Date   

Documentation Workgroup: Agenda for Friday, 25 October

Anthony O'Dowd <a_o-dowd@...>
 

Hello All,

We hold our regular documentation workgroup call this week, both Eastern and Western hemispheres.

We moved to the Fabric wiki last week for agenda building and minutes.  You can see the new Wiki page : https://wiki.hyperledger.org/display/fabric/Documentation+Working+Group

You can read the summary minutes for last week's call below and see this week's agenda :https://wiki.hyperledger.org/display/fabric/2019+10+25+DWG+Agenda I've also added an outline agenda for next week's meeting : https://wiki.hyperledger.org/display/fabric/2019+11+01+DWG+Agenda Feel free to add items to this as required.

Best regards,

Anthony, Pam, Joe, Nik

P.S We will include meeting details below for continuity for the next few weeks.

Meeting Details
-------------
Please use the following link to attend the meeting:  https://zoom.us/j/6223336701

Zoom should work in the browser.  I will open the call 5 minutes early so that folks can test it out. I'll also monitor the RocketChat at https://chat.hyperledger.org/channel/fabric-release so that if anyone has issues, ping me there!

More Zoom connection options at the bottom of this note.

The meeting times are as follows:


Meeting 102A: Friday 25 Oct
                   1130 India Standard Time
                   1400 China Standard Time
                   1500 Japan Standard Time
                   1700 Australia Eastern Time
                   1400 Singapore Time
                   1000 Gulf Standard Time
                   1000 Moscow Standard Time
                   0700 Greenwich Mean Time
                   0800 Central European Time    

Meeting 102B: Friday 25 Oct
              1000 Central Daylight Time
                   1100 Eastern Daylight Time
                   0800 Pacific Daylight Time
                   1200 Brasil Standard Time
                   1600 Greenwich Mean Time
                   1700 Central European Time
                   1800 Moscow Standard Time

Unless stated otherwise above:
IBM United Kingdom Limited - Registered in England and Wales with number 741598.
Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU


回复: [Hyperledger Fabric] #fabric #configtxgen Configtxgen alternative #fabric #configtxgen

david liu <david-khala@...>
 

FYI, I have discussed with one of fabric-sdk-node maintainer, in concept-wise it is possible to implement a nodejs version of configtxgen: "see it as an inverse operation of BlockDecoder“

发件人: fabric@... <fabric@...> 代表 Ross Tang <tangross@...>
发送时间: 2019年10月24日 16:16
收件人: Jean-Gaël Dominé <jgdomine@...>
抄送: fabric@... <fabric@...>
主题: Re: [Hyperledger Fabric] #fabric #configtxgen Configtxgen alternative
 
Sorry, I misunderstood the question, giving wrong response.


On 24 Oct 2019, at 2:41 PM, Jean-Gaël Dominé <jgdomine@...> wrote:

That is what I was also thinking but did not know for sure as well.
But when I read your previous post stating:
The creation of genesis block can be done by SDK, along with the use of Fabric CA
I admit I had hope ;)


Re: Major security hole in Hyperledger Fabric - Private Data is not private #fabric-chaincode #ssl #fabric #fabric-questions #fabric-dstorage

David Enyeart
 

You are essentially suggesting to add a warning that private data content can't be known by non-members of the collection. That is the whole point of private data and anybody considering an implementation will already know this. The non-members only validate against a hash of the data. The members can later share the private data content with non-members if a need-to-know arises, and the non-member can then validate the pre-image content against the hash on chain, with an understanding that only the group of transactors may have come to agreement on the data. This is the fundamental design of private data. Like any feature, It will be fit for some use cases, and not fit for others. I believe these considerations were already obvious, but hopefully this thread has provided some clarification. I am glad the thread has at least helped to improve the documentation around the importance of including a salt in your private data if it is predictable, to keep it secure.


