multiple orderer organizations

Question

I have two organizations for ordering (type= Raft). one of them has two orderers and the second one has three orderers, in configtx.yaml there are Ordererorg1MSP and Ordererorg2MSP MSPs. my configtx.taml:

Organizations:
    - &Ordererorg1
        Name: Ordererorg1MSP
        ID: Ordererorg1MSP
        MSPDir: crypto-config/ordererOrganizations/org1.orderer.example.com/msp
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('Ordererorg1MSP.member')"
            Writers:
                Type: Signature
                Rule: "OR('Ordererorg1MSP.member')"
            Admins:
                Type: Signature
                Rule: "OR('Ordererorg1MSP.admin')"
    - &Orgorg1
        Name: Orgorg1MSP
        ID: Orgorg1MSP
        MSPDir: crypto-config/peerOrganizations/org1.example.com/msp
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('Orgorg1MSP.admin', 'Orgorg1MSP.peer', 'Orgorg1MSP.client')"
            Writers:
                Type: Signature
                Rule: "OR('Orgorg1MSP.admin', 'Orgorg1MSP.client')"
            Admins:
                Type: Signature
                Rule: "OR('Orgorg1MSP.admin')"
        AnchorPeers:
            - Host: peer1.org1.example.com
              Port: 2050
    - &Ordererorg2
        Name: Ordererorg2MSP
        ID: Ordererorg2MSP
        MSPDir: crypto-config/ordererOrganizations/org2.orderer.example.com/msp
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('Ordererorg2MSP.member')"
            Writers:
                Type: Signature
                Rule: "OR('Ordererorg2MSP.member')"
            Admins:
                Type: Signature
                Rule: "OR('Ordererorg2MSP.admin')"
    - &Orgorg2
        Name: Orgorg2MSP
        ID: Orgorg2MSP
        MSPDir: crypto-config/peerOrganizations/org2.example.com/msp
        Policies:
            Readers:
                Type: Signature
                Rule: "OR('Orgorg2MSP.admin', 'Orgorg2MSP.peer', 'Orgorg2MSP.client')"
            Writers:
                Type: Signature
                Rule: "OR('Orgorg2MSP.admin', 'Orgorg2MSP.client')"
            Admins:
                Type: Signature
                Rule: "OR('Orgorg2MSP.admin')"
        AnchorPeers:
            - Host: peer1.org2.example.com
              Port: 2050
Capabilities:
    Channel: &ChannelCapabilities
        V1_4_3: true
        V1_3: false
        V1_1: false
    Orderer: &OrdererCapabilities
        V1_4_2: true
        V1_1: false
    Application: &ApplicationCapabilities
        V1_4_2: true
        V1_3: false
        V1_2: false
        V1_1: false
Application: &ApplicationDefaults
    Organizations:
    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
    Capabilities:
        <<: *ApplicationCapabilities
Orderer: &OrdererDefaults
    OrdererType: etcdraft
    Addresses:
                - peer1.org1.orderer.example.com:7050
                - peer1.org2.orderer.example.com:7050
    BatchTimeout: 2s
    BatchSize:
        MaxMessageCount: 10
        AbsoluteMaxBytes: 99 MB
        PreferredMaxBytes: 512 KB
    EtcdRaft:
        Consenters:
                    - Host: peer1.org1.orderer.example.com
                      Port: 7050
                      ClientTLSCert: crypto-config/ordererOrganizations/org1.orderer.example.com/orderers/peer1.org1.orderer.example.com/tls/server.crt
                      ServerTLSCert: crypto-config/ordererOrganizations/org1.orderer.example.com/orderers/peer1.org1.orderer.example.com/tls/server.crt
                    - Host: peer1.org2.orderer.example.com
                      Port: 7050
                      ClientTLSCert: crypto-config/ordererOrganizations/org2.orderer.example.com/orderers/peer1.org2.orderer.example.com/tls/server.crt
                      ServerTLSCert: crypto-config/ordererOrganizations/org2.orderer.example.com/orderers/peer1.org2.orderer.example.com/tls/server.crt
    Organizations:
    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
        BlockValidation:
            Type: ImplicitMeta
            Rule: "ANY Writers"

Channel: &ChannelDefaults
    Policies:
        Readers:
            Type: ImplicitMeta
            Rule: "ANY Readers"
        Writers:
            Type: ImplicitMeta
            Rule: "ANY Writers"
        Admins:
            Type: ImplicitMeta
            Rule: "MAJORITY Admins"
    Capabilities:
        <<: *ChannelCapabilities

Profiles:
    Channel:
        Consortium: SampleConsortium
        <<: *ChannelDefaults
        Application:
            <<: *ApplicationDefaults
            Organizations:
                    - *Orgorg1
                    - *Orgorg2
            Capabilities:
                <<: *ApplicationCapabilities

    OrdererGenesis:
        <<: *ChannelDefaults
        Orderer:
            <<: *OrdererDefaults

