Details
- Bug
- Status: Unverified
- High
- Resolution: Unresolved
- v2.x
- None
- None
Description
I have a network where one organization is the admin of the channel: mychannel.
This organization (Org1) was at first working with Fabric 1.4.3, and we have now migrated it to version 2.2. The migration process, which includes orderer, couchdb and peer data, worked as expected.
Now I want to add a new external organization (Org2) to this channel. The existing Org1 executed the process to fetch the channel configuration and update it with the new organization definition, which looks like this:
Organizations:
  - &Org2
    Name: Org2
    ID: Org2MSP
    MSPDir: ./../crypto-config/peerOrganizations/Org2.com/msp
    Policies:
      Readers:
        Type: Signature
        Rule: "OR('Org2MSP.admin', 'Org2MSP.peer', 'Org2MSP.client')"
      Writers:
        Type: Signature
        Rule: "OR('Org2MSP.admin', 'Org2MSP.client')"
      Admins:
        Type: Signature
        Rule: "OR('Org2MSP.admin')"
      Endorsement:
        Type: Signature
        Rule: "OR('Org2MSP.peer')"
    # Anchor peers
    AnchorPeers:
      - Host: peer0.Org2.com
        Port: 8052
      - Host: peer1.Org2.com
        Port: 8053
We used this process to update the channel config using the CLI of Org1:
peer channel fetch config config_block.pb -o orderer0.example.com:7050 --ordererTLSHostnameOverride orderer0.example.com -c mychannel --tls --cafile ${ORDERER_CA}
configtxlator proto_decode --input config_block.pb --type common.Block --output config_block.json
jq .data.data[0].payload.data.config config_block.json > config.json
jq -s '.[0] * {"channel_group":{"groups":{"Application":{"groups": {"Org2MSP":.[1]}}}}}' config.json Org2.json > modified_config.json
configtxlator proto_encode --input config.json --type common.Config --output config.pb
configtxlator proto_encode --input modified_config.json --type common.Config --output modified_config.pb
configtxlator compute_update --channel_id mychannel --original config.pb --updated modified_config.pb --output Org2_update.pb
configtxlator proto_decode --input Org2_update.pb --type common.ConfigUpdate --output Org2_update.json
echo '{"payload":{"header":{"channel_header":{"channel_id":"'mychannel'", "type":2}},"data":{"config_update":'$(cat Org2_update.json)'}}}' | jq . > Org2_update_in_envelope.json
configtxlator proto_encode --input Org2_update_in_envelope.json --type common.Envelope --output Org2_update_in_envelope.pb
peer channel update -f Org2_update_in_envelope.pb -c mychannel -o orderer0.example.com:7050 --ordererTLSHostnameOverride orderer0.example.com --tls --cafile ${ORDERER_CA}
The last step in Org1 works as expected:
2021-06-16 15:09:09.834 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
2021-06-16 15:09:09.851 UTC [channelCmd] update -> INFO 002 Successfully submitted channel update
Now, if the other organization (Org2) tries to fetch block 0 and join the channel, it gets an error:
bash-5.1# peer channel fetch config ch.block -o orderer0.example.com:7050 --ordererTLSHostnameOverride orderer0.example.com -c mychannel --tls --cafile $ORDERER_CA
2021-06-16 15:14:55.854 UTC [channelCmd] InitCmdFactory -> INFO 001 Endorser and orderer connections initialized
2021-06-16 15:14:55.856 UTC [cli.common] readBlock -> INFO 002 Expect block, but got status: &{FORBIDDEN}
Error: can't read the block: &{FORBIDDEN}
And the orderer says:
2021-06-16 15:23:41.416 UTC [common.deliver] deliverBlocks -> WARN 083 [channel: mychannel] Client 172.28.0.6:35980 is not authorized: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Readers' sub-policies to be satisfied: permission denied
I don't know why this occurs, because if I fetch the channel config from Org1, I'm able to see that Org2 has permission to read in the application section.
See the attached complete channel configuration (test.json).
Any idea on how to solve this?
Thanks in advance
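
The orderer message above refers to an implicit 'Readers' policy and its sub-policies. The following is an added example, not part of the original report or of Fabric's code: it walks a decoded channel config (the config.json produced by the jq step) and lists the Signature policies that the implicit policy resolves to, with the MSP roles each accepts. The embedded sample is constructed; it assumes the JSON layout that configtxlator emits for common.Config, and the helper names are hypothetical.

```python
import json, sys

SIGNATURE, IMPLICIT_META = 1, 3  # policy "type" values in configtxlator's JSON

def sig(msp, *roles):   # builds a constructed Signature policy for the sample
    return {"policy": {"type": SIGNATURE, "value": {"identities": [
        {"principal_classification": "ROLE",
         "principal": {"msp_identifier": msp, "role": r}} for r in roles]}}}

def meta(rule, sub):    # builds a constructed ImplicitMeta policy for the sample
    return {"policy": {"type": IMPLICIT_META,
                       "value": {"rule": rule, "sub_policy": sub}}}

# Constructed, trimmed sample shaped like config.json (not the attached test.json).
SAMPLE = {"channel_group": {
    "policies": {"Readers": meta("ANY", "Readers")},
    "groups": {
        "Orderer": {"policies": {"Readers": meta("ANY", "Readers")}, "groups": {
            "OrdererOrg": {"policies": {"Readers": sig("OrdererMSP", "MEMBER")}}}},
        "Application": {"policies": {"Readers": meta("ANY", "Readers")}, "groups": {
            "Org1MSP": {"policies": {"Readers": sig("Org1MSP", "MEMBER")}},
            "Org2MSP": {"policies": {"Readers": sig("Org2MSP", "ADMIN", "PEER", "CLIENT")}}}}}}}

def policy_leaves(group, name="Readers", path="/Channel"):
    """Follow ImplicitMeta policy `name` down to the Signature policies it resolves to."""
    pol = group.get("policies", {}).get(name, {}).get("policy")
    if not pol:
        return  # a group without this policy contributes no sub-policy
    if pol["type"] == SIGNATURE:
        # Only the principals are listed; the n_out_of rule is not evaluated here.
        yield path, {(i["principal"].get("msp_identifier"), i["principal"].get("role"))
                     for i in pol["value"]["identities"]}
    elif pol["type"] == IMPLICIT_META:
        for child, sub in sorted(group.get("groups", {}).items()):
            yield from policy_leaves(sub, pol["value"]["sub_policy"], f"{path}/{child}")

def roles_accepted(config, msp_id, name="Readers"):
    """Roles under which an identity of msp_id could satisfy one of the leaves."""
    return {role for _, principals in policy_leaves(config["channel_group"], name)
            for msp, role in principals if msp == msp_id}

if __name__ == "__main__":
    # Pass a decoded config.json as the first argument, or run on the sample.
    cfg = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for path, principals in policy_leaves(cfg["channel_group"]):
        print(path, sorted(principals, key=str))
```

Fabric can only classify an identity as PEER or CLIENT when the MSP definition stored in that organization's group has NodeOUs enabled, so the roles listed for an MSP are worth comparing with the MSP value next to the policy.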