Dave Enyeart

"Ivan Ch" ---10/24/2019 06:02:26 AM---Dave, Yacov, and Alex Seems that the general response to this scenario is “this is an application de

From: "Ivan Ch" <acizlan@...>
To: fabric@...
Date: 10/24/2019 06:02 AM
Subject: [EXTERNAL] Re: [Hyperledger Fabric] Major security hole in Hyperledger Fabric - Private Data is not private #fabric #fabric-questions #fabric-dstorage #database #dstorage #dstorage-fabric #fabric-chaincode #ssl
Sent by: fabric@...





Dave, Yacov, and Alex

Seems that the general response to this scenario is “this is an application design problem and should be solved by chaincode”
       
      here is an example:
       my national ID is "1234567", but I am a bad guy and want others to believe that my national ID number is "7654321". so I put the false hash(salt, "7654321") on chain, and then send pre-images (salt, "7654321")  to whoever I want to convince. Since nobody can verify the hash(salt, "7654321")  when the hash was put on chain without prior knowledge of the data, an adversary can use the claims about private data functionality to trick people to believe forged data.
But my argument here is that chaincode design can’t solve this problem, and I can assure you that there is a large number of DLT deployments are at risk because of this.
 
As I stated earlier, hashes cannot be verified by third parties like digital signature or ZKP algorithm.  There is almost no way to guard against adversaries from putting fake data and then trick others to believe the fake data is real.
 
Since chaincode can’t decode hashes so the only thing a chaincode can perform is to limit on number of updates. In most financial use cases (e.g. trade transactions) this is irrelevant since pre-image data are not constants in the first place. Even for constant data such as “national ID” in the aforementioned scenario, chaincode most likely will still allow at least a few updates to cover typos.
 
Leaving it to applications is easier said than done since there are so few ways to get it right and this functionality simply opens door for attackers and yet offers almost nothing.
 
This bug is neither an application design issue nor fabric implementation issue, but a methodology problem that private data feature promotes. My humble recommendation is to depreciate this functionality or at least put warning signs to people still plan to use it





Re: Major security hole in Hyperledger Fabric - Private Data is not private #fabric-chaincode #ssl #fabric #fabric-questions #fabric-dstorage

Senthil Nathan
 

Hi Ivan,

  

    As far as I know, Blockchain/DLT platform itself does not claim to find fake data. However, one may build an application using blockchain to find fake data. An example from real-world  -- https://www.coindesk.com/new-york-times-confirms-its-using-blockchain-to-combat-fake-news


    Detecting fake data is a hard problem to solve. Some overview of ongoing research can be found here -- https://www.dropbox.com/s/pwoqrlfcyhw13pc/CombatingFakeNews.pdf?dl=0


Regards,

Senthil


On Thu, Oct 24, 2019 at 3:32 PM Ivan Ch <acizlan@...> wrote:

Dave, Yacov, and Alex

Seems that the general response to this scenario is “this is an application design problem and should be solved by chaincode”

 
here is an example: my national ID is "1234567", but I am a bad guy and want others to believe that my national ID number is "7654321". so I put the false hash(salt, "7654321") on chain, and then send pre-images (salt, "7654321")  to whoever I want to convince. Since nobody can verify the hash(salt, "7654321")  when the hash was put on chain without prior knowledge of the data, an adversary can use the claims about private data functionality to trick people to believe forged data.

But my argument here is that chaincode design can’t solve this problem, and I can assure you that there is a large number of DLT deployments are at risk because of this.

 

As I stated earlier, hashes cannot be verified by third parties like digital signature or ZKP algorithm.  There is almost no way to guard against adversaries from putting fake data and then trick others to believe the fake data is real.

 

Since chaincode can’t decode hashes so the only thing a chaincode can perform is to limit on number of updates. In most financial use cases (e.g. trade transactions) this is irrelevant since pre-image data are not constants in the first place. Even for constant data such as “national ID” in the aforementioned scenario, chaincode most likely will still allow at least a few updates to cover typos.

 

Leaving it to applications is easier said than done since there are so few ways to get it right and this functionality simply opens door for attackers and yet offers almost nothing.

