FAB-15642 Consensus mig.: permissive maintenance filter

Currently the maintenance filter is not allowing config changes
other than consensus type changes in maintenance mode. It seems
generally useful that the network operator might want to for
instance to modify batch parameters before switching over
consensus type, to add new certificate authorities, etc.

We therefore lift the restriction and let the admin do any kind
of config change he is authorized to in maintenance mode.

Two restrictions remain:

1. Entry to- and exit from- maintenance mode should not be
   accompanied by any config change;
2. ConsensusType.Type can change only in maintenance-mode.

Change-Id: I82387946a5a86c4217cc98aeb7b5d266d93d6054
Signed-off-by: Yoav Tock <tock@il.ibm.com>

Author: tock-ibm

integration/raft/migration_test.go

@@ -419,115 +419,109 @@ var _ = Describe("Kafka2RaftMigration", func() {
 			validateConsensusTypeValue(consensusTypeValue, "kafka", protosorderer.ConsensusType_STATE_MAINTENANCE)
 
 			//=== Step 7: ===
-			By("7) Config update on system channel, changing both ConsensusType.Type and other value is forbidden")
-			config, updatedConfig = prepareTransition(network, peer, orderer, syschannel,
-				"kafka", protosorderer.ConsensusType_STATE_MAINTENANCE,
-				"etcdraft", raftMetadata, protosorderer.ConsensusType_STATE_MAINTENANCE)
-			updateConfigWithBatchTimeout(updatedConfig)
-			updateOrdererConfigFailed(network, orderer, syschannel, config, updatedConfig, peer, orderer)
-
-			//=== Step 8: ===
-			By("8) Config update on standard channel, changing both ConsensusType.Type and other value is forbidden")
-			config, updatedConfig = prepareTransition(network, peer, orderer, channel1,
-				"kafka", protosorderer.ConsensusType_STATE_MAINTENANCE,
-				"etcdraft", raftMetadata, protosorderer.ConsensusType_STATE_MAINTENANCE)
-			updateConfigWithBatchTimeout(updatedConfig)
-			updateOrdererConfigFailed(network, orderer, channel1, config, updatedConfig, peer, orderer)
-
-			//=== Step 9: ===
-			By("9) Config update on system channel, changing value other than ConsensusType.Type is forbidden")
-			config = nwo.GetConfig(network, peer, orderer, syschannel)
-			updatedConfig, consensusTypeValue, err = extractOrdererConsensusType(config)
-			Expect(err).NotTo(HaveOccurred())
-			validateConsensusTypeValue(consensusTypeValue, "kafka", protosorderer.ConsensusType_STATE_MAINTENANCE)
-			updateConfigWithBatchTimeout(updatedConfig)
-			updateOrdererConfigFailed(network, orderer, syschannel, config, updatedConfig, peer, orderer)
-
-			//=== Step 10: ===
-			By("10) Config update on standard channel, changing value other than ConsensusType.Type is forbidden")
-			config = nwo.GetConfig(network, peer, orderer, channel1)
-			updatedConfig, consensusTypeValue, err = extractOrdererConsensusType(config)
-			Expect(err).NotTo(HaveOccurred())
-			validateConsensusTypeValue(consensusTypeValue, "kafka", protosorderer.ConsensusType_STATE_MAINTENANCE)
-			updateConfigWithBatchTimeout(updatedConfig)
-			updateOrdererConfigFailed(network, orderer, channel1, config, updatedConfig, peer, orderer)
-
-			//=== Step 11: ===
-			By("11) Config update on system channel, change ConsensusType.Type to unsupported type, forbidden")
+			By("7) Config update on system channel, change ConsensusType.Type to unsupported type, forbidden")
 			assertTransitionFailed(network, peer, orderer, syschannel,
 				"kafka", protosorderer.ConsensusType_STATE_MAINTENANCE,
 				"solo", nil, protosorderer.ConsensusType_STATE_MAINTENANCE)
 
