In all the samples, channel creation is performed by an admin user. However, this user does not even have write permission on the orderer. So how can this succeed? Take the concrete example of first-network:
- CORE_PEER_LOCALMSPID=Org1MSP
- CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp
so channel creation is performed with the rights of the org1 admin. But when we look at configtx.yaml:
    - &OrdererOrg
        # DefaultOrg defines the organization which is used in the sampleconfig
        # of the fabric.git development environment
        Name: OrdererOrg
        # ID to load the MSP definition as
        ID: OrdererMSP
        # MSPDir is the filesystem path which contains the MSP configuration
        MSPDir: crypto-config/ordererOrganizations/example.com/msp
        # Policies defines the set of policies at this level of the config tree
        # For organization policies, their canonical path is usually
        #   /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('OrdererMSP.member')"
            Writers:
                Type: Signature
                Rule: "OR('OrdererMSP.member')"
            Admins:
                Type: Signature
                Rule: "OR('OrdererMSP.admin')"
so to write to the orderer, one needs to be OrdererMSP.member, which the org1 admin clearly is not. So how can it pass the policy check?
When we try to develop an application using the template in fabric-samples, we get an error when trying to create a channel with the peer admin's credentials:
2019-03-12 17:05:09.337 UTC [orderer/common/msgprocessor] ProcessConfigUpdateMsg -> DEBU 0d9 Processing config update message for channel dscsa
2019-03-12 17:05:09.337 UTC [policies] Evaluate -> DEBU 0da == Evaluating *policies.implicitMetaPolicy Policy /Channel/Writers ==
2019-03-12 17:05:09.337 UTC [policies] Evaluate -> DEBU 0db This is an implicit meta policy, it will trigger other policy evaluations, whose failures may be benign
2019-03-12 17:05:09.337 UTC [policies] Evaluate -> DEBU 0dc == Evaluating *policies.implicitMetaPolicy Policy /Channel/Orderer/Writers ==
2019-03-12 17:05:09.337 UTC [policies] Evaluate -> DEBU 0dd This is an implicit meta policy, it will trigger other policy evaluations, whose failures may be benign
2019-03-12 17:05:09.337 UTC [policies] Evaluate -> DEBU 0de == Evaluating *cauthdsl.policy Policy /Channel/Orderer/ord/Writers ==
2019-03-12 17:05:09.337 UTC [msp] DeserializeIdentity -> DEBU 0df Obtaining identity
2019-03-12 17:05:09.337 UTC [msp/identity] newIdentity -> DEBU 0e0 Creating identity instance for cert -----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
2019-03-12 17:05:09.338 UTC [cauthdsl] func1 -> DEBU 0e1 0xc42000e1e8 gate 1552410309337999686 evaluation starts
2019-03-12 17:05:09.338 UTC [cauthdsl] func2 -> DEBU 0e2 0xc42000e1e8 signed by 0 principal evaluation starts (used [false])
2019-03-12 17:05:09.338 UTC [cauthdsl] func2 -> DEBU 0e3 0xc42000e1e8 processing identity 0 with bytes of ...
2019-03-12 17:05:09.338 UTC [cauthdsl] func2 -> DEBU 0e4 0xc42000e1e8 identity 0 does not satisfy principal: the identity is a member of a different MSP (expected ordMSP, got org1MSP)
2019-03-12 17:05:09.338 UTC [cauthdsl] func2 -> DEBU 0e5 0xc42000e1e8 principal evaluation fails
2019-03-12 17:05:09.338 UTC [cauthdsl] func1 -> DEBU 0e6 0xc42000e1e8 gate 1552410309337999686 evaluation fails
2019-03-12 17:05:09.338 UTC [policies] Evaluate -> DEBU 0e7 Signature set did not satisfy policy /Channel/Orderer/ord/Writers
2019-03-12 17:05:09.338 UTC [policies] Evaluate -> DEBU 0e8 == Done Evaluating *cauthdsl.policy Policy /Channel/Orderer/ord/Writers
2019-03-12 17:05:09.338 UTC [policies] func1 -> DEBU 0e9 Evaluation Failed: Only 0 policies were satisfied, but needed 1 of [ ord.Writers ]
2019-03-12 17:05:09.338 UTC [policies] Evaluate -> DEBU 0ea Signature set did not satisfy policy /Channel/Orderer/Writers
2019-03-12 17:05:09.338 UTC [policies] Evaluate -> DEBU 0eb == Done Evaluating *policies.implicitMetaPolicy Policy /Channel/Orderer/Writers
2019-03-12 17:05:09.338 UTC [policies] func1 -> DEBU 0ec Evaluation Failed: Only 0 policies were satisfied, but needed 1 of [ Orderer.Writers Consortiums.Writers ]
2019-03-12 17:05:09.338 UTC [policies] Evaluate -> DEBU 0ed Signature set did not satisfy policy /Channel/Writers
2019-03-12 17:05:09.338 UTC [policies] Evaluate -> DEBU 0ee == Done Evaluating *policies.implicitMetaPolicy Policy /Channel/Writers
2019-03-12 17:05:09.338 UTC [orderer/common/broadcast] Handle -> WARN 0ef [channel: dscsa] Rejecting broadcast of config message from 10.0.0.192:54232 because of error: Failed to reach implicit threshold of 1 sub-policies, required 1 remaining: permission denied
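
An added example, not part of the original question and not Fabric's own code: a small Go program that reads the policy lines of the orderer debug log above and lists each unsatisfied policy with the reason logged just before it, innermost first. The `Failure` type and `Analyze` function are names invented here; the sample lines are copied from the log above with timestamps and logger prefixes trimmed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Lines copied from the orderer log above; timestamps and logger prefixes trimmed.
const sampleLog = `identity 0 does not satisfy principal: the identity is a member of a different MSP (expected ordMSP, got org1MSP)
Signature set did not satisfy policy /Channel/Orderer/ord/Writers
Evaluation Failed: Only 0 policies were satisfied, but needed 1 of [ ord.Writers ]
Signature set did not satisfy policy /Channel/Orderer/Writers
Evaluation Failed: Only 0 policies were satisfied, but needed 1 of [ Orderer.Writers Consortiums.Writers ]
Signature set did not satisfy policy /Channel/Writers`

var (
	failRe = regexp.MustCompile(`Signature set did not satisfy policy (\S+)`)
	mspRe  = regexp.MustCompile(`expected (\w+), got (\w+)\)`)
	needRe = regexp.MustCompile(`needed (\d+) of \[ (.*?) \]`)
)

// Failure is one policy the signature set did not satisfy (hypothetical type).
type Failure struct {
	Policy string // canonical policy path, e.g. /Channel/Writers
	Reason string // MSP mismatch or unmet sub-policy threshold
}

// Analyze pairs every failed policy with the reason logged right before it.
func Analyze(log string) []Failure {
	var out []Failure
	reason := ""
	for _, line := range strings.Split(log, "\n") {
		if m := mspRe.FindStringSubmatch(line); m != nil {
			reason = "signer is " + m[2] + ", policy expects " + m[1]
		} else if m := needRe.FindStringSubmatch(line); m != nil {
			reason = "needed " + m[1] + " of: " + m[2]
		} else if m := failRe.FindStringSubmatch(line); m != nil {
			out = append(out, Failure{m[1], reason})
			reason = "" // a reason belongs only to the next failure line
		}
	}
	return out
}

func main() {
	for _, f := range Analyze(sampleLog) {
		fmt.Printf("%-30s %s\n", f.Policy, f.Reason)
	}
}
```

The patterns are unanchored, so the full log lines with their timestamp and logger prefix can be fed in unchanged.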