2

I am reaching out to you, because of an exception with hyperledger fabric endorsement policy belonging lifecycle.

What I have done:

Packaged, Installed, approved, and committed my chaincode on Three Peers out of 9, all in the same Organisational MSP.

Since I have the test case, that I should enforce an endorsement policy that looks like this:

OutOf(2, Org1MSP.member) which is in my eyes similar to: AND(Org1MSP.member, Org1MSP.member). Am I wrong?

Never the less, when I issue my chaincode I am getting back a message:

server returned: failed constructing descriptor for chaincodesname:"mycc": no peer combination can satisfy the endorsement policy

Confusing enough, when I using the Policy: AND(Org1MSP.member) everything is crystal clear and my chaincode is invoked. And using the discovery command in this case returns every single peer on a server, great. But it is not the case I want to achieve! I want to enforce an endorsement by 2 of 3 Endorsers.

I appreciate your help!

Here is my connection profile. Only containing the three endorsement-peers:

---
certificateAuthorities:
  Org1CA:
    caName: ca
    url: http://<IP is correct links to the right server>:7054
client:
  connection:
    timeout:
      orderer: '300'
      peer:
        endorser: '300'
  organization: Org1MSP
name: example.com
organizations:
  Org1MSP:
    certificateAuthorities:
      - Org1CA
    mspid: Org1MSP
    peers:
      - peer0.org1.example.com
      - peer1.org1.example.com
      - peer9.org1.example.com
peers:
  peer0.org1.example.com:
    url: grpc://peer0.org1.example.com:7051
  peer9.org1.example.com:
    url: grpc://peer9.org1.example.com16051
  peer1.org1.example.com:
    url: grpc://peer1.org1.example.com:8051
version: 1.0.0

Every peer is on a different machine. Here is an sample on how I am doing the Transaction invoke:

Gateway.Builder builder = Gateway.createBuilder();
Wallet wallet = Wallets.newInMemoryWallet();
X509Identity ident;

try {
    ident = Identities.newX509Identity("Org1MSP",
            Identities.readX509Certificate("removed key due to security porpuse"),
            Identities.readPrivateKey("removed key due to security porpuse"));
    String userName = "admin";
    Contract contract = null;

    InputStream input = classLoader.getResourceAsStream("connection-org1.yaml");
    wallet.put("admin", ident);
    builder.identity(wallet, userName).networkConfig(input).discovery(true);
    Gateway gateway = builder.connect();
    Network network = gateway.getNetwork("crm-field-1");
    contract = network.getContract(contractName);