-			//=== Step 12: ===
-			By("12) Config update on standard channel, change ConsensusType.Type to unsupported type, forbidden")
+			//=== Step 8: ===
+			By("8) Config update on standard channel, change ConsensusType.Type to unsupported type, forbidden")
 			assertTransitionFailed(network, peer, orderer, channel1,
 				"kafka", protosorderer.ConsensusType_STATE_MAINTENANCE,
 				"hesse", nil, protosorderer.ConsensusType_STATE_MAINTENANCE)
 
-			//=== Step 13: ===
-			By("13) Config update on system channel, change ConsensusType.Type and State, forbidden")
+			//=== Step 9: ===
+			By("9) Config update on system channel, change ConsensusType.Type and State, forbidden")
 			assertTransitionFailed(network, peer, orderer, syschannel,
 				"kafka", protosorderer.ConsensusType_STATE_MAINTENANCE,
 				"etcdraft", raftMetadata, protosorderer.ConsensusType_STATE_NORMAL)
 
-			//=== Step 14: ===
-			By("14) Config update on standard channel, change ConsensusType.Type and State, forbidden")
+			//=== Step 10: ===
+			By("10) Config update on standard channel, change ConsensusType.Type and State, forbidden")
 			assertTransitionFailed(network, peer, orderer, channel1,
 				"kafka", protosorderer.ConsensusType_STATE_MAINTENANCE,
 				"etcdraft", raftMetadata, protosorderer.ConsensusType_STATE_NORMAL)
 
-			//=== Step 15: ===
-			By("15) Config update on system channel, change ConsensusType.Type")
+			//=== Step 11: ===
+			By("11) Config update on system channel, changing both ConsensusType.Type and other value is permitted")
 			config, updatedConfig = prepareTransition(network, peer, orderer, syschannel,
 				"kafka", protosorderer.ConsensusType_STATE_MAINTENANCE,
 				"etcdraft", raftMetadata, protosorderer.ConsensusType_STATE_MAINTENANCE)
+			updateConfigWithBatchTimeout(updatedConfig)
 			nwo.UpdateOrdererConfig(network, orderer, syschannel, config, updatedConfig, peer, orderer)
 
-			By("15) Verify: system channel config changed")
+			By("11) Verify: system channel config changed")
 			sysBlockNum := nwo.CurrentConfigBlockNumber(network, peer, orderer, syschannel)
 			Expect(sysBlockNum).To(Equal(sysStartBlockNum + 1))
 			config = nwo.GetConfig(network, peer, orderer, syschannel)
 			updatedConfig, consensusTypeValue, err = extractOrdererConsensusType(config)
 			Expect(err).NotTo(HaveOccurred())
 			validateConsensusTypeValue(consensusTypeValue, "etcdraft", protosorderer.ConsensusType_STATE_MAINTENANCE)
 
-			//=== Step 16: ===
-			By("16) Config update on standard channel, changing ConsensusType.Type")
+			//=== Step 12: ===
+			By("12) Config update on standard channel, changing both ConsensusType.Type and other value is permitted")
 			config, updatedConfig = prepareTransition(network, peer, orderer, channel1,
 				"kafka", protosorderer.ConsensusType_STATE_MAINTENANCE,
 				"etcdraft", raftMetadata, protosorderer.ConsensusType_STATE_MAINTENANCE)
+			updateConfigWithBatchTimeout(updatedConfig)
 			nwo.UpdateOrdererConfig(network, orderer, channel1, config, updatedConfig, peer, orderer)
 
-			By("16) Verify: standard channel config changed")
+			By("12) Verify: standard channel config changed")
 			std1BlockNum := nwo.CurrentConfigBlockNumber(network, peer, orderer, channel1)
 			Expect(std1BlockNum).To(Equal(std1StartBlockNum + 1))
 			config = nwo.GetConfig(network, peer, orderer, channel1)
 			updatedConfig, consensusTypeValue, err = extractOrdererConsensusType(config)
 			Expect(err).NotTo(HaveOccurred())
 			validateConsensusTypeValue(consensusTypeValue, "etcdraft", protosorderer.ConsensusType_STATE_MAINTENANCE)
 