 

This bug is neither an application design issue nor fabric implementation issue, but a methodology problem that private data feature promotes. My humble recommendation is to depreciate this functionality or at least put warning signs to people still plan to use it


Re: Starting Fabric-CA without providing any root certificate #fabric-ca

Gari Singh <garis@...>
 

To be clear, the root certificate is actually not the same although the CN will always be the same unless you actually change it in the config.
You can run `fabric-ca-server init` to generate a default config and then edit the "csr" section of the config.

-----------------------------------------
Gari Singh
Distinguished Engineer, CTO - IBM Blockchain
IBM Middleware
550 King St
Littleton, MA 01460
Cell: 978-846-7499
garis@...
-----------------------------------------

-----fabric@... wrote: -----
To: fabric@...
From: "shrugupt via Lists.Hyperledger.Org"
Sent by: fabric@...
Date: 10/24/2019 02:30AM
Cc: fabric@...
Subject: [EXTERNAL] [Hyperledger Fabric] Starting Fabric-CA without providing any root certificate

Hi All,

I am using Fabric-CA to generate enrollment and TLS certificates. I am using below command to start the Fabric-CA:

fabric-ca-server start -b admin:adminpw --port 7054

I am not providing any root certificate keypair to Fabric-CA.

Fabric-CA is getting started successfully but I am seeing that Root Certificate is always the same. So, if I have started 2 instances of Fabric-CA- 1 for orderer org and 1 for peer org- root certificate is same for both the organizations. This behavior is consistently same.

Is it mandatory to supply a root certificate to Fabric-CA while starting it? Does it not generate a different root certificate on its own? Am I missing any step?

Thanks & Regards,
Shruti Gupta


Re: Major security hole in Hyperledger Fabric - Private Data is not private #fabric-chaincode #ssl #fabric #fabric-questions #fabric-dstorage

Ivan Ch <acizlan@...>
 

Dave, Yacov, and Alex

Seems that the general response to this scenario is “this is an application design problem and should be solved by chaincode”

 
here is an example: my national ID is "1234567", but I am a bad guy and want others to believe that my national ID number is "7654321". so I put the false hash(salt, "7654321") on chain, and then send pre-images (salt, "7654321")  to whoever I want to convince. Since nobody can verify the hash(salt, "7654321")  when the hash was put on chain without prior knowledge of the data, an adversary can use the claims about private data functionality to trick people to believe forged data.

But my argument here is that chaincode design can’t solve this problem, and I can assure you that there is a large number of DLT deployments are at risk because of this.

 

As I stated earlier, hashes cannot be verified by third parties like digital signature or ZKP algorithm.  There is almost no way to guard against adversaries from putting fake data and then trick others to believe the fake data is real.

 

Since chaincode can’t decode hashes so the only thing a chaincode can perform is to limit on number of updates. In most financial use cases (e.g. trade transactions) this is irrelevant since pre-image data are not constants in the first place. Even for constant data such as “national ID” in the aforementioned scenario, chaincode most likely will still allow at least a few updates to cover typos.

 

Leaving it to applications is easier said than done since there are so few ways to get it right and this functionality simply opens door for attackers and yet offers almost nothing.

 

This bug is neither an application design issue nor fabric implementation issue, but a methodology problem that private data feature promotes. My humble recommendation is to depreciate this functionality or at least put warning signs to people still plan to use it


Re: #fabric #configtxgen Configtxgen alternative #configtxgen #fabric

Ross Tang <tangross@...>
 

Sorry, I misunderstood the question, giving wrong response.


On 24 Oct 2019, at 2:41 PM, Jean-Gaël Dominé <jgdomine@...> wrote:

That is what I was also thinking but did not know for sure as well.
But when I read your previous post stating:
The creation of genesis block can be done by SDK, along with the use of Fabric CA
I admit I had hope ;)


Re: Starting Fabric-CA without providing any root certificate #fabric-ca

Jean-Gaël Dominé <jgdomine@...>
 

Hi,

This is a tricky thing. I had the same issue and it took me a while to figure out the issue.

