I'm preparing a deployment scenario for a software solution based on Hyperledger Fabric blockchain ver. 2.0. I've reviewed the official docs and examples, but some points regarding deployment/support in a real-world production environment are still unclear to me.

Let's suppose that the designed blockchain network includes the following participants:

  • the Software Provider organization, which prepares and supports the basic blockchain infrastructure;
  • the consortium of N organizations (Org1, Org2, ..., OrgN) participating in business transactions over the blockchain network;
  • each organization in the consortium has a system administrator, who is more or less familiar with blockchain technology and Hyperledger Fabric.

The approximate deployment scenario I expected is:

  1. All participants (Software Provider, Org1, Org2, ... OrgN) prepare the required identities: choose their certificate authorities (CAs), get X.509 certificates, generate private and public keys for secure connections, etc.
  2. The Software Provider deploys the ordering node, creates the system channel and defines the consortium of N organizations. Therefore, the Software Provider must obtain the public identities (MSPs) of ALL participating organizations.
  3. All organizations in the consortium (Org1, Org2, ... OrgN) start at least one peer in their local environment.
  4. The consortium agrees on the business rules to be used in production. Based on this, some organization (for example, Org1) should create a business channel with the corresponding chaincode installed on it. To do this, Org1 must have the MSPs of ALL organizations to configure the business channel for the whole consortium.
  5. All organizations join this business channel and only use their own MSPs (with private data) to be identified in the network.
  6. After that, Org1 installs the agreed chaincode on the business channel. The required number of other organizations approves this chaincode.
  7. When approval is done, Org1 commits the chaincode definition.
  8. Now all organizations can use their own MSPs to interact with the committed chaincode (query ledger data and invoke smart contracts).

Following this scenario, I considered that only 2 organizations (Software Provider and Org1) should somehow obtain the public identities (MSPs) of ALL other consortium members. And for the other organizations it is enough to use their own private MSPs to be properly authorized in the network.

But in fact, at least at step #5, each organization technically must explicitly operate with the MSPs of all consortium members. Here is a command to be executed at step #5 by every organization to register an anchor peer:

configtxgen -profile TwoOrgsChannel -outputAnchorPeersUpdate ./output/channel-artifacts/organchors.tx -channelID mychannel -asOrg OrgX

The above-mentioned TwoOrgsChannel profile is defined in the channel configuration (configtx.yaml), which in turn contains links to the MSPs of all organizations. This means that, when joining the channel, every organization must use a local copy of the channel configuration (configtx.yaml) and somehow receive local copies of all MSPs in the consortium. This raises several questions at once:

a) For a production scenario, is it really required for every participating organization to have the MSPs of all other consortium members? It looks very uncomfortable for an organization's administrator to manage this complex configuration manually...

b) Why is it required for every organization to initiate the anchor peer update explicitly, although the information about all anchor peers is already specified in the initial channel configuration (configtx.yaml) used to prepare the genesis block for the channel (by Org1)?

c) What happens if I skip the anchor peer update step?

d) And, additionally, is there some way in Hyperledger Fabric to add an organization (or even unauthorized participants) with read-only permission to access the ledger in some channel? For example, what should we do if the customers someday ask us (as Software Provider) to give audit companies access to the ledger?

Could you please clarify these points?

Thanks & Regards

Igor Egorov