-			//=== Step 17: ===
-			By("17) Config update on system channel, change ConsensusType.Type back to kafka, forbidden")
+			//=== Step 13: ===
+			By("13) Config update on system channel, changing value other than ConsensusType.Type is permitted")
+			config = nwo.GetConfig(network, peer, orderer, syschannel)
+			updatedConfig, consensusTypeValue, err = extractOrdererConsensusType(config)
+			Expect(err).NotTo(HaveOccurred())
+			validateConsensusTypeValue(consensusTypeValue, "etcdraft", protosorderer.ConsensusType_STATE_MAINTENANCE)
+			updateConfigWithBatchTimeout(updatedConfig)
+			nwo.UpdateOrdererConfig(network, orderer, syschannel, config, updatedConfig, peer, orderer)
+
+			By("13) Verify: system channel config changed")
+			sysBlockNum = nwo.CurrentConfigBlockNumber(network, peer, orderer, syschannel)
+			Expect(sysBlockNum).To(Equal(sysStartBlockNum + 2))
+
+			//=== Step 14: ===
+			By("14) Config update on standard channel, changing value other than ConsensusType.Type is permitted")
+			config = nwo.GetConfig(network, peer, orderer, channel1)
+			updatedConfig, consensusTypeValue, err = extractOrdererConsensusType(config)
+			Expect(err).NotTo(HaveOccurred())
+			validateConsensusTypeValue(consensusTypeValue, "etcdraft", protosorderer.ConsensusType_STATE_MAINTENANCE)
+			updateConfigWithBatchTimeout(updatedConfig)
+			nwo.UpdateOrdererConfig(network, orderer, channel1, config, updatedConfig, peer, orderer)
+
+			By("14) Verify: standard channel config changed")
+			std1BlockNum = nwo.CurrentConfigBlockNumber(network, peer, orderer, channel1)
+			Expect(std1BlockNum).To(Equal(std1StartBlockNum + 2))
+
+			//=== Step 15: ===
+			By("15) Config update on system channel, change ConsensusType.Type back to kafka, forbidden")
 			assertTransitionFailed(network, peer, orderer, syschannel,
 				"etcdraft", protosorderer.ConsensusType_STATE_MAINTENANCE,
 				"kafka", nil, protosorderer.ConsensusType_STATE_MAINTENANCE)
 
-			//=== Step 18: ===
-			By("18) Config update on standard channel, changing ConsensusType.Type back to kafka, forbidden")
+			//=== Step 16: ===
+			By("16) Config update on standard channel, changing ConsensusType.Type back to kafka, forbidden")
 			assertTransitionFailed(network, peer, orderer, channel1,
 				"etcdraft", protosorderer.ConsensusType_STATE_MAINTENANCE,
 				"kafka", nil, protosorderer.ConsensusType_STATE_MAINTENANCE)
 
-			//=== Step 19: ===
-			By("19) Config update on system channel, changing both ConsensusType State & some other value is forbidden")
+			//=== Step 17: ===
+			By("17) Config update on system channel, changing both ConsensusType State & some other value is forbidden")
 			config, updatedConfig = prepareTransition(network, peer, orderer, syschannel,
 				"etcdraft", protosorderer.ConsensusType_STATE_MAINTENANCE,
 				"etcdraft", raftMetadata, protosorderer.ConsensusType_STATE_NORMAL)
 			updateConfigWithBatchTimeout(updatedConfig)
 			updateOrdererConfigFailed(network, orderer, syschannel, config, updatedConfig, peer, orderer)
 
-			//=== Step 20: ===
-			By("20) Config update on standard channel, both ConsensusType State & some other value is forbidden")
+			//=== Step 18: ===
+			By("18) Config update on standard channel, both ConsensusType State & some other value is forbidden")
 			config, updatedConfig = prepareTransition(network, peer, orderer, channel1,
 				"etcdraft", protosorderer.ConsensusType_STATE_MAINTENANCE,
 				"etcdraft", raftMetadata, protosorderer.ConsensusType_STATE_NORMAL)
@@ -807,9 +801,9 @@ func updateConfigWithBatchTimeout(updatedConfig *common.Config) {
 	Expect(err).NotTo(HaveOccurred())
 	toDur, err := time.ParseDuration(batchTimeoutValue.Timeout)
 	Expect(err).NotTo(HaveOccurred())
-	toDur = toDur + time.Duration(1000000)
+	toDur = toDur + time.Duration(100000000)
 	batchTimeoutValue.Timeout = toDur.String()
-
+	By(fmt.Sprintf("Increasing BatchTimeout to %s", batchTimeoutValue.Timeout))
 	updatedConfig.ChannelGroup.Groups["Orderer"].Values["BatchTimeout"] = &common.ConfigValue{
 		ModPolicy: "Admins",
 		Value:     protoutil.MarshalOrPanic(batchTimeoutValue),

orderer/common/msgprocessor/maintenancefilter.go

@@ -7,6 +7,8 @@ SPDX-License-Identifier: Apache-2.0
 package msgprocessor
 
 import (
+	"bytes"
+
 	"github.com/golang/protobuf/proto"
 	"github.com/hyperledger/fabric/common/channelconfig"
 	"github.com/hyperledger/fabric/common/configtx"
@@ -90,13 +92,22 @@ func (mf *MaintenanceFilter) inspect(configEnvelope *cb.ConfigEnvelope, ordererC
 		return nil
 	}
 
-	if nextOrdererConfig.ConsensusState() != ordererConfig.ConsensusState() ||
-		ordererConfig.ConsensusState() == orderer.ConsensusType_STATE_MAINTENANCE {
+	// Entry to- and exit from- maintenance-mode should not be accompanied by any other change.
+	if ordererConfig.ConsensusState() != nextOrdererConfig.ConsensusState() {
 		if err1Change := mf.ensureConsensusTypeChangeOnly(configEnvelope); err1Change != nil {
 			return err1Change
 		}
+		if ordererConfig.ConsensusType() != nextOrdererConfig.ConsensusType() {
+			return errors.Errorf("attempted to change ConsensusType.Type from %s to %s, but ConsensusType.State is changing from %s to %s",
+				ordererConfig.ConsensusType(), nextOrdererConfig.ConsensusType(), ordererConfig.ConsensusState(), nextOrdererConfig.ConsensusState())
+		}
+		if !bytes.Equal(nextOrdererConfig.ConsensusMetadata(), ordererConfig.ConsensusMetadata()) {
+			return errors.Errorf("attempted to change ConsensusType.Metadata, but ConsensusType.State is changing from %s to %s",
+				ordererConfig.ConsensusState(), nextOrdererConfig.ConsensusState())
+		}
 	}
 
+	// ConsensusType.Type can only change in maintenance-mode, and only from kafka to raft (for now).
 	if ordererConfig.ConsensusType() != nextOrdererConfig.ConsensusType() {
 		if ordererConfig.ConsensusState() == orderer.ConsensusType_STATE_NORMAL {
 			return errors.Errorf("attempted to change consensus type from %s to %s, but current config ConsensusType.State is not in maintenance mode",

orderer/common/msgprocessor/maintenancefilter_test.go

@@ -10,17 +10,15 @@ import (
 	"testing"
 
 	"github.com/hyperledger/fabric/common/capabilities"
-	"github.com/hyperledger/fabric/internal/configtxlator/update"
-
-	"github.com/hyperledger/fabric/protos/orderer/etcdraft"
-
 	"github.com/hyperledger/fabric/common/channelconfig"
 	mockconfig "github.com/hyperledger/fabric/common/mocks/config"
 	"github.com/hyperledger/fabric/internal/configtxgen/configtxgentest"
 	"github.com/hyperledger/fabric/internal/configtxgen/encoder"
 	"github.com/hyperledger/fabric/internal/configtxgen/localconfig"
+	"github.com/hyperledger/fabric/internal/configtxlator/update"
 	"github.com/hyperledger/fabric/protos/common"
 	"github.com/hyperledger/fabric/protos/orderer"
+	"github.com/hyperledger/fabric/protos/orderer/etcdraft"
 	"github.com/hyperledger/fabric/protoutil"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -180,7 +178,7 @@ func TestMaintenanceInspectEntry(t *testing.T) {
 		configTx := makeConfigEnvelope(t, current, next)
 		err := mf.Apply(configTx)
 		assert.EqualError(t, err,
-			"config transaction inspection failed: attempted to change consensus type from kafka to etcdraft, but current config ConsensusType.State is not in maintenance mode")
+			"config transaction inspection failed: attempted to change ConsensusType.Type from kafka to etcdraft, but ConsensusType.State is changing from STATE_NORMAL to STATE_MAINTENANCE")
 	})
 
