
I am building a network where I need nodes to join throughout the lifetime of the application, and as a first implementation I want to change the channel configuration in order to change the policies regarding who needs to sign a configuration change. Therefore I have correctly followed the procedure where I fetch the latest configuration block, decode it, and am able to edit it in JSON format.

```json
{
  "channel_group": {
    "groups": {
      "Application": {
      },
      "Orderer": {
      }
    },
    "mod_policy": "Admins",
    "policies": {
      "Admins": {
        "mod_policy": "Admins",
        "policy": {
          "type": 3,
          "value": {
            "rule": "ANY",
            "sub_policy": "Admins"
          }
        },
        "version": "0"
      },
      "Readers": {
        "mod_policy": "Admins",
        "policy": {
          "type": 3,
          "value": {
            "rule": "ANY",
            "sub_policy": "Readers"
          }
        },
        "version": "0"
      },
      "Writers": {
        "mod_policy": "Admins",
        "policy": {
          "type": 3,
          "value": {
            "rule": "ANY",
            "sub_policy": "Writers"
          }
        },
        "version": "0"
      }
    },
    "values": {
    },
    "version": "0"
  },
  "sequence": "8"
}
```

So I have the above output, and I change the rule of the Admins policy to ANY (as it is changed).

After that I encode it back to an envelope and start signing.

I currently have 4 organizations, and since the default rule is that the Majority of Admins must sign, I sign one by one with all organizations.

If I sign with only one or two organization Admins and submit the update I get the following error:

```
Error: got unexpected status: BAD_REQUEST -- error applying config update to existing channel 'channel': error authorizing update: error validating DeltaSet: policy for [Policy] /Channel/Admins not satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 2 of the 'Admins' sub-policies to be satisfied
```

Which is very reasonable.

After 3 signatures out of 4, as the Majority rule exists, I get the following change when I update and submit:

```
Error: got unexpected status: BAD_REQUEST -- error applying config update to existing channel 'channel': error authorizing update: error validating DeltaSet: policy for [Policy] /Channel/Admins not satisfied: implicit policy evaluation failed - 1 sub-policies were satisfied, but this policy requires 2 of the 'Admins' sub-policies to be satisfied
```

So as we can see, 1 of the sub-policies was satisfied, but at this point it needs 2. And here is the point that I do not understand. What is the second sub-policy? And since I have signed with all the Admins of each organization, who else needs to sign this configuration channel update?

Thank you

Rafail K.

1 Answer


After continuous research I found out that for this kind of update, by default the policy says that a MAJORITY of peer admins need to sign, but also a MAJORITY of orderer admins. Therefore the 2 'Admins' sub-policies!

Since I have one orderer organization, I exported the following environment variables and used the same command for signing as before. You should not get confused by using the 'peer' command as an orderer. The peer is the node that sends to the orderer node, and the orderer is the one that creates the block and distributes it. It is just like using another user with the peer command.

```bash
export ORDERER_GENERAL_TLS_ENABLED=true
export CORE_PEER_TLS_ROOTCERT_FILE=${PWD}/network/organizations/ordererOrganizations/authorizer/orderers/orderer.authorizer/msp/tlscacerts/tlsca.authorizer-cert.pem
export CORE_PEER_MSPCONFIGPATH=${PWD}/network/organizations/ordererOrganizations/authorizer/users/Admin@authorizer/msp
```

This is what I have exported and used as an orderer user to sign. After that signature is passed to the envelope, the policy is fulfilled!

Rafail K.
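Added example, not part of the original question or answer and not Fabric's own code: a simplified Python model of how an ImplicitMeta policy such as /Channel/Admins counts the 'Admins' sub-policies of its child groups, reproducing the "0 of 2", "1 of 2" and satisfied outcomes described above. The MSP IDs are constructed, the channel is assumed to use MAJORITY at every level before the edit, and each organization's Admins policy is reduced to "an admin of that MSP signed".

```python
# Simplified model of Fabric ImplicitMeta policy evaluation (added example).
# Assumptions: constructed MSP IDs; MAJORITY at every level; an org's Admins
# Signature policy is reduced to "an admin of that MSP signed the update".
SIGNATURE, IMPLICIT_META = 1, 3   # policy "type" values, as in the config JSON


def threshold(rule, n):
    """Number of sub-policies that must pass for a rule over n child groups."""
    if n == 0:
        return 0
    return {"ANY": 1, "ALL": n, "MAJORITY": n // 2 + 1}[rule]


def evaluate(group, name, signers):
    """Return (satisfied, sub_policies_passed, sub_policies_required)."""
    policy = group["policies"][name]
    if policy["type"] == SIGNATURE:            # leaf: organization-level policy
        ok = policy["msp"] in signers
        return ok, int(ok), 1
    sub = policy["sub_policy"]
    children = [g for g in group["groups"].values() if sub in g["policies"]]
    passed = sum(evaluate(g, sub, signers)[0] for g in children)
    required = threshold(policy["rule"], len(children))
    return passed >= required, passed, required


def org(msp):
    return {"groups": {}, "policies": {"Admins": {"type": SIGNATURE, "msp": msp}}}


def meta(rule):
    return {"Admins": {"type": IMPLICIT_META, "rule": rule, "sub_policy": "Admins"}}


PEER_ORGS = ("Org1MSP", "Org2MSP", "Org3MSP", "Org4MSP")   # constructed names
CHANNEL = {
    "policies": meta("MAJORITY"),              # /Channel/Admins
    "groups": {
        "Application": {"policies": meta("MAJORITY"),
                        "groups": {m: org(m) for m in PEER_ORGS}},
        "Orderer": {"policies": meta("MAJORITY"),
                    "groups": {"OrdererMSP": org("OrdererMSP")}},
    },
}


def check(signers):
    """Evaluate /Channel/Admins for the set of MSPs whose admins signed."""
    return evaluate(CHANNEL, "Admins", set(signers))


if __name__ == "__main__":
    for s in (PEER_ORGS[:2], PEER_ORGS[:3], PEER_ORGS[:3] + ("OrdererMSP",)):
        print(sorted(s), "->", check(s))
```
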