Error while migrating from kafka to RAFT
Heartfelt Regards,
Pavan Adhav
Blockchain Developer
Cell Phone:+91-8390114357 E-Mail: adhavpavan@...
Thanks,
~Jason
----- Original message -----
From: "Adhav Pavan" <adhavpavan@...>
Sent by: fabric@...
To: fabric@...
Cc: saurabh@...
Subject: [EXTERNAL] [Hyperledger Fabric] Error while migrating from kafka to RAFT
Date: Wed, Nov 20, 2019 11:48 PM
Hello Team,

I am migrating from Kafka to Raft. I have changed the state from "NORMAL" to "STATE_MAINTENANCE" and created the final expected envelope as per the procedure.

Note: We are using the BYFN script.

My CLI pointed to Org1MSP and I signed the config update transaction; later I changed the CLI to point to Org2MSP and signed, and finally submitted the new channel config update to the orderer.

After submission, I am getting the following error message.

Error on CLI: "Error: got unexpected status: BAD_REQUEST -- error applying config update to existing channel 'mychannel': error authorizing update: error validating DeltaSet: policy for [Value] /Channel/Orderer/ConsensusType not satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied"

Orderer log: "[channel: mychannel] Rejecting broadcast of config message from 172.21.0.13:51078 because of error: error applying config update to existing channel 'mychannel': error authorizing update: error validating DeltaSet: policy for [Value] /Channel/Orderer/ConsensusType not satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied"

Please let me know if I am doing something wrong.

Thanks in advance.

Heartfelt Regards,
Pavan Adhav
Blockchain Developer
Cell Phone:+91-8390114357 E-Mail: adhavpavan@...
CA:
  OrganizationalUnit: admin
Heartfelt Regards,
Pavan Adhav
Blockchain Developer
Cell Phone:+91-8390114357 E-Mail: adhavpavan@...
Hello Jason,

Thank you so much for your reply.

I set the following env variables on the CLI:

1) CORE_PEER_LOCALMSPID=OrdererMSP
2) CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/users/Admin@.../msp/

I am sure that I am signing the configuration update with an admin identity. I checked the final envelope, and it has the admin user identity of the orderer organization.

As per your suggestion, I set the logging level to debug and am getting the orderer container logs as follows.

In the log, as I marked in bold, it seems something is wrong here: "2019-11-25 07:58:51.538 UTC [cauthdsl] func2 -> DEBU e16 0xc00027ebc0 identity 0 does not satisfy principal: The identity is not an admin under this MSP [OrdererMSP]: The identity does not contain OU [ADMIN], MSP: [OrdererMSP]"

What does "The identity does not contain OU" mean?

Please let me know for more information.

Added orderer logs as follows:

2019-11-25 07:58:51.532 UTC [orderer.common.server] Deliver -> DEBU de9 Starting new Deliver handler
2019-11-25 07:58:51.532 UTC [common.deliver] Handle -> DEBU dea Starting new deliver loop for 172.23.0.13:42140
2019-11-25 07:58:51.532 UTC [common.deliver] Handle -> DEBU deb Attempting to read seek info message from 172.23.0.13:42140
2019-11-25 07:58:51.536 UTC [orderer.common.server] Broadcast -> DEBU dec Starting new Broadcast handler
2019-11-25 07:58:51.536 UTC [orderer.common.broadcast] Handle -> DEBU ded Starting new broadcast loop for 172.23.0.13:42142
2019-11-25 07:58:51.536 UTC [orderer.common.broadcast] ProcessMessage -> DEBU dee [channel: mychannel] Broadcast is processing config update message from 172.23.0.13:42142
2019-11-25 07:58:51.536 UTC [orderer.common.msgprocessor] ProcessConfigUpdateMsg -> DEBU def Processing config update message for channel mychannel
2019-11-25 07:58:51.536 UTC [policies] Evaluate -> DEBU df0 == Evaluating *policies.implicitMetaPolicy Policy /Channel/Writers ==
2019-11-25 07:58:51.536 UTC [policies] Evaluate -> DEBU df1 This is an implicit meta policy, it will trigger other policy evaluations, whose failures may be benign
2019-11-25 07:58:51.536 UTC [policies] Evaluate -> DEBU df2 == Evaluating *policies.implicitMetaPolicy Policy /Channel/Orderer/Writers ==
2019-11-25 07:58:51.536 UTC [policies] Evaluate -> DEBU df3 This is an implicit meta policy, it will trigger other policy evaluations, whose failures may be benign
2019-11-25 07:58:51.536 UTC [policies] Evaluate -> DEBU df4 == Evaluating *cauthdsl.policy Policy /Channel/Orderer/OrdererOrg/Writers ==
2019-11-25 07:58:51.536 UTC [cauthdsl] func1 -> DEBU df5 0xc000551ab0 gate 1574668731536839047 evaluation starts
2019-11-25 07:58:51.536 UTC [cauthdsl] func2 -> DEBU df6 0xc000551ab0 signed by 0 principal evaluation starts (used [false])
2019-11-25 07:58:51.536 UTC [cauthdsl] func2 -> DEBU df7 0xc000551ab0 processing identity 0 with bytes of a1f390
2019-11-25 07:58:51.536 UTC [cauthdsl] func2 -> DEBU df8 0xc000551ab0 principal matched by identity 0
2019-11-25 07:58:51.536 UTC [msp.identity] Verify -> DEBU df9 Verify: digest = 00000000 71 64 9c ef 57 44 8f a2 2a 1f cd 9f 8d a3 42 47 |qd..WD..*.....BG|
00000010 40 06 8c 3e 9d 0b 61 7b c9 dc 76 65 5d a9 7e cd |@..>..a{..ve].~.|
2019-11-25 07:58:51.536 UTC [msp.identity] Verify -> DEBU dfa Verify: sig = 00000000 30 44 02 20 2d e7 d4 18 43 95 3e cd dd b3 31 a8 |0D. -...C.>...1.|
00000010 48 dd a6 61 51 6e a8 35 79 4a ac 8e c3 be a5 88 |H..aQn.5yJ......|
00000020 43 6d e5 57 02 20 46 de 34 30 b6 75 1b 94 32 04 |Cm.W. F.40.u..2.|
00000030 11 7c 14 09 3c af f1 c0 6a cf 69 e0 3a 2c 67 cd |.|..<...j.i.:,g.|
00000040 c1 44 e1 40 70 14 |.D.@p.|
2019-11-25 07:58:51.537 UTC [cauthdsl] func2 -> DEBU dfb 0xc000551ab0 principal evaluation succeeds for identity 0
2019-11-25 07:58:51.537 UTC [cauthdsl] func1 -> DEBU dfc 0xc000551ab0 gate 1574668731536839047 evaluation succeeds
2019-11-25 07:58:51.537 UTC [policies] Evaluate -> DEBU dfd Signature set satisfies policy /Channel/Orderer/OrdererOrg/Writers
2019-11-25 07:58:51.537 UTC [policies] Evaluate -> DEBU dfe == Done Evaluating *cauthdsl.policy Policy /Channel/Orderer/OrdererOrg/Writers
2019-11-25 07:58:51.537 UTC [policies] Evaluate -> DEBU dff Signature set satisfies policy /Channel/Orderer/Writers
2019-11-25 07:58:51.537 UTC [policies] Evaluate -> DEBU e00 == Done Evaluating *policies.implicitMetaPolicy Policy /Channel/Orderer/Writers
2019-11-25 07:58:51.537 UTC [policies] Evaluate -> DEBU e01 Signature set satisfies policy /Channel/Writers
2019-11-25 07:58:51.537 UTC [policies] Evaluate -> DEBU e02 == Done Evaluating *policies.implicitMetaPolicy Policy /Channel/Writers
2019-11-25 07:58:51.537 UTC [common.configtx] addToMap -> DEBU e03 Adding to config map: [Group] /Channel
2019-11-25 07:58:51.537 UTC [common.configtx] addToMap -> DEBU e04 Adding to config map: [Group] /Channel/Orderer
2019-11-25 07:58:51.537 UTC [common.configtx] addToMap -> DEBU e05 Adding to config map: [Group] /Channel
2019-11-25 07:58:51.537 UTC [common.configtx] addToMap -> DEBU e06 Adding to config map: [Group] /Channel/Orderer
2019-11-25 07:58:51.537 UTC [common.configtx] addToMap -> DEBU e07 Adding to config map: [Value] /Channel/Orderer/ConsensusType
2019-11-25 07:58:51.537 UTC [common.configtx] verifyDeltaSet -> DEBU e08 Processing change to key: [Value] /Channel/Orderer/ConsensusType
2019-11-25 07:58:51.538 UTC [common.configtx] policyForItem -> DEBU e09 Getting policy for item ConsensusType with mod_policy Admins
2019-11-25 07:58:51.538 UTC [policies] Manager -> DEBU e0a Manager Channel looking up path [Orderer]
2019-11-25 07:58:51.538 UTC [policies] Manager -> DEBU e0b Manager Channel has managers Orderer
2019-11-25 07:58:51.538 UTC [policies] Manager -> DEBU e0c Manager Channel has managers Application
2019-11-25 07:58:51.538 UTC [policies] Manager -> DEBU e0d Manager Channel/Orderer looking up path []
2019-11-25 07:58:51.538 UTC [policies] Manager -> DEBU e0e Manager Channel/Orderer has managers OrdererOrg
2019-11-25 07:58:51.538 UTC [policies] Evaluate -> DEBU e0f == Evaluating *policies.implicitMetaPolicy Policy /Channel/Orderer/Admins ==
2019-11-25 07:58:51.538 UTC [policies] Evaluate -> DEBU e10 This is an implicit meta policy, it will trigger other policy evaluations, whose failures may be benign
2019-11-25 07:58:51.538 UTC [policies] Evaluate -> DEBU e11 == Evaluating *cauthdsl.policy Policy /Channel/Orderer/OrdererOrg/Admins ==
2019-11-25 07:58:51.538 UTC [cauthdsl] deduplicate -> WARN e12 De-duplicating identity [OrdererMSPf9d56d03cda533fcbbf7cc1e9b21bea8e2643614c07c45bb8d69159dfb4d733e] at index 1 in signature set
2019-11-25 07:58:51.538 UTC [cauthdsl] func1 -> DEBU e13 0xc00027ebc0 gate 1574668731538228424 evaluation starts
2019-11-25 07:58:51.538 UTC [cauthdsl] func2 -> DEBU e14 0xc00027ebc0 signed by 0 principal evaluation starts (used [false false])
2019-11-25 07:58:51.538 UTC [cauthdsl] func2 -> DEBU e15 0xc00027ebc0 processing identity 0 with bytes of a1f390
2019-11-25 07:58:51.538 UTC [cauthdsl] func2 -> DEBU e16 0xc00027ebc0 identity 0 does not satisfy principal: The identity is not an admin under this MSP [OrdererMSP]: The identity does not contain OU [ADMIN], MSP: [OrdererMSP]
2019-11-25 07:58:51.538 UTC [cauthdsl] func2 -> DEBU e17 0xc00027ebc0 principal evaluation fails
2019-11-25 07:58:51.538 UTC [cauthdsl] func1 -> DEBU e18 0xc00027ebc0 gate 1574668731538228424 evaluation fails
2019-11-25 07:58:51.538 UTC [policies] Evaluate -> DEBU e19 Signature set did not satisfy policy /Channel/Orderer/OrdererOrg/Admins
2019-11-25 07:58:51.538 UTC [policies] Evaluate -> DEBU e1a == Done Evaluating *cauthdsl.policy Policy /Channel/Orderer/OrdererOrg/Admins
2019-11-25 07:58:51.538 UTC [policies] func1 -> DEBU e1b Evaluation Failed: Only 0 policies were satisfied, but needed 1 of [ OrdererOrg/Admins ]
2019-11-25 07:58:51.538 UTC [policies] Evaluate -> DEBU e1c Signature set did not satisfy policy /Channel/Orderer/Admins
2019-11-25 07:58:51.538 UTC [policies] Evaluate -> DEBU e1d == Done Evaluating *policies.implicitMetaPolicy Policy /Channel/Orderer/Admins
2019-11-25 07:58:51.538 UTC [orderer.common.broadcast] ProcessMessage -> WARN e1e [channel: mychannel] Rejecting broadcast of config message from 172.23.0.13:42142 because of error: error applying config update to existing channel 'mychannel': error authorizing update: error validating DeltaSet: policy for [Value] /Channel/Orderer/ConsensusType not satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied

Thank you so much for your help.

On Thu, Nov 21, 2019 at 9:11 PM Jason K Yellick <jyellick@...> wrote:

Are you certain you're using the MSP of an admin user from your orderer org (not an orderer process MSP)? That error is quite explicit: it says you tried to modify /Channel/Orderer/ConsensusType, but your update did not satisfy the modification policy (/Channel/Orderer/Admins). The update failed because /Channel/Orderer/Admins requires that the /Channel/Orderer/OrdererOrg/Admins policy be satisfied, but it was not.

This is BYFN so all of these policies should be at their default values, so a single orderer admin signature should suffice. You can always set `FABRIC_LOGGING_SPEC=info:msp=debug:cauthdsl=debug:policy=debug` for some more detail in the orderer logs about exactly why the evaluation failure is failing, but it is almost definitely one of:

1) You specified the wrong MSPID in your env for the sign/send
2) You specified the wrong MSP path in your env for the sign/send

~Jason

----- Original message -----
From: Adhav Pavan <adhavpavan@...>
To: Jason K Yellick <jyellick@...>
Cc:
Subject: [EXTERNAL] Re: [Hyperledger Fabric] Error while migrating from kafka to RAFT
Date: Thu, Nov 21, 2019 1:44 AM
Hello Jason,

Thank you so much for the quick reply.

As you suggested, I signed the config block with OrdererMSP and sent an update request to the orderer, but no luck; I am getting the same error message.

Heartfelt Regards,
Pavan Adhav
Blockchain Developer
Cell Phone:+91-8390114357 E-Mail: adhavpavan@...
On Thu, Nov 21, 2019 at 11:29 AM Jason K Yellick <jyellick@...> wrote:

You need to sign and submit with the OrdererMSP admin identity to change consensus type parameters, not the application/peer org admins.
Thanks,
~Jason
Jason,

I just did as per your suggestion and signed the config changes (envelope) with the orderer MSP admin.

As I already mentioned in the mail below,

"When we create certificates using the cryptogen tool, for peer organizations the user admin certificate has OU as "Admin", but in the case of the Orderer Organization, the certificate has OU as "client". When we sign the config update block with orderer admin certs, it fails, as I already mentioned in the linked mail (The identity does not contain OU [ADMIN])."

After investigation, I changed crypto-config.yaml as below:

CA:
  OrganizationalUnit: admin
Thank you so much.
Regards,
Pavan Adhav
8390114357
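
Added example, not part of the thread: a small Python triage helper that reads orderer debug output like the lines quoted above and reports the first policy that failed together with the principal mismatch logged for it. The log excerpt is abridged from the thread; the function names and the parsing rules are this example's own assumptions about the log layout shown here.

```python
import re

# Abridged copy of the orderer debug lines quoted in the thread.
SAMPLE_LOG = """\
2019-11-25 07:58:51.537 UTC [policies] Evaluate -> DEBU dfd Signature set satisfies policy /Channel/Orderer/OrdererOrg/Writers
2019-11-25 07:58:51.538 UTC [policies] Evaluate -> DEBU e11 == Evaluating *cauthdsl.policy Policy /Channel/Orderer/OrdererOrg/Admins ==
2019-11-25 07:58:51.538 UTC [cauthdsl] func2 -> DEBU e16 0xc00027ebc0 identity 0 does not satisfy principal: The identity is not an admin under this MSP [OrdererMSP]: The identity does not contain OU [ADMIN], MSP: [OrdererMSP]
2019-11-25 07:58:51.538 UTC [policies] Evaluate -> DEBU e19 Signature set did not satisfy policy /Channel/Orderer/OrdererOrg/Admins
2019-11-25 07:58:51.538 UTC [policies] Evaluate -> DEBU e1c Signature set did not satisfy policy /Channel/Orderer/Admins
"""

EVAL_FAIL = re.compile(r"Signature set did not satisfy policy (\S+)")
EVAL_OK = re.compile(r"Signature set satisfies policy (\S+)")
PRINCIPAL = re.compile(r"identity \d+ does not satisfy principal: (.+)$")
MISSING_OU = re.compile(r"does not contain OU \[(\w+)\], MSP: \[(\w+)\]")


def failed_policies(log_text):
    """Return [(policy_path, [principal mismatch reasons])] in log order."""
    pending, failures = [], []
    for line in log_text.splitlines():
        if m := PRINCIPAL.search(line):
            pending.append(m.group(1).strip())
        elif EVAL_OK.search(line):
            pending.clear()  # mismatches inside a satisfied policy were benign
        elif m := EVAL_FAIL.search(line):
            # Reasons logged since the last verdict belong to this policy;
            # parent (implicit meta) policies fail with no reasons of their own.
            failures.append((m.group(1), pending[:]))
            pending.clear()
    return failures


def root_cause(log_text):
    """Return the first failed policy that carries a principal mismatch."""
    for policy, reasons in failed_policies(log_text):
        if reasons:
            ou = MISSING_OU.search(reasons[-1])
            return {"policy": policy, "reason": reasons[-1],
                    "missing_ou": ou.group(1) if ou else None,
                    "msp": ou.group(2) if ou else None}
    return None


if __name__ == "__main__":
    print(root_cause(SAMPLE_LOG))
```

On the thread's log this points at /Channel/Orderer/OrdererOrg/Admins and the missing ADMIN OU, rather than at the /Channel/Orderer/Admins failure that merely propagates from it.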