u https://$ADMIN_ID:$ADMIN_PW@$CA_NODE:7054

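The registration and enrollment with the parameter --id.type admin went fine, and to sign the transaction that creates the channel I used the key obtained from that enrollment.

Where should I start investigating this error? Any idea would be very helpful. Thanks!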

[Edit] I added the orderer's logs.

2019-12-28 05:56:55.689 UTC [localconfig] completeInitialization -> INFO 001 Kafka.Version unset, setting to 0.10.2.0
2019-12-28 05:56:55.718 UTC [orderer.common.server] prettyPrintStruct -> INFO 002 Orderer config values:
    General.LedgerType = "file"
    General.ListenAddress = "0.0.0.0"
    General.ListenPort = 7050
    General.TLS.Enabled = true
    General.TLS.PrivateKey = "/artifacts/tls/keystore/key.pem"
    General.TLS.Certificate = "/artifacts/tls/signcerts/cert.pem"
    General.TLS.RootCAs = [/artifacts/tls/tlscacerts/ca-cert.pem]
    General.TLS.ClientAuthRequired = false
    General.TLS.ClientRootCAs = []
    General.Cluster.ListenAddress = ""
    General.Cluster.ListenPort = 0
    General.Cluster.ServerCertificate = ""
    General.Cluster.ServerPrivateKey = ""
    General.Cluster.ClientCertificate = "/artifacts/tls/signcerts/cert.pem"
    General.Cluster.ClientPrivateKey = "/artifacts/tls/keystore/key.pem"
    General.Cluster.RootCAs = [/artifacts/tls/tlscacerts/ca-cert.pem]
    General.Cluster.DialTimeout = 5s
    General.Cluster.RPCTimeout = 7s
    General.Cluster.ReplicationBufferSize = 20971520
    General.Cluster.ReplicationPullTimeout = 5s
    General.Cluster.ReplicationRetryTimeout = 5s
    General.Cluster.ReplicationBackgroundRefreshInterval = 5m0s
    General.Cluster.ReplicationMaxRetries = 12
    General.Cluster.SendBufferSize = 10
    General.Cluster.CertExpirationWarningThreshold = 168h0m0s
    General.Cluster.TLSHandshakeTimeShift = 0s
    General.Keepalive.ServerMinInterval = 1m0s
    General.Keepalive.ServerInterval = 2h0m0s
    General.Keepalive.ServerTimeout = 20s
    General.ConnectionTimeout = 0s
    General.GenesisMethod = "file"
    General.GenesisProfile = "SampleInsecureSolo"
    General.SystemChannel = "test-system-channel-name"
    General.GenesisFile = "/artifacts/genesis.block"
    General.Profile.Enabled = false
    General.Profile.Address = "0.0.0.0:6060"
    General.LocalMSPDir = "/artifacts/msp"
    General.LocalMSPID = "BPLMSP"
    General.BCCSP.ProviderName = "SW"
    General.BCCSP.SwOpts.SecLevel = 256
    General.BCCSP.SwOpts.HashFamily = "SHA2"
    General.BCCSP.SwOpts.Ephemeral = false
    General.BCCSP.SwOpts.FileKeystore.KeyStorePath = "/artifacts/msp/keystore"
    General.BCCSP.SwOpts.DummyKeystore =
    General.BCCSP.SwOpts.InmemKeystore =
    General.BCCSP.PluginOpts =
    General.Authentication.TimeWindow = 15m0s
    General.Authentication.NoExpirationChecks = false
    FileLedger.Location = "/var/hyperledger/production/orderer"
    FileLedger.Prefix = "hyperledger-fabric-ordererledger"
    RAMLedger.HistorySize = 1000
    Kafka.Retry.ShortInterval = 5s
    Kafka.Retry.ShortTotal = 10m0s
    Kafka.Retry.LongInterval = 5m0s
    Kafka.Retry.LongTotal = 12h0m0s
    Kafka.Retry.NetworkTimeouts.DialTimeout = 10s
    Kafka.Retry.NetworkTimeouts.ReadTimeout = 10s
    Kafka.Retry.NetworkTimeouts.WriteTimeout = 10s
    Kafka.Retry.Metadata.RetryMax = 3
    Kafka.Retry.Metadata.RetryBackoff = 250ms
    Kafka.Retry.Producer.RetryMax = 3
    Kafka.Retry.Producer.RetryBackoff = 100ms
    Kafka.Retry.Consumer.RetryBackoff = 2s
    Kafka.Verbose = true
    Kafka.Version = 0.10.2.0
    Kafka.TLS.Enabled = false
    Kafka.TLS.PrivateKey = ""
    Kafka.TLS.Certificate = ""
    Kafka.TLS.RootCAs = []
    Kafka.TLS.ClientAuthRequired = false
    Kafka.TLS.ClientRootCAs = []
    Kafka.SASLPlain.Enabled = false
    Kafka.SASLPlain.User = ""
    Kafka.SASLPlain.Password = ""
    Kafka.Topic.ReplicationFactor = 1
    Debug.BroadcastTraceDir = ""
    Debug.DeliverTraceDir = ""
    Consensus = map[SnapDir:/var/hyperledger/production/orderer/etcdraft/snapshot WALDir:/var/hyperledger/production/orderer/etcdraft/wal]
    Operations.ListenAddress = "orderer0.bpl:8443"
    Operations.TLS.Enabled = false
    Operations.TLS.PrivateKey = ""
    Operations.TLS.Certificate = ""
    Operations.TLS.RootCAs = []
    Operations.TLS.ClientAuthRequired = false
    Operations.TLS.ClientRootCAs = []
    Metrics.Provider = "disabled"
    Metrics.Statsd.Network = "udp"
    Metrics.Statsd.Address = "127.0.0.1:8125"
    Metrics.Statsd.WriteInterval = 30s
    Metrics.Statsd.Prefix = ""
2019-12-28 05:56:55.790 UTC [orderer.common.server] extractSysChanLastConfig -> INFO 003 Bootstrapping because no existing channels
2019-12-28 05:56:55.813 UTC [orderer.common.server] initializeServerConfig -> INFO 004 Starting orderer with TLS enabled
2019-12-28 05:56:55.813 UTC [orderer.common.server] configureClusterListener -> INFO 005 Cluster listener is not configured, defaulting to use the general listener on port 7050
2019-12-28 05:56:55.820 UTC [fsblkstorage] newBlockfileMgr -> INFO 006 Getting block information from block storage
2019-12-28 05:56:55.836 UTC [orderer.consensus.etcdraft] HandleChain -> INFO 007 EvictionSuspicion not set, defaulting to 10m0s
2019-12-28 05:56:55.842 UTC [orderer.consensus.etcdraft] createOrReadWAL -> INFO 008 No WAL data found, creating new WAL at path '/var/hyperledger/production/orderer/etcdraft/wal/trust-chain-system-channel' channel=trust-chain-system-channel node=1
2019-12-28 05:56:55.866 UTC [orderer.commmon.multichannel] Initialize -> INFO 009 Starting system channel 'trust-chain-system-channel' with genesis block hash 43e31dcb085730c17b70777c05983ade72df5b137da3ffeaa4e1f5c187b9c3d9 and orderer type etcdraft
2019-12-28 05:56:55.866 UTC [orderer.consensus.etcdraft] Start -> INFO 00a Starting Raft node channel=trust-chain-system-channel node=1
2019-12-28 05:56:55.866 UTC [orderer.common.cluster] Configure -> INFO 00b Entering, channel: trust-chain-system-channel, nodes: [ID: 2,
Endpoint: orderer1.bpl:7050,
ServerTLSCert: [certificate omitted], ClientTLSCert: [certificate omitted]
 ID: 3,
Endpoint: orderer2.bpl:7050,
ServerTLSCert: [certificate omitted], ClientTLSCert: [certificate omitted]
]
2019-12-28 05:56:55.867 UTC [orderer.common.cluster] updateStubInMapping -> INFO 00c Allocating a new stub for node 2 with endpoint of orderer1.bpl:7050 for channel trust-chain-system-channel
2019-12-28 05:56:55.867 UTC [orderer.common.cluster] updateStubInMapping -> INFO 00d Deactivating node 2 in channel trust-chain-system-channel with endpoint of orderer1.bpl:7050 due to TLS certificate change
2019-12-28 05:56:55.867 UTC [orderer.common.cluster] updateStubInMapping -> INFO 00e Allocating a new stub for node 3 with endpoint of orderer2.bpl:7050 for channel trust-chain-system-channel
2019-12-28 05:56:55.867 UTC [orderer.common.cluster] updateStubInMapping -> INFO 00f Deactivating node 3 in channel trust-chain-system-channel with endpoint of orderer2.bpl:7050 due to TLS certificate change
2019-12-28 05:56:55.868 UTC [orderer.common.cluster] applyMembershipConfig -> INFO 010 2 exists in both old and new membership for channel trust-chain-system-channel , skipping its deactivation
2019-12-28 05:56:55.868 UTC [orderer.common.cluster] applyMembershipConfig -> INFO 011 3 exists in both old and new membership for channel trust-chain-system-channel , skipping its deactivation
2019-12-28 05:56:55.868 UTC [orderer.common.cluster] Configure -> INFO 012 Exiting
2019-12-28 05:56:55.868 UTC [orderer.consensus.etcdraft] start -> INFO 013 Starting raft node as part of a new channel channel=trust-chain-system-channel node=1
2019-12-28 05:56:55.868 UTC [orderer.consensus.etcdraft] becomeFollower -> INFO 014 1 became follower at term 0 channel=trust-chain-system-channel node=1
2019-12-28 05:56:55.868 UTC [orderer.consensus.etcdraft] newRaft -> INFO 015 newRaft 1 [peers: [], term: 0, commit: 0, applied: 0, lastindex: 0, lastterm: 0] channel=trust-chain-system-channel node=1
2019-12-28 05:56:55.868 UTC [orderer.consensus.etcdraft] becomeFollower -> INFO 016 1 became follower at term 1 channel=trust-chain-system-channel node=1
2019-12-28 05:56:55.869 UTC [orderer.common.server] Start -> INFO 017 Starting orderer:
 Version: 1.4.4
 Commit SHA: 7917a40
 Go version: go1.12.12
 OS/Arch: linux/amd64
2019-12-28 05:56:55.869 UTC [orderer.common.server] Start -> INFO 018 Beginning to serve requests
2019-12-28 05:56:55.869 UTC [orderer.consensus.etcdraft] apply -> INFO 019 Applied config change to add node 1, current nodes in channel: [1 2 3] channel=trust-chain-system-channel node=1
2019-12-28 05:56:55.869 UTC [orderer.consensus.etcdraft] apply -> INFO 01a Applied config change to add node 2, current nodes in channel: [1 2 3] channel=trust-chain-system-channel node=1
2019-12-28 05:56:55.869 UTC [orderer.consensus.etcdraft] apply -> INFO 01b Applied config change to add node 3, current nodes in channel: [1 2 3] channel=trust-chain-system-channel node=1
2019-12-28 05:56:57.686 UTC [orderer.consensus.etcdraft] Step -> INFO 01c 1 [logterm: 1, index: 3, vote: 0] cast MsgPreVote for 2 [logterm: 1, index: 3] at term 1 channel=trust-chain-system-channel node=1
2019-12-28 05:56:57.688 UTC [orderer.consensus.etcdraft] Step -> INFO 01d 1 [term: 1] received a MsgVote message with higher term from 2 [term: 2] channel=trust-chain-system-channel node=1
2019-12-28 05:56:57.688 UTC [orderer.consensus.etcdraft] becomeFollower -> INFO 01e 1 became follower at term 2 channel=trust-chain-system-channel node=1
2019-12-28 05:56:57.688 UTC [orderer.consensus.etcdraft] Step -> INFO 01f 1 [logterm: 1, index: 3, vote: 0] cast MsgVote for 2 [logterm: 1, index: 3] at term 2 channel=trust-chain-system-channel node=1
2019-12-28 05:56:57.691 UTC [orderer.consensus.etcdraft] run -> INFO 020 raft.node: 1 elected leader 2 at term 2 channel=trust-chain-system-channel node=1
2019-12-28 05:56:57.692 UTC [orderer.consensus.etcdraft] serveRequest -> INFO 021 Raft leader changed: 0 -> 2 channel=trust-chain-system-channel node=1
2019-12-28 05:57:31.382 UTC [orderer.common.broadcast] ProcessMessage -> WARN 022 [channel: activitych] Rejecting broadcast of config message from 172.22.0.1:52856 because of error: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Writers' sub-policies to be satisfied: permission denied
2019-12-28 05:57:31.384 UTC [comm.grpc.server] 1 -> INFO 023 streaming call completed grpc.service=orderer.AtomicBroadcast grpc.method=Broadcast grpc.peer_address=172.22.0.1:52856 grpc.code=OK grpc.call_duration=8.4914ms
2019-12-28 05:57:31.430 UTC [comm.grpc.server] 1 -> INFO 024 streaming call completed grpc.service=orderer.AtomicBroadcast grpc.method=Deliver grpc.peer_address=172.22.0.1:52858 grpc.code=OK grpc.call_duration=480.4µs

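At this point, I am curious how to obtain an admin identity. My policy is 'MSP.admin' and the identity I used was registered with the parameter --id.type admin.

Satisfying the Writers policy

The admin is actually set up correctly, otherwise the orderer would complain that the Admins policy was not satisfied. What happens is that the orderer accepted the request and created the genesis block for the channel. It then proceeds to set up a handler for broadcasting future blocks for that channel, and in doing so verifies that its certificate satisfies the /Channel/Writers policy, which is required to call the Broadcast API.

The policy mentioned is of type ImplicitMeta by default, which means that it should be satisfied through /Channel/Orderer/<ORG NAME>/Writers. Since the error message states that only 1 sub-policy needs to be satisfied (i.e. ANY Writers), this means that your orderer's certificate does not satisfy its own organization's Writers policy. You need to add the orderer's OU type to the rule, or set it to member to allow any certificate in the organization to act as a writer: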

Writers:
    Type: Signature
    Rule: "OR('<ORG NAME>.admin', '<ORG NAME>.client', '<ORG NAME>.orderer')"

Enrolling a certificate as admin


The quick and dirty fix

Admins:
    Type: Signature
    Rule: "OR('BPLMSP.member')"

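This will allow you to create any type of certificate within the BPLMSP organization, at any time, and use it for administrative purposes such as creating channels. Fabric will skip checking the certificate type (organizational unit, OU) and only check that it was signed by the organization's CA. Note that this reduces security within your organization, as any (lost) certificate will have administrative rights.


The correct way

  1. Register an identity of type client, peer or orderer with the Fabric CA
  2. Enroll a certificate for the registered identity
  3. Place the certificate in admincerts/ of the BPLMSP organization's MSP
  4. Make sure the MSPDir of BPLOrg points to the BPLMSP organization's MSP
  5. Keep the Admins policy of BPLOrg as the rule "OR('BPLMSP.admin')"
  6. Create the genesis block for the OSN. This will include the certificate in the block
  7. Start the network
  8. Sign the channel creation request with the certificate and send it to the OSN

If you want to join a peer to the channel and sign the request with the created certificate, you must add the certificate to the admincerts/ folder of that peer's local MSP. The peer reads this directory at startup, so if you changed the directory while the peer was running, you must restart it.

If you want to add an additional admin certificate when the network is already provisioned, you must perform an update of the genesis block, which should include the new certificate.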


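The correct way, v1.4.3

This option allows you to enroll a certificate as admin without adding it to the genesis block, and without reducing security by treating all types of certificates as admins.

This only works if:

  1. The network is running at least Hyperledger Fabric v1.4.3 (August 26, 2019)
  2. The v1.4.3 channel capability is enabled
  3. NodeOUs have been enabled for the organization
  4. The organization's AdminOUIdentifier OrganizationalUnitIdentifier is set

You can then register a new identity and set its type (OU) to match the OrganizationalUnitIdentifier. This certificate does not need to be added to the OSN's genesis block, because it will be recognized as an admin based on its type (OU). See Hyperledger Fabric's documentation on Identity Classification.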


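Remarks

To create a channel, the ChannelCreationPolicy must be satisfied. This defaults to ANY /Channel/Application/Admins. The policy cannot be set using configtxgen; the only way to modify it is to make changes to the genesis block. See FAB-13192.

The rule type <MSP ID>.admin is not the same as the identity/certificate type (OU) admin. The rule type refers to signatures with administrative rights, but those signatures can come from certificates of any type (OU).

Creating an admin by:

  • Registering the identity as type (OU) admin pre v1.4.3
  • Setting the attribute hf.Admin=true, as the Amazon Managed Blockchain doc states (this will fail because it is not a valid attribute)
  • Setting admin=true:ecert, as the Fabric CA docs do (Fabric only looks at attributes starting with hf., so this has no effect other than adding to the confusion).

You can register any type of CA identity, but a valid admin certificate must be of type (OU) peer, orderer, client, or the OrganizationalUnitIdentifier set for AdminOUIdentifier. Do not use the fabric-ca-client identity add command, as it registers the identity with type user. I can't say I know what the purpose of this type is.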
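
A simplified model of the policy evaluation described in the answers above (the ImplicitMeta "ANY Writers" check, and the difference between the rule role admin and the certificate OU admin), added here as an example; it is not code from the original posts or from Hyperledger Fabric. The Identity class, the helper functions and the sample identities are constructed for illustration, and the role matching is an assumption that follows the answers' description.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Identity:
    """Constructed stand-in for a signer: MSP ID, certificate OU, admincerts/ listing."""
    mspid: str
    ou: str
    in_admincerts: bool = False

def has_role(ident: Identity, mspid: str, role: str, admin_ou: Optional[str]) -> bool:
    """Simplified role match (a model of the behaviour described, not Fabric's code)."""
    if ident.mspid != mspid:
        return False
    if role == "member":   # any certificate issued under the organization's MSP
        return True
    if role == "admin":    # a privilege: admincerts/ listing, or the admin NodeOU if set
        return ident.in_admincerts or (admin_ou is not None and ident.ou == admin_ou)
    return ident.ou == role  # client / peer / orderer are matched on the certificate OU

def signature_policy(rule: str, signers, admin_ou: Optional[str] = None) -> bool:
    """Evaluate an OR('MSP.role', ...) Signature rule against a list of signers."""
    principals = re.findall(r"'([^'.]+)\.([^']+)'", rule)
    return any(has_role(s, m, r, admin_ou) for s in signers for m, r in principals)

def implicit_meta_any(sub_rules, signers, admin_ou: Optional[str] = None):
    """ImplicitMeta 'ANY': returns (satisfied?, number of sub-policies satisfied)."""
    count = sum(signature_policy(rule, signers, admin_ou) for rule in sub_rules)
    return count >= 1, count

# Rules from the page (the answer's <ORG NAME> replaced by the question's MSP ID);
# the identities below are constructed for the example.
WRITERS_ORIG = "OR('BPLMSP.admin', 'BPLMSP.client')"
WRITERS_FIXED = "OR('BPLMSP.admin', 'BPLMSP.client', 'BPLMSP.orderer')"
ADMINS = "OR('BPLMSP.admin')"

orderer_node = Identity("BPLMSP", "orderer")
ou_admin = Identity("BPLMSP", "admin")                     # enrolled with --id.type admin
listed_client = Identity("BPLMSP", "client", in_admincerts=True)

if __name__ == "__main__":
    print(implicit_meta_any([WRITERS_ORIG], [orderer_node]))   # the "0 sub-policies" case
    print(implicit_meta_any([WRITERS_FIXED], [orderer_node]))  # orderer OU added to the rule
    print(signature_policy(ADMINS, [ou_admin]))                # OU alone, no admin NodeOU
    print(signature_policy(ADMINS, [listed_client]))           # any OU, listed in admincerts/
    print(signature_policy(ADMINS, [ou_admin], admin_ou="admin"))  # admin NodeOU configured
```
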

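Your case:

0 sub-policies were satisfied

"Zero" means that no certificate was used to sign the transaction, so you just need to copy your admin certificate to the correct directory!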