fabric 使用 fabric-ca 服务
- 准备部分
首先需要用户从github上download fabric-ca 的工程代码
cd $GOPATH/src/github.com/hyperledger git clone https://github.com/hyperledger/fabric-ca.git
然后对它进行编译,在编译时,会需要安装 goimports 命令,貌似目前关于golang的相关内容都被“东方神秘力量”所限制,请读者们自行科学上网。
cd fabric-ca make
在编译过程中,可能会在test 部分遇到错误,但是没有关系,因为用不到,我们只需要将 fabric-ca-client 编译出来即可。
- 部署环境
让我们还是以e2e_cli 做例子给大家介绍如何部署ca以及使用它来创建用户。
在启动fabric 服务的 network_setup.sh 脚本中,默认是使用 docker-compose-cli.yaml 配置文件启动 docker 镜像的,将 COMPOSE_FILE 变量修改为使用 docker-compose-e2e.yaml 配置文件启动docker 镜像
#COMPOSE_FILE=docker-compose-cli.yaml COMPOSE_FILE_COUCH=docker-compose-couch.yaml COMPOSE_FILE=docker-compose-e2e.yaml
在 hyperledger fabric 1.0.5 分布式部署 (五)介绍的 generateArtifacts.sh 脚本,在其 replacePrivateKey 函数中,会将 docker-compose-e2e-template.yaml 配置文件拷贝一个名叫 docker-compose-e2e.yaml 的文件,并且将 cryptogen 生成的相关私钥和证书信息替换 docker-compose-e2e.yaml 其中的内容。
所以我们还需要将 docker-compose-e2e-template.yaml 配置进行修改,修改后内容如下
version: '2' services: ca0: image: hyperledger/fabric-ca environment: - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server - FABRIC_CA_SERVER_CA_NAME=ca-org1 - FABRIC_CA_SERVER_TLS_ENABLED=false - FABRIC_CA_SERVER_TLS_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem - FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server-config/CA1_PRIVATE_KEY ports: - "7054:7054" command: sh -c 'fabric-ca-server start --ca.certfile /etc/hyperledger/fabric-ca-server-config/ca.org1.example.com-cert.pem --ca.keyfile /etc/hyperledger/fabric-ca-server-config/CA1_PRIVATE_KEY -b admin:adminpw -d' volumes: - ./crypto-config/peerOrganizations/org1.example.com/ca/:/etc/hyperledger/fabric-ca-server-config container_name: ca_peerOrg1 ca1: image: hyperledger/fabric-ca environment: - FABRIC_CA_HOME=/etc/hyperledger/fabric-ca-server - FABRIC_CA_SERVER_CA_NAME=ca-org2 - FABRIC_CA_SERVER_TLS_ENABLED=false - FABRIC_CA_SERVER_TLS_CERTFILE=/etc/hyperledger/fabric-ca-server-config/ca.org2.example.com-cert.pem - FABRIC_CA_SERVER_TLS_KEYFILE=/etc/hyperledger/fabric-ca-server-config/CA2_PRIVATE_KEY ports: - "8054:7054" command: sh -c 'fabric-ca-server start --ca.certfile /etc/hyperledger/fabric-ca-server-config/ca.org2.example.com-cert.pem --ca.keyfile /etc/hyperledger/fabric-ca-server-config/CA2_PRIVATE_KEY -b admin:adminpw -d' volumes: - ./crypto-config/peerOrganizations/org2.example.com/ca/:/etc/hyperledger/fabric-ca-server-config container_name: ca_peerOrg2 orderer.example.com: extends: file: base/docker-compose-base.yaml service: orderer.example.com container_name: orderer.example.com peer0.org1.example.com: container_name: peer0.org1.example.com extends: file: base/docker-compose-base.yaml service: peer0.org1.example.com peer1.org1.example.com: container_name: peer1.org1.example.com extends: file: base/docker-compose-base.yaml service: peer1.org1.example.com peer0.org2.example.com: container_name: peer0.org2.example.com extends: file: base/docker-compose-base.yaml service: peer0.org2.example.com