This is definitely not mandatory to provide the root certificate and the private key to the CA because it will generate them if needed.
BUT (and that's where your issue lies) the provided fabric-ca image was packaged with already a root certificate and a private key... I suppose you always see that example.com issued everything right?

The workaround I found was to delete these two files before starting the CA so that it creates them.
I did it like this:
rm -Rf /etc/hyperledger/fabric-ca-server

Pretty ugly but at least all my CAs use the CN I was defining :)

Hope this helps

JG


Re: #fabric #configtxgen Configtxgen alternative #configtxgen #fabric

Jean-Gaël Dominé <jgdomine@...>
 

That is what I was also thinking but did not know for sure as well.
But when I read your previous post stating:
The creation of genesis block can be done by SDK, along with the use of Fabric CA
I admit I had hope ;)


Starting Fabric-CA without providing any root certificate #fabric-ca

shrugupt@...
 

Hi All,

I am using Fabric-CA to generate enrollment and TLS certificates. I am using below command to start the Fabric-CA:

fabric-ca-server start -b admin:adminpw --port 7054

I am not providing any root certificate keypair to Fabric-CA.

Fabric-CA is getting started successfully but I am seeing that Root Certificate is always the same. So, if I have started 2 instances of Fabric-CA- 1 for orderer org and 1 for peer org- root certificate is same for both the organizations. This behavior is consistently same.

Is it mandatory to supply a root certificate to Fabric-CA while starting it? Does it not generate a different root certificate on its own? Am I missing any step?

Thanks & Regards,
Shruti Gupta


Re: #fabric #configtxgen Configtxgen alternative #configtxgen #fabric

Ross Tang <tangross@...>
 

I am not 100% sure. But I think configtxgen cannot be replaced, with sdk.


On 23 Oct 2019, at 8:16 PM, Jean-Gaël Dominé <jgdomine@...> wrote:

I know the cryptogen tool is not needed. I was just making a comparison between the two of them because I found the way to get rid of cryptogen but not configtxgen.

Do you have an example or a link showing how to create the genesis block through the SDK without configtxgen?

Thank you


Re: What channel capabilities should be turned on when using v1.4 of Fabric?

David Enyeart
 

Setting V1_4_3 capability to true implicitly sets the prior capabilities to true as well. You can leave as-is.

I've pushed a clarification to the file as well: https://gerrit.hyperledger.org/r/#/c/fabric/+/34081/1/sampleconfig/configtx.yaml


Dave Enyeart

"Siddharth Jain" ---10/23/2019 04:22:03 PM---according to this link: INVALID URI REMOVED

From: "Siddharth Jain" <siddjain@...>
To: "fabric@..." <fabric@...>
Date: 10/23/2019 04:22 PM
Subject: [EXTERNAL] [Hyperledger Fabric] What channel capabilities should be turned on when using v1.4 of Fabric?
Sent by: fabric@...





according to this link: https://hyperledger-fabric.readthedocs.io/en/release-1.4/msp.html
    The 1.1 channel capability needs to be enabled before identities can be classified as clients or peers. The 1.4.3 channel capability needs to be enabled for identities to be classified as an admin or orderer.
but when i look at https://github.com/hyperledger/fabric-samples/blob/release-1.4/first-network/configtx.yaml it has
Channel: &ChannelCapabilities
        # V1.4.3 for Channel is a catchall flag for behavior which has been
        # determined to be desired for all orderers and peers running at the v1.4.3
        # level, but which would be incompatible with orderers and peers from
        # prior releases.
        # Prior to enabling V1.4.3 channel capabilities, ensure that all
        # orderers and peers on a channel are at v1.4.3 or later.
        V1_4_3: true
        # V1.3 for Channel enables the new non-backwards compatible
        # features and fixes of fabric v1.3
        V1_3: false
        # V1.1 for Channel enables the new non-backwards compatible
        # features and fixes of fabric v1.1
        V1_1: false

shouldn't V1_1 be set to true?





What channel capabilities should be turned on when using v1.4 of Fabric?

