I am having a problem setting up a Fabric network.
Error: got unexpected status: FORBIDDEN -- implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Writers' sub-policies to be satisfied: permission denied
I can't see how to fix it. The configuration is very simple, but the problem seems to be related to the policies.
I have tried shutting the network down and bringing it up, tried removing the volumes and everything else suggested in other threads, but could not solve it. I have set up a network many times, but have never run into a problem like this.
Also, I have regenerated the certificates from scratch, changed the sk file in the yml file, and the configuration file contains the network's artifacts. Essentially, I can shut down all the dockers, but as soon as the script runs this command
docker exec -e $CORE_PEER_LOCALMSPID -e $CORE_MSP_CONFIG_PATH $CLI peer channel create -o $ORDERER1:7050 -c $CHANNEL_NAME -f /etc/hyperledger/configtx/channel.tx
it tries to create the channel and fails.
I am also sharing the configtx file, which should be related to the problem:
configtx.yaml
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
---
################################################################################
#
# Section: Organizations
#
# - This section defines the different organizational identities which will
# be referenced later in the configuration.
#
################################################################################
Organizations:
    # SampleOrg defines an MSP using the sampleconfig. It should never be used
    # in production but may be used as a template for other definitions
    - &OrdererOrg
        # DefaultOrg defines the organization which is used in the sampleconfig
        # of the fabric.git development environment
        Name: OrdererOrg
        # ID to load the MSP definition as
        ID: OrdererMSP
        # MSPDir is the filesystem path which contains the MSP configuration
        MSPDir: crypto-config/ordererOrganizations/example.com/msp
        # Policies defines the set of policies at this level of the config tree
        # For organization policies, their canonical path is usually
        #   /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('OrdererMSP.member')"
            Writers:
                Type: Signature
                Rule: "OR('OrdererMSP.member')"
            Admins:
                Type: Signature
                Rule: "OR('OrdererMSP.admin')"
    - &Org1
        # DefaultOrg defines the organization which is used in the sampleconfig
        # of the fabric.git development environment
        Name: Org1MSP
        # ID to load the MSP definition as
        ID: Org1MSP
        MSPDir: crypto-config/peerOrganizations/org1.example.com/msp
        # Policies defines the set of policies at this level of the config tree
        # For organization policies, their canonical path is usually
        #   /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('Org1MSP.admin', 'Org1MSP.peer', 'Org1MSP.client')"
            Writers:
                Type: Signature
                Rule: "OR('Org1MSP.admin', 'Org1MSP.peer', 'Org1MSP.client')"
            Admins:
                Type: Signature
                Rule: "OR('Org1MSP.admin')"
        AnchorPeers:
            # AnchorPeers defines the location of peers which can be used
            # for cross org gossip communication. Note, this value is only
            # encoded in the genesis block in the Application section context
            - Host: peer0.org1.example.com
              Port: 7051
            - Host: peer1.org1.example.com
              Port: 8051
################################################################################
#
#   SECTION: Application
#
#   - This section defines the values to encode into a config transaction or
#   genesis block for application related parameters
#
################################################################################
Application: &ApplicationDefaults
    # Organizations is the list of orgs which are defined as participants on
    # the application side of the network
    Organizations:
    Policies:
        # Readers:
        #     Type: ImplicitMeta
        #     Rule: "ANY Readers"
        # Writers:
        #     Type: ImplicitMeta
        #     Rule: "ANY Writers"
        # Admins:
        #     Type: ImplicitMeta
        #     Rule: "MAJORITY Admins"
################################################################################
#
#   SECTION: Orderer
#
#   - This section defines the values to encode into a config transaction or
#   genesis block for orderer related parameters
#
################################################################################
Orderer: &OrdererDefaults
    # Orderer Type: The orderer implementation to start
    # Available types are "solo" and "kafka"
    OrdererType: solo
    Addresses:
        - orderer.example.com:7050
    # Batch Timeout: The amount of time to wait before creating a batch
    BatchTimeout: 500ms
    # Batch Size: Controls the number of messages batched into a block
    BatchSize:
        # Max Message Count: The maximum number of messages to permit in a batch
        MaxMessageCount: 15
        # Absolute Max Bytes: The absolute maximum number of bytes allowed for
        # the serialized messages in a batch.
        AbsoluteMaxBytes: 99 MB
        # Preferred Max Bytes: The preferred maximum number of bytes allowed for
        # the serialized messages in a batch. A message larger than the preferred
        # max bytes will result in a batch larger than preferred max bytes.
        PreferredMaxBytes: 512 kb
    Kafka:
        # Brokers: A list of Kafka brokers to which the orderer connects
        # NOTE: Use IP:port notation
        Brokers:
            # - 127.0.0.1:9092
    # Organizations is the list of orgs which are defined as participants on
    # the orderer side of the network
    Organizations:
    Policies:
        # Readers:
        #     Type: ImplicitMeta
        #     Rule: "ANY Readers"
        # Writers:
        #     Type: ImplicitMeta
        #     Rule: "ANY Writers"
        # Admins:
        #     Type: ImplicitMeta
        #     Rule: "MAJORITY Admins"
        # # BlockValidation specifies what signatures must be included in the block
        # # from the orderer for the peer to validate it.
        # BlockValidation:
        #     Type: ImplicitMeta
        #     Rule: "ANY Writers"
################################################################################
#
#   CHANNEL
#
#   This section defines the values to encode into a config transaction or
#   genesis block for channel related parameters.
#
################################################################################
Channel: &ChannelDefaults
    # Policies defines the set of policies at this level of the config tree
    # For Channel policies, their canonical path is
    #   /Channel/<PolicyName>
    Policies:
        # # Who may invoke the 'Deliver' API
        # Readers:
        #     Type: ImplicitMeta
        #     Rule: "ANY Readers"
        # # Who may invoke the 'Broadcast' API
        # Writers:
        #     Type: ImplicitMeta
        #     Rule: "ANY Writers"
        # # By default, who may modify elements at this config level
        # Admins:
        #     Type: ImplicitMeta
        #     Rule: "MAJORITY Admins"
################################################################################
#
#   Profile
#
#   - Different configuration profiles may be encoded here to be specified
#   as parameters to the configtxgen tool
#
################################################################################
Profiles:
    OneOrgOrdererGenesis:
        Orderer:
            <<: *OrdererDefaults
            Organizations:
                - *OrdererOrg
        Consortiums:
            SampleConsortium:
                Organizations:
                    - *Org1
    OneOrgChannel:
        Consortium: SampleConsortium
        <<: *ChannelDefaults
        Application:
            <<: *ApplicationDefaults
            Organizations:
                - *Org1
Edit: configtx updated after the comments:
# Copyright IBM Corp. All Rights Reserved.
#
# SPDX-License-Identifier: Apache-2.0
#
---
################################################################################
#
# Section: Organizations
#
# - This section defines the different organizational identities which will
# be referenced later in the configuration.
#
################################################################################
Organizations:
    # SampleOrg defines an MSP using the sampleconfig. It should never be used
    # in production but may be used as a template for other definitions
    - &OrdererOrg
        # DefaultOrg defines the organization which is used in the sampleconfig
        # of the fabric.git development environment
        Name: OrdererOrg
        # ID to load the MSP definition as
        ID: OrdererMSP
        # MSPDir is the filesystem path which contains the MSP configuration
        MSPDir: crypto-config/ordererOrganizations/example.com/msp
        # Policies defines the set of policies at this level of the config tree
        # For organization policies, their canonical path is usually
        #   /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('OrdererMSP.member')"
            Writers:
                Type: Signature
                Rule: "OR('OrdererMSP.member')"
            Admins:
                Type: Signature
                Rule: "OR('OrdererMSP.admin')"
    - &Org1
        # DefaultOrg defines the organization which is used in the sampleconfig
        # of the fabric.git development environment
        Name: Org1MSP
        # ID to load the MSP definition as
        ID: Org1MSP
        MSPDir: crypto-config/peerOrganizations/org1.example.com/msp
        # Policies defines the set of policies at this level of the config tree
        # For organization policies, their canonical path is usually
        #   /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('Org1MSP.member')"
            Writers:
                Type: Signature
                Rule: "OR('Org1MSP.member')"
            Admins:
                Type: Signature
                Rule: "OR('Org1MSP.member')"
        AnchorPeers:
            # AnchorPeers defines the location of peers which can be used
            # for cross org gossip communication. Note, this value is only
            # encoded in the genesis block in the Application section context
            - Host: peer0.org1.example.com
              Port: 7051
            - Host: peer1.org1.example.com
              Port: 8051
################################################################################
#
#   SECTION: Application
#
#   - This section defines the values to encode into a config transaction or
#   genesis block for application related parameters
#
################################################################################
Application: &ApplicationDefaults
    # Organizations is the list of orgs which are defined as participants on
    # the application side of the network
    Organizations:
    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
################################################################################
#
#   SECTION: Orderer
#
#   - This section defines the values to encode into a config transaction or
#   genesis block for orderer related parameters
#
################################################################################
Orderer: &OrdererDefaults
    # Orderer Type: The orderer implementation to start
    # Available types are "solo" and "kafka"
    OrdererType: solo
    Addresses:
        - orderer.example.com:7050
    # Batch Timeout: The amount of time to wait before creating a batch
    BatchTimeout: 500ms
    # Batch Size: Controls the number of messages batched into a block
    BatchSize:
        # Max Message Count: The maximum number of messages to permit in a batch
        MaxMessageCount: 15
        # Absolute Max Bytes: The absolute maximum number of bytes allowed for
        # the serialized messages in a batch.
        AbsoluteMaxBytes: 99 MB
        # Preferred Max Bytes: The preferred maximum number of bytes allowed for
        # the serialized messages in a batch. A message larger than the preferred
        # max bytes will result in a batch larger than preferred max bytes.
        PreferredMaxBytes: 512 kb
    # Kafka:
    #     # Brokers: A list of Kafka brokers to which the orderer connects
    #     # NOTE: Use IP:port notation
    #     Brokers:
    #         - 127.0.0.1:9092
    # Organizations is the list of orgs which are defined as participants on
    # the orderer side of the network
    Organizations:
    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
        # BlockValidation specifies what signatures must be included in the block
        # from the orderer for the peer to validate it.
        BlockValidation:
            Type: ImplicitMeta
            Rule: "ANY Writers"
################################################################################
#
#   CHANNEL
#
#   This section defines the values to encode into a config transaction or
#   genesis block for channel related parameters.
#
################################################################################
Channel: &ChannelDefaults
    # Policies defines the set of policies at this level of the config tree
    # For Channel policies, their canonical path is
    #   /Channel/<PolicyName>
    Policies:
        # Who may invoke the 'Deliver' API
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        # Who may invoke the 'Broadcast' API
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        # By default, who may modify elements at this config level
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
################################################################################
#
#   Profile
#
#   - Different configuration profiles may be encoded here to be specified
#   as parameters to the configtxgen tool
#
################################################################################
Profiles:
    OneOrgOrdererGenesis:
        <<: *ChannelDefaults
        Orderer:
            <<: *OrdererDefaults
            Organizations:
                - *OrdererOrg
        Consortiums:
            SampleConsortium:
                Organizations:
                    - *Org1
    OneOrgChannel:
        <<: *ChannelDefaults
        Consortium: SampleConsortium
        Application:
            <<: *ApplicationDefaults
            Organizations:
                - *Org1
Answer 0: (score: 1)
Is your client an admin of Org1?
Have you configured NodeOUs (https://hyperledger-fabric.readthedocs.io/en/release-1.4/msp.html#identity-classification)?
You could try less restrictive NodeOUs by changing the Org1 policies to...
Policies:
    Readers:
        Type: Signature
        Rule: "OR('Org1MSP.member')"
    Writers:
        Type: Signature
        Rule: "OR('Org1MSP.member')"
    Admins:
        Type: Signature
        Rule: "OR('Org1MSP.admin')"
...and regenerating what is needed (genesis block, channel transaction, etc.).
You could uncomment the remaining policies.
Answer 1: (score: 1)
Well. From your logs (when something fails, look at the logs):
2019-11-20 15:45:04.331 UTC [policies] Evaluate -> DEBU 2e7 == Evaluating *cauthdsl.policy Policy /Channel/Orderer/OrdererOrg/Writers ==
it is evaluating /Channel/Orderer/OrdererOrg/Writers.
The certificate that signed the request is:
So let's decode it:
openssl x509 -text -noout -in cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            be:6b:90:13:4f:2e:47:1c:41:18:4f:d0:fb:2e:61:09
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = US, ST = California, L = San Francisco, O = org1.example.com, CN = ca.org1.example.com
        Validity
            Not Before: Nov 20 15:33:00 2019 GMT
            Not After : Nov 17 15:33:00 2029 GMT
        Subject: C = US, ST = California, L = San Francisco, CN = Admin@org1.example.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:27:5e:64:94:5f:96:29:1e:51:46:93:8a:ec:ab:
                    3a:7d:62:e4:d9:73:67:d8:f5:71:83:c7:d6:2a:2f:
                    20:90:e8:6b:29:4a:db:98:ac:ee:73:3a:dd:23:2c:
                    6a:a3:ca:2b:9e:40:32:54:3e:d9:ed:51:a8:86:04:
                    54:e3:ed:df:d2
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier:
                keyid:64:E5:3E:F4:37:51:59:32:88:73:F3:B3:5E:26:0D:51:A1:CA:14:57:13:E9:E9:25:AB:77:F8:3A:08:7B:AA:4C
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:21:00:c9:f3:72:7a:81:7f:86:96:cf:66:70:65:32:
         33:fe:ee:9c:94:c8:8a:9f:a2:26:7c:6e:f1:c1:a3:24:fb:c7:
         75:02:20:6c:9c:78:01:33:b4:22:74:f6:9e:6d:55:2a:68:ea:
         38:2b:49:b6:be:55:33:0b:cb:5f:ae:a6:96:20:5e:f3:b8
Looks fine, but the most important part is the message:
2019-11-20 15:45:04.332 UTC [cauthdsl] deduplicate -> ERRO 2ea Principal deserialization failure (the supplied identity is not valid: x509: certificate signed by unknown authority) for identity 0
The orderer does not recognize the CA that signed your request. Are you absolutely sure that your client's certificate (the one received above) was signed by the same CA as the one configured (among other things) in crypto-config/peerOrganizations/org1.example.com/msp/cacerts/whateveritiscalled.pem in configtx.yaml before you ran the configtxgen command to generate the genesis block and started your orderer? I bet it was not. Sometimes you run cryptogen again, and your client's certificate ends up signed by a different (newer or older) CA than the one specified for the Org1 MSP in configtx.yaml when the genesis block was generated and that is used by the orderer.
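A toy model, added here and not taken from any of the answers, of how the orderer arrives at "0 sub-policies were satisfied, but this policy requires 1": an ImplicitMeta "ANY Writers" rule is evaluated over each org's Signature sub-policy, and a signer whose certificate does not chain to the MSP's trusted CA fails deserialization before any principal (member, admin, peer, client) can match, which also covers the member-vs-admin point in Answer 0. The Identity class, the TRUSTED_CA table and the issuer names are constructed; real Fabric validates full X.509 chains against msp/cacerts and checks admincerts or NodeOUs for the admin role.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Identity:
    msp_id: str   # MSP the signer claims to belong to, e.g. "Org1MSP"
    role: str     # "admin", "peer" or "client"; every valid identity is also a "member"
    issuer: str   # constructed: name of the CA that signed the signer's certificate

# Constructed stand-in for each MSP's cacerts directory: the one CA that MSP trusts.
TRUSTED_CA = {"OrdererMSP": "ca.example.com", "Org1MSP": "ca.org1.example.com"}

# Org-level Writers rules copied from the question's first configtx.yaml.
ORGS = {
    "OrdererOrg": {"Writers": "OR('OrdererMSP.member')"},
    "Org1": {"Writers": "OR('Org1MSP.admin', 'Org1MSP.peer', 'Org1MSP.client')"},
}

def deserialize(signer, msp_id):
    """Principal deserialization for one MSP: the cert must chain to that MSP's CA.
    None models 'x509: certificate signed by unknown authority'."""
    if signer.msp_id != msp_id or TRUSTED_CA.get(msp_id) != signer.issuer:
        return None
    return signer

def eval_signature(rule, signers):
    """Signature policy OR('MSP.role', ...): one signer matching one principal suffices."""
    for msp_id, role in re.findall(r"'([^'.]+)\.([^']+)'", rule):
        for signer in signers:
            valid = deserialize(signer, msp_id)
            if valid is not None and (role == "member" or role == valid.role):
                return True
    return False

def eval_implicit_meta(rule, org_policies, signers):
    """ImplicitMeta 'ANY|ALL|MAJORITY <name>' over every org's <name> sub-policy.
    Returns (ok, satisfied, required): the numbers the orderer prints on failure."""
    quantifier, name = rule.split()
    sub_rules = [policies[name] for policies in org_policies.values()]
    satisfied = sum(eval_signature(r, signers) for r in sub_rules)
    required = {"ANY": 1, "ALL": len(sub_rules), "MAJORITY": len(sub_rules) // 2 + 1}[quantifier]
    return satisfied >= required, satisfied, required

def verdict(signers):
    """Evaluate 'ANY Writers' over ORGS, phrased the way the orderer reports it."""
    ok, got, need = eval_implicit_meta("ANY Writers", ORGS, signers)
    return "satisfied" if ok else (f"{got} sub-policies were satisfied, but this policy "
                                   f"requires {need} of the 'Writers' sub-policies to be satisfied")
```

An Org1 admin whose certificate was issued by a regenerated CA (a different issuer than the one the MSP trusts) produces exactly the failure text from the question, while the same identity signed by the trusted CA satisfies the policy.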
Answer 2: (score: 0)
I had to add ChannelDefaults to the genesis block, like this:
Profiles:
    ThreeOrgsOrdererGenesis:
        <<: *ChannelDefaults
        Orderer:
            <<: *OrdererDefaults
            ...