 	t.Run("Bad: change consensus type not in maintenance", func(t *testing.T) {
@@ -233,7 +231,7 @@ func TestMaintenanceInspectChange(t *testing.T) {
 		configTx := makeConfigEnvelope(t, current, next)
 		err := mf.Apply(configTx)
 		assert.EqualError(t, err,
-			"config transaction inspection failed: attempted to change consensus type from kafka to etcdraft, but next config ConsensusType.State is not in maintenance mode")
+			"config transaction inspection failed: attempted to change ConsensusType.Type from kafka to etcdraft, but ConsensusType.State is changing from STATE_MAINTENANCE to STATE_NORMAL")
 	})
 
 	t.Run("Bad: etcdraft metadata", func(t *testing.T) {
@@ -272,11 +270,32 @@ func TestMaintenanceInspectExit(t *testing.T) {
 		configTx := makeConfigEnvelope(t, current, next)
 		err := mf.Apply(configTx)
 		assert.EqualError(t, err,
-			"config transaction inspection failed: attempted to change consensus type from etcdraft to kafka, but next config ConsensusType.State is not in maintenance mode")
+			"config transaction inspection failed: attempted to change ConsensusType.Type from etcdraft to kafka, but ConsensusType.State is changing from STATE_MAINTENANCE to STATE_NORMAL")
+	})
+
+	t.Run("Bad: exit with extra group", func(t *testing.T) {
+		next := consensusTypeInfo{ordererType: "etcdraft", metadata: validMetadata, state: orderer.ConsensusType_STATE_NORMAL}
+		configTx := makeConfigEnvelopeWithExtraStuff(t, current, next, 1)
+		err := mf.Apply(configTx)
+		assert.EqualError(t, err, "config transaction inspection failed: config update contains changes to more than one group")
+	})
+
+	t.Run("Bad: exit with extra value", func(t *testing.T) {
+		next := consensusTypeInfo{ordererType: "etcdraft", metadata: validMetadata, state: orderer.ConsensusType_STATE_NORMAL}
+		configTx := makeConfigEnvelopeWithExtraStuff(t, current, next, 2)
+		err := mf.Apply(configTx)
+		assert.EqualError(t, err, "config transaction inspection failed: config update contains changes to values in group Channel")
+	})
+
+	t.Run("Bad: exit with extra orderer value", func(t *testing.T) {
+		next := consensusTypeInfo{ordererType: "etcdraft", metadata: validMetadata, state: orderer.ConsensusType_STATE_NORMAL}
+		configTx := makeConfigEnvelopeWithExtraStuff(t, current, next, 3)
+		err := mf.Apply(configTx)
+		assert.EqualError(t, err, "config transaction inspection failed: config update contain more then just the ConsensusType value in the Orderer group")
 	})
 }
 
-func TestMaintenanceEnsureSingleExtra(t *testing.T) {
+func TestMaintenanceExtra(t *testing.T) {
 	msActive := &mockSystemChannelFilterSupport{
 		OrdererConfigVal: &mockconfig.Orderer{
 			CapabilitiesVal:       &mockconfig.OrdererCapabilities{ConsensusTypeMigrationVal: true},
@@ -286,31 +305,32 @@ func TestMaintenanceEnsureSingleExtra(t *testing.T) {
 	}
 	mf := NewMaintenanceFilter(msActive)
 	require.NotNil(t, mf)
-	current := consensusTypeInfo{ordererType: "kafka", metadata: []byte{}, state: orderer.ConsensusType_STATE_NORMAL}
+	current := consensusTypeInfo{ordererType: "kafka", metadata: nil, state: orderer.ConsensusType_STATE_MAINTENANCE}
+	validMetadata := protoutil.MarshalOrPanic(&etcdraft.ConfigMetadata{})
 