Siddharth Jain
 

The 1.1 channel capability needs to be enabled before identities can be classified as clients or peers. The 1.4.3 channel capability needs to be enabled for identities to be classified as an admin or orderer.
Channel: &ChannelCapabilities
        # V1.4.3 for Channel is a catchall flag for behavior which has been
        # determined to be desired for all orderers and peers running at the v1.4.3
        # level, but which would be incompatible with orderers and peers from
        # prior releases.
        # Prior to enabling V1.4.3 channel capabilities, ensure that all
        # orderers and peers on a channel are at v1.4.3 or later.
        V1_4_3: true
        # V1.3 for Channel enables the new non-backwards compatible
        # features and fixes of fabric v1.3
        V1_3: false
        # V1.1 for Channel enables the new non-backwards compatible
        # features and fixes of fabric v1.1
        V1_1: false

shouldn't V1_1 be set to true?


Re: Major security hole in Hyperledger Fabric - Private Data is not private #fabric-chaincode #ssl #fabric #fabric-questions #fabric-dstorage

David Enyeart
 

Your second point is not specific to private data. Agreement on input data needs to be part of the application design, regardless of whether it is a private data scenario or not. For example the smart contract may require that each of the transactors submit their approval of a proposed data change on chain, before a final transaction verifies the approvals are in place and makes the change on chain.


Dave Enyeart

"Ivan Ch" ---10/23/2019 12:10:40 PM---Hi Alexandre, Yacov Thanks for your reply and I appreciate the discussion. my hands are tight now so

From: "Ivan Ch" <acizlan@...>
To: fabric@...
Date: 10/23/2019 12:10 PM
Subject: [EXTERNAL] Re: [Hyperledger Fabric] Major security hole in Hyperledger Fabric - Private Data is not private #fabric #fabric-questions #fabric-dstorage #database #dstorage #dstorage-fabric #fabric-chaincode #ssl
Sent by: fabric@...





Hi Alexandre, Yacov

Thanks for your reply and I appreciate the discussion. my hands are tight now so I will give my full response later today:

Yes, my point is private data design maybe flawed in two ways: one is fixable by adding salt and then use point2point connection to send pre-image data to intended recipient .

However, the second issue is more fundamental and may be difficult to solve. In short, private data design would only work if all participants are honest parties. maybe I should use something that's not always fixed like national ID such as "trade ID" in my earlier example. (I am still trying to avoid real life examples here as it may give bad guys a chance to look).

cheers

Ivan




Re: Major security hole in Hyperledger Fabric - Private Data is not private #fabric-chaincode #ssl #fabric #fabric-questions #fabric-dstorage

Ivan Ch <acizlan@...>
 

Hi Alexandre, Yacov

Thanks for your reply and I appreciate the discussion. my hands are tight now so I will give my full response later today:

Yes, my point is private data design maybe flawed in two ways: one is fixable by adding salt and then use point2point connection to send pre-image data to intended recipient .

However, the second issue is more fundamental and may be difficult to solve. In short, private data design would only work if all participants are honest parties. maybe I should use something that's not always fixed like national ID such as "trade ID" in my earlier example. (I am still trying to avoid real life examples here as it may give bad guys a chance to look). 

cheers

Ivan


Re: Major security hole in Hyperledger Fabric - Private Data is not private #fabric-chaincode #ssl #fabric #fabric-questions #fabric-dstorage

Alexandre Pauwels
 

Hey Ivan,
Correct me if I'm wrong, but it seems you are thinking that the private data as implemented is flawed, and that the requirement to salt the data to secure it defeats the purpose of having the blockchain in the middle; again, let me know if this is a bad assumption of your thinking. However, the private-data store (which I'll call the pre-image store) and the chain of hashes (which I'll call the block store) exist for parallel but complementary reasons.

The block store cannot exist on its own as it stores no useful data which can be acted upon, this is obvious. It is simply a list of updates to salted hashes.

The pre-image store cannot exist on its own as, when you receive new information, you have no idea if the person giving you the information is giving you the same information that everyone else has. The purpose of the chain of hashes is to ensure that the plain-text information you have is the same copy of the plain-text information that everybody else has.

The role of ensuring that the data initially placed on the chain is accurate is NOT something that is determined by either data storage methods, it's something that's determined by the logic in your chaincode, e.g. in your example, you would be unable to send an update claiming your national ID is "7654321" in the first place, as the government which wrote the chaincode that you are calling would not allow you to do so. A better example would be to say that you are a bad actor and you would like to fool someone into thinking you are individual with ID "7654321". You would give them your public cert and your claimed ID along with a salt, and they would be unable to verify it as when they query for the national ID by the cert and then hashed it with the salt you gave, the hashes would not match.

Hope that makes sense,
Alex


On Tue, Oct 22, 2019 at 10:59 PM Ivan Ch <acizlan@...> wrote:
Hi Yacov, 

thanks for your reply, let me clarify the jargon here so more people can understand

pre-image: data itself and its salt
"Private data is disseminated in a point to point manner among peers even now.The peers that posses the private data, send the peers that don't (but are eligible of receiving it) the hash pre-images, and the receiving peers validate the hash pre-images indeed correspond to the hashes on the public block.

I don't see any technical obstacle that prevents you to add a salt per collection name for a given transaction, that will be concatenated to the computation of the hash of the key and the value for the said collection.
The salt can be part of the data element that is generated at the time of chaincode invocation, and will be passed along with the private data itself."
first of all, I appreciate you agree that another point 2 point connection must be established between orgs to pass the salt and the image itself, anything on chain can be used to launch pre-image/dictionary attack

of course there is no technical obstacle to create salt, but the issue here is that it creates a false sense that data is private and can be validated. let me explain:

you try to argue that the salted hash on the public chain is a proof that some data is "valid". this itself is a terrible argument because hashes (unlike digital signature, homomorphic encryption) is not something that others can verify when the data (hash) it put on public chain.

here is an example: my national ID is "1234567", but I am a bad guy and want others to believe that my national ID number is "7654321". so I put the false hash(salt, "7654321") on chain, and then send pre-images (salt, "7654321")  to whoever I want to convince. Since nobody can verify the hash(salt, "7654321")  when the hash was put on chain without prior knowledge of the data, an adversary can use the claims about private data functionality to trick people to believe forged data.

my point is that the claims about private data mislead people to believe this feature will either help to orgs to protect data or validate a pre-existing data, but neither is true and can be easily used by an adversary to decode data (if there is no salt or salt is known) or to trick people believe in wrong data like the sample above.












回复: 回复: [Hyperledger Fabric] Node SDK Invoke - Isn't Elligble

david liu <david-khala@...>
 

Without setting NodeOU, fabric only support classification of admin and member role. Please correct me if anyone think I am wrong.

 

 

Best Regards,

David Liu

 


发件人: Nicholas Zanutim <nlzanutim@...>
发送时间: Wednesday, October 23, 2019 9:10:44 PM
收件人: Hyperledger-fabric <hyperledger-fabric@...>; david liu <david-khala@...>
主题: Re: 回复: [Hyperledger Fabric] Node SDK Invoke - Isn't Elligble
 
Thanks man,
I got it to work. 
What I changed was the orgs policies rule from admin, peer and client to member "OR('ExampleMSP.member')"

            Writers:
                Type: Signature
                Rule: "OR(' ExampleMSP.admin', ' ExampleMSP.peer', ' ExampleMSP.client')"

Although I'm not sure why it worked because the user I registered is a "client". Could this be a bug in version 1.4.3? 
I've been working with fabric for 2 years so I'm very familiar with it that's why I'm raising whether it could be a bug.



Em quarta-feira, 23 de outubro de 2019 09:56:12 BRT, david liu <david-khala@...> escreveu:


I guess you could carefully compare your entire configtx.yaml with https://github.com/hyperledger/fabric/blob/release-1.4/sampleconfig/configtx.yaml

Another possibility is there is legacy crypto material before head, making your signing identity mismatch with current fabric network.