    byte[] response = null;
    Transaction trans = contract.createTransaction("createCrmContact");
    Map<String, byte[]> data = new HashMap<String, byte[]>();
    data.put("value", value.getBytes());
    data.putAll(initialize());
    trans = trans.setTransient(data);
    response = trans.submit(pk, fieldName);
    // response = contract.submitTransaction("createCrmContact", pk, fieldName,
    // value);
    LOGGER.error("Logging: Response - " + response);
    if (response == null)
        return null;
    return decode(response);
} catch (Exception e) {
    LOGGER.error("Logging: Error" + e.getMessage());
    e.printStackTrace();
}
InTerestedOWL
  • 51
  • 8
  • 1
    How was your chaincode invoke command executed? If it is executed on the peer's cli, present a `command` and if it is operated with sdk code, present a `conneciton profile`. – myeongkil kim Dec 30 '20 at 08:54
  • It is executed via an java SDK: concret: java-fabric-gateway, which is called to invoke the Chaincode via an connection profile. Meanwhile I tried the discover command on my Policy and I got the same error message as mentioned above – InTerestedOWL Dec 30 '20 at 09:38
  • 1
    Can you tell me the contents of the connection profile file? Are all peers specified? – myeongkil kim Dec 30 '20 at 09:42
  • 1
    This error occurs when the endorsement policy is not satisfied because discovery does not operate normally on the peer. `fabric/discovery/endorsement/endorsement.go` `computeEndorsementResponse()` In order to debug correctly, you need the content of the connection profile and the code you used in the invoke command. Can you add more details to the question? What are the gateway settings in the fabric-sdk? – myeongkil kim Dec 30 '20 at 09:45
  • I have updated my question. – InTerestedOWL Dec 30 '20 at 09:57
  • `:` is missing, `url: grpc://peer9.org1.example.com16051` in your connection profile, is it typo? – myeongkil kim Dec 30 '20 at 11:16
  • and.. It seems that there is no `channels` key in the connection profile. It was written in your pc, but was it omitted in question? [connection-profile](https://hyperledger-fabric.readthedocs.io/en/release-2.2/developapps/connectionprofile.html) – myeongkil kim Dec 30 '20 at 11:18
  • Sure I don't have a channel key in the connection profile. Since I am doing that within my method in the fabric SDK. The missing `:` is just a result of a replace of IP to domain. But error will be the same. – InTerestedOWL Dec 31 '20 at 08:10
  • I tried a lot with Chaincode and my connection profile was working in this way before. But it can't invoke Chaincode with the new Endorsement policy. – InTerestedOWL Dec 31 '20 at 08:17
  • I don't understand that there is no channels key because doing that within my method in the fabric SDK. I remember that SDK analyzed internal peers by referring to information about channels in the configuration through the channel name you requested, and collecting and invoking peer information through the peers. Is it intentional that there is no channels value, and is it correct to work properly? – myeongkil kim Dec 31 '20 at 12:27
  • Let me point this out: When I am using the endorsement Policy `AND(Org1MSP.member)` and using my application method and connection profile seen above, I can invoke my chaincode normally and it is accepted and everything saftisfies the policy, with this Policy I can use the discover command within the cli and get back every peer on the corresponding machine (mentioned with --server). but this behaviour is not recoginized, when I use my Policy `AND(Org1MSP.member, Org1MSP.member`. So it cant lie on the connection profile since the discover command is returning the same error message! – InTerestedOWL Dec 31 '20 at 12:43
  • I confirmed that channels are optional. Is it possible to test the policy by writing -P `OutOf(2,'Org1MSP.member','Org1MSP.member')`? Currently, your code cannot be reproduced and is not being tested. Perhaps the same error may occur, but I had exactly this policy enabled. – myeongkil kim Dec 31 '20 at 13:10
  • Currently, the error occurs in `fabric/discovery/endorsement/endorsement.go`. It turns out that isLayoutSatisfied does not satisfy the policy because it does not work even once. In order to solve your problem, you have to verify more accurate I/O through debugging. When isLayoutSatisfied is running, all inputs and outputs should be checked, and if there is a part different from the expected input, check where the value was input and proceed. – myeongkil kim Dec 31 '20 at 13:13
  • Also, can you try to operate by entering channels in the connection profile? Although not analyzed correctly, the channels key specifies whether peers have endorsement policy. If the sdk transmits the context delivered at the api level, including the relevant authority information, and performs a process on the list of endorsement peers based on that information, the policy may not be satisfied. The assumption is that it can be done, and the easiest way to check is to add it to the connection profile, of course, to find out exactly, you have to go through the code.) – myeongkil kim Dec 31 '20 at 13:16
  • I will try this in the next days. – InTerestedOWL Jan 01 '21 at 14:02
  • If I am using Policy `OutOf(2, 'Org1MSP.member','Org1MSP.member')` the message is similar to the above mentioned: `server returned: failed constructing descriptor for chaincodes: – InTerestedOWL Jan 12 '21 at 08:15
  • The channel is mentioned in Code above. `"Crm-filed-1"` so in my opinion he should get the Channel. Anyways discovering if all endorsers didn't work either. So this is the problem and I don't understand why. – InTerestedOWL Jan 12 '21 at 08:17
  • Sorry for my late responses I was sticked to another project which has got more prio. – InTerestedOWL Jan 12 '21 at 08:18
  • So when the cli discovering command not works, the code can't work either. So, we have to search in Fabrics endorsement and discovery strategy. Is there a Channel config that says exactly, that discovery should be prevented? – InTerestedOWL Jan 12 '21 at 08:20
  • Just let me say, that when having anchor peers defined within the channel it is possible to see all endorsers of the Chaincode using the discover- command . So anchor peers are mandatory for searching and discovering peers within the network. So I will now give my policy another nice try. Hopefully it will work. – InTerestedOWL Jan 19 '21 at 09:52

1 Answers1

1

So, I figured out by my self:

If the network does not have any Anchor peers set, the discovery fails, because there is no endpoint, where he gets the information about every one in the network. So added them to the network solved my issue.

Thanks for all advice

InTerestedOWL
  • 51
  • 8