1. Channel configuration resolution

When you initially create a channel, you need to specify configuration information, which includes permission definitions and so on.

A configuration transaction produces a configuration block, and that block contains no transaction other than the configuration transaction. The first configuration block is the genesis block. To update a configuration, you pull the current configuration, convert it to a human-readable format, modify it, and submit it for review.

This is the configuration structure of the entire channel. Proto is defined as follows:

message ConfigGroup {
    uint64 version = 1;
    map<string,ConfigGroup> groups = 2;
    map<string,ConfigValue> values = 3;
    map<string,ConfigPolicy> policies = 4;
    string mod_policy = 5;  // Policy that governs changes to the content of the current structure
}

Before going into the details, you need to understand the change policy for the Fabric configuration. It is a layered policy configuration. For example, the topmost ConfigGroup has its own mod_policy that applies to the current layer, such as when changing the hash algorithm in values. The signatures on the transaction must satisfy the policy that mod_policy names, and that policy is defined in policies.

Here’s a look at the configuration file:

{
  "channel_group": {
    "groups": {
      "Application": {},
      "Orderer": {}
    },
    "mod_policy": "Admins",
    "policies": {
      "Admins": {
        "mod_policy": "Admins",
        "policy": {
          "type": 3,
          "value": {
            "rule": "MAJORITY",
            "sub_policy": "Admins"
          }
        },
        "version": "0"
      },
      "Readers": {
        "mod_policy": "Admins",
        "policy": {
          "type": 3,
          "value": {
            "rule": "ANY",
            "sub_policy": "Readers"
          }
        },
        "version": "0"
      },
      "Writers": {
        "mod_policy": "Admins",
        "policy": {
          "type": 3,
          "value": {
            "rule": "ANY",
            "sub_policy": "Writers"
          }
        },
        "version": "0"
      }
    },
    "values": {
      "BlockDataHashingStructure": {
        "mod_policy": "Admins",
        "value": {
          "width": 4294967295
        },
        "version": "0"
      },
      "Capabilities": {
        "mod_policy": "Admins",
        "value": {
          "capabilities": {
            "V1_4_3": {}
          }
        },
        "version": "0"
      },
      "Consortium": {
        "mod_policy": "Admins",
        "value": {
          "name": "SampleConsortium"
        },
        "version": "0"
      },
      "HashingAlgorithm": {
        "mod_policy": "Admins",
        "value": {
          "name": "SHA256"
        },
        "version": "0"
      },
      "OrdererAddresses": {
        "mod_policy": "/Channel/Orderer/Admins",
        "value": {
          "addresses": [
            "orderer.example.com:7050"
          ]
        },
        "version": "0"
      }
    },
    "version": "0"
  },
  "sequence": "3"    ## +1 every time a configuration is submitted
}

First, let’s look at policies. Policy Admins is as follows:

      "Admins": {
        "mod_policy": "Admins",
        "policy": {
          "type": 3,
          "value": {
            "rule": "MAJORITY",
            "sub_policy": "Admins"
          }
        },
        "version": "0"
      },

Here, the policy structure holds the content of the entire policy:

  • type: There are four types as follows:
    enum PolicyType {
        UNKNOWN = 0; // Reserved to check for proper initialization
        SIGNATURE = 1;
        MSP = 2;
        IMPLICIT_META = 3;
    }

In this example, 3 stands for ImplicitMetaPolicy, which Fabric interprets as follows:

// ImplicitMetaPolicy is a policy type which depends on the hierarchical nature of the configuration
// It is implicit because the rule is generate implicitly based on the number of sub policies
// It is meta because it depends only on the result of other policies
// When evaluated, this policy iterates over all immediate child sub-groups, retrieves the policy
// of name sub_policy, evaluates the collection and applies the rule.
// For example, with 4 sub-groups, and a policy name of "foo", ImplicitMetaPolicy retrieves
// each sub-group, retrieves policy "foo" for each subgroup, evaluates it, and, in the case of ANY
// 1 satisfied is sufficient, ALL would require 4 signatures, and MAJORITY would require 3 signatures.
message ImplicitMetaPolicy {
    enum Rule {
        ANY = 0;      // Requires any of the sub-policies be satisfied, if no sub-policies exist, always returns true
        ALL = 1;      // Requires all of the sub-policies be satisfied
        MAJORITY = 2; // Requires a strict majority (greater than half) of the sub-policies be satisfied
    }
    string sub_policy = 1;
    Rule rule = 2;
}

MAJORITY means that more than half of the sub-policies must be satisfied. With the two sub-groups here, that means both Application and Orderer must be satisfied.

  • value: This part corresponds to ImplicitMetaPolicy. sub_policy is the name of the policy to be satisfied at the next level, and rule is one of the three rules above.

Let’s look at the contents of the first subgroup Application:

{
    "Application": {
        "groups": {
            "Org1MSP": {...},
            "Org2MSP": {...}
        },
        "mod_policy": "Admins",
        "policies": {
            "Admins": {
                "mod_policy": "Admins",
                "policy": {
                    "type": 3,
                    "value": {
                        "rule": "MAJORITY",
                        "sub_policy": "Admins"
                    }
                },
                "version": "0"
            },
            "Readers": {
                "mod_policy": "Admins",
                "policy": {
                    "type": 3,
                    "value": {
                        "rule": "ANY",
                        "sub_policy": "Readers"
                    }
                },
                "version": "0"
            },
            "Writers": {
                "mod_policy": "Admins",
                "policy": {
                    "type": 3,
                    "value": {
                        "rule": "ANY",
                        "sub_policy": "Writers"
                    }
                },
                "version": "0"
            }
        },
        "values": {
            "Capabilities": {
                "mod_policy": "Admins",
                "value": {
                    "capabilities": {
                        "V1_4_2": {}
                    }
                },
                "version": "0"
            }
        },
        "version": "1"
    }
}

The Application layer is similar to channel_group: it consists of groups, values, policies, version and mod_policy. The layering, then, is simply groups nested within groups, with policies defined at each level.

The key part is the content of Org1MSP and Org2MSP, one layer below Application. Org1MSP is shown here:

{
    "groups": {},
    "mod_policy": "Admins",
    "policies": {
        "Admins": {
            "mod_policy": "Admins",
            "policy": {
                "type": 1,
                "value": {
                    "identities": [
                        {
                            "principal": {
                                "msp_identifier": "Org1MSP",
                                "role": "ADMIN"
                            },
                            "principal_classification": "ROLE"
                        }
                    ],
                    "rule": {
                        "n_out_of": {
                            "n": 1,
                            "rules": [
                                {
                                    "signed_by": 0
                                }
                            ]
                        }
                    },
                    "version": 0
                }
            },
            "version": "0"
        },
        "Readers": {
            "mod_policy": "Admins",
            "policy": {
                "type": 1,
                "value": {
                    "identities": [
                        {
                            "principal": {
                                "msp_identifier": "Org1MSP",
                                "role": "ADMIN"
                            },
                            "principal_classification": "ROLE"
                        },
                        {
                            "principal": {
                                "msp_identifier": "Org1MSP",
                                "role": "PEER"
                            },
                            "principal_classification": "ROLE"
                        },
                        {
                            "principal": {
                                "msp_identifier": "Org1MSP",
                                "role": "CLIENT"
                            },
                            "principal_classification": "ROLE"
                        }
                    ],
                    "rule": {
                        "n_out_of": {
                            "n": 1,
                            "rules": [
                                {
                                    "signed_by": 0
                                },
                                {
                                    "signed_by": 1
                                },
                                {
                                    "signed_by": 2
                                }
                            ]
                        }
                    },
                    "version": 0
                }
            },
            "version": "0"
        },
        "Writers": {
            "mod_policy": "Admins",
            "policy": {
                "type": 1,
                "value": {
                    "identities": [
                        {
                            "principal": {
                                "msp_identifier": "Org1MSP",
                                "role": "ADMIN"
                            },
                            "principal_classification": "ROLE"
                        },
                        {
                            "principal": {
                                "msp_identifier": "Org1MSP",
                                "role": "CLIENT"
                            },
                            "principal_classification": "ROLE"
                        }
                    ],
                    "rule": {
                        "n_out_of": {
                            "n": 1,
                            "rules": [
                                {
                                    "signed_by": 0
                                },
                                {
                                    "signed_by": 1
                                }
                            ]
                        }
                    },
                    "version": 0
                }
            },
            "version": "0"
        }
    },
    "values": {
        "AnchorPeers": {
            "mod_policy": "Admins",
            "value": {
                "anchor_peers": [
                    {
                        "host": "peer0.org1.example.com",
                        "port": 7051
                    }
                ]
            },
            "version": "0"
        },
        "MSP": {
            "mod_policy": "Admins",
            "value": {
                "config": {
                    "admins": [],
                    "crypto_config": {
                        "identity_identifier_hash_function": "SHA256",
                        "signature_hash_family": "SHA2"
                    },
                    "fabric_node_ous": {
                        "admin_ou_identifier": {
                            "certificate": "<base64-encoded PEM: Org1 root CA certificate>",
                            "organizational_unit_identifier": "admin"
                        },
                        "client_ou_identifier": {
                            "certificate": "<base64-encoded PEM: Org1 root CA certificate>",
                            "organizational_unit_identifier": "client"
                        },
                        "enable": true,
                        "orderer_ou_identifier": {
                            "certificate": "<base64-encoded PEM: Org1 root CA certificate>",
                            "organizational_unit_identifier": "orderer"
                        },
                        "peer_ou_identifier": {
                            "certificate": "<base64-encoded PEM: Org1 root CA certificate>",
                            "organizational_unit_identifier": "peer"
                        }
                    },
                    "intermediate_certs": [],
                    "name": "Org1MSP",
                    "organizational_unit_identifiers": [],
                    "revocation_list": [],
                    "root_certs": [
                        "<base64-encoded PEM: Org1 root CA certificate>"
                    ],
                    "signing_identity": null,
                    "tls_intermediate_certs": [],
                    "tls_root_certs": [
                        "<base64-encoded PEM: Org1 TLS root CA certificate>"
                    ]
                },
                "type": 0
            },
            "version": "0"
        }
    },
    "version": "1"
}

Start with the permission policy.

The Admins policy at this level is a concrete one. Here is its content:

{
    "mod_policy": "Admins",
    "policy": {
        "type": 1,
        "value": {
            "identities": [
                {
                    "principal": {
                        "msp_identifier": "Org1MSP",
                        "role": "ADMIN"
                    },
                    "principal_classification": "ROLE"
                }
            ],
            "rule": {
                "n_out_of": {
                    "n": 1,
                    "rules": [
                        {
                            "signed_by": 0
                        }
                    ]
                }
            },
            "version": 0
        }
    },
    "version": "0"
}

The policy type is 1 (SIGNATURE), and the value corresponds to the following structure:

// SignaturePolicyEnvelope wraps a SignaturePolicy and includes a version for future enhancements
message SignaturePolicyEnvelope {
    int32 version = 1;
    SignaturePolicy rule = 2;
    repeated MSPPrincipal identities = 3;
}

// SignaturePolicy is a recursive message structure which defines a featherweight DSL for describing
// policies which are more complicated than 'exactly this signature'. The NOutOf operator is sufficient
// to express AND as well as OR, as well as of course N out of the following M policies
// SignedBy implies that the signature is from a valid certificate which is signed by the trusted
// authority specified in the bytes. This will be the certificate itself for a self-signed certificate
// and will be the CA for more traditional certificates
message SignaturePolicy {
    message NOutOf {
        int32 n = 1;
        repeated SignaturePolicy rules = 2;
    }
    oneof Type {
        int32 signed_by = 1;
        NOutOf n_out_of = 2;
    }
}

In a SignaturePolicyEnvelope, identities is the list of signing entities, and rule is the rule used to validate signatures. The rule is a SignaturePolicy, which is constructed recursively: n_out_of requires that n of its sub-rules be satisfied, and the recursion ends at signed_by, which requires a signature from the identity at that index in identities.

So the policy Admins means that there must be a signature from the ADMIN role of Org1MSP.

At this point, the permission policy definition is clear. Validation recurses from the ImplicitMetaPolicy at the top-level channel_group down to the SignaturePolicyEnvelope at the Org1MSP level.
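The recursion described above, from an element's mod_policy through ImplicitMetaPolicy down to signed_by, as an added example that is not part of the original article or of Fabric's code. It assumes signatures have already been verified and reduced to (msp_id, role) pairs, that a relative mod_policy is resolved in the element's own group while one starting with "/" is resolved from the channel root, and that a group with no sub-groups satisfies any implicit meta rule; the organization name OrdererMSP and all helper names are constructed for the sample.

```python
# Constructed sample tree, trimmed to the fields the evaluator reads.
def sig(msp, roles):
    """SIGNATURE policy (type 1): 1-out-of the listed roles of one MSP."""
    ids = [{"principal": {"msp_identifier": msp, "role": r},
            "principal_classification": "ROLE"} for r in roles]
    rule = {"n_out_of": {"n": 1, "rules": [{"signed_by": i} for i in range(len(ids))]}}
    return {"mod_policy": "Admins",
            "policy": {"type": 1, "value": {"identities": ids, "rule": rule}}}

def meta(rule, sub_policy):
    """IMPLICIT_META policy (type 3)."""
    return {"mod_policy": "Admins",
            "policy": {"type": 3, "value": {"rule": rule, "sub_policy": sub_policy}}}

def org_group(orgs, values):
    """A group whose sub-groups are organizations with a 1-of-ADMIN Admins policy."""
    subs = {m: {"groups": {}, "values": {}, "policies": {"Admins": sig(m, ["ADMIN"])}}
            for m in orgs}
    return {"groups": subs, "values": values,
            "policies": {"Admins": meta("MAJORITY", "Admins")}}

CHANNEL = {
    "groups": {
        "Application": org_group(["Org1MSP", "Org2MSP"],
                                 {"Capabilities": {"mod_policy": "Admins"}}),
        "Orderer": org_group(["OrdererMSP"], {}),  # OrdererMSP is an assumed name
    },
    "policies": {"Admins": meta("MAJORITY", "Admins")},
    "values": {"HashingAlgorithm": {"mod_policy": "Admins"},
               "OrdererAddresses": {"mod_policy": "/Channel/Orderer/Admins"}},
}

def eval_signature(rule, identities, signers):
    """Recurse through n_out_of until signed_by; signers is a set of (msp_id, role)."""
    if "signed_by" in rule:
        p = identities[rule["signed_by"]]["principal"]
        return (p["msp_identifier"], p["role"]) in signers
    n_of = rule["n_out_of"]
    hits = sum(eval_signature(r, identities, signers) for r in n_of["rules"])
    return hits >= n_of["n"]

def eval_policy(node, name, signers):
    """Evaluate policy `name` defined in group `node`."""
    entry = node["policies"].get(name)
    if entry is None:                      # a missing policy counts as unsatisfied
        return False
    ptype, value = entry["policy"]["type"], entry["policy"]["value"]
    if ptype == 1:                         # SIGNATURE
        return eval_signature(value["rule"], value["identities"], signers)
    if ptype == 3:                         # IMPLICIT_META: ask every immediate sub-group
        subs = [eval_policy(g, value["sub_policy"], signers)
                for g in node["groups"].values()]
        need = {"ANY": 1, "ALL": len(subs), "MAJORITY": len(subs) // 2 + 1}[value["rule"]]
        return not subs or sum(subs) >= need
    raise ValueError(f"unsupported policy type {ptype}")

def resolve_mod_policy(root, group_path, mod_policy):
    """Return (group, policy name) that a mod_policy string points at."""
    parts = mod_policy.split("/")
    if mod_policy.startswith("/"):
        path = parts[2:-1]                 # drop "" and the root name "Channel"
    else:
        path = list(group_path) + parts[:-1]
    node = root
    for name in path:
        node = node["groups"][name]
    return node, parts[-1]

def can_modify(root, group_path, section, key, signers):
    """May `signers` change root/<group_path>/<section>/<key>?"""
    node = root
    for name in group_path:
        node = node["groups"][name]
    mod_policy = node[section][key]["mod_policy"]
    target, policy_name = resolve_mod_policy(root, group_path, mod_policy)
    return eval_policy(target, policy_name, signers)

if __name__ == "__main__":
    admins = {("Org1MSP", "ADMIN"), ("Org2MSP", "ADMIN")}
    print(can_modify(CHANNEL, [], "values", "HashingAlgorithm", admins))
```

With only the two application admins signing, the HashingAlgorithm change is rejected, because the channel-level MAJORITY over two sub-groups also needs the Orderer group's Admins policy to pass.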

Here’s the values section.

{
    "AnchorPeers": {
        "mod_policy": "Admins",
        "value": {
            "anchor_peers": [
                {
                    "host": "peer0.org1.example.com",
                    "port": 7051
                }
            ]
        },
        "version": "0"
    },
    "MSP": {
        ...
        "version": "0"
    }
}

– Part 1: AnchorPeers is the list of anchor nodes of organization 1. Anchor nodes communicate with the anchor nodes of other organizations over P2P and synchronize transactions using the Gossip protocol.

– Part 2: MSP, again looking directly at protobuf structures:

// MSPConfig collects all the configuration information for
// an MSP. The Config field should be unmarshalled in a way
// that depends on the Type
message MSPConfig {
    // Type holds the type of the MSP; the default one would
    // be of type FABRIC implementing an X.509 based provider
    int32 type = 1;

    // Config is MSP dependent configuration info
    bytes config = 2;
}

MSP is the channelMSP mentioned earlier.

The config content is as follows:

{
    "admins": [],
    "crypto_config": {
        "identity_identifier_hash_function": "SHA256",
        "signature_hash_family": "SHA2"
    },
    "fabric_node_ous": {
        "admin_ou_identifier": {
            "certificate": "<base64-encoded PEM: Org1 root CA certificate>",
            "organizational_unit_identifier": "admin"
        },
        "client_ou_identifier": {
            "certificate": "<base64-encoded PEM: Org1 root CA certificate>",
            "organizational_unit_identifier": "client"
        },
        "enable": true,
        "orderer_ou_identifier": {
            "certificate": "<base64-encoded PEM: Org1 root CA certificate>",
            "organizational_unit_identifier": "orderer"
        },
        "peer_ou_identifier": {
            "certificate": "<base64-encoded PEM: Org1 root CA certificate>",
            "organizational_unit_identifier": "peer"
        }
    },
    "intermediate_certs": [],
    "name": "Org1MSP",
    "organizational_unit_identifiers": [],
    "revocation_list": [],
    "root_certs": [
        "<base64-encoded PEM: Org1 root CA certificate>"
    ],
    "signing_identity": null,
    "tls_intermediate_certs": [],
    "tls_root_certs": [
        "<base64-encoded PEM: Org1 TLS root CA certificate>"
    ]
}

Proto structure is as follows:

// FabricMSPConfig collects all the configuration information for
// a Fabric MSP.
// Here we assume a default certificate validation policy, where
// any certificate signed by any of the listed rootCA certs would
// be considered as valid under this MSP.
// This MSP may or may not come with a signing identity. If it does,
// it can also issue signing identities. If it does not, it can only
// be used to validate and verify certificates.
message FabricMSPConfig {
    // Name holds the identifier of the MSP; MSP identifier
    // is chosen by the application that governs this MSP.
    // For example, and assuming the default implementation of MSP,
    // that is X.509-based and considers a single Issuer,
    // this can refer to the Subject OU field or the Issuer OU field.
    string name = 1;

    // List of root certificates trusted by this MSP
    // they are used upon certificate validation (see
    // comment for IntermediateCerts below)
    repeated bytes root_certs = 2;

    // List of intermediate certificates trusted by this MSP;
    // they are used upon certificate validation as follows:
    // validation attempts to build a path from the certificate
    // to be validated (which is at one end of the path) and
    // one of the certs in the RootCerts field (which is at
    // the other end of the path). If the path is longer than
    // 2, certificates in the middle are searched within the
    // IntermediateCerts pool
    repeated bytes intermediate_certs = 3;

    // Identity denoting the administrator of this MSP
    repeated bytes admins = 4;

    // Identity revocation list
    repeated bytes revocation_list = 5;

    // SigningIdentity holds information on the signing identity
    // this peer is to use, and which is to be imported by the
    // MSP defined before
    SigningIdentityInfo signing_identity = 6;

    // OrganizationalUnitIdentifiers holds one or more
    // fabric organizational unit identifiers that belong to
    // this MSP configuration
    repeated FabricOUIdentifier organizational_unit_identifiers = 7;

    // FabricCryptoConfig contains the configuration parameters
    // for the cryptographic algorithms used by this MSP
    FabricCryptoConfig crypto_config = 8;

    // List of TLS root certificates trusted by this MSP.
    // They are returned by GetTLSRootCerts.
    repeated bytes tls_root_certs = 9;

    // List of TLS intermediate certificates trusted by this MSP;
    // They are returned by GetTLSIntermediateCerts.
    repeated bytes tls_intermediate_certs = 10;

    // fabric_node_ous contains the configuration to distinguish clients from peers from orderers
    // based on the OUs.
    FabricNodeOUs fabric_node_ous = 11;
}

LocalMSP and channelMSP use the same structure. The meaning of each field is clearly explained in the comments, so we focus on fabric_node_ous. fabric_node_ous specifies the client, peer, admin, and orderer roles. certificate sets the issuer of the certificates for these roles. organizational_unit_identifier specifies their names, which must be consistent with the OU used by their CA.

// FabricNodeOUs contains configuration to tell apart clients from peers from orderers
// based on OUs. If NodeOUs recognition is enabled then an msp identity
// that does not contain any of the specified OU will be considered invalid.
message FabricNodeOUs {
    // If true then an msp identity that does not contain any of the specified OU will be considered invalid.
    bool   enable = 1;

    // OU Identifier of the clients
    FabricOUIdentifier client_ou_identifier = 2;

    // OU Identifier of the peers
    FabricOUIdentifier peer_ou_identifier = 3;

    // OU Identifier of the admins
    FabricOUIdentifier admin_ou_identifier = 4;

    // OU Identifier of the orderers
    FabricOUIdentifier orderer_ou_identifier = 5;
}

// FabricOUIdentifier represents an organizational unit and
// its related chain of trust identifier.
message FabricOUIdentifier {

    // Certificate represents the second certificate in a certification chain.
    // (Notice that the first certificate in a certification chain is supposed
    // to be the certificate of an identity).
    // It must correspond to the certificate of root or intermediate CA
    // recognized by the MSP this message belongs to.
    // Starting from this certificate, a certification chain is computed
    // and bound to the OrganizationUnitIdentifier specified
    bytes certificate = 1;

    // OrganizationUnitIdentifier defines the organizational unit under the
    // MSP identified with MSPIdentifier
    string organizational_unit_identifier = 2;
}

Similarly, the Orderer group records its own policies and configuration, such as the consensus type used for ordering, in this case SOLO.

2. Access Control List (ACL)

In the ACL part, you can control permissions at a finer granularity, such as adding permissions for calling a chaincode method. The settings are similar to those above.

You can add your own policies in two ways: modify configtx.yaml before initializing the channel, or, for an existing channel, fetch the configuration block, modify the configuration, and send a configuration update transaction.