Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unable to invoke transaction that interacts with a PDC using fabric-gateway #3328

Closed
davidkel opened this issue Apr 13, 2022 · 1 comment
Closed

Unable to invoke transaction that interacts with a PDC using fabric-gateway #3328

davidkel opened this issue Apr 13, 2022 · 1 comment

Comments

@davidkel
Copy link
Contributor

I have a simple chaincode setup which writes to a single PDC. The collections config is defined as follows

[
    {
      "name": "CollectionOne",
      "policy": "OR('Org1MSP.member')",
      "requiredPeerCount": 0,
      "maxPeerCount": 1,
      "blockToLive": 0,
      "memberOnlyRead": false
    }
]

And the chaincode method is

    async createPrivateAsset(ctx, uuid) {
        const collection = "CollectionOne"
        const privateAsset = {};
        const transientData = ctx.stub.getTransient();
        privateAsset.content = transientData.get('content').toString('utf8');
        await ctx.stub.putPrivateData(collection, uuid, Buffer.from(JSON.stringify(privateAsset)));
    }

using the 2.2 node sdk I can submit a transaction and it get's committed without issue. However when I perform the same using the fabric-gateway it performs the initial endorse without any problem but then returns the following error message

EndorseError: 9 FAILED_PRECONDITION: no combination of peers can be derived which satisfy the endorsement policy: no peer combination can satisfy the endorsement policy

turning on gateway debug doesn't provide any further detail in the peer logs

2022-04-13 10:07:25.361 UTC 009f DEBU [gateway] func1 -> Found local endorser pkiid=3a3ced39e536baae3c8f68dff67499073d918894a63ee36f8d2f18475976064c
2022-04-13 10:07:25.361 UTC 00a0 DEBU [gateway] planFromFirstEndorser -> Sending to first endorser: MSPID=Org1MSP endpoint=peer0.org1.example.com:7051
2022-04-13 10:07:25.368 UTC 00a1 INFO [endorser] callChaincode -> finished chaincode: fixed-asset duration: 16ms channel=mychannel txID=22c60fa0
2022-04-13 10:07:25.379 UTC 00a8 ERRO [gateway] endorsementPlan -> PeersForEndorsement failed. error="no peer combination can satisfy the endorsement policy" errorVerbose="no peer combination can satisfy the endorsement policy\ngithub.com/hyperledger/fabric/discovery/endorsement.(*endorsementAnalyzer).computeEndorsementResponse\n\t/go/src/github.com/hyperledger/fabric/discovery/endorsement/endorsement.go:174\ngithub.com/hyperledger/fabric/discovery/endorsement.(*endorsementAnalyzer).PeersForEndorsement\n\t/go/src/github.com/hyperledger/fabric/discovery/endorsement/endorsement.go:101\ngithub.com/hyperledger/fabric/internal/pkg/gateway.(*registry).endorsementPlan\n\t/go/src/github.com/hyperledger/fabric/internal/pkg/gateway/registry.go:55\ngithub.com/hyperledger/fabric/internal/pkg/gateway.(*Server).planFromFirstEndorser\n\t/go/src/github.com/hyperledger/fabric/internal/pkg/gateway/api.go:351\ngithub.com/hyperledger/fabric/internal/pkg/gateway.(*Server).Endorse\n\t/go/src/github.com/hyperledger/fabric/internal/pkg/gateway/api.go:172\ngithub.com/hyperledger/fabric-protos-go/gateway._Gateway_Endorse_Handler.func1\n\t/go/src/github.com/hyperledger/fabric/vendor/github.com/hyperledger/fabric-protos-go/gateway/gateway.pb.go:1110\ngithub.com/hyperledger/fabric/internal/peer/node.unaryGrpcLimiter.func1\n\t/go/src/github.com/hyperledger/fabric/internal/peer/node/grpc_limiters.go:49\ngithub.com/grpc-ecosystem/go-grpc-middleware.ChainUnaryServer.func1.1.1\n\t/go/src/github.com/hyperledger/fabric/vendor/github.com/grpc-ecosystem/go-grpc-middleware/chain.go:25\ngithub.com/hyperledger/fabric/common/grpclogging.UnaryServerInterceptor.func1\n\t/go/src/github.com/hyperledger/fabric/common/grpclogging/server.go:92\ngithub.com/grpc-ecosystem/go-grpc-middleware.ChainUnaryServer.func1.1.1\n\t/go/src/github.com/hyperledger/fabric/vendor/github.com/grpc-ecosystem/go-grpc-middleware/chain.go:25\ngithub.com/hyperledger/fabric/common/grpcmetrics.UnaryServerInterceptor.func1\n\t/go/src/github.com/hyperledger/fabric/common/grpcmetrics/interceptor.go:31\ngithub.com/grpc-ecosystem/go-grpc-middleware.ChainUnaryServer.func1.1.1\n\t/go/src/github.com/hyperledger/fabric/vendor/github.com/grpc-ecosystem/go-grpc-middleware/chain.go:25\ngithub.com/grpc-ecosystem/go-grpc-middleware.ChainUnaryServer.func1\n\t/go/src/github.com/hyperledger/fabric/vendor/github.com/grpc-ecosystem/go-grpc-middleware/chain.go:34\ngithub.com/hyperledger/fabric-protos-go/gateway._Gateway_Endorse_Handler\n\t/go/src/github.com/hyperledger/fabric/vendor/github.com/hyperledger/fabric-protos-go/gateway/gateway.pb.go:1112\ngoogle.golang.org/grpc.(*Server).processUnaryRPC\n\t/go/src/github.com/hyperledger/fabric/vendor/google.golang.org/grpc/server.go:1180\ngoogle.golang.org/grpc.(*Server).handleStream\n\t/go/src/github.com/hyperledger/fabric/vendor/google.golang.org/grpc/server.go:1503\ngoogle.golang.org/grpc.(*Server).serveStreams.func1.2\n\t/go/src/github.com/hyperledger/fabric/vendor/google.golang.org/grpc/server.go:843\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_amd64.s:1581" channel=mychannel ChaincodeInterest="chaincodes: <\n  name: \"fixed-asset\"\n  collection_names: \"CollectionOne\"\n>\n"

A workaround is to explicitly set the endorsement policy in the collections-config file as follows

[
    {
      "name": "CollectionOne",
      "policy": "OR('Org1MSP.member')",
      "requiredPeerCount": 0,
      "maxPeerCount": 1,
      "blockToLive": 0,
      "memberOnlyRead": false,
      "endorsementPolicy": {
        "signaturePolicy": "OR('Org1MSP.member')"
      }
    }
]

endorsementPolicy is optional however so should work without having to specify
@davidkel
Copy link
Contributor Author

davidkel commented May 6, 2022
edited
Loading

The gateway is doing the right thing here, it's the node sdk 2.2 use that wasn't. Because the endorsement policy was the default one and it was a 2 org network, the node sdk is by default sending to both orgs and thus able to satisfy the endorsement policy but means that it's sending potentially sensitive data to an org that shouldn't. The gateway is protecting against this (as the data is passed in the transient field) which results in the message seen (although if possible it would be nice for the gateway to say why it couldn't satisfy, ie it won't send to an org that shouldn't see the info).

The above collections-config should be used and in fact suggests that collections-config should be explicit about the required endorsement policy otherwise the chaincode endorsement policy may not be what is required.

@davidkel davidkel closed this as completed May 6, 2022
andrew-coleman added a commit to andrew-coleman/fabric that referenced this issue May 24, 2022
@andrew-coleman
Improved gateway error for transient data failure
f02b66c 
When transient data is passed to the gateway in a transaction submit, the gateway is more cautious about which orgs it will select to endorse.  It alters the ChaincodeInterest to only allow orgs that are in the distribution policy for the PDCs written to by the chaincode.
This commit doesn’t change the behaviour, but gives a more helpful error message if this layer of protection caused the submit to fail due to the lack of endorsing orgs.
This will help to diagnose issues such as hyperledger#3328 which took a long time to resolve because of the generic error message.

Signed-off-by: andrew-coleman <andrew_coleman@uk.ibm.com>
@andrew-coleman andrew-coleman mentioned this issue May 24, 2022
Merged
denyeart pushed a commit that referenced this issue May 25, 2022
@andrew-coleman @denyeart
Improved gateway error for transient data failure
807c6de 
When transient data is passed to the gateway in a transaction submit, the gateway is more cautious about which orgs it will select to endorse.  It alters the ChaincodeInterest to only allow orgs that are in the distribution policy for the PDCs written to by the chaincode.
This commit doesn’t change the behaviour, but gives a more helpful error message if this layer of protection caused the submit to fail due to the lack of endorsing orgs.
This will help to diagnose issues such as #3328 which took a long time to resolve because of the generic error message.

Signed-off-by: andrew-coleman <andrew_coleman@uk.ibm.com>
mergify bot pushed a commit that referenced this issue May 25, 2022
@andrew-coleman @mergify
Improved gateway error for transient data failure
bda60a4 
When transient data is passed to the gateway in a transaction submit, the gateway is more cautious about which orgs it will select to endorse.  It alters the ChaincodeInterest to only allow orgs that are in the distribution policy for the PDCs written to by the chaincode.
This commit doesn’t change the behaviour, but gives a more helpful error message if this layer of protection caused the submit to fail due to the lack of endorsing orgs.
This will help to diagnose issues such as #3328 which took a long time to resolve because of the generic error message.

Signed-off-by: andrew-coleman <andrew_coleman@uk.ibm.com>
(cherry picked from commit 807c6de)
denyeart pushed a commit that referenced this issue May 25, 2022
@andrew-coleman @denyeart
Improved gateway error for transient data failure
60638b5 
When transient data is passed to the gateway in a transaction submit, the gateway is more cautious about which orgs it will select to endorse.  It alters the ChaincodeInterest to only allow orgs that are in the distribution policy for the PDCs written to by the chaincode.
This commit doesn’t change the behaviour, but gives a more helpful error message if this layer of protection caused the submit to fail due to the lack of endorsing orgs.
This will help to diagnose issues such as #3328 which took a long time to resolve because of the generic error message.

Signed-off-by: andrew-coleman <andrew_coleman@uk.ibm.com>
(cherry picked from commit 807c6de)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@davidkel