How to add a new organization without updating the channel configuration (channel update)?
We already have the Fabric network set up. There are ORG1 and ORG2 in the consortium defined in configtx.yaml already. Each organization has its own Root CAs. And ORG2 has an intermediate CA in addition.
configtx.yaml:
```yaml
---
################################################################################
#
#   ORGANIZATIONS
#
#   This section defines the organizational identities that can be referenced
#   in the configuration profiles.
#
################################################################################
Organizations:
    - &OrdererOrg
        Name: OrdererOrg
        ID: ORDERER
        MSPDir: crypto-config/ordererOrganizations/ordererorg/msp
        Policies: &OrdererOrgPolicies
            Readers:
                Type: Signature
                Rule: "OR('ORDERER.member')"
            Writers:
                Type: Signature
                Rule: "OR('ORDERER.member')"
            Admins:
                Type: Signature
                Rule: "OR('ORDERER.admin')"
    - &ORG1
        Name: ORG1
        ID: ORG1
        MSPDir: crypto-config/peerOrganizations/ORG1.com/msp
        Policies: &Org1Policies
            Readers:
                Type: Signature
                Rule: "OR('ORG1.member')"
            Writers:
                Type: Signature
                Rule: "OR('ORG1.member')"
            Admins:
                Type: Signature
                Rule: "OR('ORG1.admin')"
        AnchorPeers:
            - Host: peer0
              Port: 7051
    - &ORG2
        Name: ORG2
        ID: ORG2
        MSPDir: crypto-config/ORG2/ORG2.com/msp
        Policies: &Org2Policies
            Readers:
                Type: Signature
                Rule: "OR('ORG2.member')"
            Writers:
                Type: Signature
                Rule: "OR('ORG2.member')"
            Admins:
                Type: Signature
                Rule: "OR('ORG2.admin')"
        AnchorPeers:
            - Host: peer1
              Port: 7051
.
.
.
.
    SingleMSPSolo:
        <<: *ChannelDefaults
        Orderer:
            <<: *OrdererDefaults
            Addresses:
                - kiesnet-dev-orderer:7050
            Organizations:
                - *OrdererOrg
        Consortiums:
            DevConsortium:
                Organizations:
                    - *ORG1
                    - *ORG2
    SingleMSPChannel:
        Consortium: DevConsortium
        Application:
            <<: *ApplicationDefaults
            Organizations:
                - *ORG1
                - *ORG2
```
ORG2's root CA and the intermediate CA will have the same MSPID (which is "ORG2"), and the end users will only be enrolled from the intermediate CA server.
Here's the problem.
In the above configtx.yaml, "MSPDir: crypto-config/ORG/ORG2.com/msp" is the ROOT CA's msp directory path, NOT the intermediate's.
However, the end users are only enrolled from the intermediate server, and when those users try to query/invoke on ORG1's peer, we get this error:
```
Error: error endorsing query: rpc error: code = Unknown desc = access denied: channel [ORG1] creator org [ORG2] - proposal response: <nil>
```
If we test with an end user's certificate which was enrolled from ORG2's root CA, the user can query/invoke on ORG1's peer just fine.
How do we tell the network (channel) to trust the users enrolled from the intermediate CA without doing the peer channel update or modifying the channel config file?
The business reason behind this is that, from ORG2, there can be many intermediate CA servers added in the future, so we don't want to update the channel configuration each time we have new intermediate CAs. So once we have registered ORG2's ROOT CA (when we set up the network the first time), we want to trust all users enrolled from its intermediate CA(s).
I think there should be a way to tell the network to trust all the users enrolled from any intermediate CAs if the intermediate CA is from ORG2's root CA.
hyperledger-fabric
edited Mar 28 at 9:31
Vadim Kotov
asked Mar 28 at 1:51
Sam Lee