I created a small Hyperledger Fabric network where I have a single channel with a single organization and a few peers, along with an ordering service.
After going through the normal steps of creating my cryptographic materials, genesis block and channel.tx file, I tried to create my channel in a cli container using the command:
peer channel create -o orderer.example.com:7050 -c mychannel -f ./channel-artifacts/channel.tx --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
After this, I received the following error:
Error: got unexpected status: FORBIDDEN -- Failed to reach implicit threshold of 1 sub-policies, required 1 remaining: permission denied
A part of the output of the cli container logs file:
2019-02-15 20:14:57.323 UTC [orderer/common/server] Start -> INFO 0ab Beginning to serve requests
2019-02-15 20:15:00.063 UTC [orderer/common/server] Deliver -> DEBU 0ac Starting new Deliver handler
2019-02-15 20:15:00.064 UTC [common/deliver] Handle -> DEBU 0ad Starting new deliver loop for 192.168.176.6:38938
2019-02-15 20:15:00.064 UTC [common/deliver] Handle -> DEBU 0ae Attempting to read seek info message from 192.168.176.6:38938
2019-02-15 20:15:00.068 UTC [orderer/common/server] Broadcast -> DEBU 0af Starting new Broadcast handler
2019-02-15 20:15:00.068 UTC [orderer/common/broadcast] Handle -> DEBU 0b0 Starting new broadcast loop for 192.168.176.6:38940
2019-02-15 20:15:00.068 UTC [orderer/common/broadcast] Handle -> DEBU 0b1 [channel: mychannel] Broadcast is processing config update message from 192.168.176.6:38940
2019-02-15 20:15:00.068 UTC [orderer/common/msgprocessor] ProcessConfigUpdateMsg -> DEBU 0b2 Processing config update tx with system channel message processor for channel ID mychannel
2019-02-15 20:15:00.068 UTC [orderer/common/msgprocessor] ProcessConfigUpdateMsg -> DEBU 0b3 Processing config update message for channel mychannel
2019-02-15 20:15:00.069 UTC [policies] Evaluate -> DEBU 0b4 == Evaluating *policies.implicitMetaPolicy Policy /Channel/Writers ==
2019-02-15 20:15:00.069 UTC [policies] Evaluate -> DEBU 0b5 This is an implicit meta policy, it will trigger other policy evaluations, whose failures may be benign
2019-02-15 20:15:00.069 UTC [policies] Evaluate -> DEBU 0b6 == Evaluating *policies.implicitMetaPolicy Policy /Channel/Orderer/Writers ==
2019-02-15 20:15:00.069 UTC [policies] Evaluate -> DEBU 0b7 This is an implicit meta policy, it will trigger other policy evaluations, whose failures may be benign
2019-02-15 20:15:00.069 UTC [policies] Evaluate -> DEBU 0b8 == Evaluating *cauthdsl.policy Policy /Channel/Orderer/OrdererOrg/Writers ==
2019-02-15 20:15:00.069 UTC [msp] DeserializeIdentity -> DEBU 0b9 Obtaining identity
2019-02-15 20:15:00.069 UTC [msp/identity] newIdentity -> DEBU 0ba Creating identity instance for cert -----BEGIN CERTIFICATE-----
MIICEzCCAbmgAwIBAgIQSNAnza0BnDG0ZBvOSPenpDAKBggqhkjOPQQDAjBvMQsw
(LONG TEXTS)9XYOAcEPDg==
-----END CERTIFICATE-----
2019-02-15 20:15:00.069 UTC [cauthdsl] func1 -> DEBU 0bb 0xc42016e118 gate 1550261700069869014 evaluation starts
2019-02-15 20:15:00.069 UTC [cauthdsl] func2 -> DEBU 0bc 0xc42016e118 signed by 0 principal evaluation starts (used [false])
2019-02-15 20:15:00.069 UTC [cauthdsl] func2 -> DEBU 0bd 0xc42016e118 processing identity 0 with bytes of
2019-02-15 20:15:00.070 UTC [cauthdsl] func2 -> DEBU 0be 0xc42016e118 identity 0 does not satisfy principal: the identity is a member of a different MSP (expected OrdererMSP, got dlMSP)
2019-02-15 20:15:00.070 UTC [cauthdsl] func2 -> DEBU 0bf 0xc42016e118 principal evaluation fails
2019-02-15 20:15:00.070 UTC [cauthdsl] func1 -> DEBU 0c0 0xc42016e118 gate 1550261700069869014 evaluation fails
2019-02-15 20:15:00.070 UTC [policies] Evaluate -> DEBU 0c1 Signature set did not satisfy policy /Channel/Orderer/OrdererOrg/Writers
2019-02-15 20:15:00.070 UTC [policies] Evaluate -> DEBU 0c2 == Done Evaluating *cauthdsl.policy Policy /Channel/Orderer/OrdererOrg/Writers
2019-02-15 20:15:00.070 UTC [policies] func1 -> DEBU 0c3 Evaluation Failed: Only 0 policies were satisfied, but needed 1 of [ OrdererOrg.Writers ]
2019-02-15 20:15:00.070 UTC [policies] Evaluate -> DEBU 0c4 Signature set did not satisfy policy /Channel/Orderer/Writers
2019-02-15 20:15:00.070 UTC [policies] Evaluate -> DEBU 0c5 == Done Evaluating *policies.implicitMetaPolicy Policy /Channel/Orderer/Writers
2019-02-15 20:15:00.070 UTC [policies] func1 -> DEBU 0c6 Evaluation Failed: Only 0 policies were satisfied, but needed 1 of [ Orderer.Writers Consortiums.Writers ]
2019-02-15 20:15:00.070 UTC [policies] Evaluate -> DEBU 0c7 Signature set did not satisfy policy /Channel/Writers
2019-02-15 20:15:00.070 UTC [policies] Evaluate -> DEBU 0c8 == Done Evaluating *policies.implicitMetaPolicy Policy /Channel/Writers
2019-02-15 20:15:00.070 UTC [orderer/common/broadcast] Handle -> WARN 0c9 [channel: mychannel] Rejecting broadcast of config message from 192.168.176.6:38940 because of error: Failed to reach implicit threshold of 1 sub-policies, required 1 remaining: permission denied
2019-02-15 20:15:00.070 UTC [orderer/common/server] func1 -> DEBU 0ca Closing Broadcast stream
2019-02-15 20:15:00.072 UTC [grpc] warningf -> DEBU 0cb transport: http2Server.HandleStreams failed to read frame: read tcp 192.168.176.4:7050->192.168.176.6:38940: read: connection reset by peer
2019-02-15 20:15:00.072 UTC [grpc] infof -> DEBU 0cc transport: loopyWriter.run returning. connection error: desc = "transport is closing"
2019-02-15 20:15:00.073 UTC [common/deliver] Handle -> WARN 0cd Error reading from 192.168.176.6:38938: rpc error: code = Canceled desc = context canceled
2019-02-15 20:15:00.073 UTC [orderer/common/server] func1 -> DEBU 0cf Closing Deliver stream
2019-02-15 20:15:00.073 UTC [grpc] infof -> DEBU 0ce transport: loopyWriter.run returning. connection error: desc = "transport is closing"
The configtx.yaml file:
Organizations:
    - &OrdererOrg
        Name: OrdererOrg
        ID: OrdererMSP
        MSPDir: crypto-config/ordererOrganizations/example.com/msp
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('OrdererMSP.member')"
            Writers:
                Type: Signature
                Rule: "OR('OrdererMSP.member')"
            Admins:
                Type: Signature
                Rule: "OR('OrdererMSP.admin')"
    - &dl
        Name: dlMSP
        ID: dlMSP
        MSPDir: crypto-config/peerOrganizations/dl.example.com/msp
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('dlMSP.admin', 'dlMSP.peer', 'dlMSP.client')"
            Writers:
                Type: Signature
                Rule: "OR('dlMSP.admin', 'dlMSP.client')"
            Admins:
                Type: Signature
                Rule: "OR('dlMSP.admin')"
Capabilities:
    Channel: &ChannelCapabilities
        V1_3: true
    Orderer: &OrdererCapabilities
        V1_1: true
    Application: &ApplicationCapabilities
        V1_3: true
        V1_2: false
        V1_1: false
Application: &ApplicationDefaults
    Organizations:
    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
Orderer: &OrdererDefaults
    OrdererType: solo
    Addresses:
        - orderer.example.com:7050
    BatchTimeout: 2s
    BatchSize:
        MaxMessageCount: 10
        AbsoluteMaxBytes: 99 MB
        PreferredMaxBytes: 512 KB
    Kafka:
        Brokers:
            - 127.0.0.1:9092
    Organizations:
    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
        BlockValidation:
            Type: ImplicitMeta
            Rule: "ANY Writers"
Channel: &ChannelDefaults
    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
    Capabilities:
        <<: *ChannelCapabilities
Profiles:
    SingleOrgOrdererGenesis:
        <<: *ChannelDefaults
        Orderer:
            <<: *OrdererDefaults
            Organizations:
                - *OrdererOrg
            Capabilities:
                <<: *OrdererCapabilities
        Consortiums:
            SampleConsortium:
                Organizations:
                    - *dl
    SingleOrgChannel:
        Consortium: SampleConsortium
        Application:
            <<: *ApplicationDefaults
            Organizations:
                - *dl
            Capabilities:
                <<: *ApplicationCapabilities
The crypto-config.yaml file:
OrdererOrgs:
  - Name: orderer
    Domain: example.com
    Specs:
      - Hostname: orderer
PeerOrgs:
  - Name: dl
    Domain: dl.example.com
    EnableNodeOUs: true
    Template:
      Count: 3 #NUMBER OF PEERS
    Users:
      Count: 2 #NUMBER OF USERS APART FROM THE ADMIN
The docker-compose-cli.yaml file:
version: '2'
volumes:
  orderer.example.com:
  peer0.dl.example.com:
  peer1.dl.example.com:
  peer2.dl.example.com:
networks:
  v1:
services:
  orderer.example.com:
    extends:
      file: base/docker-compose-base.yaml
      service: orderer.example.com
    container_name: orderer.example.com
    networks:
      - v1
  peer0.dl.example.com:
    container_name: peer0.dl.example.com
    extends:
      file: base/docker-compose-base.yaml
      service: peer0.dl.example.com
    networks:
      - v1
  peer1.dl.example.com:
    container_name: peer1.dl.example.com
    extends:
      file: base/docker-compose-base.yaml
      service: peer1.dl.example.com
    networks:
      - v1
  peer2.dl.example.com:
    container_name: peer2.dl.example.com
    extends:
      file: base/docker-compose-base.yaml
      service: peer2.dl.example.com
    networks:
      - v1
  cli:
    container_name: cli
    image: hyperledger/fabric-tools:$IMAGE_TAG
    tty: true
    stdin_open: true
    environment:
      - GOPATH=/opt/gopath
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      #- CORE_LOGGING_LEVEL=DEBUG
      - CORE_LOGGING_LEVEL=INFO
      - CORE_PEER_ID=cli
      - CORE_PEER_ADDRESS=peer0.dl.example.com:7051
      - CORE_PEER_LOCALMSPID=dlMSP
      - CORE_PEER_TLS_ENABLED=true
      - CORE_PEER_TLS_CERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/dl.example.com/peers/peer0.dl.example.com/tls/server.crt
      - CORE_PEER_TLS_KEY_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/dl.example.com/peers/peer0.dl.example.com/tls/server.key
      - CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/dl.example.com/peers/peer0.dl.example.com/tls/ca.crt
      - CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/dl.example.com/users/[email protected]/msp
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer
    command: /bin/bash
    volumes:
      - /var/run/:/host/var/run/
      - ./../chaincode/:/opt/gopath/src/github.com/chaincode
      - ./crypto-config:/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/
      - ./scripts:/opt/gopath/src/github.com/hyperledger/fabric/peer/scripts/
      - ./channel-artifacts:/opt/gopath/src/github.com/hyperledger/fabric/peer/channel-artifacts
    depends_on:
      - orderer.example.com
      - peer0.dl.example.com
      - peer1.dl.example.com
      - peer2.dl.example.com
    networks:
      - v1
The docker-compose-base.yaml file:
version: '2'
services:
  orderer.example.com:
    container_name: orderer.example.com
    image: hyperledger/fabric-orderer:$IMAGE_TAG
    environment:
      #- ORDERER_GENERAL_LOGLEVEL=INFO
      - ORDERER_GENERAL_LOGLEVEL=DEBUG
      - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
      - ORDERER_GENERAL_GENESISMETHOD=file
      - ORDERER_GENERAL_GENESISFILE=/var/hyperledger/orderer/orderer.genesis.block
      - ORDERER_GENERAL_LOCALMSPID=OrdererMSP
      - ORDERER_GENERAL_LOCALMSPDIR=/var/hyperledger/orderer/msp
      # enabled TLS
      - ORDERER_GENERAL_TLS_ENABLED=true
      - ORDERER_GENERAL_TLS_PRIVATEKEY=/var/hyperledger/orderer/tls/server.key
      - ORDERER_GENERAL_TLS_CERTIFICATE=/var/hyperledger/orderer/tls/server.crt
      - ORDERER_GENERAL_TLS_ROOTCAS=[/var/hyperledger/orderer/tls/ca.crt]
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric
    command: orderer
    volumes:
      - ../channel-artifacts/genesis.block:/var/hyperledger/orderer/orderer.genesis.block
      - ../crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/msp:/var/hyperledger/orderer/msp
      - ../crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/tls/:/var/hyperledger/orderer/tls
      - orderer.example.com:/var/hyperledger/production/orderer
    ports:
      - 7050:7050
  peer0.dl.example.com:
    container_name: peer0.dl.example.com
    extends:
      file: peer-base.yaml
      service: peer-base
    environment:
      - CORE_PEER_ID=peer0.dl.example.com
      - CORE_PEER_ADDRESS=peer0.dl.example.com:7051
      - CORE_PEER_GOSSIP_BOOTSTRAP=peer1.dl.example.com:7051
      # - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer0.dl.example.com:7051
      - CORE_PEER_LOCALMSPID=dlMSP
    volumes:
      - /var/run/:/host/var/run/
      - ../crypto-config/peerOrganizations/dl.example.com/peers/peer0.dl.example.com/msp:/etc/hyperledger/fabric/msp
      - ../crypto-config/peerOrganizations/dl.example.com/peers/peer0.dl.example.com/tls:/etc/hyperledger/fabric/tls
      - peer0.dl.example.com:/var/hyperledger/production
    ports:
      - 7051:7051
      - 7053:7053
  peer1.dl.example.com:
    container_name: peer1.dl.example.com
    extends:
      file: peer-base.yaml
      service: peer-base
    environment:
      - CORE_PEER_ID=peer1.dl.example.com
      - CORE_PEER_ADDRESS=peer1.dl.example.com:7051
      # - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer1.dl.example.com:7051
      - CORE_PEER_GOSSIP_BOOTSTRAP=peer0.dl.example.com:7051
      - CORE_PEER_LOCALMSPID=dlMSP
    volumes:
      - /var/run/:/host/var/run/
      - ../crypto-config/peerOrganizations/dl.example.com/peers/peer1.dl.example.com/msp:/etc/hyperledger/fabric/msp
      - ../crypto-config/peerOrganizations/dl.example.com/peers/peer1.dl.example.com/tls:/etc/hyperledger/fabric/tls
      - peer1.dl.example.com:/var/hyperledger/production
    ports:
      - 8051:7051
      - 8053:7053
  peer2.dl.example.com:
    container_name: peer2.dl.example.com
    extends:
      file: peer-base.yaml
      service: peer-base
    environment:
      - CORE_PEER_ID=peer2.dl.example.com
      - CORE_PEER_ADDRESS=peer2.dl.example.com:7051
      # - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer0.dl.example.com:7051
      - CORE_PEER_GOSSIP_BOOTSTRAP=peer1.dl.example.com:7051
      - CORE_PEER_LOCALMSPID=dlMSP
    volumes:
      - /var/run/:/host/var/run/
      - ../crypto-config/peerOrganizations/dl.example.com/peers/peer2.dl.example.com/msp:/etc/hyperledger/fabric/msp
      - ../crypto-config/peerOrganizations/dl.example.com/peers/peer2.dl.example.com/tls:/etc/hyperledger/fabric/tls
      - peer2.dl.example.com:/var/hyperledger/production
    ports:
      - 9051:7051
      - 9053:7053
Link to my code: https://mega.nz/#F!vJIUWKgZ!hx1geJ916PH0LrKKe5Q0RA!LQRBmITR
Try using different names for ChannelID in the commands (here the ChannelID value is byfn-sys-channel, the so-called "system channel"):
../bin/configtxgen -profile TwoOrgsOrdererGenesis -channelID byfn-sys-channel -outputBlock ./channel-artifacts/genesis.block
and all the rest of the commands with ChannelID (here it is a DIFFERENT channel, with ChannelID mychannel):
export CHANNEL_NAME=mychannel && ../bin/configtxgen -profile TwoOrgsChannel -outputCreateChannelTx ./channel-artifacts/channel.tx -channelID $CHANNEL_NAME
...
export CHANNEL_NAME=mychannel
peer channel create -o orderer.example.com:7050 -c $CHANNEL_NAME -f ./channel-artifacts/channel.tx --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem
I've got the same error.
Error: got unexpected status: FORBIDDEN -- implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Writers' sub-policies to be satisfied: permission denied
After removing everything in Docker using this command, the error is solved.
docker stop $(docker ps -a -q) ; docker rm -f $(docker ps -aq) ; docker system prune -a ; docker volume prune ; docker ps -a ; docker images -a ; docker volume ls
Especially the 'docker volume prune' command is important.
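The policy chain in the orderer DEBUG log quoted in the question can be read mechanically. The following is an added example, not code from the original posts or from the Fabric project; the function names `triage` and `explain` are hypothetical. It extracts the failed policies, the MSP mismatch and the rejected channel from such log lines.

```python
import re

# Excerpt of the orderer DEBUG lines quoted in the question (timestamps trimmed).
SAMPLE_LOG = """\
[policies] Evaluate -> DEBU 0b4 == Evaluating *policies.implicitMetaPolicy Policy /Channel/Writers ==
[policies] Evaluate -> DEBU 0b6 == Evaluating *policies.implicitMetaPolicy Policy /Channel/Orderer/Writers ==
[policies] Evaluate -> DEBU 0b8 == Evaluating *cauthdsl.policy Policy /Channel/Orderer/OrdererOrg/Writers ==
[cauthdsl] func2 -> DEBU 0be 0xc42016e118 identity 0 does not satisfy principal: the identity is a member of a different MSP (expected OrdererMSP, got dlMSP)
[policies] Evaluate -> DEBU 0c1 Signature set did not satisfy policy /Channel/Orderer/OrdererOrg/Writers
[policies] func1 -> DEBU 0c3 Evaluation Failed: Only 0 policies were satisfied, but needed 1 of [ OrdererOrg.Writers ]
[policies] Evaluate -> DEBU 0c4 Signature set did not satisfy policy /Channel/Orderer/Writers
[policies] func1 -> DEBU 0c6 Evaluation Failed: Only 0 policies were satisfied, but needed 1 of [ Orderer.Writers Consortiums.Writers ]
[policies] Evaluate -> DEBU 0c7 Signature set did not satisfy policy /Channel/Writers
[orderer/common/broadcast] Handle -> WARN 0c9 [channel: mychannel] Rejecting broadcast of config message from 192.168.176.6:38940 because of error: Failed to reach implicit threshold of 1 sub-policies, required 1 remaining: permission denied
"""

EVAL = re.compile(r"== Evaluating \*(\S+) Policy (\S+) ==")
FAIL = re.compile(r"Signature set did not satisfy policy (\S+)")
NEED = re.compile(r"Only (\d+) policies were satisfied, but needed (\d+) of \[ (.*?) \]")
MSP = re.compile(r"member of a different MSP \(expected (\w+), got (\w+)\)")
REJECT = re.compile(r"\[channel: (\S+)\] Rejecting broadcast of config message from (\S+) because")

def triage(log_text):
    """Collect policy evaluations, failures and the MSP mismatch from orderer DEBUG lines."""
    r = {"evaluated": [], "failed": [], "needed": [], "msp": None, "rejected": None}
    for line in log_text.splitlines():
        if m := EVAL.search(line):
            r["evaluated"].append((m.group(2), m.group(1)))  # (policy path, policy type)
        elif m := FAIL.search(line):
            r["failed"].append(m.group(1))  # logged leaf first, root last
        elif m := NEED.search(line):
            r["needed"].append((int(m.group(1)), int(m.group(2)), m.group(3).split()))
        elif m := MSP.search(line):
            r["msp"] = {"expected": m.group(1), "got": m.group(2)}
        elif m := REJECT.search(line):
            r["rejected"] = {"channel": m.group(1), "client": m.group(2)}
    return r

def explain(r):
    """One-line verdict: root policy, failing leaf policy, and which MSP signed the request."""
    if not r["rejected"] or not r["failed"]:
        return "no rejected config update found"
    msp = r["msp"]
    who = f"signer is {msp['got']}, policy wants {msp['expected']}" if msp else "no MSP mismatch logged"
    return f"{r['rejected']['channel']}: {r['failed'][-1]} failed at {r['failed'][0]} ({who})"

if __name__ == "__main__":
    print(explain(triage(SAMPLE_LOG)))
```
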