Re: Is there a way to block chaincode access for SDK?
#fabric-chaincode
No, we need the data to exist in all the nodes in the network. No hiding required. Can you elaborate a little on how you suggest using private data here? If you're thinking about some special exploitation of it?
On Tue, 3 Dec 2019, 8:18 am Mayank Tiwari, <sidharth.mayank@...> wrote:
Re: problem creating channel: 0 sub-policies were satisfied, but this policy requires 1 of the 'Writers' sub-policies
Adhav Pavan
Hello Siddharth,
Thank you for the detailed log. I had faced the same issue. As mentioned in the log, "DEBU 521 0xc0005f9180 identity 0 does not satisfy principal: The identity is not an admin under this MSP [OrdOrgMSP]: The identity does not contain OU [ADMIN], MSP: [OrdOrgMSP]", the default cryptogen tool creates the admin user certificate with OU as client (expected as admin). Please refer to the Stack Overflow Q&A: https://stackoverflow.com/questions/58967511/error-while-migrating-form-kafka-to-raft-in-hyperledger-fabirc
While creating the Orderer Organization admin certificate, add the following part to crypto-config.yaml in the orderer section.
Once you have added the above part, recreate the certificate and check that the orderer organization admin user certificate has OU admin with the following command
In case you are still facing any issue, let me know.
Thank you.
Heartfelt Regards, Blockchain Developer
On Mon, Dec 2, 2019 at 11:47 PM Siddharth Jain <siddjain@...> wrote:
Re: Is there a way to block chaincode access for SDK?
#fabric-chaincode
Mayank Tiwari
Prasanth, did you check for private data collection implementation in the chaincodes? Regards, Mayank Tiwari.
On Tue, 3 Dec 2019 at 3:26 AM, Prasanth Sundaravelu <prasanths96@...> wrote:
Re: Is there a way to block chaincode access for SDK?
#fabric-chaincode
Thanks for quick reply! I will try those suggestions. I had thought separating these chaincodes could help manageability more and might increase development pace. Although you make a valid point, I believe chaincode separation might be a good idea with our use case. We actually have different categories of business logics that our customers can choose from. Later they can add more as per their needs. Multiple of these services commonly depend on some set of services. For this pay per service like flexibility, we chose this idea.
On Tue, 3 Dec 2019, 2:55 am Yacov Manevich, <YACOVM@...> wrote: Each chaincode corresponds to a different namespace, and has a different endorsement policy.
Re: Is there a way to block chaincode access for SDK?
#fabric-chaincode
Yacov
Each chaincode corresponds to a different namespace, and has a different endorsement policy.
Software engineering idioms such as "separation of business logic from tech logic" should never be a reason to separate one chaincode into several chaincodes.
That being said, you can actually prevent users from invoking certain chaincodes by writing and deploying your own authentication filter in the peer. Take a look at https://github.com/hyperledger/fabric/blob/release-1.4/sampleconfig/core.yaml#L360-L374 and at a built in filter we have for blocking expired client certificates in https://github.com/hyperledger/fabric/blob/release-1.4/core/handlers/auth/filter/expiration.go.
Basically you need to extract the target chaincode name from the signed proposal and return an error if it doesn't fit your whitelist.
From: "Prasanth Sundaravelu" <prasanths96@...>
To: fabric@...
Date: 12/02/2019 11:11 PM
Subject: [EXTERNAL] [Hyperledger Fabric] Is there a way to block chaincode access for SDK? #fabric-chaincode
Sent by: fabric@...
Hi Guys,
I've been trying to separate one big chaincode into multiple chaincodes and also for separating business logic from tech logic. Here, the tech logic service (eg: EncryptAndSaveState) needs to be accessed by multiple other chaincodes. I have separated code into different chaincodes and instantiated in same single channel.
The problem is, if I want to use one chaincode's service from another, I have to expose the functions in chaincode from Invoke / Query functions, so that I can use stub.InvokeChaincode() to call these services. But, if I expose these functions (eg: EncryptAndSaveState), it will be accessible by SDK as well. I don't want the tech services chaincode to be accessed via SDK. Is there a way to identify if request is coming from chaincode (stub.InvokeChaincode()) or from SDK?
I've tried to do workaround for this by generating and storing a map of TxID and Random-Number at calling chaincode and attached this random number with the Invocation. When the called chaincode receives the Invoke, it again queries back to the calling chaincode (using stub.InvokeChaincode() again) to verify if this random number is in fact generated by that chaincode. But, the last Invoke (verification) did not work, it threw: GRPC client failed to get a proper response from the peer \"grpcs://localhost:8051\"."
I would also like to know why this does not work. Would really appreciate any clue.
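The check described in the reply above, as an added example that is not code from the thread or from Fabric: a fail-closed allowlist decision that walks a serialized SignedProposal down to the target chaincode name and refuses duplicated or malformed fields. A real filter would sit behind the peer's auth filter interface and use Fabric's own proto helpers; the hand-rolled wire parsing, the field numbers (assumed Fabric 1.4 layout), `Authorize`, `SampleProposal` and the chaincode names are assumptions so the block runs with the standard library only.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Field numbers from SignedProposal to the chaincode name (assumed Fabric 1.4 layout):
// proposal_bytes=1, header=1, channel_header=1, extension=7, chaincode_id=2, name=2.
var namePath = []uint64{1, 1, 1, 7, 2, 2}

// field returns the one length-delimited field numbered want. Duplicates are
// rejected so this parser cannot disagree with a last-one-wins decoder.
func field(msg []byte, want uint64) (found []byte, err error) {
	for len(msg) > 0 {
		key, n := binary.Uvarint(msg)
		if n <= 0 {
			return nil, errors.New("malformed tag")
		}
		val, m := binary.Uvarint(msg[n:]) // varint value, or length prefix for type 2
		if m <= 0 {
			return nil, errors.New("malformed varint")
		}
		msg = msg[n+m:]
		switch key & 7 {
		case 0: // varint field: already consumed
		case 2: // length-delimited field
			if val > uint64(len(msg)) {
				return nil, errors.New("truncated field")
			}
			if key>>3 == want && found != nil {
				return nil, errors.New("duplicate field")
			} else if key>>3 == want {
				found = msg[:val] // non-nil even when empty
			}
			msg = msg[val:]
		default: // fixed-width and group types are not expected on this path
			return nil, errors.New("unsupported wire type")
		}
	}
	if found == nil {
		return nil, fmt.Errorf("field %d missing", want)
	}
	return found, nil
}

// Authorize fails closed: unparsable or unlisted proposals are refused.
func Authorize(allowed map[string]bool, signedProposal []byte) (err error) {
	cur := signedProposal
	for _, num := range namePath {
		if cur, err = field(cur, num); err != nil {
			return fmt.Errorf("proposal rejected: %w", err)
		}
	}
	if !allowed[string(cur)] {
		return fmt.Errorf("chaincode %q is not on the client allowlist", cur)
	}
	return nil
}

func ld(num byte, val []byte) []byte { // constructed samples only: num < 16, len < 128
	return append([]byte{num<<3 | 2, byte(len(val))}, val...)
}

// SampleProposal builds a constructed SignedProposal addressed to chaincode cc.
func SampleProposal(cc string) []byte {
	chdr := append([]byte{0x08, 0x03}, ld(7, ld(2, ld(2, []byte(cc))))...) // type=3
	return ld(1, ld(1, ld(1, chdr)))
}

func main() {
	fmt.Println(Authorize(map[string]bool{"businesscc": true}, SampleProposal("techcc")))
}
```

An allowlist used this way also has to name every system chaincode that clients legitimately reach through proposals, otherwise those calls are refused too.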
Re: Proposal : Hyperledger Fabric block archiving
Manish
Hi Atsushi, My response in blue in-lined text… Thanks, Manish
On Mon, Dec 2, 2019 at 4:10 PM Manish Sethi <manish.sethi@...> wrote:
Is there a way to block chaincode access for SDK?
#fabric-chaincode
Hi Guys,
I've been trying to separate one big chaincode into multiple chaincodes and also for separating business logic from tech logic. Here, the tech logic service (eg: EncryptAndSaveState) needs to be accessed by multiple other chaincodes. I have separated code into different chaincodes and instantiated in same single channel.
The problem is, if I want to use one chaincode's service from another, I have to expose the functions in chaincode from Invoke / Query functions, so that I can use stub.InvokeChaincode() to call these services. But, if I expose these functions (eg: EncryptAndSaveState), it will be accessible by SDK as well. I don't want the tech services chaincode to be accessed via SDK. Is there a way to identify if request is coming from chaincode (stub.InvokeChaincode()) or from SDK?
I've tried to do workaround for this by generating and storing a map of TxID and Random-Number at calling chaincode and attached this random number with the Invocation. When the called chaincode receives the Invoke, it again queries back to the calling chaincode (using stub.InvokeChaincode() again) to verify if this random number is in fact generated by that chaincode. But, the last Invoke (verification) did not work, it threw: GRPC client failed to get a proper response from the peer \"grpcs://localhost:8051\"."
I would also like to know why this does not work. Would really appreciate any clue.
Re: Proposal : Hyperledger Fabric block archiving
Manish
On Fri, Nov 29, 2019 at 12:44 AM nekia <atsushin@...> wrote:
All I wanted to say here is that, it would be good if someone wants one of the peers file to act as a repo as well…. in other words, it still has all what a repo offers and code will be outside core peer code anyways. But this is less important point as compared to others, I guess.
Re: problem creating channel: 0 sub-policies were satisfied, but this policy requires 1 of the 'Writers' sub-policies
Siddharth Jain
Below are our truncated logs:
2019-12-02 09:42:46.771 PST [policies] Evaluate -> DEBU 4d3 == Evaluating *policies.implicitMetaPolicy Policy /Channel/Application/ChannelCreationPolicy ==
2019-12-02 09:44:32.662 PST [policies] Evaluate -> DEBU 4ef Signature set satisfies policy /Channel/Application/Org1/Admins
2019-12-02 09:45:03.088 PST [policies] Evaluate -> DEBU 511 == Evaluating *policies.implicitMetaPolicy Policy /Channel/Writers ==
2019-12-02 09:45:34.699 PST [policies] Evaluate -> DEBU 513 == Evaluating *policies.implicitMetaPolicy Policy /Channel/Orderer/Writers ==
2019-12-02 09:46:26.038 PST [policies] Evaluate -> DEBU 515 == Evaluating *cauthdsl.policy Policy /Channel/Orderer/OrdOrg/Writers ==
2019-12-02 09:46:26.039 PST [msp] satisfiesPrincipalInternalV143 -> DEBU 51b Checking if identity has been named explicitly as an admin for OrdOrgMSP
2019-12-02 09:46:26.039 PST [msp] satisfiesPrincipalInternalV143 -> DEBU 51c Checking if identity carries the admin ou for OrdOrgMSP
2019-12-02 09:46:26.040 PST [msp] hasOURole -> DEBU 51f MSP OrdOrgMSP checking if the identity is a client
2019-12-02 09:46:26.040 PST [cauthdsl] func2 -> DEBU 521 0xc0005f9180 identity 0 does not satisfy principal: The identity is not an admin under this MSP [OrdOrgMSP]: The identity does not contain OU [ADMIN], MSP: [OrdOrgMSP]
2019-12-02 09:46:26.040 PST [cauthdsl] func2 -> DEBU 522 0xc0005f9180 principal evaluation fails
2019-12-02 09:46:26.040 PST [msp] satisfiesPrincipalInternalPreV13 -> DEBU 525 Checking if identity satisfies role [CLIENT] for OrdOrgMSP
2019-12-02 09:46:26.042 PST [cauthdsl] func2 -> DEBU 52a 0xc0005f9180 identity 0 does not satisfy principal: The identity is not a [CLIENT] under this MSP [OrdOrgMSP]: The identity does not contain OU [CLIENT], MSP: [OrdOrgMSP]
2019-12-02 09:46:26.042 PST [policies] Evaluate -> DEBU 52d Signature set did not satisfy policy /Channel/Orderer/OrdOrg/Writers
2019-12-02 09:48:07.333 PST [policies] func1 -> DEBU 52f Evaluation Failed: Only 0 policies were satisfied, but needed 1 of [ OrdOrg/Writers ]
2019-12-02 09:48:07.333 PST [policies] Evaluate -> DEBU 533 Signature set did not satisfy policy /Channel/Orderer/Writers
it is true that in configtx.yaml we have defined
and we are calling channel create as admin of Org1 but we used the same pattern as in https://github.com/hyperledger/fabric-samples/blob/release-1.4/first-network/configtx.yaml
so what gives?
From: Nikhil E Gupta <negupta@...>
Sent: Monday, December 2, 2019 6:00 AM
To: Siddharth Jain <siddjain@...>
Cc: fabric@... <fabric@...>
Subject: Re: [Hyperledger Fabric] problem creating channel: 0 sub-policies were satisfied, but this policy requires 1 of the 'Writers' sub-policies
Hi Siddharth,
This error is caused by a certificate problem. You can investigate further by checking your orderer logs.
This stack overflow post:
https://stackoverflow.com/questions/57662562/when-i-try-to-create-a-channel-using-hyperledger-fabric-the-request-fails/57662645#57662645 has a good overview of what to look for when you check your orderer logs.
Nik
-----fabric@... wrote: -----
To: "fabric@..." <fabric@...>
From: "Siddharth Jain"
Sent by: fabric@...
Date: 11/30/2019 06:32PM
Subject: [EXTERNAL] [Hyperledger Fabric] problem creating channel: 0 sub-policies were satisfied, but this policy requires 1 of the 'Writers' sub-policies
we get the error below when trying to create a channel using the peer CLI
2019-11-30 20:53:15.482 UTC [orderer.common.broadcast] ProcessMessage -> WARN 00c [channel: mychannel] Rejecting broadcast of config message from 172.18.0.1:51816 because of error: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Writers' sub-policies to be satisfied: permission denied
how can we fix this? what is the cause?
fwiw, in case it helps, if we try to create the channel using credentials of admin of the orderer org we get a different error
2019-11-30 20:30:53.025 UTC [orderer.common.broadcast] ProcessMessage -> WARN 008 [channel: mychannel] Rejecting broadcast of config message from 172.18.0.1:51808 because of error: error validating channel creation transaction for new channel 'tracktrace', could not succesfully apply update to template configuration: error authorizing update: error validating DeltaSet: policy for [Group] /Channel/Application not satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied
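An added example, not part of the thread: a small Go triage pass over the orderer debug lines quoted above that reports the leaf policy whose principal checks failed and which OUs the signing identity lacked. The regular expressions are fitted to the line formats quoted in this thread; `Finding` and `Triage` are hypothetical names.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// sampleLog holds five lines copied from the orderer debug log quoted in this thread.
const sampleLog = `2019-12-02 09:46:26.040 PST [cauthdsl] func2 -> DEBU 521 0xc0005f9180 identity 0 does not satisfy principal: The identity is not an admin under this MSP [OrdOrgMSP]: The identity does not contain OU [ADMIN], MSP: [OrdOrgMSP]
2019-12-02 09:46:26.040 PST [cauthdsl] func2 -> DEBU 522 0xc0005f9180 principal evaluation fails
2019-12-02 09:46:26.042 PST [cauthdsl] func2 -> DEBU 52a 0xc0005f9180 identity 0 does not satisfy principal: The identity is not a [CLIENT] under this MSP [OrdOrgMSP]: The identity does not contain OU [CLIENT], MSP: [OrdOrgMSP]
2019-12-02 09:46:26.042 PST [policies] Evaluate -> DEBU 52d Signature set did not satisfy policy /Channel/Orderer/OrdOrg/Writers
2019-12-02 09:48:07.333 PST [policies] Evaluate -> DEBU 533 Signature set did not satisfy policy /Channel/Orderer/Writers`

var (
	principalRe = regexp.MustCompile(`does not satisfy principal: .*does not contain OU \[([^\]]+)\], MSP: \[([^\]]+)\]`)
	policyRe    = regexp.MustCompile(`Signature set did not satisfy policy (\S+)`)
)

// Finding is one leaf policy that failed, with the OUs the signer's certificate lacked.
type Finding struct {
	Policy     string
	MSP        string
	MissingOUs []string
}

// Triage walks the log in order. Principal failures accumulate until the next
// "did not satisfy policy" line, which names the leaf policy they belong to.
// Parent policies fail afterwards with no principal lines of their own and are skipped.
func Triage(log string) []Finding {
	var out []Finding
	var pending Finding
	for _, line := range strings.Split(log, "\n") {
		if m := principalRe.FindStringSubmatch(line); m != nil {
			pending.MissingOUs = append(pending.MissingOUs, m[1])
			pending.MSP = m[2]
		} else if m := policyRe.FindStringSubmatch(line); m != nil {
			if len(pending.MissingOUs) > 0 {
				pending.Policy = m[1]
				out = append(out, pending)
			}
			pending = Finding{}
		}
	}
	return out
}

func main() {
	for _, f := range Triage(sampleLog) {
		fmt.Printf("%s failed: identity lacks OU %v under %s\n", f.Policy, f.MissingOUs, f.MSP)
	}
}
```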
Re: problem creating channel: 0 sub-policies were satisfied, but this policy requires 1 of the 'Writers' sub-policies
Nikhil Gupta
Hi Siddharth,
This error is caused by a certificate problem. You can investigate further by checking your orderer logs.
This stack overflow post: https://stackoverflow.com/questions/57662562/when-i-try-to-create-a-channel-using-hyperledger-fabric-the-request-fails/57662645#57662645 has a good overview of what to look for when you check your orderer logs.
Nik
-----fabric@... wrote: -----
To: "fabric@..." <fabric@...>
From: "Siddharth Jain"
Sent by: fabric@...
Date: 11/30/2019 06:32PM
Subject: [EXTERNAL] [Hyperledger Fabric] problem creating channel: 0 sub-policies were satisfied, but this policy requires 1 of the 'Writers' sub-policies
we get the error below when trying to create a channel using the peer CLI
2019-11-30 20:53:15.482 UTC [orderer.common.broadcast] ProcessMessage -> WARN 00c [channel: mychannel] Rejecting broadcast of config message from 172.18.0.1:51816 because of error: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Writers' sub-policies to be satisfied: permission denied
how can we fix this? what is the cause?
fwiw, in case it helps, if we try to create the channel using credentials of admin of the orderer org we get a different error
2019-11-30 20:30:53.025 UTC [orderer.common.broadcast] ProcessMessage -> WARN 008 [channel: mychannel] Rejecting broadcast of config message from 172.18.0.1:51808 because of error: error validating channel creation transaction for new channel 'tracktrace', could not succesfully apply update to template configuration: error authorizing update: error validating DeltaSet: policy for [Group] /Channel/Application not satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied
Re: fabric node sdk vs java sdk
Ross Tang <tangross@...>
I don’t have a definite answer, like a side by side comparison. But I am working very fine with the node sdk, especially when my middle tier application and front end app are (everything in Typescript). I create a single Typescript monorepo, for every stack/components, including chaincode. It is end-to-end typing, and I am using Jest for unit and integration for web, api gateway, middleware, and chaincode. Also easy with DevOps.
Re: fabric node sdk vs java sdk
Matthew White
Hello - both SDKs have the updated programming model. Both have the same features, and able to support the same Fabric use-cases.
It's possibly more important to consider the development environment, skills, and other libraries you want to use - let that be a guide to the choice of development language and pick the SDK to match
Regards, Matthew.
Matthew B White IBM Blockchain Solutions Architect
Email me at WHITEMAT@...
Find me on StackOverflow, and generally at calanais.me.uk
Note: restricted availability for meetings 14:30 to 17:00 UK Tuesday
IBM United Kingdom Limited, Hursley Park, Winchester, Hampshire, SO21 2JN
"The wrong answers are the ones you go looking for when the right answers stare you in the face" ----- Original message ----- IBM United Kingdom Limited - Registered in England and Wales with number 741598. Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU
fabric node sdk vs java sdk
Medha Kamalakar <medha_Kamalakar@...>
Hello,
Are there any recommendations around which fabric sdk should be used (node sdk vs java sdk) for various hyperledger fabric blockchain use cases? Are there any guidelines for choice of SDK and has any comparative analysis been done for this? (Criteria could be performance, feature list, support available etc.)
Thanks and Regards, Medha.
Query on fabric NodeJS versioning
#fabric-sdk-node
shrugupt@...
Hi All,
Is there any recommendation for the fabric Node JS SDK version to be used for a specific fabric version running on the network peer/orderer/ca nodes? For example, if my fabric network is running on version 1.4.1 then which version of fabric Node JS SDK is recommended to use? How can I get this information on the nodeJS SDK compatible version for each fabric version?
Thanks in advance!
Regards, Shruti Gupta
problem creating channel: 0 sub-policies were satisfied, but this policy requires 1 of the 'Writers' sub-policies
Siddharth Jain
we get the error below when trying to create a channel using the peer CLI
2019-11-30 20:53:15.482 UTC [orderer.common.broadcast] ProcessMessage -> WARN 00c [channel: mychannel] Rejecting broadcast of config message from 172.18.0.1:51816 because of error: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Writers' sub-policies to be satisfied: permission denied
how can we fix this? what is the cause?
fwiw, in case it helps, if we try to create the channel using credentials of admin of the orderer org we get a different error
2019-11-30 20:30:53.025 UTC [orderer.common.broadcast] ProcessMessage -> WARN 008 [channel: mychannel] Rejecting broadcast of config message from 172.18.0.1:51808 because of error: error validating channel creation transaction for new channel 'tracktrace', could not succesfully apply update to template configuration: error authorizing update: error validating DeltaSet: policy for [Group] /Channel/Application not satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied
Re: Hyperledger Fabric GitHub Migration
binh nguyen <binh1010010110@...>
After 4 years, we're back home where we started. Thanks!
On Mon, Nov 25, 2019 at 9:00 PM David Enyeart <enyeart@...> wrote:
Migration from Gerrit: Help with JQ and Git needed
All, I have exported all of the git data from Gerrit (except for the fabric-test repo, which is still undergoing development). I have also exported the comments and the like as JSON. I've set up a new org here: And this is a temporary home of the JSON: What I need is help gluing the two together, if that's even needed. Take a look here: Ry --
Re: Proposal : Hyperledger Fabric block archiving
nekia <atsushin@...>
Thanks, Manish, Yacov, and Gari.
I really appreciate your feedback and insights.
(Feedback from Manish)
Thank you so much for a quite important point. We're now reviewing and analyzing the implementation of fabric around metadata. Let me ask a question to clarify my understanding.
Say for example, block #100 is available on channel 'mychannel' within organization 'org1', does it mean that the metadata of block #100 on peer0.org1 can be different to the metadata of same block(#100) on a different peer(ex. peer1.org1)? If yes, you are right that our assumption is incorrect. That is, our feature will not be able to refer to a block data (from any peer node) which resides on the archive repository. Because locPointer (offset and length of each block within a blockfile) is not available for archived blockfiles on the repository.
We have catered for these situations. Each peer node is still able to access all the blockfiles (even if they're archived and discarded) seamlessly via as-is interface. Even after archiving blockfiles, blockchain characteristics are still maintained on the Blockchain network. So rebuilding statedb and accessing historydb are still available under this archiving feature.
Note: Hyperledger Fabric core has been modified to handle query failures when it attempts to access deleted blockfiles.
In early stage in our development, we used a polling mechanism to trigger archiving. But in terms of the efficiency (process and network traffic), we changed the implementation to be event driven.
Good point. We designed this archiving feature to be as simple as possible (that is, minimal code changes to Hyperledger Fabric core). With the repository concept, we're able to access all the blockfiles (even if they're archived and discarded) seamlessly via as-is interface.
(Feedbacks from Yacov)
You're right. This kind of logic is lacking from our current implementation. Actually it was on our radar, but we have difficulty implementing this aspect. Thank you for pointing to a reference code for pull-based gossip.
(Feedbacks from Gari)
Yes, that is one of the reasons we integrated archiving features into peer binary. But the most important reason is for handling query failures when it attempts to access deleted blockfiles. And each peer node is still able to access all the blockfiles (even if they're archived and discarded) seamlessly via as-is interface.
Thanks,
Atsushi
Documentation Workgroup: No call Friday, 29 November, next call December 6
Anthony O'Dowd <a_o-dowd@...>
Hello All,
Due to our colleagues in the US celebrating Thanksgiving there will not be a call this week! Our next call will be Dec 6.
You can read the summary minutes for last week's call: https://wiki.hyperledger.org/display/fabric/2019+11+22+DWG+Agenda and catch up via the recordings page: https://wiki.hyperledger.org/display/fabric/Recordings
Particular highlights last week were Pam's walk through of the new GitHub based contribution process and Joe's outline of the upgrade docs. The former is a must-see if you would like to contribute to Hyperledger Fabric documentation. The latter helps you understand how we've simplified the structure of the tasks required to upgrade Fabric versions. It will be particularly helpful as users start to move to Fabric 2.0. Thanks to Pam and Joe for these.
Please feel free to contribute to next week's agenda: https://wiki.hyperledger.org/display/fabric/2019+12+06+DWG+Agenda
Look out for our next meetings on Dec 6!
Best regards, Anthony, Pam, Joe, Nik
Re: Error while migrating from kafka to RAFT
Adhav Pavan
Joson,
As I already mentioned in the mail below, I have changed crypto-config.yaml in the orderer section as below and it's working as expected.
CA:
  OrganizationalUnit: admin
My concern is why the cryptogen tool is creating a certificate with client OU, only for the orderer!
Thank you so much.
Regards, Pavan Adhav 8390114357