Hyperledger Fabric enroll & register admin not working


I'm trying to enroll & register an admin to perform peer operations. This is the bash code:

#!/bin/bash
# Arguments: <user> <password> <org> <identity type>
user="$1"
pass="$2"
org="$3"
type="$4"
tlscerts="/chainset/hyperledger-config/crypto-config/ordererOrganizations/default.svc.cluster.local/msp/tlscacerts/ca-root-7054.pem"

# Enroll the CA bootstrap admin so it can register new identities
fabric-ca-client enroll -u http://admin:adminpw@ca-root:7054

# Register the new identity with the CA
fabric-ca-client register --id.name "${user}" --id.secret "${pass}" --id.type "${type}" --id.affiliation "${org}" --id.attrs 'hf.Revoker=true,admin=true:ecert' -u http://ca-root:7054 --tls.certfiles "${tlscerts}"

# Enroll the new identity into its own MSP directory
export FABRIC_CA_CLIENT_HOME="/chainset/hyperledger-config/crypto-config/peerOrganizations/${org}/users/${user}@${org}/"
fabric-ca-client enroll -u "http://${user}:${pass}@ca-root:7054" --id.affiliation "${org}" --tls.certfiles "${tlscerts}"

# Rename the signing cert, then copy it into this user's own admincerts directory
mv "/chainset/hyperledger-config/crypto-config/peerOrganizations/${org}/users/${user}@${org}/msp/signcerts/cert.pem" "/chainset/hyperledger-config/crypto-config/peerOrganizations/${org}/users/${user}@${org}/msp/signcerts/${user}@${org}-cert.pem"
mkdir -p "/chainset/hyperledger-config/crypto-config/peerOrganizations/${org}/users/${user}@${org}/msp/admincerts/"
cp "/chainset/hyperledger-config/crypto-config/peerOrganizations/${org}/users/${user}@${org}/msp/signcerts/"* "/chainset/hyperledger-config/crypto-config/peerOrganizations/${org}/users/${user}@${org}/msp/admincerts/"

When I try to create a new channel I get this error:

Description: error validating channel creation transaction for new channel 'newchannelf', could not successfully apply update to template configuration: error authorizing update: error validating DeltaSet: policy for [Group]  /Channel/Application not satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied

This is my configtx.yml configuration. I don't know if it is a problem with the policies in this configuration file or if I'm not registering & enrolling the user correctly.

Organizations:
  - &orderer
    Name: orderer
    ID: orderer
    MSPDir: crypto-config/ordererOrganizations/default.svc.cluster.local/msp
    Policies:
      Readers:
        Type: Signature
        Rule: "OR('orderer.member')"
      Writers:
        Type: Signature
        Rule: "OR('orderer.member')"
      Admins:
        Type: Signature
        Rule: "OR('orderer.admin')"

  - &org1
    Name: org1
    ID: org1
    MSPDir: crypto-config/peerOrganizations/org1/msp
    Policies:
      Readers:
        Type: Signature
        Rule: "OR('org1.admin', 'org1.peer', 'org1.client', 'org1.member')"
      Writers:
        Type: Signature
        Rule: "OR('org1.admin', 'org1.peer', 'org1.client', 'org1.member')"
      Admins:
        Type: Signature
        Rule: "OR('org1.admin')"
    AnchorPeers:
      - Host: peer0-org1-service
        Port: 7051

  - &org2
    Name: org2
    ID: org2
    MSPDir: crypto-config/peerOrganizations/org2/msp
    Policies:
      Readers:
        Type: Signature
        Rule: "OR('org2.admin', 'org2.peer', 'org2.client', 'org2.member')"
      Writers:
        Type: Signature
        Rule: "OR('org2.admin', 'org2.peer', 'org2.client', 'org2.member')"
      Admins:
        Type: Signature
        Rule: "OR('org2.admin')"
    AnchorPeers:
      - Host: peer0-org2-service
        Port: 7051

Capabilities:
  Channel: &ChannelCapabilities
    V1_4_3: true

  Orderer: &OrdererCapabilities
    V1_4_2: true

  Application: &ApplicationCapabilities
    V1_4_2: true

Application: &ApplicationDefaults
  Organizations:
    - *orderer
    - *org1
    - *org2

  Policies:
    Readers:
      Type: ImplicitMeta
      Rule: "ANY Readers"
    Writers:
      Type: ImplicitMeta
      Rule: "ANY Writers"
    Admins:
      Type: ImplicitMeta
      Rule: "ANY Admins"
    BlockValidation:
      Type: ImplicitMeta
      Rule: "ANY Writers"

  Capabilities:
    <<: *ApplicationCapabilities

Orderer: &OrdererDefaults

  OrdererType: etcdraft
  EtcdRaft:
    Consenters:
      - Host: orderer0-service
        Port: 7050
        ClientTLSCert: crypto-config/ordererOrganizations/default.svc.cluster.local/orderers/orderer0.default.svc.cluster.local/tls/server.crt
        ServerTLSCert: crypto-config/ordererOrganizations/default.svc.cluster.local/orderers/orderer0.default.svc.cluster.local/tls/server.crt
      - Host: orderer1-service
        Port: 7050
        ClientTLSCert: crypto-config/ordererOrganizations/default.svc.cluster.local/orderers/orderer1.default.svc.cluster.local/tls/server.crt
        ServerTLSCert: crypto-config/ordererOrganizations/default.svc.cluster.local/orderers/orderer1.default.svc.cluster.local/tls/server.crt
      - Host: orderer2-service
        Port: 7050
        ClientTLSCert: crypto-config/ordererOrganizations/default.svc.cluster.local/orderers/orderer2.default.svc.cluster.local/tls/server.crt
        ServerTLSCert: crypto-config/ordererOrganizations/default.svc.cluster.local/orderers/orderer2.default.svc.cluster.local/tls/server.crt
  Addresses:
    - orderer0-service:7050
    - orderer1-service:7050
    - orderer2-service:7050

  BatchTimeout: 1s
  BatchSize:
    MaxMessageCount: 10
    AbsoluteMaxBytes: 99 MB
    PreferredMaxBytes: 512 KB

  Kafka:
    Brokers:
      - 127.0.0.1:9092

  Organizations:
    - *orderer

  Policies:
    Readers:
      Type: ImplicitMeta
      Rule: "ANY Readers"
    Writers:
      Type: ImplicitMeta
      Rule: "ANY Writers"
    Admins:
      Type: ImplicitMeta
      Rule: "MAJORITY Admins"
    BlockValidation:
      Type: ImplicitMeta
      Rule: "ANY Writers"

Channel: &ChannelDefaults

  Policies:
    Readers:
      Type: ImplicitMeta
      Rule: "ANY Readers"
    Writers:
      Type: ImplicitMeta
      Rule: "ANY Writers"
    Admins:
      Type: ImplicitMeta
      Rule: "ANY Admins"

  Capabilities:
    <<: *ChannelCapabilities

Profiles:

  OrdererGenesis:
    <<: *ChannelDefaults
    Capabilities:
      <<: *ChannelCapabilities
    Orderer:
      <<: *OrdererDefaults
      Organizations:
        - *orderer
      Capabilities:
        <<: *OrdererCapabilities
    Application:
      <<: *ApplicationDefaults
      Organizations:
        - <<: *orderer
    Consortiums:
      MAIN:
        Organizations:
          - *org1
          - *org2

  MainChannel:
    <<: *ChannelDefaults
    Consortium: MAIN
    Application:
      <<: *ApplicationDefaults
      Organizations:
        - *org1
        - *org2
      Capabilities:
        <<: *ApplicationCapabilities
1 answer

4
Chintan Rajvir On BEST ANSWER

This is what is happening:

You created a system channel (which is the orderer genesis block) by creating the MAIN consortium. The system channel was created with the peer organization MSPs as they were at that moment. Then, after the network was up, you went into org1/users and created an admin identity. You updated the local MSP of the peer, but the already existing system channel was never updated.

Possible solutions:

  1. Update the admin credentials within org1/users before the network is set up.
  2. Update the system channel configuration with the admin2 credentials post deployment by creating a channel update transaction.
  3. Enable NodeOUs so that any admin identity generated dynamically post the network deployment can perform admin related transactions.
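
A check for the situation the answer describes, as an added example that is not part of the original question or answer: it reports which rule, if any, lets the organization MSP directory on disk (the `MSPDir` from configtx.yml) treat a given signing certificate as an admin. The function names and the result strings are hypothetical; a `nodeous-enabled` result still requires the certificate to carry the admin OU, and the channel configuration must have been generated from this MSP for either result to matter.

```shell
#!/bin/sh
# Added example (not from the original post): inspect an org MSP directory
# and report how it could recognize a certificate as an admin.

# Print the base64 body of a PEM file without armor lines or whitespace,
# so two copies of one certificate compare equal despite CRLF or re-wrapping.
pem_body() {
  grep -v '^-----' "$1" | tr -d ' \t\r\n'
}

# Succeed when config.yaml in the MSP has "Enable: true" under "NodeOUs:".
nodeous_enabled() {
  [ -f "$1/config.yaml" ] || return 1
  awk '/^NodeOUs:/ {in_ou = 1; next}
       /^[^ \t#]/  {in_ou = 0}
       in_ou && /^[ \t]+Enable:[ \t]*true/ {found = 1}
       END {exit !found}' "$1/config.yaml"
}

# admin_source ORG_MSP_DIR USER_CERT
# Prints "admincerts", "nodeous-enabled" or "none"; returns 1 for "none".
admin_source() {
  org_msp=$1
  user_cert=$2
  want=$(pem_body "$user_cert")
  for c in "$org_msp"/admincerts/*; do
    [ -f "$c" ] || continue
    if [ "$(pem_body "$c")" = "$want" ]; then
      echo admincerts
      return 0
    fi
  done
  if nodeous_enabled "$org_msp"; then
    echo nodeous-enabled
    return 0
  fi
  echo none
  return 1
}
```

For the setup in the question, the arguments would be `crypto-config/peerOrganizations/org1/msp` and the renamed certificate under the user's `msp/signcerts/`.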