对于Fabric的权限和MSP配置这块,可能大家实际部署会给一堆msp目录绕晕,我们回过头来梳理一下。
1.Peer节点如何控制用户的采访权限?
我们以first-network为例, 先看下peer0的启动配置docker-compose-cli.yaml。
引用到base/docker-compose-base.yaml
peer0.org1.example.com:
container_name: peer0.org1.example.com
extends:
file: peer-base.yaml
service: peer-base
environment:
- CORE_PEER_ID=peer0.org1.example.com
- CORE_PEER_ADDRESS=peer0.org1.example.com:7051
- CORE_PEER_GOSSIP_BOOTSTRAP=peer1.org1.example.com:7051
- CORE_PEER_GOSSIP_EXTERNALENDPOINT=peer0.org1.example.com:7051
- CORE_PEER_LOCALMSPID=Org1MSP
volumes:
- /var/run/:/host/var/run/
- ../crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp:/etc/hyperledger/fabric/msp
- ../crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls:/etc/hyperledger/fabric/tls
- peer0.org1.example.com:/var/hyperledger/production
ports:
- 7051:7051
- 7053:7053
引用到base/peer-base.yaml
services:
peer-base:
image: hyperledger/fabric-peer:$IMAGE_TAG
environment:
- CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock
# the following setting starts chaincode containers on the same
# bridge network as the peers
# https://docs.docker.com/compose/networking/
- CORE_VM_DOCKER_HOSTCONFIG_NETWORKMODE=${COMPOSE_PROJECT_NAME}_byfn
- CORE_LOGGING_LEVEL=INFO
#- CORE_LOGGING_LEVEL=DEBUG
- CORE_PEER_TLS_ENABLED=true
- CORE_PEER_GOSSIP_USELEADERELECTION=true
- CORE_PEER_GOSSIP_ORGLEADER=false
- CORE_PEER_PROFILE_ENABLED=true
- CORE_PEER_TLS_CERT_FILE=/etc/hyperledger/fabric/tls/server.crt
- CORE_PEER_TLS_KEY_FILE=/etc/hyperledger/fabric/tls/server.key
- CORE_PEER_TLS_ROOTCERT_FILE=/etc/hyperledger/fabric/tls/ca.crt
working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer
command: peer node start
peer node start启动节点peer0.org1.example.com
环境变量CORE_PEER_MSPCONFIGPATH这里没有显示声明, 默认值应该是对应docker容器里面的/etc/hyperledger/fabric/msp
蓝色部分的卷映射指向主机的
../crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp
[root@k8s-master msp]# pwd
/mnt/sda3/fabric-samples/first-network/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp
[root@k8s-master msp]# ll
总用量 24
drwxr-xr-x. 2 root root 4096 9月 29 10:32 admincerts
drwxr-xr-x. 2 root root 4096 9月 29 10:32 cacerts
-rw-r--r--. 1 root root 254 9月 29 10:32 config.yaml
drwxr-xr-x. 2 root root 4096 9月 29 10:32 keystore
drwxr-xr-x. 2 root root 4096 9月 29 10:32 signcerts
drwxr-xr-x. 2 root root 4096 9月 29 10:32 tlscacerts
(1)cacerts
文件夹放置的用于身份识别的ca根证书, 回忆下基础篇的会员身份使用PKI等数字签名技术用于识别客户身份(这里特指可连接到peer节点的客户端)。
一个组织对一个根CA(不考虑中间CA情况), 所以组织org1下的peer0和peer1实际配置的是同一个ca.org1.example.com-cert.pem, 所以这个文件夹应该放的是对应组织的CA根证书
[root@k8s-master cacerts]# pwd
/mnt/sda3/fabric-samples/first-network/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp/cacerts
[root@k8s-master cacerts]# ll
总用量 4
-rw-r--r--. 1 root root 843 9月 29 10:32 ca.org1.example.com-cert.pem
假装专业些给大家看下证书内容
[root@k8s-master cacerts]# openssl x509 -in ca.org1.example.com-cert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
17:b3:7f:af:19:79:82:d1:1d:78:86:fb:97:10:e7:50
