Error: got unexpected status: FORBIDDEN — implicit policy evaluation failed

0
votes

I'm trying to make network with 3 org(each has 3 peers), two orderer node with Kafka and zookeeper in fabric 1.4.3.

then, when I do peer create channel with

docker exec cli peer channel create -o orderer0.example.com:7050 -c $CHANNEL_NAME -f $ARTIFACTS_DIR/channel.tx --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer0.example.com/msp/tlscacerts/tlsca.example.com-cert.pem

below error occurs in cli

Error: got unexpected status: FORBIDDEN -- implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Writers' sub-policies to be satisfied: permission denied

and this is docker logs of orderer0

2019-10-12 09:01:16.513 UTC [orderer.consensus.kafka] setupChannelConsumerForChannel -> INFO 011 [channel: channel.first] Setting up the channel consumer for this channel (start offset: -2)...
2019-10-12 09:01:16.524 UTC [orderer.consensus.kafka] startThread -> INFO 012 [channel: channel.first] Channel consumer set up successfully
2019-10-12 09:01:16.543 UTC [orderer.consensus.kafka] startThread -> INFO 013 [channel: channel.first] Start phase completed successfully
2019-10-12 09:01:18.537 UTC [orderer.common.broadcast] ProcessMessage -> WARN 014 [channel: channel.first] Rejecting broadcast of config message from 172.18.0.29:35290 because of error: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Writers' sub-policies to be satisfied: permission denied
2019-10-12 09:01:18.537 UTC [comm.grpc.server] 1 -> INFO 015 streaming call completed grpc.service=orderer.AtomicBroadcast grpc.method=Broadcast grpc.peer_address=172.18.0.29:35290 grpc.code=OK grpc.call_duration=1.888934ms
2019-10-12 09:01:18.541 UTC [common.deliver] Handle -> WARN 016 Error reading from 172.18.0.29:35288: rpc error: code = Canceled desc = context canceled
2019-10-12 09:01:18.542 UTC [comm.grpc.server] 1 -> INFO 017 streaming call completed grpc.service=orderer.AtomicBroadcast grpc.method=Deliver grpc.peer_address=172.18.0.29:35288 error="rpc error: code = Canceled desc = context canceled" grpc.code=Canceled grpc.call_duration=10.552989ms

dicectories

|──directories
|     └──────artifacts
|     |   └──────channel.tx
|     |   └──────genesis.block
|     |
|     └──────bin
|     |   └──────crypto-config
|     |   |      └──────...
|     |   └──────...
|     |
|     └──────network
|         └──────docker-compose-mq.yaml
|         └──────docker-compose-orderer.yaml
|         └──────...

I read some solutions like me in here ,but I did't solved it yet.

This is my parts of configtx.yaml

Organizations:
    - &OrdererOrg
        Name: OrdererOrg
        ID: OrdererMSP
        MSPDir: ./crypto-config/ordererOrganizations/example.com/msp

        Policies:
            Readers:
                Type: Signature
                Rule: "OR('OrdererMSP.member')"
            Writers:
                Type: Signature
                Rule: "OR('OrdererMSP.member')"
            Admins:
                Type: Signature
                Rule: "OR('OrdererMSP.admin')"
    - &Org1
        Name: Org1MSP
        ID: Org1MSP

        MSPDir: ./crypto-config/peerOrganizations/org1.example.com/msp

        Policies:
            Readers:
                Type: Signature
                Rule: "OR('Org1MSP.admin', 'Org1MSP.peer', 'Org1MSP.client')"
            Writers:
                Type: Signature
                Rule: "OR('Org1MSP.admin', 'Org1MSP.client')"
            Admins:
                Type: Signature
                Rule: "OR('Org1MSP.admin')"

