1

I was checking whether it is possible to share peers, invoke chaincode functions & perform transactions with different MSPs. This is a use-case where a shared environment will be required for some organizations that are not willing to spend on infrastructure but may want to use the blockchain network run by the network operator.

For example, a network operator with MSP org1 creates a Hyperledger Fabric network. org4 wants to join the network but without any peers. The CA container will be there for this org4. Is it possible for org4 identity to invoke transactions on org1 peers? I tried this actually. Check the logs of the rest client below:

```
[Service Discovery Turned On]
2021-04-02T04:19:27.643Z - debug: [Channel]: _getServiceEndpoints - start - org4
2021-04-02T04:19:27.643Z - debug: [Channel]: _getServiceEndpoints - Endorser mspid not matched, not added peer0.org1.com:7051 - org1
2021-04-02T04:19:27.643Z - debug: [Channel]: _getServiceEndpoints - Endorser mspid not matched, not added peer1.org1.com:7051 - org1
2021-04-02T04:19:27.643Z - debug: [Channel]: _getServiceEndpoints - Endorser mspid not matched, not added peer1.networkoperator.com:7051 - networkoperator
2021-04-02T04:19:27.643Z - debug: [Channel]: _getServiceEndpoints - Endorser mspid not matched, not added peer0.networkoperator.com:7051 - networkoperator
2021-04-02T04:19:27.643Z - debug: [Channel]: _getServiceEndpoints - Endorser mspid not matched, not added peer0.org2.com:7051 - org2
2021-04-02T04:19:27.643Z - debug: [Channel]: _getServiceEndpoints - Endorser mspid not matched, not added peer1.org2.com:7051 - org2
2021-04-02T04:19:27.643Z - debug: [Channel]: _getServiceEndpoints - Endorser mspid not matched, not added peer0.org3.com:7051 - org3
2021-04-02T04:19:27.643Z - debug: [Channel]: _getServiceEndpoints - Endorser mspid not matched, not added peer1.org3.com:7051 - org3
2021-04-02T04:19:27.643Z - debug: [RoundRobinQueryHandler]: constructor: peers=[]
```

The above logs show that rest-client tries to match the MSP id with peers.

The logs without service discovery:

```
[Service Discovery Turned Off]
2021-04-02T04:39:11.091Z - debug: [Channel]: _getServiceEndpoints - start - org4
2021-04-02T04:39:11.091Z - debug: [Channel]: _getServiceEndpoints - Endorser mspid not matched, not added peer0.org1.com - org1
2021-04-02T04:39:11.091Z - debug: [Channel]: _getServiceEndpoints - Endorser mspid not matched, not added peer1.org1.com - org1
2021-04-02T04:39:11.091Z - debug: [RoundRobinQueryHandler]: constructor: peers=[]
```

In general, these organizations will join the shared infrastructure and when they are ready to use their own infrastructure, they will be migrated to it. In the meantime, they will be invoking chaincode functions through their identities.

Akshay Sood
  • Orgs that do not have peers can definitely invoke transactions as long as they have been added to the appropriate channels. Did you add `org4` to all of the relevant channels? – Gari Singh Apr 02 '21 at 09:37
  • Yes, @GariSingh. I have added that organization to the channel. I am using HLF 2.3.1 – Akshay Sood Apr 02 '21 at 09:55
  • Can you post more of your client code? Not sure exactly which functions you are calling – Gari Singh Apr 03 '21 at 08:41
  • @GariSingh I checked the peer logs `2021-04-04 15:24:10.447 UTC [policies] SignatureSetToValidIdentities -> WARN 65875 invalid identity: certificate subject=CN=admin,OU=client serialnumber=529341260981649280325273063095564239165763549342 error="the supplied identity is not valid: x509: certificate signed by unknown authority"` – Akshay Sood Apr 04 '21 at 15:24
  • org4 identity is sending a transaction to org1's peers and those peers are throwing the above warning – Akshay Sood Apr 04 '21 at 15:26
  • The code is still trying to use service discovery which only supports clients which are in the same org as the peer (admins by default but optionally members as well). So if you try to use an org4 client with service discovery, it will fail. You will need a connection profile which does not use discovery and contains the list of endorsing peers. – Gari Singh Apr 04 '21 at 20:26
  • I got it. I turned off the service discovery, added the org1's peers into the target peer list, removed the query strategy and it started working. Thank you – Akshay Sood Apr 05 '21 at 08:39

2 Answers

1

The fabric-sdk was trying to match the invoker's MSP ID with the available endorsers' MSP IDs, which was failing the whole transaction because there's no peer that matches the invoker's MSP ID. I had to disable the service discovery and add specific peers into the target peer list to make this work.

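Some code:

```javascript
// `channel`, `transaction` and `args` come from the surrounding client code.
// Pick the endorsers that belong to org1's MSP rather than the invoker's MSP.
const endorsingPeers = channel.getEndorsers('org1');

// Target those peers explicitly instead of relying on service discovery.
if (endorsingPeers.length > 0) transaction = transaction.setEndorsingPeers(endorsingPeers);

const response_payloads = await transaction.evaluate(JSON.stringify(args));
```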
Akshay Sood
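The MSP matching described in the answer above can be read directly from the client debug log. The following is an added example, not part of the original answer and not SDK code: it parses the `_getServiceEndpoints` lines quoted in the question, flags a lookup where every endorser was rejected and the query handler was built empty, and lists the peers of a hosting MSP that a static target list could name. The function names `analyzeEndpointLog` and `candidateTargets` are illustrative.

```javascript
// Added example (not SDK code): read the client debug log to see why the
// query handler ended up with peers=[] and which peers could be targeted.
const START = /_getServiceEndpoints - start - (\S+)/;
const REJECT = /Endorser mspid not matched, not added (\S+) - (\S+)/;
const HANDLER = /\[(\w+)\]: constructor: peers=\[(.*)\]/;

function analyzeEndpointLog(text) {
  const runs = [];
  let run = null;
  for (const line of text.split('\n')) {
    let m;
    if ((m = START.exec(line))) {
      // The MSP ID after "start -" is the filter applied to every endorser.
      run = { filterMsp: m[1], rejectedByMsp: {}, handler: null, handlerEmpty: null };
      runs.push(run);
    } else if (run && (m = REJECT.exec(line))) {
      (run.rejectedByMsp[m[2]] = run.rejectedByMsp[m[2]] || []).push(m[1]);
    } else if (run && (m = HANDLER.exec(line))) {
      run.handler = m[1];
      run.handlerEmpty = m[2].trim() === '';
      run = null; // handler construction closes this lookup
    }
  }
  // A client org with no peers: endorsers exist, all were rejected for their
  // MSP ID, and the query handler was built with an empty list.
  for (const r of runs) {
    r.peerlessClient = r.handlerEmpty === true && Object.keys(r.rejectedByMsp).length > 0;
  }
  return runs;
}

// Peers owned by hostMsp that a static (non-discovery) target list could name.
function candidateTargets(run, hostMsp) {
  return run.rejectedByMsp[hostMsp] || [];
}

// Sample input: excerpt of the log lines posted in the question.
const SAMPLE = [
  '2021-04-02T04:19:27.643Z - debug: [Channel]: _getServiceEndpoints - start - org4',
  '2021-04-02T04:19:27.643Z - debug: [Channel]: _getServiceEndpoints - Endorser mspid not matched, not added peer0.org1.com:7051 - org1',
  '2021-04-02T04:19:27.643Z - debug: [Channel]: _getServiceEndpoints - Endorser mspid not matched, not added peer0.org2.com:7051 - org2',
  '2021-04-02T04:19:27.643Z - debug: [RoundRobinQueryHandler]: constructor: peers=[]',
  '2021-04-02T04:39:11.091Z - debug: [Channel]: _getServiceEndpoints - start - org4',
  '2021-04-02T04:39:11.091Z - debug: [Channel]: _getServiceEndpoints - Endorser mspid not matched, not added peer0.org1.com - org1',
  '2021-04-02T04:39:11.091Z - debug: [Channel]: _getServiceEndpoints - Endorser mspid not matched, not added peer1.org1.com - org1',
  '2021-04-02T04:39:11.091Z - debug: [RoundRobinQueryHandler]: constructor: peers=[]',
].join('\n');

console.log(JSON.stringify(analyzeEndpointLog(SAMPLE), null, 2));
```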
0

In such a case, org4 will only use crypto material given to it by the network operator to connect to the network and invoke chaincode. The following does not make sense to me:

> Is it possible for org4 identity to invoke transactions on org1 peers?

From my understanding, as long as you have crypto material to connect to HLF, and you have the right connection profile in place, the HLF client that org4 runs would end up posting the transaction to all peers, check the simulation result on the HLF client side, and then send the transaction to the orderer for it to be committed onto the peers.

So, in your case we'll have a new user created for org4 to use, and then org4 would use that crypto material to invoke the chaincodes. A transaction submitted by any org will end up getting executed by all participating orgs' infrastructure, so if someone does not want to contribute infra, they'll just use crypto material to connect to the HLF network without adding any, and reuse existing chaincodes put up on peers.

Siva