peer1.org2.example.com: container_name: peer1.org2.example.com extends: file: base/docker-compose-base.yaml service: peer1.org2.example.com cli: container_name: cli image: hyperledger/fabric-tools tty: true environment: - GOPATH=/opt/gopath - CORE_VM_ENDPOINT=unix:///host/var/run/docker.sock - CORE_LOGGING_LEVEL=DEBUG - CORE_PEER_ID=cli - CORE_PEER_ADDRESS=peer0.org1.example.com:7051 - CORE_PEER_LOCALMSPID=Org1MSP - CORE_PEER_TLS_ENABLED=true - CORE_PEER_TLS_CERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.crt - CORE_PEER_TLS_KEY_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.key - CORE_PEER_TLS_ROOTCERT_FILE=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt - CORE_PEER_MSPCONFIGPATH=/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp working_dir: /opt/gopath/src/github.com/hyperledger/fabric/peer command: /bin/bash -c './scripts/script.sh ${CHANNEL_NAME}; sleep $TIMEOUT' volumes: - /var/run/:/host/var/run/ - ../chaincode/go/:/opt/gopath/src/github.com/hyperledger/fabric/examples/chaincode/go - ./crypto-config:/opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ - ./scripts:/opt/gopath/src/github.com/hyperledger/fabric/peer/scripts/ - ./channel-artifacts:/opt/gopath/src/github.com/hyperledger/fabric/peer/channel-artifacts depends_on: - orderer.example.com - peer0.org1.example.com - peer1.org1.example.com - peer0.org2.example.com - peer1.org2.example.com
ca0 和 ca1 两个镜像的环境变量 FABRIC_CA_SERVER_TLS_ENABLED 必须要设置为 false ,否则后续连接ca server 时会报错以下错误
Error: POST failure [Post http://localhost:7054/enroll: malformed HTTP response "x15x03x01x00x02x02x16"]; not sending POST http://localhost:7054/enroll
用户可以像以前没有ca 服务一样,通过 network_setup.sh 脚本启动整个 fabric 服务
./network_setup.sh up mychannel 10000 couchdb ;
然后查看一下docker 镜像起来了哪些 docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 7da99a56c176 dev-peer0.org1.example.com-mycc-1.0-384f11f484b9302df90b453200cfb25174305fce8f53f4e94d45ee3b6cab0ce9 "chaincode -peer.a..." 2 hours ago Up 2 hours dev-peer0.org1.example.com-mycc-1.0 4a29b3322e06 dev-peer0.org2.example.com-mycc-1.0-15b571b3ce849066b7ec74497da3b27e54e0df1345daff3951b94245ce09c42b "chaincode -peer.a..." 2 hours ago Up 2 hours dev-peer0.org2.example.com-mycc-1.0 380421da2c99 hyperledger/fabric-tools "/bin/bash -c './s..." 2 hours ago Up 2 hours cli 98e1cb275d00 hyperledger/fabric-peer "peer node start" 2 hours ago Up 2 hours 0.0.0.0:9051->7051/tcp, 0.0.0.0:9052->7052/tcp, 0.0.0.0:9053->7053/tcp peer0.org2.example.com f17f8c1dfd7d hyperledger/fabric-peer "peer node start" 2 hours ago Up 2 hours 0.0.0.0:10051->7051/tcp, 0.0.0.0:10052->7052/tcp, 0.0.0.0:10053->7053/tcp peer1.org2.example.com 7f1fbc2539f1 hyperledger/fabric-peer "peer node start" 2 hours ago Up 2 hours 0.0.0.0:8051->7051/tcp, 0.0.0.0:8052->7052/tcp, 0.0.0.0:8053->7053/tcp peer1.org1.example.com 44edc4b5557b hyperledger/fabric-peer "peer node start" 2 hours ago Up 2 hours 0.0.0.0:7051-7053->7051-7053/tcp peer0.org1.example.com f0f688da1e7e hyperledger/fabric-couchdb "tini -- /docker-e..." 2 hours ago Up 2 hours 4369/tcp, 9100/tcp, 0.0.0.0:6984->5984/tcp couchdb1 48030f9de76c hyperledger/fabric-couchdb "tini -- /docker-e..." 2 hours ago Up 2 hours 4369/tcp, 9100/tcp, 0.0.0.0:5984->5984/tcp couchdb0 46acc883badc hyperledger/fabric-ca "sh -c 'fabric-ca-..." 