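How to resolve HyperLedger Fabric - configtx.yaml policies - access denied when joining a channel
I am working through the HyperLedger Fabric CA Operations Guide [Create and Join Channel].
Using cli-org1, after remoting in with docker exec -it cli-org1 sh, I can create the channel with the following command: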
peer channel create -c mychannel -f /tmp/hyperledger/org1/peer1/assets/channel.tx -o orderer1-org0:7050 --outputBlock /tmp/hyperledger/org1/peer1/assets/mychannel.block --tls --cafile /tmp/hyperledger/org1/peer1/tls-msp/tlscacerts/tls-0-0-0-0-7052.pem
But when I join the channel:
export CORE_PEER_ADDRESS=peer1-org1:7051
peer channel join -b /tmp/hyperledger/org1/peer1/assets/mychannel.block
I get the following error:
Error: proposal failed (err: bad proposal response 500: access denied for [JoinChain][mychannel]: [Failed verifying that proposal's creator satisfies local MSP principal during channelless check policy with policy [Admins]: [This identity is not an admin]])
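I think this is because of the permissions/policies in configtx.yaml, but I am not sure. The Create Genesis Block and Channel Transaction section provides an incomplete or outdated configtx.yaml, so I had to improvise here: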
---
################################################################################
#
# Section: Organizations
#
# - This section defines the different organizational identities which will
# be referenced later in the configuration.
#
################################################################################
Organizations:
    - &org0
        Name: org0
        # ID to load the MSP definition as
        ID: org0MSP
        # MSPDir is the filesystem path which contains the MSP configuration
        MSPDir: /Users/me/projects/fabric-xx/org0/msp
        Policies:
            Readers:
                Type: ImplicitMeta
                Rule: "ANY Readers"
            Writers:
                Type: ImplicitMeta
                Rule: "ANY Writers"
            Admins:
                Type: ImplicitMeta
                Rule: "MAJORITY Admins"
    - &org1
        Name: org1
        # ID to load the MSP definition as
        ID: org1MSP
        # MSPDir is the filesystem path which contains the MSP configuration
        MSPDir: /Users/me/projects/fabric-xx/org1/msp
        AnchorPeers:
            # AnchorPeers defines the location of peers which can be used
            # for cross org gossip communication. Note, this value is only
            # encoded in the genesis block in the Application section context
            - Host: peer1-org1
              Port: 7051
        Policies:
            Readers:
                Type: ImplicitMeta
                Rule: "ANY Readers"
            Writers:
                Type: ImplicitMeta
                Rule: "ANY Writers"
            Admins:
                Type: ImplicitMeta
                Rule: "MAJORITY Admins"
    - &org2
        Name: org2
        # ID to load the MSP definition as
        ID: org2MSP
        # MSPDir is the filesystem path which contains the MSP configuration
        MSPDir: /Users/me/projects/fabric-xx/org2/msp
        AnchorPeers:
            # AnchorPeers defines the location of peers which can be used
            # for cross org gossip communication. Note, this value is only
            # encoded in the genesis block in the Application section context
            - Host: peer1-org2
              Port: 7051
        Policies:
            Readers:
                Type: ImplicitMeta
                Rule: "ANY Readers"
            Writers:
                Type: ImplicitMeta
                Rule: "ANY Writers"
            Admins:
                Type: ImplicitMeta
                Rule: "MAJORITY Admins"
################################################################################
#
# SECTION: Capabilities
#
# - This section defines the capabilities of fabric network. This is a new
# concept as of v1.1.0 and should not be utilized in mixed networks with
# v1.0.x peers and orderers. Capabilities define features which must be
# present in a fabric binary for that binary to safely participate in the
# fabric network. For instance, if a new MSP type is added, newer binaries
# might recognize and validate the signatures from this type, while older
# binaries without this support would be unable to validate those
# transactions. This could lead to different versions of the fabric binaries
# having different world states. Instead, defining a capability for a channel
# informs those binaries without this capability that they must cease
# processing transactions until they have been upgraded. For v1.0.x if any
# capabilities are defined (including a map with all capabilities turned off)
# then the v1.0.x peer will deliberately crash.
#
################################################################################
Capabilities:
    # Channel capabilities apply to both the orderers and the peers and must be
    # supported by both.
    # Set the value of the capability to true to require it.
    Channel: &ChannelCapabilities
        # V1.3 for Channel is a catchall flag for behavior which has been
        # determined to be desired for all orderers and peers running at the v1.3.x
        # level, but which would be incompatible with orderers and peers from
        # prior releases.
        # Prior to enabling V1.3 channel capabilities, ensure that all
        # orderers and peers on a channel are at v1.3.0 or later.
        V1_3: true
    # Orderer capabilities apply only to the orderers, and may be safely
    # used with prior release peers.
    # Set the value of the capability to true to require it.
    Orderer: &OrdererCapabilities
        # V1.1 for Orderer is a catchall flag for behavior which has been
        # determined to be desired for all orderers running at the v1.1.x
        # level, but which would be incompatible with orderers from prior releases.
        # Prior to enabling V1.1 orderer capabilities, ensure that all
        # orderers on a channel are at v1.1.0 or later.
        V1_1: true
    # Application capabilities apply only to the peer network, and may be safely
    # used with prior release orderers.
    # Set the value of the capability to true to require it.
    Application: &ApplicationCapabilities
        # V1.3 for Application enables the new non-backwards compatible
        # features and fixes of fabric v1.3.
        V1_3: true
        # V1.2 for Application enables the new non-backwards compatible
        # features and fixes of fabric v1.2 (note, this need not be set if
        # later version capabilities are set)
        V1_2: false
        # V1.1 for Application enables the new non-backwards compatible
        # features and fixes of fabric v1.1 (note, this need not be set if
        # later version capabilities are set).
        V1_1: false
################################################################################
#
# SECTION: Application
#
# - This section defines the values to encode into a config transaction or
# genesis block for application related parameters
#
################################################################################
Application: &ApplicationDefaults
    # Organizations is the list of orgs which are defined as participants on
    # the application side of the network
    Organizations:
    # Policies defines the set of policies at this level of the config tree
    # For Application policies, their canonical path is
    # /Channel/Application/<PolicyName>
    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
    Capabilities:
        <<: *ApplicationCapabilities
################################################################################
#
# SECTION: Orderer
#
# - This section defines the values to encode into a config transaction or
# genesis block for orderer related parameters
#
################################################################################
Orderer: &OrdererDefaults
    # Orderer Type: The orderer implementation to start
    # Available types are "solo" and "kafka"
    OrdererType: solo
    Addresses:
        - orderer1-org0:7050
    # Batch Timeout: The amount of time to wait before creating a batch
    BatchTimeout: 2s
    # Batch Size: Controls the number of messages batched into a block
    BatchSize:
        # Max Message Count: The maximum number of messages to permit in a batch
        MaxMessageCount: 10
        # Absolute Max Bytes: The absolute maximum number of bytes allowed for
        # the serialized messages in a batch.
        AbsoluteMaxBytes: 99 MB
        # Preferred Max Bytes: The preferred maximum number of bytes allowed for
        # the serialized messages in a batch. A message larger than the preferred
        # max bytes will result in a batch larger than preferred max bytes.
        PreferredMaxBytes: 512 KB
    # Organizations is the list of orgs which are defined as participants on
    # the orderer side of the network
    Organizations:
        - *org0
    # Policies defines the set of policies at this level of the config tree
    # For Orderer policies, their canonical path is
    # /Channel/Orderer/<PolicyName>
    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
        # BlockValidation specifies what signatures must be included in the block
        # from the orderer for the peer to validate it.
        BlockValidation:
            Type: ImplicitMeta
            Rule: "ANY Writers"
################################################################################
#
# CHANNEL
#
# This section defines the values to encode into a config transaction or
# genesis block for channel related parameters.
#
################################################################################
Channel: &ChannelDefaults
    # Policies defines the set of policies at this level of the config tree
    # For Channel policies, their canonical path is
    # /Channel/<PolicyName>
    Policies:
        # Who may invoke the 'Deliver' API
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        # Who may invoke the 'Broadcast' API
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        # By default, who may modify elements at this config level
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
    # Capabilities describes the channel level capabilities, see the
    # dedicated Capabilities section elsewhere in this file for a full
    # description
    Capabilities:
        <<: *ChannelCapabilities
################################################################################
#
# Profile
#
# - Different configuration profiles may be encoded here to be specified
# as parameters to the configtxgen tool
#
################################################################################
Profiles:
    OrgsChannel:
        Consortium: SampleConsortium
        <<: *ChannelDefaults
        Application:
            <<: *ApplicationDefaults
            Organizations:
                - *org1
                - *org2
    OrgsOrdererGenesis:
        <<: *ChannelDefaults
        Capabilities:
            <<: *ChannelCapabilities
        Orderer:
            <<: *OrdererDefaults
            OrdererType: solo
            Addresses:
                - orderer1-org0:7050
            Organizations:
                - *org0
            Capabilities:
                <<: *OrdererCapabilities
        Consortiums:
            SampleConsortium:
                Organizations:
                    - *org1
                    - *org2
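Is it the permissions in this configtx.yaml that prevent the peer from joining?
Also, in my configtx.yaml I set MSPDir to the MSP directory on the host filesystem. Should this be set to the directory where the MSP will be inside the container? For example:
MSPDir: /tmp/hyperledger/org1/msp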
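Solution
I ran into the same problem a week ago, and yes, the configtx.yaml is outdated. Make sure you have copied the admin certificate to the peer correctly. If you suspect the policies, change MAJORITY to ANY.
That MSPDir is only needed for generating the genesis.block.
If you are building a Fabric 2.x network, then this configtx.yaml will be helpful.
The permission in configtx that relates to peer join is Channel - Policies - Admins:
Channel:
    Policies:
        Admins: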
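However, looking at your commands, I can see that peer channel create works correctly.
That command was already executed with admin privileges, and the verification passed.
In other words, permissions do not seem to be the problem.
One suspicious point is that CORE_PEER_ADDRESS is set to org1.
If you ran the peer channel create step as an organization other than org1, there is a problem with your command.
Check the CORE_PEER_LOCALMSPID and CORE_PEER_MSPCONFIGPATH environment variables in the peer channel join step.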
echo $CORE_PEER_LOCALMSPID
echo $CORE_PEER_MSPCONFIGPATH
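If they are not set, they may take the value configured in the core.yaml under FABRIC_CFG_PATH or the peer's default value, and the MSP may not match.
Set these to org1 and try again. Like this: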
export CORE_PEER_ADDRESS=peer1-org1:7051
export CORE_PEER_LOCALMSPID=org1MSP
export CORE_PEER_MSPCONFIGPATH=/tmp/hyperledger/org1/peer1/<your_admin_msp_path>
peer channel join -b /tmp/hyperledger/org1/peer1/assets/mychannel.block
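[P.S] This is a suggestion based on the suspicion that the organization's admin privileges differ between peer channel create and peer channel join. So... it may not be the right answer for you.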