 

Best Regards,

David Liu

 

发件人: Nicholas Leonardi via Lists.Hyperledger.Org
发送时间: 20191023 20:37
收件人: Hyperledger-fabric
抄送: fabric@...
主题: [Hyperledger Fabric] Node SDK Invoke - Isn't Elligble

 

Hey guys,

I'm having trouble invoking a transaction on a network and getting an error that I can't find anyone else having.

 

got query for channel channel from 192.168.6.33:33132 but it isn't eligible: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Writers' sub-policies to be satisfied

 

I understand it has to do with policies but they're all set for ANY in the configtx.yaml

 

Also, when I generate the channel genesis block, I'm still getting this warning

 

2019-10-23 09:11:57.649 -03 [common.tools.configtxgen.encoder] NewChannelGroup -> WARN 006 Default policy emission is deprecated, please include policy specifications for the channel group in configtx.yaml

2019-10-23 09:11:57.649 -03 [common.tools.configtxgen.encoder] NewChannelGroup -> WARN 007 Default policy emission is deprecated, please include policy specifications for the channel group in configtx.yaml

 

even though I have set the policies in the configtx like this:

 

Channel: &ChannelDefaults

    # Policies defines the set of policies at this level of the config tree

    # For Channel policies, their canonical path is

    #   /Channel/<PolicyName>

    Policies:

        # Who may invoke the 'Deliver' API

        Readers:

            Type: ImplicitMeta

            Rule: "ANY Readers"

        # Who may invoke the 'Broadcast' API

        Writers:

            Type: ImplicitMeta

            Rule: "ANY Writers"

        # By default, who may modify elements at this config level

        Admins:

            Type: ImplicitMeta

            Rule: "ANY Admins"

 

Any insight is greatly appreciated

 


Re: 回复: [Hyperledger Fabric] Node SDK Invoke - Isn't Elligble

Nicholas Leonardi
 

Thanks man,
I got it to work. 
What I changed was the orgs policies rule from admin, peer and client to member "OR('ExampleMSP.member')"

            Writers:
                Type: Signature
                Rule: "OR(' ExampleMSP.admin', ' ExampleMSP.peer', ' ExampleMSP.client')"

Although I'm not sure why it worked because the user I registered is a "client". Could this be a bug in version 1.4.3? 
I've been working with fabric for 2 years so I'm very familiar with it that's why I'm raising whether it could be a bug.



Em quarta-feira, 23 de outubro de 2019 09:56:12 BRT, david liu <david-khala@...> escreveu:


I guess you could carefully compare your entire configtx.yaml with https://github.com/hyperledger/fabric/blob/release-1.4/sampleconfig/configtx.yaml

Another possibility is there is legacy crypto material before head, making your signing identity mismatch with current fabric network.

 

Best Regards,

David Liu

 

发件人: Nicholas Leonardi via Lists.Hyperledger.Org
发送时间: 20191023 20:37
收件人: Hyperledger-fabric
抄送: fabric@...
主题: [Hyperledger Fabric] Node SDK Invoke - Isn't Elligble

 

Hey guys,

I'm having trouble invoking a transaction on a network and getting an error that I can't find anyone else having.

 

got query for channel channel from 192.168.6.33:33132 but it isn't eligible: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Writers' sub-policies to be satisfied

 

I understand it has to do with policies but they're all set for ANY in the configtx.yaml

 

Also, when I generate the channel genesis block, I'm still getting this warning

 

2019-10-23 09:11:57.649 -03 [common.tools.configtxgen.encoder] NewChannelGroup -> WARN 006 Default policy emission is deprecated, please include policy specifications for the channel group in configtx.yaml

2019-10-23 09:11:57.649 -03 [common.tools.configtxgen.encoder] NewChannelGroup -> WARN 007 Default policy emission is deprecated, please include policy specifications for the channel group in configtx.yaml

 

even though I have set the policies in the configtx like this:

 