2 hours ago Up 2 hours 0.0.0.0:8054->7054/tcp ca_peerOrg2 e67e62547da0 hyperledger/fabric-ca "sh -c 'fabric-ca-..." 2 hours ago Up 2 hours 0.0.0.0:7054->7054/tcp ca_peerOrg1 92b9a19e7a4b hyperledger/fabric-orderer "orderer" 2 hours ago Up 2 hours 0.0.0.0:7050->7050/tcp orderer.example.com 005c18e53da3 hyperledger/fabric-couchdb "tini -- /docker-e..." 2 hours ago Up 2 hours 4369/tcp, 9100/tcp, 0.0.0.0:7984->5984/tcp couchdb2 ecb4de206d3e hyperledger/fabric-couchdb "tini -- /docker-e..." 2 hours ago Up 2 hours 4369/tcp, 9100/tcp, 0.0.0.0:8984->5984/tcp couchdb3
用户可以看到分别启动了两个 ca server 服务,并且分别对应 Org1MSP 、 Org2MSP 两个机构。
让我们重写切换一下路径,并且设置一下环境变量,让后续生成的相关文件落在该目录
cd /opt/gopath/src/github.com/hyperledger/fabric-ca/bin
mkdir -p /root/ca
export FABRIC_CA_CLIENT_HOME=/root/ca
然后使用 fabric-ca-client 去连接 ca server。
注意 admin:adminpw 代表的是ca server 的管理员用户名和密码,7054 端口对应的是配置了 Org1MSP 的ca server,8054 端口则是配置了 Org2MSP 的ca server。
执行以下命令后,将会在 /root/ca 目录上主动创建 fabric-ca-client-config.yaml 文件和 msp 目录
./fabric-ca-client enroll -u http://admin:adminpw@localhost:7054
向ca server 注册一个新的用户,名字叫 test, 密码为 test123
./fabric-ca-client register --id.name test --id.type user --id.affiliation org1.department1 --id.attrs 'hf.Revoker=true,foo=bar' --id.secret 'test123'
然后生成 test 用户的相关私钥和证书
./fabric-ca-client enroll -u http://test:test123@localhost:7054 -M $FABRIC_CA_CLIENT_HOME/testmsp --tls.certfiles "/opt/gopath/src/github.com/hyperledger/fabric/examples/e2e_cli/crypto-config/peerOrganizations/org1.example.com/ca/ca.org1.example.com-cert.pem"
为了后续使用,我们还要再做一些辅助动作
mkdir /root/ca/testmsp/admincerts cp /root/ca/testmsp/signcerts/cert.pem /root/ca/testmsp/admincerts/
- 是原生的用户查询数据
在之前的博客中,作者向读者演示如何查询fabric 中的数据,都是通过docker-compose 启动一个临时的cli 镜像来执行peer 命令,那么按照客户端和服务端的连接关系,peer 命令应该在任何机器上执行都是可行的。
在作者查阅了相关的配置文件和脚本后,整理出以下关键环境变量,主要是设计该客户端在连接 peer 节点时,应该采用哪些证书和私钥进行加密通讯。
以下命令将设置client 连接 peer0.org1.example.com:7051 服务,并且使用 peer0.org1.example.com 节点的私钥和证书。
export CORE_PEER_TLS_ROOTCERT_FILE="/opt/gopath/src/github.com/hyperledger/fabric/examples/e2e_cli/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/ca.crt" ; export CORE_PEER_LOCALMSPID="Org1MSP" ; export CORE_PEER_TLS_ENABLED=true ; export CORE_PEER_MSPCONFIGPATH="/opt/gopath/src/github.com/hyperledger/fabric/examples/e2e_cli/crypto-config/peerOrganizations/org1.example.com/users/Admin@org1.example.com/msp" ; export CORE_PEER_ADDRESS="peer0.org1.example.com:7051" ; # CORE_PEER_TLS_KEY_FILE 变量貌似用不上 # export CORE_PEER_TLS_KEY_FILE="/opt/gopath/src/github.com/hyperledger/fabric/examples/e2e_cli/crypto-config/peerOrganizations/org1.example.com/peers/peer0.org1.example.com/tls/server.key" ;
