问题
From the Docs of Hyperledger-Fabric
"In Endorsement Policy , Currently, two roles are supported: member and admin."
What are these members and Admins. Is they are equal to Peers ?. In Orgs crypto-config folder there are Admin certs and User certs , is these are the certificates that are used to Sign the Endorsement?.
Say I gave an endorsement policy that admin of org1 has to sign , then i enrolled into the network by using "Jim" credentials , then upon submitting transaction how does the admin signs that Endorsement Policy?
回答1:
As per my understanding, the Roles" Admin & Member" considered in the Endorsement policy are as the ones mentioned against the Organization section "Role.Admin" and "Role.Member" in the channel configuration. And not the roles of the individual users of the Organization.
Please refer to the answer to this post also When I generate MSP for some organization, I can confirm Admin and User. What does this mean?
If an organization has Admin Role in a channel, then while it signs the transaction received from the clients of that channel, it would use the Admin Certificate to sign the proposal. [ I do not have information reg. which of the certificates mentioned in the msp folder of the peer/org are used to sign. Documentation is not clear in these areas ]
Also its my understanding that as of v1.0.5, the Endorsement policy works only with the membership "Role.Member" [ May be this understanding is also wrong. You could setup the Channel and EPs with AND conditions and check. Or check with 1.1.preview]
Our experiments were with the JavaSDK. It would be better to go through the link Transaction flow of Fabric Doc Also, take a look at the configtx.yaml file located at fabric/sampleconfig/configtx.yaml in the fabric.git repository.
回答2:
Remember that endorsement policy is not "human" signature workflow. The goal of endorsement policy to set the rules about the number of peers / orgs which must reach agreement on the execution of a chaincode given a set of inputs. Signatures are used as a means to ensure that the response was not tampered with and used to identity which org/peer actually responded.
So not only do you need some number of peers to sign endorsement responses, they must actually sign identical responses as well.
You generally will not have the case where a peer will not "sign" the endorsement response (unless you have a malicious peer where someone has actually written there own version of the peer code). Things which can occur:
- peer is not available (note it's possible for an org to run multiple peers for availability as well)
- peer produces a different result than other peers
- the actual chaincode logic results in a rejected proposal
来源:https://stackoverflow.com/questions/48108709/what-are-members-and-admins-in-endorsement-policy-of-hyperledger-fabric