
Channel creation failed: Only 0 policies were satisfied, but needed 1 of [ OrdererOrg/Writers ]

Stack Overflow user
Asked 2020-12-15 17:37:26
Answers: 1, Views: 202, Followers: 0, Votes: 1

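I tried the Hyperledger tutorial with version 2.3, in which they instantiate 2 peers (Org1 and Org2) and one orderer node (Orderer), and tried to instantiate each node on a different VM. The final goal is to multiply the peer and orderer nodes with Raft consensus, each node having its own VM. I defined the following configtx.yaml.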

---
Organizations:

    - &OrdererOrg
        Name: OrdererOrg
        ID: OrdererMSP
        MSPDir: ../organizations/ordererOrganizations/example.com/msp
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('OrdererMSP.member','OrdererMSP.orderer')"
            Writers:
                Type: Signature
                Rule: "OR('OrdererMSP.member','OrdererMSP.orderer')"
            Admins:
                Type: Signature
                Rule: "OR('OrdererMSP.admin')"

        OrdererEndpoints:
            - orderer0.example.com:7050

    - &Org1
        Name: Org1MSP
        ID: Org1MSP
        MSPDir: ../organizations/peerOrganizations/org1.example.com/msp
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('Org1MSP.admin', 'Org1MSP.peer', 'Org1MSP.client')"
            Writers:
                Type: Signature
                Rule: "OR('Org1MSP.admin', 'Org1MSP.client')"
            Admins:
                Type: Signature
                Rule: "OR('Org1MSP.admin')"
            Endorsement:
                Type: Signature
                Rule: "OR('Org1MSP.peer')"

        AnchorPeers:
            - Host: peer0.org1.example.com
              Port: 7051

    - &Org2
        Name: Org2MSP
        ID: Org2MSP
        MSPDir: ../organizations/peerOrganizations/org2.example.com/msp
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('Org2MSP.admin', 'Org2MSP.peer', 'Org2MSP.client')"
            Writers:
                Type: Signature
                Rule: "OR('Org2MSP.admin', 'Org2MSP.client')"
            Admins:
                Type: Signature
                Rule: "OR('Org2MSP.admin')"
            Endorsement:
                Type: Signature
                Rule: "OR('Org2MSP.peer')"

        AnchorPeers:
            - Host: peer0.org2.example.com
              Port: 7051

Capabilities:
    Channel: &ChannelCapabilities
        V2_0: true
    Orderer: &OrdererCapabilities
        V2_0: true
    Application: &ApplicationCapabilities
        V2_0: true

Application: &ApplicationDefaults
    Organizations:
    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
        LifecycleEndorsement:
            Type: ImplicitMeta
            Rule: "MAJORITY Endorsement"
        Endorsement:
            Type: ImplicitMeta
            Rule: "MAJORITY Endorsement"

    Capabilities:
        <<: *ApplicationCapabilities

Orderer: &OrdererDefaults
    OrdererType: etcdraft
    EtcdRaft:
        Consenters:
        - Host: orderer0.example.com
          Port: 7050
          ClientTLSCert: ../organizations/ordererOrganizations/example.com/orderers/orderer0.example.com/tls/server.crt
          ServerTLSCert: ../organizations/ordererOrganizations/example.com/orderers/orderer0.example.com/tls/server.crt
    BatchTimeout: 2s
    BatchSize:
        MaxMessageCount: 10
        AbsoluteMaxBytes: 99 MB
        PreferredMaxBytes: 512 KB
    Organizations:
    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
        BlockValidation:
            Type: ImplicitMeta
            Rule: "ANY Writers"

Channel: &ChannelDefaults
    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
    Capabilities:
        <<: *ChannelCapabilities

Profiles:

    AllOrgsOrdererGenesis:
        <<: *ChannelDefaults
        Orderer:
            <<: *OrdererDefaults
            Organizations:
                - *OrdererOrg
            Capabilities:
                <<: *OrdererCapabilities
        Consortiums:
            SampleConsortium:
                Organizations:
                    - *Org1
                    - *Org2
                    
    AllOrgsChannel:
        Consortium: SampleConsortium
        <<: *ChannelDefaults
        Application:
            <<: *ApplicationDefaults
            Organizations:
                - *Org1
                - *Org2
            Capabilities:
                <<: *ApplicationCapabilities

On the Org1 node, after creating the crypto material with cryptogen, I created the genesis block and the application channel with configtxgen.

configtxgen -profile AllOrgsOrdererGenesis -outputBlock ./channel-artifacts/genesis.block -channelID mychannel
configtxgen -profile AllOrgsChannel -outputCreateChannelTx ./channel-artifacts/mychannel.tx -channelID mychannel

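Next, I shared the artifacts with all the nodes and started the relevant Docker containers. The next step is to create the channel, so on the Org1 VM I used the following command: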

peer channel create -o <IP of the ordering node>:7050  --ordererTLSHostnameOverride orderer0.example.com -c mychannel -f ./channel-artifacts/mychannel.tx --outputBlock ./channel-artifacts/mychannel.block --tls --cafile ${PWD}/organizations/ordererOrganizations/example.com/orderers/orderer0.example.com/msp/tlscacerts/tlsca.example.com-cert.pem

I get the following error in my shell:

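2020-12-15 16:52:38.764 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
Error: got unexpected status: FORBIDDEN -- config update for existing channel did not pass initial checks: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Writers' sub-policies to be satisfied: permission denied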

Investigating in the orderer logs gives the following errors:

2020-12-15 16:52:38.780 UTC [cauthdsl] func2 -> DEBU 368 0xc000902e60 signed by 0 principal evaluation starts (used [false])
2020-12-15 16:52:38.780 UTC [cauthdsl] func2 -> DEBU 369 0xc000902e60 processing identity 0 - &{Org1MSP 6ead373932c104ed8f9aa3da8431824fbe733b84eeee6d8b70a0f2ddca84a932}
2020-12-15 16:52:38.782 UTC [cauthdsl] func2 -> DEBU 36a 0xc000902e60 identity 0 does not satisfy principal: the identity is a member of a different MSP (expected OrdererMSP, got Org1MSP)
2020-12-15 16:52:38.782 UTC [cauthdsl] func2 -> DEBU 36b 0xc000902e60 principal evaluation fails
2020-12-15 16:52:38.782 UTC [cauthdsl] func1 -> DEBU 36c 0xc000902e60 gate 1608051158780630929 evaluation fails
2020-12-15 16:52:38.782 UTC [policies] EvaluateSignedData -> DEBU 36d Signature set did not satisfy policy /Channel/Orderer/OrdererOrg/Writers
2020-12-15 16:52:38.782 UTC [policies] EvaluateSignedData -> DEBU 36e == Done Evaluating *cauthdsl.policy Policy /Channel/Orderer/OrdererOrg/Writers
2020-12-15 16:52:38.782 UTC [policies] func1 -> DEBU 36f Evaluation Failed: Only 0 policies were satisfied, but needed 1 of [ OrdererOrg/Writers ]
2020-12-15 16:52:38.782 UTC [policies] EvaluateSignedData -> DEBU 370 Signature set did not satisfy policy /Channel/Orderer/Writers
2020-12-15 16:52:38.782 UTC [policies] EvaluateSignedData -> DEBU 371 == Done Evaluating *policies.ImplicitMetaPolicy Policy /Channel/Orderer/Writers
2020-12-15 16:52:38.782 UTC [policies] func1 -> DEBU 372 Evaluation Failed: Only 0 policies were satisfied, but needed 1 of [ Consortiums/Writers Orderer/Writers ]
2020-12-15 16:52:38.782 UTC [policies] EvaluateSignedData -> DEBU 373 Signature set did not satisfy policy /Channel/Writers
2020-12-15 16:52:38.782 UTC [policies] EvaluateSignedData -> DEBU 374 == Done Evaluating *policies.ImplicitMetaPolicy Policy /Channel/Writers

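I assume the orderer policies expect the channel creation request to come from an orderer, but it is only possible to do it from a peer. Maybe I made a mistake in writing the policies. Please, can you help me fix the platform?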

Edit: following your comment, I am completing the question. Some of the environment variables for Org1 are:

export CORE_PEER_TLS_ENABLED=true
export CORE_PEER_LOCALMSPID="Org1MSP"
export CORE_PEER_TLS_ROOTCERT_FILE=${PWD}/organizations/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
export CORE_PEER_MSPCONFIGPATH=${PWD}/organizations/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp
export CORE_PEER_ADDRESS=localhost:7051

The volumes section of the docker-compose file for the orderer container is:

volumes:
  - ../channel-artifacts/genesis.block:/var/hyperledger/orderer/orderer.genesis.block
  - ../organizations/ordererOrganizations/example.com/orderers/orderer0.example.com/msp:/var/hyperledger/orderer/msp
  - ../organizations/ordererOrganizations/example.com/orderers/orderer0.example.com/tls/:/var/hyperledger/orderer/tls
  - ../orgconfig/orderer.yaml:/etc/hyperledger/fabric/orderer.yaml
  - orderer0.example.com:/var/hyperledger/production/orderer

The orderer configuration values associated with its MSP are:

General.LocalMSPDir = "/var/hyperledger/orderer/msp"
General.LocalMSPID = "OrdererMSP"
General.TLS.Enabled = true
General.TLS.PrivateKey = "/var/hyperledger/orderer/tls/server.key"
General.TLS.Certificate = "/var/hyperledger/orderer/tls/server.crt"
General.TLS.RootCAs = [/var/hyperledger/orderer/tls/ca.crt]
General.TLS.ClientAuthRequired = false
General.TLS.ClientRootCAs = []

According to the orderer logs, the TLS handshake completed without error.


1 Answer

Stack Overflow user

Answered 2020-12-16 12:06:07

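The orderer logs probably indicate that the certificate you provided in the orderer's local MSP directory belongs to org1 and not to the orderer. To make sure, go into the orderer logs: right before the lines you provided, there must be some public certificates printed in the log. Copy them from the log and paste them into an online PEM certificate decoder to check, from the certificate's attributes, which organization they belong to. If it is indeed the wrong certificate, make sure the orderer's MSP directory contains the correct certificate that you generated with cryptogen.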

Votes: 0
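The original content of this page is provided by Stack Overflow. Translation support is provided by the Tencent Cloud Xiaowei IT-domain engine.
Original link:

https://stackoverflow.com/questions/65310894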