宿主的peer 可执行程序在 /opt/gopath/src/github.com/hyperledger/fabric/release/linux-amd64/bin 目录,切换到该目录后执行
./peer chaincode query -C mychannel -n mycc -c '{"Args":["query","a"]}'
- 使用新创建的test 用户进行测试
如果用户希望使用刚才 fabric-ca-client 命令创建的test 用户,则只需要修改 CORE_PEER_MSPCONFIGPATH 环境变量即可
export CORE_PEER_MSPCONFIGPATH="/root/ca/testmsp" ;
再次使用peer 执行查询命令,查询正常。
./peer chaincode query -C mychannel -n mycc -c '{"Args":["query","a"]}'
同理,如果需要peer 执行 invoke 命令,则像过去一样执行就ok 了
./peer chaincode invoke -o orderer.example.com:7050 --tls true --cafile /opt/gopath/src/github.com/hyperledger/fabric/examples/e2e_cli/crypto-config/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem -C mychannel -n mycc -c '{"Args":["invoke","a","b","20"]}'
- 权限思考
不知道读者在看到这里时,是否有反思过,fabric 区块链是如何做到读、写权限分开的。
在环境变量设置上,是使用了peer 节点的私钥和证书,此时peer 的命令可以直接从区块链中读取数据。
而在执行 invoke 命令时,则需要加上 --tls 和 --cafile 参数,并且还需要指定 orderer 的私钥。
所以按照作者的理解,fabric 区块链的数据写入,必须要同时拥有 orderer 的私钥和 peer 节点的私钥、证书,而读取,则只要拥有peer 节点的私钥和证书即可。
- 在chaincode 中获取用户的名字
根据 http://www.cnblogs.com/studyzy/p/7482451.html 博客的介绍,我们可以编写一段测试的chaincode 来获得执行peer 命令的用户名
chaincode 代码
package main import ( "github.com/hyperledger/fabric/core/chaincode/shim" pb "github.com/hyperledger/fabric/protos/peer" "fmt" "encoding/pem" "crypto/x509" "bytes" ) type SimpleChaincode struct { } func main() { err := shim.Start(new(SimpleChaincode)) if err != nil { fmt.Printf("Error starting Simple chaincode: %s", err) } } func (t *SimpleChaincode) Init(stub shim.ChaincodeStubInterface) pb.Response { return shim.Success(nil) } func (t *SimpleChaincode) Invoke(stub shim.ChaincodeStubInterface) pb.Response { function, args := stub.GetFunctionAndParameters() fmt.Println("invoke is running " + function) if function == "cert" {//自定义函数名称 return t.testCertificate(stub, args)//定义调用的函数 } return shim.Error("Received unknown function invocation") } func (t *SimpleChaincode) testCertificate(stub shim.ChaincodeStubInterface, args []string) pb.Response{ creatorByte,_:= stub.GetCreator() certStart := bytes.IndexAny(creatorByte, "-----")// Devin:I don't know why sometimes -----BEGIN is invalid, so I use ----- if certStart == -1 { fmt.Errorf("No certificate found") } certText := creatorByte[certStart:] bl, _ := pem.Decode(certText) if bl == nil { fmt.Errorf("Could not decode the PEM structure") } fmt.Println(string(certText)) cert, err := x509.ParseCertificate(bl.Bytes) if err != nil { fmt.Errorf("ParseCertificate failed") } fmt.Println(cert) uname:=cert.Subject.CommonName fmt.Println("Name:"+uname) return shim.Success([]byte("Called testCertificate "+uname)) }
如果使用原生的配置执行
./peer chaincode query -C mychannel -n mycc --logging-level CRITICAL -c '{"Args":["cert"]}'
输出
Query Result: Called testCertificate Admin@org1.example.com
如果使用test 用户执行,则会输出
Query Result: Called testCertificate test
参考博客:
http://www.cnblogs.com/studyzy/p/7482451.html