        AnchorPeers:
            - Host: peer0.org1.example.com
              Port: 7051

and this is docker-compose-cli.yaml

cli:
    container_name: cli
    image: hyperledger/fabric-tools:1.4.3
    tty: true
    stdin_open: true
    environment:
      - SYS_CHANNEL=$SYS_CHANNEL
      - GOPATH=/opt/gopath
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      #- FABRIC_LOGGING_SPEC=DEBUG
      - FABRIC_LOGGING_SPEC=INFO
      - CORE_PEER_ID=cli
      - CORE_PEER_ADDRESS=peer0.org1.example.com
      - CORE_PEER_LOCALMSPID=Org1MSP
      - CORE_PEER_TLS_ENABLED=true
      - CORE_PEER_TLS_CERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.crt
      - CORE_PEER_TLS_KEY_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.key
      - CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt
      - CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/[email protected]/msp
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer
    command: /bin/bash
    volumes:
        - /var/run/:/host/var/run/
        - ../chaincode/:/opt/gopath/src/github.com/chaincode
        - ./crypto-config:/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/
        - ../artifacts:/opt/gopath/src/github.com/hyperledger/fabric/peer/channel-artifacts
        - ../chaincode:/opt/gopath/src/github.com/hyperledger/fabric/chaincode
        #- ./:/etc/hyperledger/fabric

crypto-config.yaml

OrdererOrgs:
  - Name: Orderer
    Domain: example.com
    EnableNodeOUs: true
    Specs:
      - Hostname: orderer
    Template:
      Count: 2

PeerOrgs:
  - Name: Org1
    Domain: org1.example.com
    EnableNodeOUs: true
    Template:
      Count: 3
    Users:
      Count: 1

docker-compose-orderer.yaml

version: '2'
networks:
  blockchain_network:

services:
  orderer0.example.com:
    container_name: orderer0.example.com
    image: hyperledger/fabric-orderer:1.4.3
    environment:
      - ORDERER_GENERAL_LOGLEVEL=debug
      - ORDERER_GENERAL_LISTENADDRESS=0.0.0.0
      - ORDERER_GENERAL_GENESISMETHOD=file
      - ORDERER_GENERAL_GENESISFILE=/var/hyperledger/orderer/orderer.genesis.block
      - ORDERER_GENERAL_LOCALMSPID=OrdererMSP
      - ORDERER_GENERAL_LOCALMSPDIR=/var/hyperledger/orderer/msp
      - ORDERER_GENERAL_TLS_ENABLED=true
      - ORDERER_GENERAL_TLS_PRIVATEKEY=/var/hyperledger/orderer/tls/server.key
      - ORDERER_GENERAL_TLS_CERTIFICATE=/var/hyperledger/orderer/tls/server.crt
      - ORDERER_GENERAL_TLS_ROOTCAS=[/var/hyperledger/orderer/tls/ca.crt]
      - ORDERER_KAFKA_RETRY_SHORTINTERVAL=1s
      - ORDERER_KAFKA_RETRY_SHORTTOTAL=30s
      - ORDERER_KAFKA_VERBOSE=true
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric
    command: orderer
    volumes:
        - ../artifacts/genesis.block:/var/hyperledger/orderer/orderer.genesis.block
        - ./crypto-config/ordererOrganizations/example.com/orderers/orderer0.example.com/msp:/var/hyperledger/orderer/msp
        - ./crypto-config/ordererOrganizations/example.com/orderers/orderer0.example.com/tls:/var/hyperledger/orderer/tls
    ports:
      - 7050:7050
    networks:
      - blockchain_network

  # orderer1 is same with upside

I want to know why this error occurs and how to solve them.

1
docker-composehyperledger-fabric

1 Answers

-1
votes

What's your channel configuration inside configtx.yaml?

Have you tried to run the peer command inside the client bash (I'm not sure that your MSP related environment variables are active the way you are using "docker exec")?

docker exec -it cli bash
peer channel create -o orderer0.example.com:7050 -c $CHANNEL_NAME -f $ARTIFACTS_DIR/channel.tx --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer0.example.com/msp/tlscacerts/tlsca.example.com-cert.pem