For Fabric's permission and MSP configuration, a real deployment can leave you lost in a pile of msp directories, so let's step back and sort them out.
1. How does a peer node control which users may access it? Taking first-network as the example, start with peer0's startup configuration, docker-compose-cli.yaml,
which extends base/docker-compose-base.yaml:
  peer0.org1.example.com:
    container_name: peer0.org1.example.com
    extends:
      file: peer-base.yaml
      service: peer-base
    environment:
      - CORE_PEER_ID=peer0.org1.example.com
      - CORE_PEER_ADDRESS=peer0.org1.example.com:7051
      - CORE_PEER_GOSSIP_BOOTSTRAP=peer1.org1.example.com:7051
      - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer0.org1.example.com:7051
      - CORE_PEER_LOCALMSPID=Org1MSP
    volumes:
      - /var/run/:/host/var/run/
      - ../crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp:/etc/hyperledger/fabric/msp
      - ../crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls:/etc/hyperledger/fabric/tls
      - peer0.org1.example.com:/var/hyperledger/production
    ports:
      - 7051:7051
      - 7053:7053
which in turn extends base/peer-base.yaml:
services:
  peer-base:
    image: hyperledger/fabric-peer:$IMAGE_TAG
    environment:
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      # the following setting starts chaincode containers on the same
      # bridge network as the peers
      # https://docs.docker.com/compose/networking/
      - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=${COMPOSE_PROJECT_NAME}_byfn
      - CORE_LOGGING_LEVEL=INFO
      #- CORE_LOGGING_LEVEL=DEBUG
      - CORE_PEER_TLS_ENABLED=true
      - CORE_PEER_GOSSIP_USELEADERELECTION=true
      - CORE_PEER_GOSSIP_ORGLEADER=false
      - CORE_PEER_PROFILE_ENABLED=true
      - CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/tls/server.crt
      - CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/tls/server.key
      - CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/tls/ca.crt
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer
    command: peer node start
peer node start starts the node peer0.org1.example.com.
CORE_PEER_MSPCONFIGPATH is not set explicitly here. The fabric-peer image sets FABRIC_CFG_PATH=/etc/hyperledger/fabric and core.yaml's default is mspConfigPath: msp, relative to that directory, so the local MSP is read from /etc/hyperledger/fabric/msp inside the container.
The volume entry for that path (the /etc/hyperledger/fabric/msp mapping above) points at ../crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp on the host:
[root@k8s-master msp]# pwd
/mnt/sda3/fabric-samples/first-network/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp
[root@k8s-master msp]# ll
total 24
drwxr-xr-x. 2 root root 4096 Sep 29 10:32 admincerts
drwxr-xr-x. 2 root root 4096 Sep 29 10:32 cacerts
-rw-r--r--. 1 root root  254 Sep 29 10:32 config.yaml
drwxr-xr-x. 2 root root 4096 Sep 29 10:32 keystore
drwxr-xr-x. 2 root root 4096 Sep 29 10:32 signcerts
drwxr-xr-x. 2 root root 4096 Sep 29 10:32 tlscacerts
(1) cacerts
This folder holds the root CA certificate(s) used for identity verification. Recall from the basics that membership identity relies on PKI digital signatures to identify clients (here specifically the clients that connect to the peer). Any certificate that chains to a root in this folder is treated as an identity of this organization, so the folder is the MSP's trust anchor and must contain nothing but the organization's own CA roots.
Assume one root CA per organization (ignoring intermediate CAs, which would go in an intermediatecerts folder). peer0 and peer1 of org1 are therefore configured with the same ca.org1.example.com-cert.pem, and this folder contains the organization's CA root certificate:
[root@k8s-master cacerts]# pwd
/mnt/sda3/fabric-samples/first-network/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp/cacerts
[root@k8s-master cacerts]# ll
total 4
-rw-r--r--. 1 root root 843 Sep 29 10:32 ca.org1.example.com-cert.pem
To look a bit more professional, here is the certificate content:
[root@k8s-master cacerts]# openssl x509 -in ca.org1.example.com-cert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
17:b3:7f:af:19:79:82:d1:1d:78:86:fb:97:10:e7:50
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=US, ST=California, L=San Francisco, O=org1.example.com, CN=ca.org1.example.com
Validity
Not Before: Sep 29 02:27:16 2018 GMT
Not After : Sep 26 02:27:16 2028 GMT
Subject: C=US, ST=California, L=San Francisco, O=org1.example.com, CN=ca.org1.example.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:13:93:55:07:a9:bf:a1:19:7d:21:c0:ee:2d:2a:
94:d4:e6:9b:27:35:c9:56:f4:72:81:a1:41:08:96:
77:b6:6b:2b:c9:fa:78:b7:07:fe:a1:db:20:e5:1c:
88:1b:94:7b:57:6f:e4:47:5c:ab:a5:fe:dd:c1:ff:
30:9f:2a:02:ae
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
X509v3 Extended Key Usage:
Any Extended Key Usage
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
F3:40:31:60:A2:2B:B9:CB:B5:FD:10:24:E1:BA:65:D9:8D:2C:E4:E1:AB:51:FB:55:6B:17:35:E1:11:CF:6E:82
Signature Algorithm: ecdsa-with-SHA256
30:44:02:20:03:84:0c:0e:e5:12:dd:77:af:5d:cc:ea:a3:f0:
e2:e4:b5:8a:b2:36:7c:27:9b:e9:6d:e0:8a:e4:c1:97:7b:33:
02:20:7b:bf:6e:2b:f5:fc:94:18:cf:db:f0:55:15:ea:22:7c:
ee:df:38:30:04:33:b0:81:7b:08:b1:79:44:4c:42:d7
[root@k8s-master cacerts]#
(2) config.yaml configures the organizational units (OUs) the MSP recognises. With NodeOUs enabled, an identity's X.509 certificate must carry exactly one of OU=client or OU=peer in its Subject for the MSP to accept it as a valid Org1MSP identity; a certificate with neither (or with both) is rejected even though it chains to the cacerts root.
NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/ca.org1.example.com-cert.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/ca.org1.example.com-cert.pem
    OrganizationalUnitIdentifier: peer
The Certificate field deserves a note. The cacerts folder already establishes which CA a client's identity must chain to; config.yaml is a second filter on top of that. The Certificate of each OUIdentifier cannot point at some unrelated CA: it must be one of this MSP's own root CA certificates (cacerts) or intermediate CA certificates (intermediatecerts), and the OU is only honoured when that certificate is part of the identity's certification chain. Here both entries point at the same root, ca.org1.example.com-cert.pem.
OU=client certificates: as shown later, the admincerts certificate is OU=client, and org1's User1@org1.example.com is OU=client as well; every user that connects to the peer from outside is classified under OU=client.
OU=peer certificates: for now only the peers' own certificates; peer0 and peer1 are both OU=peer, e.g. /mnt/sda3/fabric-samples/first-network/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp/signcerts/peer0.org1.example.com-cert.pem
What the two OUs actually change is policy evaluation. With NodeOUs, a principal such as Org1MSP.peer in an endorsement policy is satisfied only by a certificate carrying the peer OU, and Org1MSP.client only by one carrying the client OU; without NodeOUs only the Org1MSP.member and Org1MSP.admin roles can be told apart. The distinction therefore matters for endorsement and channel policies rather than for chaincode installation, which is gated by admincerts (see (6)).
config.yaml is optional: cryptogen only generates it in the MSP template when EnableNodeOUs: true is set for the org in crypto-config.yaml. Without it, every certificate from the CA is just a member, with no client/peer distinction.
(3) keystore holds peer0's private key, used for digital signatures. Note the 0600 mode (-rw-------): the key must be readable by the peer process only.
[root@k8s-master msp]# cd keystore/
[root@k8s-master keystore]# ll
total 4
-rw-------. 1 root root 241 Sep 29 10:32 47374918f7a4640f8d28d89b66820505702cb269bd2f1314ca420fbb64950223_sk
Private key content (a throwaway key from the sample network; never paste a real one into a post):
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgMJM5N0U+nS8GYarY
GwQfj++skU1ttNDj9xalBVZrUOShRANCAASQemtTNZXyQktIv1XrWqRItxB6ldSp
PWWszknMJvRetGBMG03ekUeeNeIDbdQSiLhcjttWfBZgMxZziEXqj22O
-----END PRIVATE KEY-----
This is a PKCS#8-wrapped P-256 key. The public point it embeds (decoding the tail ...RANCAASQemtTNZXy... gives 04:90:7a:6b:53:35:95:f2:42:4b:48:...) is the same one printed in the signcerts certificate below, which is how you confirm that keystore and signcerts belong together.
(4) signcerts
holds peer0's certificate, signed by ca.org1.example.com. Note the Subject: OU=peer.
[root@k8s-master msp]# cd signcerts/
[root@k8s-master signcerts]# ll
total 4
-rw-r--r--. 1 root root 810 Sep 29 10:32 peer0.org1.example.com-cert.pem
[root@k8s-master signcerts]# vim peer0.org1.example.com-cert.pem
[root@k8s-master signcerts]# openssl x509 -in peer0.org1.example.com-cert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
97:ca:cf:78:35:11:e4:02:f7:c8:a9:52:61:b6:e6:44
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=US, ST=California, L=San Francisco, O=org1.example.com, CN=ca.org1.example.com
Validity
Not Before: Sep 29 02:27:16 2018 GMT
Not After : Sep 26 02:27:16 2028 GMT
Subject: C=US, ST=California, L=San Francisco, OU=peer, CN=peer0.org1.example.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:90:7a:6b:53:35:95:f2:42:4b:48:bf:55:eb:5a:
a4:48:b7:10:7a:95:d4:a9:3d:65:ac:ce:49:cc:26:
f4:5e:b4:60:4c:1b:4d:de:91:47:9e:35:e2:03:6d:
d4:12:88:b8:5c:8e:db:56:7c:16:60:33:16:73:88:
45:ea:8f:6d:8e
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Authority Key Identifier:
keyid:F3:40:31:60:A2:2B:B9:CB:B5:FD:10:24:E1:BA:65:D9:8D:2C:E4:E1:AB:51:FB:55:6B:17:35:E1:11:CF:6E:82
Signature Algorithm: ecdsa-with-SHA256
30:45:02:21:00:d2:c3:79:5f:cc:95:be:6c:39:bc:b0:ee:ce:
c2:95:d7:59:2b:b3:30:fc:f3:4c:ae:cb:5a:16:9b:90:43:87:
a9:02:20:5d:ab:06:b6:7d:8d:23:bc:20:2b:e2:66:59:31:35:
d6:35:a3:e3:bf:3d:5c:3a:13:e9:f2:b9:71:b4:b0:1c:4f
[root@k8s-master signcerts]#
(5) tlscacerts
If peer0 has TLS enabled, the TLS trust root must be provided as well. It is safer to use a CA separate from the one in cacerts: here tlsca.org1.example.com is a distinct self-signed root (its Subject Key Identifier differs from ca.org1.example.com's), so a certificate issued for TLS can never be presented as a Fabric identity, and an identity certificate cannot be used as a TLS server certificate. The MSP's tlscacerts folder is what the organization publishes in the channel configuration so that other members can verify its nodes' TLS certificates; the peer's own TLS server certificate and key live in the separate tls/ directory mapped above. Certificate content:
[root@k8s-master tlscacerts]# ll
total 4
-rw-r--r--. 1 root root 855 Sep 29 10:32 tlsca.org1.example.com-cert.pem
[root@k8s-master tlscacerts]# openssl x509 -in tlsca.org1.example.com-cert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
7a:fa:31:77:69:bb:28:fc:b9:3d:81:98:7b:f3:83:64
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=US, ST=California, L=San Francisco, O=org1.example.com, CN=tlsca.org1.example.com
Validity
Not Before: Sep 29 02:27:16 2018 GMT
Not After : Sep 26 02:27:16 2028 GMT
Subject: C=US, ST=California, L=San Francisco, O=org1.example.com, CN=tlsca.org1.example.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:92:79:62:41:43:06:7d:30:65:ef:2c:ae:87:8e:
41:f6:12:27:f0:9f:a0:c1:3d:f1:03:3d:ee:e7:45:
87:58:72:f7:a0:24:85:d8:3d:01:42:d2:01:15:fc:
e1:8a:d8:6b:56:0c:25:e2:98:8d:09:fb:0e:a5:65:
ea:4a:ec:a0:06
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
X509v3 Extended Key Usage:
Any Extended Key Usage
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
25:41:EA:7D:4B:4F:14:0B:13:6D:E1:EE:09:AA:00:A6:90:66:B4:2B:2F:90:6B:DF:E2:EF:D6:59:AE:17:40:4B
Signature Algorithm: ecdsa-with-SHA256
30:45:02:21:00:cd:3b:23:ed:fb:2b:de:bf:64:87:f0:af:f6:
0a:02:5f:26:83:ff:32:08:58:16:23:ba:30:36:b5:ee:aa:c9:
55:02:20:4b:40:a8:89:c7:2d:0c:8f:c0:b6:34:9a:72:f0:47:
0e:66:8a:85:7b:d6:51:d6:1f:75:1e:e6:03:40:95:09:c9
Referring back to peer-base.yaml, TLS is on (CORE_PEER_TLS_ENABLED=true), and the peer's own server.crt, server.key and ca.crt are taken from the tls/ volume via CORE_PEER_TLS_CERT_FILE, CORE_PEER_TLS_KEY_FILE and CORE_PEER_TLS_ROOTCERT_FILE.
(6) admincerts holds the administrator certificate of the whole org1 organization. It is identical to the signing certificate under /mnt/sda3/fabric-samples/first-network/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com, and the same holds for peer1.org1.example.com.
In other words, cryptogen generate --config=./crypto-config.yaml by default gives every peer under org1 the same admin.
If peer0 and peer1 had different admincerts there would be trouble: in the second question we will look at the genesis block, which carries the organization's admin certificates (from the org-level MSP definition), not any per-node admin. The local MSP's admincerts decide who may perform administrative operations on that particular peer, so they have to stay consistent with the channel-level definition.
This admin's privileges are considerable: it can join the peer to a channel and install and instantiate chaincode. The peer commands run inside the BYFN cli container all use this admin's MSP (CORE_PEER_MSPCONFIGPATH in the cli container points at users/Admin@org1.example.com/msp).
[root@k8s-master admincerts]# pwd
/mnt/sda3/fabric-samples/first-network/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp/admincerts
[root@k8s-master admincerts]# ll
total 4
-rw-r--r--. 1 root root 810 Sep 29 10:32 Admin@org1.example.com-cert.pem
Let's look at the organization admin certificate; note OU=client:
[root@k8s-master admincerts]# openssl x509 -in Admin\@org1.example.com-cert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
48:15:46:a1:6c:25:63:98:c7:e9:c5:26:b8:67:f9:53
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=US, ST=California, L=San Francisco, O=org1.example.com, CN=ca.org1.example.com
Validity
Not Before: Sep 29 02:27:16 2018 GMT
Not After : Sep 26 02:27:16 2028 GMT
Subject: C=US, ST=California, L=San Francisco, OU=client, CN=Admin@org1.example.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:59:01:48:99:af:c8:30:17:e2:5a:b4:ee:5a:1c:
c6:79:a7:c5:3a:14:20:d1:a0:39:de:13:5e:99:c6:
d1:4e:9c:cd:63:fb:73:96:9f:b4:48:60:4f:8e:72:
10:ee:54:19:33:5f:dc:29:e2:94:39:b3:4e:f2:d3:
cd:1f:3d:0a:54
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Authority Key Identifier:
keyid:F3:40:31:60:A2:2B:B9:CB:B5:FD:10:24:E1:BA:65:D9:8D:2C:E4:E1:AB:51:FB:55:6B:17:35:E1:11:CF:6E:82
Signature Algorithm: ecdsa-with-SHA256
30:44:02:20:0c:be:41:5b:58:1e:df:7e:78:5d:77:00:44:c7:
a1:c8:2f:e1:6b:bb:8a:ac:b2:26:aa:ab:35:f6:f5:4b:66:6d:
02:20:46:b7:32:c2:4f:a1:d0:89:20:32:42:35:50:80:8e:9e:
ba:66:d6:b2:6b:55:1f:e0:b5:5f:2c:04:be:b0:6c:1e
Summary: the peer, as the access point, relies mainly on its local MSP to identify users. It checks that the user's certificate was issued by a CA it trusts (cacerts), classifies the identity by organizational unit (config.yaml NodeOUs), and compares it byte-for-byte against admincerts to decide whether the user is an administrator; together these determine whether, and in what role, the user may access the node.
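The checks walked through above (cacerts as trust anchor, the config.yaml NodeOUs rule, the keystore/signcerts pairing, the separation of tlscacerts from cacerts, and the admincerts rule) as one added Go example. This is not code from the original post or from Fabric itself: it is a simplified model of what Fabric 1.x's MSP does, with NodeOUs assumed enabled as in first-network, no intermediate CAs, no CRLs, and no check that the OU's Certificate entry appears in the chain. Instead of reading cryptogen output it generates a constructed org1 in memory (an identity CA, a separate TLS CA, peer0 with OU=peer, Admin with OU=client, a deliberately bad identity carrying both OUs, and a TLS certificate issued by the TLS CA); the type LocalMSP, the function names and the sample names are all assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// LocalMSP models the peer's msp/ directory with NodeOUs enabled: Roots is cacerts/, AdminCerts is the raw DER of
// every admincerts/ file (as a set). tlscacerts/ is a separate trust anchor and is never consulted for identities.
type LocalMSP struct {
	Roots      *x509.CertPool
	AdminCerts map[string]bool
}

// Classify verifies that cert chains to a cacerts root and that its Subject carries exactly one of
// OU=client / OU=peer (the rule first-network's config.yaml expresses); it returns the resolved role.
func (m *LocalMSP) Classify(cert *x509.Certificate) (string, error) {
	opts := x509.VerifyOptions{Roots: m.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("not issued by a cacerts root: %w", err)
	}
	role := ""
	for _, ou := range cert.Subject.OrganizationalUnit {
		if ou == "client" || ou == "peer" {
			if role != "" {
				return "", fmt.Errorf("identity carries both client and peer OUs")
			}
			role = ou
		}
	}
	if role == "" {
		return "", fmt.Errorf("identity has no OU that resolves to client or peer")
	}
	return role, nil
}

// IsAdmin applies the admincerts rule: an identity is an admin only if its certificate bytes equal an admincerts/ entry.
func (m *LocalMSP) IsAdmin(cert *x509.Certificate) bool {
	return m.AdminCerts[string(cert.Raw)]
}

// KeyMatchesCert is the keystore/signcerts check: the keystore private key must pair with the signcerts public key.
func KeyMatchesCert(key *ecdsa.PrivateKey, cert *x509.Certificate) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	return ok && key.PublicKey.Equal(pub)
}

func must(err error) {
	if err != nil {
		panic(err) // only constructed sample data is generated here
	}
}

// mustIssue generates a P-256 key and an org1.example.com certificate for cn with the given OUs; a nil parent yields a self-signed CA.
func mustIssue(cn string, ou []string, parent *x509.Certificate, signerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), IsCA: parent == nil,
		Subject:   pkix.Name{Organization: []string{"org1.example.com"}, OrganizationalUnit: ou, CommonName: cn},
		KeyUsage:  x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if tmpl.IsCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signerKey)
	must(err)
	cert, _ := x509.ParseCertificate(der) // DER produced just above, so it parses
	return cert, key
}

// NewSampleOrg builds a constructed org1 in first-network's shape (not cryptogen output): identity CA, separate TLS CA, leaves by name, peer0's key.
func NewSampleOrg() (*LocalMSP, map[string]*x509.Certificate, *ecdsa.PrivateKey) {
	ca, caKey := mustIssue("ca.org1.example.com", nil, nil, nil)
	tlsca, tlsKey := mustIssue("tlsca.org1.example.com", nil, nil, nil)
	m := &LocalMSP{Roots: x509.NewCertPool()}
	m.Roots.AddCert(ca)
	certs := map[string]*x509.Certificate{}
	var peer0Key *ecdsa.PrivateKey
	certs["peer0"], peer0Key = mustIssue("peer0.org1.example.com", []string{"peer"}, ca, caKey)
	certs["admin"], _ = mustIssue("Admin@org1.example.com", []string{"client"}, ca, caKey)
	certs["both-ou"], _ = mustIssue("bad@org1.example.com", []string{"client", "peer"}, ca, caKey)
	certs["tls-leaf"], _ = mustIssue("peer0.org1.example.com", []string{"peer"}, tlsca, tlsKey)
	m.AdminCerts = map[string]bool{string(certs["admin"].Raw): true} // exactly what admincerts/ holds
	return m, certs, peer0Key
}

func main() {
	m, certs, peer0Key := NewSampleOrg()
	for n, c := range certs {
		role, err := m.Classify(c)
		fmt.Printf("%-8s role=%q admin=%v keyMatch=%v err=%v\n", n, role, m.IsAdmin(c), KeyMatchesCert(peer0Key, c), err)
	}
}
```

Running it prints one line per constructed certificate: peer0 resolves to the peer role, Admin to the client role and is the only admin, the both-OU identity is rejected, and the certificate from the TLS CA is rejected as "not issued by a cacerts root" even though its Subject looks exactly like peer0's. The admin decision is a byte comparison against admincerts, not a property of the certificate, which is why a peer with a stale admincerts folder silently stops recognising a rotated admin.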
2. How does a channel control which organizations or peer nodes may access it?
One channel corresponds to one ledger, i.e. one blockchain; how is access to that ledger controlled?
First look at how BYFN creates the channel:
cryptogen generate --config=./crypto-config.yaml
export CHANNEL_NAME=mychannel
configtxgen -profile TwoOrgsChannel -outputCreateChannelTx ./channel-artifacts/channel.tx -channelID $CHANNEL_NAME
channel.tx is the channel-creation request. Look at the TwoOrgsChannel profile in configtx.yaml: its consortium and its Application section include Org1 and Org2, meaning that mychannel admits users of org1 and org2.
Profiles:
  TwoOrgsOrdererGenesis:
    Capabilities: