
I am trying to understand how policies (org, application & channel) relate to the complete flow of Hyperledger Fabric identities with MSP NodeOUs. I will share my understanding; please correct me if I am wrong.

  1. Currently, HF supports 4 NodeOUs, and identity classification is enabled from the registerEnroll.sh sample in test-network. It also supports 5 identity roles: orderer, peer, admin, client and member.

  2. System channel policies, organization policies, application channel policies and the consortium are defined in configtx/configtx.yaml, together with their capabilities.

  3. Examples of the org policy, application policy and channel policy are given below:
        ##### Org Policy #####
        Name: Org1MSP

        # ID to load the MSP definition as
        ID: Org1MSP

        MSPDir: ../organizations/peerOrganizations/org1.example.com/msp

        # Policies defines the set of policies at this level of the config tree
        # For organization policies, their canonical path is usually
        #   /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('Org1MSP.admin', 'Org1MSP.peer', 'Org1MSP.client', 'Org1MSP.member')"
            Writers:
                Type: Signature
                Rule: "OR('Org1MSP.admin', 'Org1MSP.client', 'Org1MSP.member')"
            Admins:
                Type: Signature
                Rule: "OR('Org1MSP.admin')"
            Endorsement:
                Type: Signature
                Rule: "OR('Org1MSP.peer')"


        ##### Application Policy #####
        Policies:
            Readers:
                Type: ImplicitMeta
                Rule: "ANY Readers"
            Writers:
                Type: ImplicitMeta
                Rule: "ANY Writers"
            Admins:
                Type: ImplicitMeta
                Rule: "MAJORITY Admins"
            LifecycleEndorsement:
                Type: ImplicitMeta
                Rule: "MAJORITY Endorsement"
            Endorsement:
                Type: ImplicitMeta
                Rule: "MAJORITY Endorsement"


        ##### Channel Policy #####
        Policies:
            # Who may invoke the 'Deliver' API
            Readers:
                Type: ImplicitMeta
                Rule: "ANY Readers"
            # Who may invoke the 'Broadcast' API
            Writers:
                Type: ImplicitMeta
                Rule: "ANY Writers"
            # By default, who may modify elements at this config level
            Admins:
                Type: ImplicitMeta
                Rule: "MAJORITY Admins"

My use case is to create an identity with the role member as the signingIdentity, and both admin and member should be able to evaluate or submit transactions to the chaincode. I tried the following to achieve this:

  1. Added 'Org1MSP.member' to the Readers and Writers policies of the org in configtx.yaml
  2. Ran enrollAdmin.js; a new wallet was created.
  3. Next, in registerUser.js, I changed role from client to member in the ca.register function call, to create a member identity instead of a client.
  4. Now, when I run query.js, it throws the following error:
2020-05-22T09:28:40.219Z - error: [DiscoveryService]: send[mychannel] - Channel:mychannel received discovery error:access denied
Failed to evaluate transaction: Error: DiscoveryService: mychannel error: access denied  

Further debug logs from the peer while validating the identity:

peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [policies] SignatureSetToValidIdentities -> DEBU 4de3 signature for identity 0 validated
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [cauthdsl] func1 -> DEBU 4de4 0xc0034b0b50 gate 1590139720217279088 evaluation starts
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [cauthdsl] func2 -> DEBU 4de5 0xc0034b0b50 signed by 0 principal evaluation starts (used [false])
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [cauthdsl] func2 -> DEBU 4de6 0xc0034b0b50 processing identity 0 - &{Org1MSP 1635f57eaf46859c66528c1528475f51feac49aa83b3393c0bdc35e50e046f39}
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [cauthdsl] func2 -> DEBU 4de7 0xc0034b0b50 identity 0 does not satisfy principal: The identity is not valid under this MSP [Org1MSP]: could not validate identity's OUs: the identity must be a client, a peer, an orderer or an admin identity to be valid, not a combination of them. OUs: [member(BB4774A65B308471) org1(BB4774A65B308471) department1(BB4774A65B308471)], MSP: [Org1MSP]
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [cauthdsl] func2 -> DEBU 4de8 0xc0034b0b50 principal evaluation fails
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [cauthdsl] func2 -> DEBU 4de9 0xc0034b0b50 signed by 1 principal evaluation starts (used [false])
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [cauthdsl] func2 -> DEBU 4dea 0xc0034b0b50 processing identity 0 - &{Org1MSP 1635f57eaf46859c66528c1528475f51feac49aa83b3393c0bdc35e50e046f39}
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [cauthdsl] func2 -> DEBU 4deb 0xc0034b0b50 identity 0 does not satisfy principal: The identity is not valid under this MSP [Org1MSP]: could not validate identity's OUs: the identity must be a client, a peer, an orderer or an admin identity to be valid, not a combination of them. OUs: [member(BB4774A65B308471) org1(BB4774A65B308471) department1(BB4774A65B308471)], MSP: [Org1MSP]
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [cauthdsl] func2 -> DEBU 4dec 0xc0034b0b50 principal evaluation fails
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [cauthdsl] func2 -> DEBU 4ded 0xc0034b0b50 signed by 2 principal evaluation starts (used [false])
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [cauthdsl] func2 -> DEBU 4dee 0xc0034b0b50 processing identity 0 - &{Org1MSP 1635f57eaf46859c66528c1528475f51feac49aa83b3393c0bdc35e50e046f39}
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [cauthdsl] func2 -> DEBU 4def 0xc0034b0b50 identity 0 does not satisfy principal: could not validate identity's OUs: the identity must be a client, a peer, an orderer or an admin identity to be valid, not a combination of them. OUs: [member(BB4774A65B308471) org1(BB4774A65B308471) department1(BB4774A65B308471)], MSP: [Org1MSP]
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [cauthdsl] func2 -> DEBU 4df0 0xc0034b0b50 principal evaluation fails
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [cauthdsl] func1 -> DEBU 4df1 0xc0034b0b50 gate 1590139720217279088 evaluation fails
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [policies] EvaluateSignedData -> DEBU 4df2 Signature set did not satisfy policy /Channel/Application/Org1MSP/Writers
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [policies] EvaluateSignedData -> DEBU 4df3 == Done Evaluating *cauthdsl.policy Policy /Channel/Application/Org1MSP/Writers
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [discovery] processQuery -> WARN 4e0b got query for channel mychannel from 192.168.96.1:40612 but it isn't eligible: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Writers' sub-policies to be satisfied
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [discovery] processQuery -> WARN 4e0c got query for channel mychannel from 192.168.96.1:40612 but it isn't eligible: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Writers' sub-policies to be satisfied

Am I missing some configuration that should enable a member identity to evaluate transactions, or is it not possible for a member identity to submit transactions? Because the client identity works smoothly.

Any clarification of my understanding is appreciated.

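The debug log above shows the two steps the peer runs before any policy principal can match: the identity is first validated under its MSP (with NodeOUs enabled it must carry exactly one of the four classifier OUs: client, peer, admin or orderer), and only a valid identity is then compared against the principals of the Signature rule. The following Go program is an added example that models that evaluation for the Org1MSP Writers rule quoted above; it is not Fabric's own code, and the nodeOUs map, the Identity type and the sample subjects are constructed for the example. It also shows why adding 'Org1MSP.member' to the policy does not help an identity whose OU is literally "member": in Fabric the member role matches any identity that is valid under the MSP, and an identity with an unknown classifier OU never reaches that check.

```go
package main

import (
	"fmt"
	"strings"
)

// nodeOUs models the classification enabled in the MSP's config.yaml:
// an OU value on the certificate maps to exactly one role. Constructed for
// this example; Fabric reads these from ClientOUIdentifier, PeerOUIdentifier,
// AdminOUIdentifier and OrdererOUIdentifier.
var nodeOUs = map[string]string{
	"client":  "client",
	"peer":    "peer",
	"admin":   "admin",
	"orderer": "orderer",
}

// Identity is the part of an X.509 identity this model looks at:
// the MSP it was issued under and the OU values in its subject.
type Identity struct {
	MSPID string
	OUs   []string
}

// classify returns the single NodeOU role of an identity. Zero or several
// classifier OUs make the identity invalid under the MSP, mirroring the
// "not a combination of them" message in the peer log.
func classify(id Identity) (string, error) {
	var roles []string
	for _, ou := range id.OUs {
		if role, ok := nodeOUs[ou]; ok {
			roles = append(roles, role)
		}
	}
	if len(roles) != 1 {
		return "", fmt.Errorf("the identity must be a client, a peer, an orderer or an admin identity to be valid, not a combination of them. OUs: %v", id.OUs)
	}
	return roles[0], nil
}

// satisfies checks one principal of the form "MSPID.role" against an identity.
// Validation happens first, so an invalid identity fails every principal,
// including "member", which otherwise matches any valid identity of the MSP.
func satisfies(principal string, id Identity) bool {
	parts := strings.SplitN(principal, ".", 2)
	if len(parts) != 2 || parts[0] != id.MSPID {
		return false
	}
	role, err := classify(id)
	if err != nil {
		return false
	}
	if parts[1] == "member" {
		return true
	}
	return role == parts[1]
}

// evalOR evaluates a Signature rule of the form OR('A.x', 'B.y', ...),
// the shape used by the org-level Readers/Writers/Admins policies above.
func evalOR(rule string, id Identity) bool {
	inner := strings.TrimSuffix(strings.TrimPrefix(strings.TrimSpace(rule), "OR("), ")")
	for _, p := range strings.Split(inner, ",") {
		if satisfies(strings.Trim(strings.TrimSpace(p), "'"), id) {
			return true
		}
	}
	return false
}

func main() {
	writers := "OR('Org1MSP.admin', 'Org1MSP.client', 'Org1MSP.member')"
	// Constructed subjects: the OU values match the ones in the peer debug log.
	client := Identity{MSPID: "Org1MSP", OUs: []string{"client", "org1", "department1"}}
	member := Identity{MSPID: "Org1MSP", OUs: []string{"member", "org1", "department1"}}
	for _, id := range []Identity{client, member} {
		role, err := classify(id)
		fmt.Printf("OUs %v -> role %q, err: %v, satisfies Writers: %t\n", id.OUs, role, err, evalOR(writers, id))
	}
}
```

Running it shows the client identity satisfying Writers through the client principal, while the member-OU identity fails classification and therefore satisfies none of the three principals, which is the "0 sub-policies were satisfied" outcome the discovery service reported.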

1 Answer

In the config.yaml file under your organization's msp folder, you only have client, peer, admin and orderer as OrganizationalUnitIdentifier. If you want member to also be an identity in your organization, then you have to add

MemberOUIdentifier:
    Certificate: path/to/ca-cert
    OrganizationalUnitIdentifier: member

to your config.yaml file.

More information about identities: https://hyperledger-fabric.readthedocs.io/en/latest/msp.html#identity-classification

answered 2020-05-22T14:17:20.627