1

I am trying to understand correlation of policies (org, application & channel) with identities, MSP and NodeOUs in complete process flow of hyperledger fabric. I am sharing my understanding, please correct me if I am wrong.

  1. Presently, hf support 4 NodeOUs, and identities classification is enabled from registerEnroll.sh in test-network example. Also it supports 5 roles of identities orderer, peer, admin, client and member.

  2. System channel policies, Org policies, application channel policies, consortium are defined in configxtx/configtx.yaml along with their capabilities.

  3. Example of a org policy, application policy, and channel policy is given below: 
        ##### Org Policy #####
        Name: Org1MSP

        # ID to load the MSP definition as
        ID: Org1MSP

        MSPDir: ../organizations/peerOrganizations/org1.example.com/msp

        # Policies defines the set of policies at this level of the config tree
        # For organization policies, their canonical path is usually
        #   /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('Org1MSP.admin', 'Org1MSP.peer', 'Org1MSP.client', 'Org1MSP.member')"
            Writers:
                Type: Signature
                Rule: "OR('Org1MSP.admin', 'Org1MSP.client', 'Org1MSP.member')"
            Admins:
                Type: Signature
                Rule: "OR('Org1MSP.admin')"
            Endorsement:
                Type: Signature
                Rule: "OR('Org1MSP.peer')"


        ##### Application Policy #####
        Policies:
            Readers:
                Type: ImplicitMeta
                Rule: "ANY Readers"
            Writers:
                Type: ImplicitMeta
                Rule: "ANY Writers"
            Admins:
                Type: ImplicitMeta
                Rule: "MAJORITY Admins"
            LifecycleEndorsement:
                Type: ImplicitMeta
                Rule: "MAJORITY Endorsement"
            Endorsement:
                Type: ImplicitMeta
                Rule: "MAJORITY Endorsement"


       ##### Channel Policy #####
           Policies:
            # Who may invoke the 'Deliver' API
            Readers:
                Type: ImplicitMeta
                Rule: "ANY Readers"
            # Who may invoke the 'Broadcast' API
            Writers:
                Type: ImplicitMeta
                Rule: "ANY Writers"
            # By default, who may modify elements at this config level
            Admins:
                Type: ImplicitMeta
                Rule: "MAJORITY Admins"

My usecase is, create a identity with role as member using signingIdentity of admin and that member should be able to evaluate or submit transaction to chaincode, I tried following things to achieve this:

  1. Added 'Org1MSP.member' in Readers and Writers policy of the organisation in configtx.yaml
  2. Ran enrollAdmin.js, fresh wallet got created.
  3. Next, in registerUser.js, I changed role from client to member in function call of ca.register to create identity of a member rather than a client.
  4. Now, when I ran query.js, it throws following error: 
2020-05-22T09:28:40.219Z - error: [DiscoveryService]: send[mychannel] - Channel:mychannel received discovery error:access denied
Failed to evaluate transaction: Error: DiscoveryService: mychannel error: access denied

Further debug logs from the peer when it's validating identity.

peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [policies] SignatureSetToValidIdentities -> DEBU 4de3 signature for identity 0 validated
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [cauthdsl] func1 -> DEBU 4de4 0xc0034b0b50 gate 1590139720217279088 evaluation starts
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [cauthdsl] func2 -> DEBU 4de5 0xc0034b0b50 signed by 0 principal evaluation starts (used [false])
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [cauthdsl] func2 -> DEBU 4de6 0xc0034b0b50 processing identity 0 - &{Org1MSP 1635f57eaf46859c66528c1528475f51feac49aa83b3393c0bdc35e50e046f39}
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [cauthdsl] func2 -> DEBU 4de7 0xc0034b0b50 identity 0 does not satisfy principal: The identity is not valid under this MSP [Org1MSP]: could not validate identity's OUs: the identity must be a client, a peer, an orderer or an admin identity to be valid, not a combination of them. OUs: [member(BB4774A65B308471) org1(BB4774A65B308471) department1(BB4774A65B308471)], MSP: [Org1MSP]
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [cauthdsl] func2 -> DEBU 4de8 0xc0034b0b50 principal evaluation fails
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [cauthdsl] func2 -> DEBU 4de9 0xc0034b0b50 signed by 1 principal evaluation starts (used [false])
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [cauthdsl] func2 -> DEBU 4dea 0xc0034b0b50 processing identity 0 - &{Org1MSP 1635f57eaf46859c66528c1528475f51feac49aa83b3393c0bdc35e50e046f39}
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [cauthdsl] func2 -> DEBU 4deb 0xc0034b0b50 identity 0 does not satisfy principal: The identity is not valid under this MSP [Org1MSP]: could not validate identity's OUs: the identity must be a client, a peer, an orderer or an admin identity to be valid, not a combination of them. OUs: [member(BB4774A65B308471) org1(BB4774A65B308471) department1(BB4774A65B308471)], MSP: [Org1MSP]
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [cauthdsl] func2 -> DEBU 4dec 0xc0034b0b50 principal evaluation fails
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [cauthdsl] func2 -> DEBU 4ded 0xc0034b0b50 signed by 2 principal evaluation starts (used [false])
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [cauthdsl] func2 -> DEBU 4dee 0xc0034b0b50 processing identity 0 - &{Org1MSP 1635f57eaf46859c66528c1528475f51feac49aa83b3393c0bdc35e50e046f39}
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [cauthdsl] func2 -> DEBU 4def 0xc0034b0b50 identity 0 does not satisfy principal: could not validate identity's OUs: the identity must be a client, a peer, an orderer or an admin identity to be valid, not a combination of them. OUs: [member(BB4774A65B308471) org1(BB4774A65B308471) department1(BB4774A65B308471)], MSP: [Org1MSP]
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [cauthdsl] func2 -> DEBU 4df0 0xc0034b0b50 principal evaluation fails
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [cauthdsl] func1 -> DEBU 4df1 0xc0034b0b50 gate 1590139720217279088 evaluation fails
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [policies] EvaluateSignedData -> DEBU 4df2 Signature set did not satisfy policy /Channel/Application/Org1MSP/Writers
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [policies] EvaluateSignedData -> DEBU 4df3 == Done Evaluating *cauthdsl.policy Policy /Channel/Application/Org1MSP/Writers

peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [discovery] processQuery -> WARN 4e0b got query for channel mychannel from 192.168.96.1:40612 but it isn't eligible: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Writers' sub-policies to be satisfied
peer0.org1.example.com|2020-05-22 09:28:40.217 UTC [discovery] processQuery -> WARN 4e0c got query for channel mychannel from 192.168.96.1:40612 but it isn't eligible: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Writers' sub-policies to be satisfied

Am I missing some configuration which should be enabled for member identity to evaluate transactions or is it not possible for member identity submitting transaction ? Because client identity works smoothly.

Any clarification to my understanding is appreciated.

Avoid
  • 343
  • 2
  • 9
  • 20

1 Answers1

0

In config.yaml file under msp folder of your org you have only client , peer , admin , orderer as OrganizationalUnitIdentifier. If you want member also to be an identity in your organisation then for that you have to add

MemberOUIdentifier:
    Certificate: path/to/ca-cert
    OrganizationalUnitIdentifier: member

in your config.yaml file.

for more information about identity : https://hyperledger-fabric.readthedocs.io/en/latest/msp.html#identity-classification

Pritam Singh
  • 24
  • 1
  • 6