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=US, ST=California, L=San Francisco, O=org1.example.com, CN=ca.org1.example.com
Validity
Not Before: Sep 29 02:27:16 2018 GMT
Not After : Sep 26 02:27:16 2028 GMT
Subject: C=US, ST=California, L=San Francisco, O=org1.example.com, CN=ca.org1.example.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:13:93:55:07:a9:bf:a1:19:7d:21:c0:ee:2d:2a:
94:d4:e6:9b:27:35:c9:56:f4:72:81:a1:41:08:96:
77:b6:6b:2b:c9:fa:78:b7:07:fe:a1:db:20:e5:1c:
88:1b:94:7b:57:6f:e4:47:5c:ab:a5:fe:dd:c1:ff:
30:9f:2a:02:ae
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment, Certificate Sign, CRL Sign
X509v3 Extended Key Usage:
Any Extended Key Usage
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
F3:40:31:60:A2:2B:B9:CB:B5:FD:10:24:E1:BA:65:D9:8D:2C:E4:E1:AB:51:FB:55:6B:17:35:E1:11:CF:6E:82
Signature Algorithm: ecdsa-with-SHA256
30:44:02:20:03:84:0c:0e:e5:12:dd:77:af:5d:cc:ea:a3:f0:
e2:e4:b5:8a:b2:36:7c:27:9b:e9:6d:e0:8a:e4:c1:97:7b:33:
02:20:7b:bf:6e:2b:f5:fc:94:18:cf:db:f0:55:15:ea:22:7c:
ee:df:38:30:04:33:b0:81:7b:08:b1:79:44:4c:42:d7
[root@k8s-master cacerts]#
(2)config.yaml
主要配置的可采访的组织单元,也就是说X.509 PEM证书里面的OU(组织单元)要么是client或者peer才能采访当前节点。
NodeOUs:
Enable: true
ClientOUIdentifier:
Certificate: cacerts/ca.org1.example.com-cert.pem
OrganizationalUnitIdentifier: client
PeerOUIdentifier:
Certificate: cacerts/ca.org1.example.com-cert.pem
OrganizationalUnitIdentifier: peer
对于这里的Certification配置也有一些疑惑, cacerts文件夹使用根CA证书确定了连接客户身份,这里的config.yaml算是第二层过滤吧, 每个不同类型的组织单元OUIdentifier的Certificate应该不能对应其它的CA根证书,应该只能是同一个CA根证书或者不同的中间CA证书。
OU=client的证书实际上后面会看到admincerts是OU=client, org1下的
[email protected]用户也是OU=client, 貌似外部接入peer节点的用户都归到OU=client.
OU=peer的证书暂时只有peer节点自身的证书,例如peer0,peer1都是OU=peer
/mnt/sda3/fabric-samples/first-network/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/msp/signcerts/peer0.org1.example.com-cert.pem
实际OU=client和peer的有什么不同权限,笔者估计是peer是标记不同peer节点的调用, 或者是在链码安装的时候可以指定不同的OU
config.yaml的配置是可选的, 它是通过crypto-config.yaml下org设置了EnableNodeOUs: true才默认会生成MSP模板。
(3)keystore
存放的peer0节点的私钥,可以用于数字签名。
[root@k8s-master msp]# cd keystore/
[root@k8s-master keystore]# ll
总用量 4
-rw-------. 1 root root 241 9月 29 10:32
47374918f7a4640f8d28d89b66820505702cb269bd2f1314ca420fbb64950223_sk
私钥内容
——-BEGIN PRIVATE KEY——-
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgMJM5N0U+nS8GYarY
GwQfj++skU1ttNDj9xalBVZrUOShRANCAASQemtTNZXyQktIv1XrWqRItxB6ldSp
PWWszknMJvRetGBMG03ekUeeNeIDbdQSiLhcjttWfBZgMxZziEXqj22O
——-END PRIVATE KEY——-
(4)signcerts
存放的是peer0被ca.org1.example.com签名的证书。注意到蓝色部分, OU=peer
[root@k8s-master msp]# cd signcerts/
[root@k8s-master signcerts]# ll
总用量 4
-rw-r--r--. 1 root root 810 9月 29 10:32 peer0.org1.example.com-cert.pem
[root@k8s-master signcerts]# vim peer0.org1.example.com-cert.pem
[root@k8s-master signcerts]# openssl x509 -in peer0.org1.example.com-cert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
97:ca:cf:78:35:11:e4:02:f7:c8:a9:52:61:b6:e6:44
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=US, ST=California, L=San Francisco, O=org1.example.com, CN=ca.org1