Re: User & Endorsement issues


Michael Steiner

Never mind: Belatedly, I realized that the cryptogen config has an `EnableNodeOUs` field and setting that to true solves exactly my issue (in fact, it even automatically generates the `NodeOUs` entries in the various msp/config.yaml files ...)


-michael-


From: Steiner, Michael
Sent: Monday, June 15, 2020 10:22
To: Jason Yellick <jyellick@...>; antonimassomola@...
Cc: fabric@...
Subject: RE: [Hyperledger Fabric] User & Endorsement issues


Hi,


Incidentally, I've just run into the same issue recently. While I did figure out the NodeOU config in msp/config.yaml, I then ran into a subsequent problem: the certs generated by cryptogen do not seem to contain properties allowing mapping to roles using NodeOU, and I couldn't figure out how to do it with cryptogen. Is it at all possible to associate roles with cryptogen-generated credentials, or is that possible only by going to a proper CA (e.g., via the fabric-ca)?


-michael-


PS: Maybe related to that, I didn't find anywhere a reference for cryptogen's config.yaml, the closest being what `cryptogen showtemplate` shows you. Is there any doc (other than the code itself :-) which describes the syntax and semantics of that yaml?


From: fabric@... <fabric@...> On Behalf Of Jason Yellick
Sent: Monday, June 15, 2020 07:32
To: antonimassomola@...
Cc: fabric@...
Subject: Re: [Hyperledger Fabric] User & Endorsement issues


Does your MSP configuration enable NodeOUs? See https://hyperledger-fabric.readthedocs.io/en/latest/msp.html#identity-classification for more details.

If your MSP definition does not enable node OUs, then the '.client' and '.peer' roles can never be satisfied, as the types cannot be distinguished and you must instead compose policies using the '.member' role.

Thanks,
~Jason
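
To make the point above concrete, here is an added Go example (not Fabric's own code) that models how NodeOU classification decides which principals a certificate satisfies, and evaluates the Readers rule from the original message against the peer identity shown in its log line. The MSP ID and certificate OUs are taken from that log line; the NodeOU identifiers (client/peer/admin/orderer), the `MSPConfig` type and the `Roles`/`Satisfies` helpers are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// MSPConfig models an MSP's identity classification; the OU identifiers
// mirror the NodeOUs section of msp/config.yaml (assumed names).
type MSPConfig struct {
	EnableNodeOUs                       bool
	ClientOU, PeerOU, AdminOU, OrdererOU string
}
// Roles returns the principals (mspID.member, mspID.admin, ...) an identity with
// certOUs satisfies. Simplified: Fabric's exactly-one-NodeOU check is omitted.
func Roles(cfg MSPConfig, mspID string, certOUs []string) []string {
	roles := []string{mspID + ".member"} // every valid MSP identity is a member
	if !cfg.EnableNodeOUs {
		return roles // client/peer/admin-by-OU are indistinguishable without NodeOUs
	}
	ouRole := map[string]string{cfg.ClientOU: "client", cfg.PeerOU: "peer",
		cfg.AdminOU: "admin", cfg.OrdererOU: "orderer"}
	for _, ou := range certOUs {
		if role, ok := ouRole[ou]; ok {
			roles = append(roles, mspID+"."+role)
		}
	}
	return roles
}
// Satisfies evaluates a flat OR('msp.role', ...) signature rule against roles.
func Satisfies(rule string, roles []string) bool {
	inner := strings.TrimSuffix(strings.TrimPrefix(strings.TrimSpace(rule), "OR("), ")")
	for _, principal := range strings.Split(inner, ",") {
		principal = strings.Trim(strings.TrimSpace(principal), "'")
		for _, r := range roles {
			if r == principal {
				return true
			}
		}
	}
	return false
}
func main() {
	// Constructed to match the peer identity in the log: MSP org1, OU=[admin, org1].
	certOUs := []string{"admin", "org1"}
	rule := "OR('org1.admin', 'org1.peer', 'org1.client')"
	on := MSPConfig{EnableNodeOUs: true, ClientOU: "client", PeerOU: "peer", AdminOU: "admin", OrdererOU: "orderer"}
	fmt.Println("NodeOUs off:", Satisfies(rule, Roles(MSPConfig{}, "org1", certOUs))) // false
	fmt.Println("NodeOUs on: ", Satisfies(rule, Roles(on, "org1", certOUs)))          // true
}
```

With NodeOUs disabled the identity only ever yields `org1.member`, which is why adding `'org1.member'` to the rule made it pass; with NodeOUs enabled the `admin` OU maps to `org1.admin` and the original rule is satisfied.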


----- Original message -----
From: "Antoni Massó Mola" <antonimassomola@...>
Sent by: fabric@...
To: fabric@...
Cc:
Subject: [EXTERNAL] [Hyperledger Fabric] User & Endorsement issues
Date: Sat, Jun 13, 2020 2:17 PM
Hello,

I'm having a hard time making the user type registered work with the org policies.

I register & enroll an admin user used by the peers at org1.

- &org1
    Name: org1
    ID: org1
    MSPDir: crypto-config/peerOrganizations/org1/msp
    Policies:
      Readers:
        Type: Signature
        Rule: "OR('org1.admin', 'org1.peer', 'org1.client')"
I get the following error from the peer0 log:

2020-06-13 18:11:12.290 UTC [gossip.channel] func5 -> WARN 022 Peer {"CN":"org1-peer1.default.svc.cluster.local","Issuer-CN":"fabric-ca-server","Issuer-L-ST-C":"[]-[]-[US]","Issuer-OU":["Fabric"],"L-ST-C":"[]-[]-[US]","MSP":"org1","OU":["admin","org1"]} isn't eligible for channel mainchannel : implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Readers' sub-policies to be satisfied

Peer1 from org1 seems to have issues with the policy set.

If I add org1.member to the Readers policy rule & recreate the HF network it works well.

Why does it fail if I don't specify the user type as member?

Thanks
