Implicit policy evaluation failed when creating a new channel

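I am creating a custom Hyperledger Fabric network that runs on Kubernetes, and I am now trying to automate creating and joining channels. The error I am hitting now is related to the creation of the channel itself.

The sequence I follow for channel creation is as follows (the example channel is named global):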

  1. Create genesis.block using configtx.yaml:
configtxgen -profile OrgsOrdererGenesis -configPath /data/config -outputBlock /data/genesis.block --channelID orderersglobal
  2. Create channel.tx using the previously created genesis.block:
configtxgen -profile OrgsChannel -configPath /data/config -outputCreateChannelTx /data/global.tx -channelID global
  3. Copy channel.tx to each CLI and org.

  4. On each CLI, I enroll as admin and run the following command to create the channel block:

peer channel create -o orderer0.org1:7050 --channelID global -f /data/global.tx

However, I get this error:

2019-10-08 12:25:51.089 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
Error: got unexpected status: BAD_REQUEST -- error validating channel creation transaction for new channel 'global', could not successfully apply update to template configuration: error authorizing update: error validating DeltaSet: policy for [Group]  /Channel/Application not satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied

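As a result, I cannot continue testing the network. I initially used the same channelID for genesis.block and channel.block, but I have already changed that. I have read some posts about this, but nothing seems to solve my problem. I hope some of you can help me.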


This is my network architecture (I am not using TLS).


These are the contents of my configtx.yaml file:

Capabilities:
  Global: &ChannelCapabilities
    V1_3: true
  Orderer: &OrdererCapabilities
    V1_1: true
  Application: &ApplicationCapabilities
    V1_3: true
Organizations:
- &org1
  Name: org1
  ID: org1MSP
  MSPDir: /data/orgs/org1/msp
  AdminPrincipal: Role.ADMIN
  Policies:
    Readers:
      Type: Signature
      Rule: "OR('org1MSP.member')"
    Writers:
      Type: Signature
      Rule: "OR('org1MSP.member')"
    Admins:
      Type: Signature
      Rule: "OR('org1MSP.admin')"
  AnchorPeers:
    - Host: peer0.org1
      Port: 7051
- &org2
  Name: org2
  ID: org2MSP
  MSPDir: /data/orgs/org2/msp
  AdminPrincipal: Role.ADMIN
  Policies:
    Readers:
      Type: Signature
      Rule: "OR('org2MSP.member')"
    Writers:
      Type: Signature
      Rule: "OR('org2MSP.member')"
    Admins:
      Type: Signature
      Rule: "OR('org2MSP.admin')"
  AnchorPeers:
    - Host: peer0.org2
      Port: 7051
- &org3
  Name: org3
  ID: org3MSP
  MSPDir: /data/orgs/org3/msp
  AdminPrincipal: Role.ADMIN
  Policies:
    Readers:
      Type: Signature
      Rule: "OR('org3MSP.member')"
    Writers:
      Type: Signature
      Rule: "OR('org3MSP.member')"
    Admins:
      Type: Signature
      Rule: "OR('org3MSP.admin')"
Orderer: &OrdererDefaults
  OrdererType: kafka
  Addresses:
    - orderer0.org1:7050
    - orderer0.org2:7050
    - orderer0.org3:7050
  BatchTimeout: 2s
  BatchSize:
    MaxMessageCount: 10
    AbsoluteMaxBytes: 98 MB
    PreferredMaxBytes: 512 KB
  MaxChannels: 0
  Kafka:
    Brokers:
      - bootstrap.kafka:9092
  Organizations:
      - *org1
      - *org2
      - *org3
  Policies:
    Readers:
      Type: ImplicitMeta
      Rule: "ANY Readers"
    Writers:
      Type: ImplicitMeta
      Rule: "ANY Writers"
    Admins:
      Type: ImplicitMeta
      Rule: "MAJORITY Admins"
    BlockValidation:
      Type: ImplicitMeta
      Rule: "ANY Writers"
  Capabilities:
    <<: *OrdererCapabilities
Channel: &ChannelDefaults
  Policies:
    Readers:
      Type: ImplicitMeta
      Rule: "ANY Readers"
    Writers:
      Type: ImplicitMeta
      Rule: "ANY Writers"
    Admins:
      Type: ImplicitMeta
      Rule: "MAJORITY Admins"
  Capabilities:
    <<: *ChannelCapabilities
Application: &ApplicationDefaults
  ACLs: &ACLsDefault
    lscc/ChaincodeExists: /Channel/Application/Readers
    lscc/GetDeploymentSpec: /Channel/Application/Readers
    lscc/GetChaincodeData: /Channel/Application/Readers
    lscc/GetInstantiatedChaincodes: /Channel/Application/Readers
    qscc/GetChainInfo: /Channel/Application/Readers
    qscc/GetBlockByNumber: /Channel/Application/Readers
    qscc/GetBlockByHash: /Channel/Application/Readers
    qscc/GetTransactionByID: /Channel/Application/Readers
    qscc/GetBlockByTxID: /Channel/Application/Readers
    cscc/GetConfigBlock: /Channel/Application/Readers
    cscc/GetConfigTree: /Channel/Application/Readers
    cscc/SimulateConfigTreeUpdate: /Channel/Application/Readers
    peer/Propose: /Channel/Application/Writers
    peer/ChaincodeToChaincode: /Channel/Application/Readers
    event/Block: /Channel/Application/Readers
    event/FilteredBlock: /Channel/Application/Readers
  Organizations:
  Policies: &ApplicationDefaultPolicies
    Readers:
      Type: ImplicitMeta
      Rule: "ANY Readers"
    Writers:
      Type: ImplicitMeta
      Rule: "ANY Writers"
    Admins:
      Type: ImplicitMeta
      Rule: "MAJORITY Admins"
  Capabilities:
    <<: *ApplicationCapabilities
Profiles:
  OrgsOrdererGenesis:
    <<: *ChannelDefaults
    Orderer:
      <<: *OrdererDefaults
      Organizations:
      - *org1
      - *org2
      - *org3
      Capabilities:
        <<: *OrdererCapabilities
    Application:
      <<: *ApplicationDefaults
      Organizations:
      - *org1
      - *org2
      - *org3
      Capabilities:
        <<: *ApplicationCapabilities
    Consortiums:
      SampleConsortium:
        Organizations:
        - *org1
        - *org2
  OrgsChannel:
    Capabilities:
      <<: *ChannelCapabilities
    Consortium: SampleConsortium
    Application:
      <<: *ApplicationDefaults
      Organizations:
      - *org1
      - *org2
      Capabilities:
        <<: *ApplicationCapabilities

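What is most likely happening is that the certificate you are trying to use as admin is not really an admin. Some things you can check to see what went wrong: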

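  • In the MSP folders you use for configtx.yaml (/data/orgs/org1/msp and /data/orgs/org2/msp): this is a folder on your computer (actually the computer/container where you run the configtxgen command), so the first thing to check is whether the folder was created correctly.
  • Is there a certificate in the admincerts folder inside the MSP folder? If there is not, the MSP has no admin.
  • Another thing to keep in mind is to use persistent volumes to "pass" the certificates generated by Fabric CA, cryptogen or any other CA.
  • I know MSPDir works with a path relative to configtx.yaml. I don't know whether it works with an absolute path like the one you are using.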

Another way to check which certificate each MSP uses is to fetch the last config block with peer channel fetch config, decode it with configtxlator proto_decode --input <channel name>_config.block --type common.Block --output config.json, and then inspect this JSON file.
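
The check described in the answer above, as an added example (not part of the original answer or of Fabric): it walks the JSON written by configtxlator proto_decode, collects the admin certificates stored for every org MSP, and reports whether the certificate you sign with is among them. The sample block and its PEM-armored placeholder bytes are constructed, and the names `pem_fingerprint`, `msp_admins` and `check_signer` are chosen here.

```python
import base64, hashlib, json, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_fingerprint(pem_text):
    """SHA-256 of the DER bytes inside a PEM certificate, ignoring line endings."""
    body = PEM_RE.search(pem_text).group(1)
    return hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()

def msp_admins(group, path="/Channel"):
    """Walk a config group tree; yield (path, MSP ID, admin fingerprints) per org MSP."""
    msp = group.get("values", {}).get("MSP")
    if msp:
        cfg = msp["value"]["config"]
        # In the decoded JSON each admin entry is base64 of the PEM file bytes.
        fps = [pem_fingerprint(base64.b64decode(a).decode()) for a in cfg.get("admins") or []]
        yield path, cfg["name"], fps
    for name, sub in group.get("groups", {}).items():
        yield from msp_admins(sub, f"{path}/{name}")

def check_signer(block, signer_pem):
    """Map each org group path to 'admin', 'not admin' or 'no admincerts' for signer_pem."""
    root = block["data"]["data"][0]["payload"]["data"]["config"]["channel_group"]
    want = pem_fingerprint(signer_pem)
    result = {}
    for path, _msp_id, fps in msp_admins(root):
        result[path] = "no admincerts" if not fps else ("admin" if want in fps else "not admin")
    return result

def fake_pem(seed):
    """Constructed placeholder bytes in PEM armor; not a real X.509 certificate."""
    body = base64.b64encode(seed * 8).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def org(msp_id, admin_pems):
    """Constructed org group holding only the fields this check reads."""
    admins = [base64.b64encode(p.encode()).decode() for p in admin_pems]
    return {"values": {"MSP": {"value": {"config": {"name": msp_id, "admins": admins}}}}}

ADMIN1, USER1 = fake_pem(b"org1-admin"), fake_pem(b"org1-user")
SAMPLE_BLOCK = {"data": {"data": [{"payload": {"data": {"config": {"channel_group": {
    "groups": {"Consortiums": {"groups": {"SampleConsortium": {"groups": {
        "org1": org("org1MSP", [ADMIN1]), "org2": org("org2MSP", [])}}}}}}}}}}]}}

if __name__ == "__main__":
    # With a real block: check_signer(json.load(open("config.json")), open(cert_path).read())
    print(json.dumps(check_signer(SAMPLE_BLOCK, USER1), indent=2))
```

For a channel-creation failure like the one in the question, run it against the decoded config block of the orderer system channel (orderersglobal here), because that block holds the consortium's org MSPs.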