Channel: &ChannelDefaults

    # Policies defines the set of policies at this level of the config tree

    # For Channel policies, their canonical path is

    #   /Channel/<PolicyName>

    Policies:

        # Who may invoke the 'Deliver' API

        Readers:

            Type: ImplicitMeta

            Rule: "ANY Readers"

        # Who may invoke the 'Broadcast' API

        Writers:

            Type: ImplicitMeta

            Rule: "ANY Writers"

        # By default, who may modify elements at this config level

        Admins:

            Type: ImplicitMeta

            Rule: "ANY Admins"

 

Any insight is greatly appreciated

 


回复: [Hyperledger Fabric] Node SDK Invoke - Isn't Elligble

david liu <david-khala@...>
 

I guess you could carefully compare your entire configtx.yaml with https://github.com/hyperledger/fabric/blob/release-1.4/sampleconfig/configtx.yaml

Another possibility is there is legacy crypto material before head, making your signing identity mismatch with current fabric network.

 

Best Regards,

David Liu

 

发件人: Nicholas Leonardi via Lists.Hyperledger.Org
发送时间: 20191023 20:37
收件人: Hyperledger-fabric
抄送: fabric@...
主题: [Hyperledger Fabric] Node SDK Invoke - Isn't Elligble

 

Hey guys,

I'm having trouble invoking a transaction on a network and getting an error that I can't find anyone else having.

 

got query for channel channel from 192.168.6.33:33132 but it isn't eligible: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Writers' sub-policies to be satisfied

 

I understand it has to do with policies but they're all set for ANY in the configtx.yaml

 

Also, when I generate the channel genesis block, I'm still getting this warning

 

2019-10-23 09:11:57.649 -03 [common.tools.configtxgen.encoder] NewChannelGroup -> WARN 006 Default policy emission is deprecated, please include policy specifications for the channel group in configtx.yaml

2019-10-23 09:11:57.649 -03 [common.tools.configtxgen.encoder] NewChannelGroup -> WARN 007 Default policy emission is deprecated, please include policy specifications for the channel group in configtx.yaml

 

even though I have set the policies in the configtx like this:

 

Channel: &ChannelDefaults

    # Policies defines the set of policies at this level of the config tree

    # For Channel policies, their canonical path is

    #   /Channel/<PolicyName>

    Policies:

        # Who may invoke the 'Deliver' API

        Readers:

            Type: ImplicitMeta

            Rule: "ANY Readers"

        # Who may invoke the 'Broadcast' API

        Writers:

            Type: ImplicitMeta

            Rule: "ANY Writers"

        # By default, who may modify elements at this config level

        Admins:

            Type: ImplicitMeta

            Rule: "ANY Admins"

 

Any insight is greatly appreciated

 


Node SDK Invoke - Isn't Elligble

Nicholas Leonardi
 

Hey guys,
I'm having trouble invoking a transaction on a network and getting an error that I can't find anyone else having.

got query for channel channel from 192.168.6.33:33132 but it isn't eligible: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Writers' sub-policies to be satisfied

I understand it has to do with policies but they're all set for ANY in the configtx.yaml

Also, when I generate the channel genesis block, I'm still getting this warning

2019-10-23 09:11:57.649 -03 [common.tools.configtxgen.encoder] NewChannelGroup -> WARN 006 Default policy emission is deprecated, please include policy specifications for the channel group in configtx.yaml
2019-10-23 09:11:57.649 -03 [common.tools.configtxgen.encoder] NewChannelGroup -> WARN 007 Default policy emission is deprecated, please include policy specifications for the channel group in configtx.yaml

even though I have set the policies in the configtx like this:

Channel: &ChannelDefaults
    # Policies defines the set of policies at this level of the config tree
    # For Channel policies, their canonical path is
    #   /Channel/<PolicyName>
    Policies:
        # Who may invoke the 'Deliver' API
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        # Who may invoke the 'Broadcast' API
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        # By default, who may modify elements at this config level
        Admins:
            Type: ImplicitMeta
            Rule: "ANY Admins"

Any insight is greatly appreciated

4421 - 4440 of 11422