Hyperledger Fabric Permissions: Advanced

When it comes to Fabric permissions and MSP configuration, the pile of msp directories you run into in a real deployment can be confusing, so let's step back and sort it out.

1. How does a peer node control users' access permissions?
Taking first-network as the example, first look at peer0's startup configuration, docker-compose-cli.yaml.

It references base/docker-compose-base.yaml:

peer0.org1.example.com:
    container_name: peer0.org1.example.com
    extends:
      file: peer-base.yaml
      service: peer-base
    environment:
      - CORE_PEER_ID=peer0.org1.example.com
      - CORE_PEER_ADDRESS=peer0.org1.example.com:7051
      - CORE_PEER_GOSSIP_BOOTSTRAP=peer1.org1.example.com:7051
      - CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer0.org1.example.com:7051
      - CORE_PEER_LOCALMSPID=Org1MSP
    volumes:
        - /var/run/:/host/var/run/
        - ../crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp:/etc/hyperledger/fabric/msp
        - ../crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls:/etc/hyperledger/fabric/tls
        - peer0.org1.example.com:/var/hyperledger/production
    ports:
      - 7051:7051
      - 7053:7053

which in turn references base/peer-base.yaml:

services:
  peer-base:
    image: hyperledger/fabric-peer:$IMAGE_TAG
    environment:
      - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
      # the following setting starts chaincode containers on the same
      # bridge network as the peers
      # https://docs.docker.com/compose/networking/
      - CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=${COMPOSE_PROJECT_NAME}_byfn
      - CORE_LOGGING_LEVEL=INFO
      #- CORE_LOGGING_LEVEL=DEBUG
      - CORE_PEER_TLS_ENABLED=true
      - CORE_PEER_GOSSIP_USELEADERELECTION=true
      - CORE_PEER_GOSSIP_ORGLEADER=false
      - CORE_PEER_PROFILE_ENABLED=true
      - CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/tls/server.crt
      - CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/tls/server.key
      - CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/tls/ca.crt
    working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer
    command: peer node start

peer node start starts the node peer0.org1.example.com.

The environment variable CORE_PEER_MSPCONFIGPATH is not declared explicitly here; its default value should be /etc/hyperledger/fabric/msp inside the docker container.

The msp volume mapping (highlighted in the original) points to this directory on the host:
../crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp

[root@k8s-master msp]# pwd
/mnt/sda3/fabric-samples/first-network/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp
[root@k8s-master msp]# ll
总用量 24
drwxr-xr-x. 2 root root 4096 9月  29 10:32 admincerts
drwxr-xr-x. 2 root root 4096 9月  29 10:32 cacerts
-rw-r--r--. 1 root root  254 9月  29 10:32 config.yaml
drwxr-xr-x. 2 root root 4096 9月  29 10:32 keystore
drwxr-xr-x. 2 root root 4096 9月  29 10:32 signcerts
drwxr-xr-x. 2 root root 4096 9月  29 10:32 tlscacerts

(1) cacerts

This folder holds the root CA certificate used for identity verification. Recall from the basics part that membership identity relies on PKI digital-signature techniques to identify the client (here, specifically, a client that can connect to the peer node).

One organization corresponds to one root CA (ignoring the intermediate-CA case), so peer0 and peer1 under org1 are actually configured with the same ca.org1.example.com-cert.pem; in other words, this folder should hold the organization's root CA certificate.

[root@k8s-master cacerts]# pwd
/mnt/sda3/fabric-samples/first-network/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp/cacerts
[root@k8s-master cacerts]# ll
总用量 4
-rw-r--r--. 1 root root 843 9月  29 10:32 ca.org1.example.com-cert.pem

To look a bit professional, let's dump the certificate contents:

[root@k8s-master cacerts]# openssl x509 -in ca.org1.example.com-cert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            17:b3:7f:af:19:79:82:d1:1d:78:86:fb:97:10:e7:50
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=US, ST=California, L=San Francisco, O=org1.example.com, CN=ca.org1.example.com
        Validity
            Not Before: Sep 29 02:27:16 2018 GMT
            Not After : Sep 26 02:27:16 2028 GMT
        Subject: C=US, ST=California, L=San Francisco, O=org1.example.com, CN=ca.org1.example.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub: 
                    04:13:93:55:07:a9:bf:a1:19:7d:21:c0:ee:2d:2a:
                    94:d4:e6:9b:27:35:c9:56:f4:72:81:a1:41:08:96:
                    77:b6:6b:2b:c9:fa:78:b7:07:fe:a1:db:20:e5:1c:
                    88:1b:94:7b:57:6f:e4:47:5c:ab:a5:fe:dd:c1:ff:
                    30:9f:2a:02:ae
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
            X509v3 Extended Key Usage: 
                Any Extended Key Usage
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                F3:40:31:60:A2:2B:B9:CB:B5:FD:10:24:E1:BA:65:D9:8D:2C:E4:E1:AB:51:FB:55:6B:17:35:E1:11:CF:6E:82
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:03:84:0c:0e:e5:12:dd:77:af:5d:cc:ea:a3:f0:
         e2:e4:b5:8a:b2:36:7c:27:9b:e9:6d:e0:8a:e4:c1:97:7b:33:
         02:20:7b:bf:6e:2b:f5:fc:94:18:cf:db:f0:55:15:ea:22:7c:
         ee:df:38:30:04:33:b0:81:7b:08:b1:79:44:4c:42:d7
[root@k8s-master cacerts]#

(2) config.yaml
It mainly configures which organizational units are allowed access: the OU (organizational unit) in the X.509 PEM certificate must be either client or peer for the identity to access the current node.

NodeOUs:
  Enable: true
  ClientOUIdentifier:
    Certificate: cacerts/ca.org1.example.com-cert.pem
    OrganizationalUnitIdentifier: client
  PeerOUIdentifier:
    Certificate: cacerts/ca.org1.example.com-cert.pem
    OrganizationalUnitIdentifier: peer

I also have some doubts about the Certificate setting here. The cacerts folder uses the root CA certificate to establish the connecting client's identity, and config.yaml here counts as a second layer of filtering; the Certificate for the different OUIdentifier types should not be able to point at some other CA's root certificate, only at the same root CA certificate or at different intermediate CA certificates.

Certificates with OU=client: as we will see later, admincerts is OU=client, and the
[email protected] user under org1 is also OU=client; it seems that external users connecting to the peer node are all assigned OU=client.

Certificates with OU=peer: for now only the peer nodes' own certificates, e.g. peer0 and peer1 are both OU=peer:
/mnt/sda3/fabric-samples/first-network/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp/signcerts/peer0.org1.example.com-cert.pem

As for what different permissions OU=client and OU=peer actually carry, I would guess that peer marks calls from different peer nodes, or that different OUs can be specified at chaincode installation time.

The config.yaml configuration is optional; it is generated in the MSP template by default only when EnableNodeOUs: true is set for the org in crypto-config.yaml.
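To see how the two directories work together, here is an added Go example (written for this article; it is not code from the post or from Fabric itself) that models the check in simplified form: first the identity's certificate must chain to the root held in cacerts/ (layer 1), then the NodeOUs section of config.yaml maps its OU to the peer or client role (layer 2). The CA and identity certificates are generated in memory as constructed test data, the NodeOUs struct and the Classify, mkCert and Demo functions are hypothetical names, and Fabric's real MSP additionally handles admincerts, intermediate CAs and CRLs, which are left out here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NodeOUs mirrors the config.yaml shown above (hypothetical struct, not Fabric's own type).
type NodeOUs struct {
	Enable   bool
	ClientOU string
	PeerOU   string
}

// mkCert generates a P-256 key and a certificate for subj (constructed test data).
// parent == nil gives a self-signed root CA, i.e. what cacerts/ holds; otherwise a leaf signed by parent.
func mkCert(parent *x509.Certificate, parentKey *ecdsa.PrivateKey, subj pkix.Name) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      subj,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // self-signed root CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Classify applies the two layers: the certificate must chain to a root in cacerts/
// (layer 1) and, with NodeOUs enabled, carry the client or peer OU identifier (layer 2).
func Classify(cert *x509.Certificate, roots *x509.CertPool, ous NodeOUs) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("layer 1 (cacerts): %w", err)
	}
	if !ous.Enable {
		return "member", nil // no config.yaml: any identity from the CA is a plain member
	}
	roles := map[string]string{ous.PeerOU: "peer", ous.ClientOU: "client"}
	for _, ou := range cert.Subject.OrganizationalUnit {
		if role, ok := roles[ou]; ok {
			return role, nil
		}
	}
	return "", fmt.Errorf("layer 2 (NodeOUs): OU %v is neither %q nor %q",
		cert.Subject.OrganizationalUnit, ous.ClientOU, ous.PeerOU)
}

// Demo builds org1's root plus a foreign org2 root, issues four identities and
// classifies each against peer0's cacerts and config.yaml; results are returned.
func Demo() map[string]string {
	org1, org1Key := mkCert(nil, nil, pkix.Name{Organization: []string{"org1.example.com"}, CommonName: "ca.org1.example.com"})
	org2, org2Key := mkCert(nil, nil, pkix.Name{Organization: []string{"org2.example.com"}, CommonName: "ca.org2.example.com"})
	roots := x509.NewCertPool()
	roots.AddCert(org1) // peer0's msp/cacerts holds only org1's root
	ous := NodeOUs{Enable: true, ClientOU: "client", PeerOU: "peer"}
	id := func(ca *x509.Certificate, k *ecdsa.PrivateKey, cn, ou string) *x509.Certificate {
		c, _ := mkCert(ca, k, pkix.Name{CommonName: cn, OrganizationalUnit: []string{ou}})
		return c
	}
	cases := map[string]*x509.Certificate{
		"peer0.org1": id(org1, org1Key, "peer0.org1.example.com", "peer"),
		"Admin.org1": id(org1, org1Key, "Admin@org1.example.com", "client"),
		"oddOU.org1": id(org1, org1Key, "x.org1.example.com", "orderer"),
		"peer0.org2": id(org2, org2Key, "peer0.org2.example.com", "peer"),
	}
	out := map[string]string{}
	for name, c := range cases {
		role, err := Classify(c, roots, ous)
		if err != nil {
			role = "rejected: " + err.Error()
		}
		out[name] = role
	}
	return out
}

func main() { fmt.Println(Demo()) }
```

Running it prints a map in which peer0.org1 is classified as peer, Admin.org1 as client, the org1 identity carrying OU=orderer is rejected at the NodeOUs layer, and the identity issued by org2's CA is rejected at the cacerts layer even though its OU is peer. With Enable set to false every certificate that chains to org1's root is a plain member, which is the behaviour when config.yaml is absent.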

(3) keystore
Holds peer0's private key, which is used for digital signatures.

[root@k8s-master msp]# cd keystore/
[root@k8s-master keystore]# ll
总用量 4
-rw-------. 1 root root 241 9月  29 10:32 47374918f7a4640f8d28d89b66820505702cb269bd2f1314ca420fbb64950223_sk

Private key content:

-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgMJM5N0U+nS8GYarY
GwQfj++skU1ttNDj9xalBVZrUOShRANCAASQemtTNZXyQktIv1XrWqRItxB6ldSp
PWWszknMJvRetGBMG03ekUeeNeIDbdQSiLhcjttWfBZgMxZziEXqj22O
-----END PRIVATE KEY-----

(4) signcerts

Holds peer0's certificate signed by ca.org1.example.com. Note the OU=peer in its subject (highlighted in the original).

[root@k8s-master msp]# cd signcerts/
[root@k8s-master signcerts]# ll
总用量 4
-rw-r--r--. 1 root root 810 9月  29 10:32 peer0.org1.example.com-cert.pem
[root@k8s-master signcerts]# vim peer0.org1.example.com-cert.pem 
[root@k8s-master signcerts]# openssl x509 -in peer0.org1.example.com-cert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            97:ca:cf:78:35:11:e4:02:f7:c8:a9:52:61:b6:e6:44
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=US, ST=California, L=San Francisco, O=org1.example.com, CN=ca.org1
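As an added example for the keystore and signcerts directories (not from the post or from Fabric), the Go program below writes a P-256 key in the same PKCS#8 "BEGIN PRIVATE KEY" form that cryptogen uses for keystore/, reads it back while rejecting any other PEM block type, and performs the SHA-256/ECDSA sign-and-verify round trip that a peer's signing identity exists for (the certificate dump above shows ecdsa-with-SHA256). The key is freshly generated as constructed data, not the one shown above, and the keystorePEM, loadKey, Sign, Verify and Demo names are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// keystorePEM encodes a fresh ECDSA P-256 key the way cryptogen writes
// msp/keystore/<hash>_sk: PKCS#8 DER inside "PRIVATE KEY" PEM armour.
func keystorePEM() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}), nil
}

// loadKey parses a keystore file; anything that is not a PKCS#8 ECDSA key is rejected,
// so a certificate or an RSA key dropped into keystore/ fails early and loudly.
func loadKey(pemBytes []byte) (*ecdsa.PrivateKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "PRIVATE KEY" {
		return nil, fmt.Errorf("keystore: expected a PKCS#8 PRIVATE KEY block")
	}
	k, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	ec, ok := k.(*ecdsa.PrivateKey)
	if !ok {
		return nil, fmt.Errorf("keystore: not an ECDSA key (%T)", k)
	}
	return ec, nil
}

// Sign hashes msg with SHA-256 and returns the ASN.1-encoded ECDSA signature.
func Sign(key *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// Verify checks the signature with the public key, which in Fabric comes from
// the certificate in signcerts/ rather than from the private key file.
func Verify(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// Demo runs the round trip and returns (valid signature accepted, tampered message accepted).
func Demo() (bool, bool, error) {
	pemBytes, err := keystorePEM()
	if err != nil {
		return false, false, err
	}
	key, err := loadKey(pemBytes)
	if err != nil {
		return false, false, err
	}
	msg := []byte("constructed proposal bytes") // constructed sample input
	sig, err := Sign(key, msg)
	if err != nil {
		return false, false, err
	}
	return Verify(&key.PublicKey, msg, sig), Verify(&key.PublicKey, []byte("tampered"), sig), nil
}

func main() {
	ok, tampered, err := Demo()
	fmt.Println("valid accepted:", ok, "tampered accepted:", tampered, "err:", err)
}
```

The expected result is that the original message verifies and the tampered one does not; loadKey is the place to add the checks a deployment needs before trusting a keystore file, such as confirming that the public key it contains matches the certificate in signcerts/.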