-	t.Run("Bad: with extra group", func(t *testing.T) {
-		next := consensusTypeInfo{ordererType: "kafka", metadata: []byte{}, state: orderer.ConsensusType_STATE_MAINTENANCE}
+	t.Run("Good: with extra group", func(t *testing.T) {
+		next := consensusTypeInfo{ordererType: "etcdraft", metadata: validMetadata, state: orderer.ConsensusType_STATE_MAINTENANCE}
 		configTx := makeConfigEnvelopeWithExtraStuff(t, current, next, 1)
 		err := mf.Apply(configTx)
-		assert.EqualError(t, err, "config transaction inspection failed: config update contains changes to more than one group")
+		assert.NoError(t, err)
 	})
 
-	t.Run("Bad: with extra value", func(t *testing.T) {
-		next := consensusTypeInfo{ordererType: "kafka", metadata: []byte{}, state: orderer.ConsensusType_STATE_MAINTENANCE}
+	t.Run("Good: with extra value", func(t *testing.T) {
+		next := consensusTypeInfo{ordererType: "etcdraft", metadata: validMetadata, state: orderer.ConsensusType_STATE_MAINTENANCE}
 		configTx := makeConfigEnvelopeWithExtraStuff(t, current, next, 2)
 		err := mf.Apply(configTx)
-		assert.EqualError(t, err, "config transaction inspection failed: config update contains changes to values in group Channel")
+		assert.NoError(t, err)
 	})
 
-	t.Run("Bad: with extra orderer value", func(t *testing.T) {
-		next := consensusTypeInfo{ordererType: "kafka", metadata: []byte{}, state: orderer.ConsensusType_STATE_MAINTENANCE}
+	t.Run("Good: with extra orderer value", func(t *testing.T) {
+		next := consensusTypeInfo{ordererType: "etcdraft", metadata: validMetadata, state: orderer.ConsensusType_STATE_MAINTENANCE}
 		configTx := makeConfigEnvelopeWithExtraStuff(t, current, next, 3)
 		err := mf.Apply(configTx)
-		assert.EqualError(t, err, "config transaction inspection failed: config update contain more then just the ConsensusType value in the Orderer group")
+		assert.NoError(t, err)
 	})
 }
 
-func TestMaintenanceEnsureSingleMissing(t *testing.T) {
+func TestMaintenanceMissingConsensusType(t *testing.T) {
 	msActive := &mockSystemChannelFilterSupport{
 		OrdererConfigVal: &mockconfig.Orderer{
 			CapabilitiesVal:       &mockconfig.OrdererCapabilities{ConsensusTypeMigrationVal: true},
@@ -320,10 +340,12 @@ func TestMaintenanceEnsureSingleMissing(t *testing.T) {
 	}
 	mf := NewMaintenanceFilter(msActive)
 	require.NotNil(t, mf)
-	current := consensusTypeInfo{ordererType: "kafka", metadata: []byte{}, state: orderer.ConsensusType_STATE_MAINTENANCE}
-	configTx := makeConfigEnvelopeWithExtraStuff(t, current, current, 1)
-	err := mf.Apply(configTx)
-	assert.EqualError(t, err, "config transaction inspection failed: update does not contain the Orderer group")
+	current := consensusTypeInfo{ordererType: "kafka", metadata: nil, state: orderer.ConsensusType_STATE_MAINTENANCE}
+	for i := 1; i < 4; i++ {
+		configTx := makeConfigEnvelopeWithExtraStuff(t, current, current, i)
+		err := mf.Apply(configTx)
+		assert.NoError(t, err)
+	}
 }
 
 type consensusTypeInfo struct {