Fabric / FAB-16846

Unable to create channel with Permission Denied when enabled NodeOU's and define Organizational Units


Details

    • Type: Bug
    • Status: To Do
    • Priority: Medium
    • Resolution: Unresolved
    • Affects Version/s: v1.4.0, v1.4.1, v1.4.2, v1.4.3
    • Fix Version/s: None
    • Component/s: fabric-crypto, fabric-peer
    • Steps to reproduce:
      1. generate crypto-config
      2. modify crypto-config/peerOrganizations/org1.example.com/msp/config.yaml
      3. copy the OU crypto artifacts
      4. generate Genesis.block and mychannel.tx
      5. bring the network up
      6. create the channel using the org1 admin

    Description

      Channel creation fails with the following error when I enable NodeOUs and modify the msp/config.yaml file to define my own Organizational Units.

      error validating channel creation transaction for new channel 'mychannel', could not succesfully apply update to template configuration: error authorizing update: error validating DeltaSet: policy for [Group]  /Channel/Application not satisfied: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Admins' sub-policies to be satisfied
      

      Here is the identity whose check failed:

      Certificate:
          Data:
              Version: 3 (0x2)
              Serial Number:
                  a9:f9:13:88:17:22:64:ff:5a:ec:cd:5d:a0:5b:3c:e9
          Signature Algorithm: ecdsa-with-SHA256
              Issuer: C=US, ST=California, L=San Francisco, O=org1.example.com, CN=ca.org1.example.com
              Validity
                  Not Before: Oct 11 02:33:00 2019 GMT
                  Not After : Oct  8 02:33:00 2029 GMT
              Subject: C=US, ST=California, L=San Francisco, OU=admin, CN=Admin@org1.example.com
              Subject Public Key Info:
                  Public Key Algorithm: id-ecPublicKey
                      Public-Key: (256 bit)
                      pub: 
                          04:84:de:91:6c:77:b1:7b:99:2b:1d:37:dd:23:58:
                          52:34:6f:06:15:70:cb:8b:c3:5e:d4:39:d1:80:a8:
                          9e:f4:6e:12:67:72:04:36:6c:8e:f0:b2:c6:b1:e4:
                          15:63:7c:c1:6f:66:52:2a:60:1a:09:d0:ae:0d:61:
                          b4:f2:f5:75:b0
                      ASN1 OID: prime256v1
                      NIST CURVE: P-256
              X509v3 extensions:
                  X509v3 Key Usage: critical
                      Digital Signature
                  X509v3 Basic Constraints: critical
                      CA:FALSE
                  X509v3 Authority Key Identifier: 
                      keyid:89:13:7F:F5:7D:B9:7C:E5:2B:8B:16:A9:C2:3C:70:68:14:DE:A8:5D:4C:98:AD:F4:D5:5E:12:F8:28:B6:88:48
      
      
          Signature Algorithm: ecdsa-with-SHA256
               30:44:02:20:4b:06:d5:c8:dd:45:3a:98:a7:55:ed:be:bc:f1:
               a2:5f:d7:7b:77:1a:81:18:31:98:52:cd:5d:6a:54:f8:96:6e:
               02:20:37:29:c0:9a:22:af:11:bf:e6:87:4b:39:77:9d:e0:97:
               50:05:fa:71:d6:15:21:3e:38:c4:43:d7:21:26:d8:74

      Indeed, the problem is that validation of the identity with NodeOU 'admin' fails, because `msp.Validate(id)` runs `msp.validateIdentityOUsV1(id)`, which checks that the identity's OUs are compatible with those recognized by this MSP.

      if len(msp.ouIdentifiers) > 0 {
         found := false
      
         for _, OU := range id.GetOrganizationalUnits() {
            certificationIDs, exists := msp.ouIdentifiers[OU.OrganizationalUnitIdentifier]
      
            if exists {
               for _, certificationID := range certificationIDs {
                  if bytes.Equal(certificationID, OU.CertifiersIdentifier) {
                     found = true
                     break
                  }
               }
            }
         }
      
         if !found {
            if len(id.GetOrganizationalUnits()) == 0 {
               return errors.New("the identity certificate does not contain an Organizational Unit (OU)")
            }
            return errors.Errorf("none of the identity's organizational units [%v] are in MSP %s", id.GetOrganizationalUnits(), msp.name)
         }
      }
      

      Since I have defined my own OUs, the array msp.ouIdentifiers is not empty (it contains only the OrganizationalUnits I've defined and does not contain the node OUs), so the 'admin' OU will not be found.


      To fix this, check node_ou and the user-defined OrganizationalUnits in just one loop.
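The following is an added, self-contained model of the check discussed above; it is not Fabric's code and not part of the original report. The `MSP`, `Identity` and `OUIdentifier` types, the `newExampleMSP` setup (one custom OU "department1" in config.yaml plus NodeOUs enabled) and the `exampleCertifierID` value are all constructed for illustration. `validateOUsBuggy` reproduces the V1 loop quoted in the report, and `validateOUsFixed` is one reading of the reporter's "one loop" proposal: an OU is accepted if it matches either a user-defined OU or, when NodeOUs are enabled, a node OU (enforcing that node OU's certifier identifier when one is configured). It deliberately omits Fabric's other NodeOU rules (for example that an identity carry exactly one node OU).

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"errors"
	"fmt"
)

// OUIdentifier is an OU taken from an X.509 certificate together with the
// identifier (a hash) of the certificate chain that certified it.
type OUIdentifier struct {
	OrganizationalUnitIdentifier string
	CertifiersIdentifier         []byte
}

// Identity is a minimal, hypothetical stand-in for an MSP identity.
type Identity struct {
	Name string
	OUs  []OUIdentifier
}

func (id *Identity) GetOrganizationalUnits() []OUIdentifier { return id.OUs }

// MSP holds only the fields involved in the OU check: the user-defined
// OrganizationalUnitIdentifiers from config.yaml and the NodeOUs settings.
type MSP struct {
	name          string
	ouIdentifiers map[string][][]byte // user-defined OU -> accepted certifier identifiers
	ouEnforcement bool                // NodeOUs.Enable
	nodeOUs       []OUIdentifier      // client/peer/admin/orderer NodeOU entries
}

// exampleCertifierID is a constructed value standing in for the hash of the
// org1 CA chain; it is not taken from the report.
var exampleCertifierID = func() []byte {
	sum := sha256.Sum256([]byte("ca.org1.example.com chain (constructed)"))
	return sum[:]
}()

// newExampleMSP models the reporter's setup: one custom OU in config.yaml and
// NodeOUs enabled, with "admin" among the node OUs.
func newExampleMSP() *MSP {
	return &MSP{
		name:          "Org1MSP",
		ouIdentifiers: map[string][][]byte{"department1": {exampleCertifierID}},
		ouEnforcement: true,
		nodeOUs: []OUIdentifier{
			{OrganizationalUnitIdentifier: "client", CertifiersIdentifier: exampleCertifierID},
			{OrganizationalUnitIdentifier: "peer", CertifiersIdentifier: exampleCertifierID},
			{OrganizationalUnitIdentifier: "admin", CertifiersIdentifier: exampleCertifierID},
			{OrganizationalUnitIdentifier: "orderer", CertifiersIdentifier: exampleCertifierID},
		},
	}
}

func (msp *MSP) noOUError(id *Identity) error {
	if len(id.GetOrganizationalUnits()) == 0 {
		return errors.New("the identity certificate does not contain an Organizational Unit (OU)")
	}
	return fmt.Errorf("none of the identity's organizational units [%v] are in MSP %s", id.GetOrganizationalUnits(), msp.name)
}

// validateOUsBuggy mirrors the V1 loop quoted in the report: once any custom OU
// is defined, only those OUs are consulted, so a certificate carrying just the
// "admin" node OU is rejected.
func (msp *MSP) validateOUsBuggy(id *Identity) error {
	if len(msp.ouIdentifiers) == 0 {
		return nil
	}
	for _, ou := range id.GetOrganizationalUnits() {
		for _, certID := range msp.ouIdentifiers[ou.OrganizationalUnitIdentifier] {
			if bytes.Equal(certID, ou.CertifiersIdentifier) {
				return nil
			}
		}
	}
	return msp.noOUError(id)
}

// validateOUsFixed walks the identity's OUs once and accepts a match against a
// custom OU or, when NodeOUs are enabled, a node OU with a matching certifier.
func (msp *MSP) validateOUsFixed(id *Identity) error {
	if len(msp.ouIdentifiers) == 0 && !msp.ouEnforcement {
		return nil
	}
	for _, ou := range id.GetOrganizationalUnits() {
		for _, certID := range msp.ouIdentifiers[ou.OrganizationalUnitIdentifier] {
			if bytes.Equal(certID, ou.CertifiersIdentifier) {
				return nil
			}
		}
		if !msp.ouEnforcement {
			continue
		}
		for _, nodeOU := range msp.nodeOUs {
			if nodeOU.OrganizationalUnitIdentifier != ou.OrganizationalUnitIdentifier {
				continue
			}
			// An empty configured certifier identifier means any chain is acceptable.
			if len(nodeOU.CertifiersIdentifier) == 0 || bytes.Equal(nodeOU.CertifiersIdentifier, ou.CertifiersIdentifier) {
				return nil
			}
		}
	}
	return msp.noOUError(id)
}

func main() {
	msp := newExampleMSP()
	admin := &Identity{Name: "Admin@org1.example.com", OUs: []OUIdentifier{{OrganizationalUnitIdentifier: "admin", CertifiersIdentifier: exampleCertifierID}}}
	fmt.Println("buggy:", msp.validateOUsBuggy(admin))
	fmt.Println("fixed:", msp.validateOUsFixed(admin))
}
```

Running it shows the admin identity rejected by the V1-style loop and accepted by the combined loop, while an "admin" OU certified by a different chain is still rejected by the combined loop because the node OU's certifier identifier is enforced.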

      Attachments

        1. config.yaml
          0.6 kB
        2. ordererlog
          9 kB
        3. org1msp.json
          12 kB

        Activity

          People

            Assignee: denyeart David Enyeart
            Reporter: ChaoZhang99 chao zhang
            Votes: 1
            Watchers: 3

            Dates

              Created:
              Updated: