Add logging for identity, policy, and signature troubleshooting #3006
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
denyeart
force-pushed
the
cred_troubleshooting
branch
from
3a54468
to
024693b
Compare
ale-linux
reviewed
Nov 1, 2021
denyeart
force-pushed
the
cred_troubleshooting
branch
from
024693b
to
8804c3f
Compare
denyeart
force-pushed
the
cred_troubleshooting
branch
from
8804c3f
to
5a539c5
Compare
Most identity, policy, and signature issues return a fairly generic error message to the user, e.g. "not authorized". This is often intentional so as to not disclose information to malicious users that may be probing for information about the system. This commit adds logging on the orderer and peer side so that identity issues can more easily be troubleshooted by users setting up sample networks, and by administrators and SREs in production networks. For any identity, policy, or signature error, the identity is now logged in a warning message. Additionally, the identity of every signature that is verified can be seen if tracing is enabled. The new logging can help with the following types of issue resolution: User cert and MSP membership errors Determine which user is unauthorized to perform an action Determine which MSPs and user signatures are included in a config transaction that was invalidated Determine which peers participated in an endorsement invalidation Determine which peer signature doesn't match the others in a proposal response Signed-off-by: David Enyeart <enyeart@us.ibm.com>
denyeart
force-pushed
the
cred_troubleshooting
branch
from
5a539c5
to
3cf1e05
Compare
|
@ale-linux I think it is ready for final review now... |
ale-linux
approved these changes
Nov 29, 2021
denyeart
added a commit
to denyeart/fabric
that referenced
this pull request
Dec 13, 2021
PR hyperledger#3006 added warnings for principal check failures to assist with troubleshooting. The discovery warning was too much however since even in normal scenarios discovery endorser service checks the peer against the various channel principals. This change reverts to the prior code without the warning. Resolves hyperledger/fabric-gateway#349. Signed-off-by: David Enyeart <enyeart@us.ibm.com>
ale-linux
pushed a commit
that referenced
this pull request
Dec 13, 2021
PR #3006 added warnings for principal check failures to assist with troubleshooting. The discovery warning was too much however since even in normal scenarios discovery endorser service checks the peer against the various channel principals. This change reverts to the prior code without the warning. Resolves hyperledger/fabric-gateway#349. Signed-off-by: David Enyeart <enyeart@us.ibm.com>
mergify bot
pushed a commit
that referenced
this pull request
Dec 13, 2021
PR #3006 added warnings for principal check failures to assist with troubleshooting. The discovery warning was too much however since even in normal scenarios discovery endorser service checks the peer against the various channel principals. This change reverts to the prior code without the warning. Resolves hyperledger/fabric-gateway#349. Signed-off-by: David Enyeart <enyeart@us.ibm.com> (cherry picked from commit 0b0c35c)
denyeart
added a commit
that referenced
this pull request
Dec 13, 2021
PR #3006 added warnings for principal check failures to assist with troubleshooting. The discovery warning was too much however since even in normal scenarios discovery endorser service checks the peer against the various channel principals. This change reverts to the prior code without the warning. Resolves hyperledger/fabric-gateway#349. Signed-off-by: David Enyeart <enyeart@us.ibm.com> (cherry picked from commit 0b0c35c)
denyeart
added a commit
to denyeart/fabric
that referenced
this pull request
Jun 16, 2022
…ase-2.2) Backport hyperledger#3006 Most identity, policy, and signature issues return a fairly generic error message to the user, e.g. "not authorized". This is often intentional so as to not disclose information to malicious users that may be probing for information about the system. This commit adds logging on the orderer and peer side so that identity issues can more easily be troubleshooted by users setting up sample networks, and by administrators and SREs in production networks. For any identity, policy, or signature error, the failed policy and passed identity is now logged in a warning message. Additionally, the identity of every signature that is verified can be seen if tracing is enabled. The new logging can help with the following types of issue resolution: User cert and MSP membership errors Determine which user is unauthorized to perform an action Determine which MSPs and user signatures are included in a config transaction that was invalidated Determine which peers participated in an endorsement invalidation Determine which peer signature doesn't match the others in a proposal response Signed-off-by: David Enyeart <enyeart@us.ibm.com>
denyeart
added a commit
to denyeart/fabric
that referenced
this pull request
Jun 16, 2022
…ase-2.2) Backport hyperledger#3006 Most identity, policy, and signature issues return a fairly generic error message to the user, e.g. "not authorized". This is often intentional so as to not disclose information to malicious users that may be probing for information about the system. This commit adds logging on the orderer and peer side so that identity issues can more easily be troubleshooted by users setting up sample networks, and by administrators and SREs in production networks. For any identity, policy, or signature error, the failed policy and passed identity is now logged in a warning message. Additionally, the identity of every signature that is verified can be seen if tracing is enabled. The new logging can help with the following types of issue resolution: User cert and MSP membership errors Determine which user is unauthorized to perform an action Determine which MSPs and user signatures are included in a config transaction that was invalidated Determine which peers participated in an endorsement invalidation Determine which peer signature doesn't match the others in a proposal response Signed-off-by: David Enyeart <enyeart@us.ibm.com>
andrew-coleman
pushed a commit
that referenced
this pull request
Jun 16, 2022
…ase-2.2) (#3483) Backport #3006 Most identity, policy, and signature issues return a fairly generic error message to the user, e.g. "not authorized". This is often intentional so as to not disclose information to malicious users that may be probing for information about the system. This commit adds logging on the orderer and peer side so that identity issues can more easily be troubleshooted by users setting up sample networks, and by administrators and SREs in production networks. For any identity, policy, or signature error, the failed policy and passed identity is now logged in a warning message. Additionally, the identity of every signature that is verified can be seen if tracing is enabled. The new logging can help with the following types of issue resolution: User cert and MSP membership errors Determine which user is unauthorized to perform an action Determine which MSPs and user signatures are included in a config transaction that was invalidated Determine which peers participated in an endorsement invalidation Determine which peer signature doesn't match the others in a proposal response Signed-off-by: David Enyeart <enyeart@us.ibm.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Most identity, policy, and signature issues return a fairly generic error
message to the user, e.g. "not authorized".
This is often intentional so as to not disclose information to malicious users that
may be probing for information about the system.
This commit adds logging on the orderer and peer side so that identity issues
can more easily be troubleshooted by users setting up sample networks,
and by administrators and SREs in production networks.
For any identity, policy, or signature error, the failed policy and passed identity is now logged in a warning message.
Additionally, the identity of every signature that is verified can be seen if tracing is enabled.
The new logging can help with the following types of issue resolution:
User cert and MSP membership errors
Determine which user is unauthorized to perform an action
Determine which MSPs and user signatures are included in a config transaction that was invalidated
Determine which peers participated in an endorsement invalidation
Determine which peer signature doesn't match the others in a proposal response
Signed-off-by: David Enyeart enyeart@us.ibm.com