            Organizations:
                - *Ordererorg1
                - *Ordererorg2
            Capabilities:
                <<: *OrdererCapabilities
        Application:
            <<: *ApplicationDefaults
            Organizations:
                - <<: *Ordererorg1
                - <<: *Ordererorg2
        Consortiums:
            SampleConsortium:
                Organizations:
                    - *Orgorg1
                    - *Orgorg2

when I want to create channel, I face error and the DEBUG logs says:

2020-05-04 12:12:50.452 UTC [cauthdsl] func1 -> DEBU 7b9 0xc0007edbe0 gate 1588594370452563334 evaluation starts
2020-05-04 12:12:50.452 UTC [cauthdsl] func2 -> DEBU 7ba 0xc0007edbe0 signed by 0 principal evaluation starts (used [false])
2020-05-04 12:12:50.452 UTC [cauthdsl] func2 -> DEBU 7bb 0xc0007edbe0 principal evaluation fails
2020-05-04 12:12:50.452 UTC [cauthdsl] func1 -> DEBU 7bc 0xc0007edbe0 gate 1588594370452563334 evaluation fails
2020-05-04 12:12:50.452 UTC [policies] Evaluate -> DEBU 7bd Signature set did not satisfy policy /Channel/Orderer/Ordererorg2MSP/Readers
2020-05-04 12:12:50.452 UTC [policies] Evaluate -> DEBU 7be == Done Evaluating *cauthdsl.policy Policy /Channel/Orderer/Ordererorg2MSP/Readers
2020-05-04 12:12:50.452 UTC [policies] Evaluate -> DEBU 7bf == Evaluating *cauthdsl.policy Policy /Channel/Orderer/Ordererorg1MSP/Readers ==
2020-05-04 12:12:50.452 UTC [cauthdsl] deduplicate -> ERRO 7c0 Principal deserialization failure (MSP OrdererMSP is unknown) for identity 0
2020-05-04 12:12:50.452 UTC [cauthdsl] func1 -> DEBU 7c1 0xc0007fe250 gate 1588594370452661614 evaluation starts
2020-05-04 12:12:50.452 UTC [cauthdsl] func2 -> DEBU 7c2 0xc0007fe250 signed by 0 principal evaluation starts (used [false])
2020-05-04 12:12:50.452 UTC [cauthdsl] func2 -> DEBU 7c3 0xc0007fe250 principal evaluation fails
2020-05-04 12:12:50.452 UTC [cauthdsl] func1 -> DEBU 7c4 0xc0007fe250 gate 1588594370452661614 evaluation fails
2020-05-04 12:12:50.452 UTC [policies] Evaluate -> DEBU 7c5 Signature set did not satisfy policy /Channel/Orderer/Ordererorg1MSP/Readers
2020-05-04 12:12:50.452 UTC [policies] Evaluate -> DEBU 7c6 == Done Evaluating *cauthdsl.policy Policy /Channel/Orderer/Ordererorg1MSP/Readers
2020-05-04 12:12:50.452 UTC [policies] func1 -> DEBU 7c7 Evaluation Failed: Only 0 policies were satisfied, but needed 1 of [ Ordererorg1MSP/Readers Ordererorg2MSP/Readers ]
2020-05-04 12:12:50.452 UTC [policies] Evaluate -> DEBU 7c8 Signature set did not satisfy policy /Channel/Orderer/Readers
2020-05-04 12:12:50.452 UTC [policies] Evaluate -> DEBU 7c9 == Done Evaluating *policies.implicitMetaPolicy Policy /Channel/Orderer/Readers
2020-05-04 12:12:50.452 UTC [policies] func1 -> DEBU 7ca Evaluation Failed: Only 0 policies were satisfied, but needed 1 of [ Application/Readers Consortiums/Readers Orderer/Readers ]
2020-05-04 12:12:50.452 UTC [policies] Evaluate -> DEBU 7cb Signature set did not satisfy policy /Channel/Readers
2020-05-04 12:12:50.452 UTC [policies] Evaluate -> DEBU 7cc == Done Evaluating *policies.implicitMetaPolicy Policy /Channel/Readers
2020-05-04 12:12:50.452 UTC [orderer.common.msgprocessor] Apply -> DEBU 7cd SigFilter evaluation failed: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Readers' sub-policies to be satisfied, policyName: /Channel/Readers, ConsensusState: STATE_NORMAL
2020-05-04 12:12:50.452 UTC [common.deliver] deliverBlocks -> WARN 7ce [channel: greenwebgenesis] Client authorization revoked for deliver request from 10.0.1.36:33346: implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Readers' sub-policies to be satisfied: permission denied

I guess in each fabric network, we can only have one ordering organization under the MSP of OrdererMSP. is it correct?

can someone please help me on this?

metadata · Accepted Answer

In the logs you are getting Principal deserialization failure (MSP OrdererMSP is unknown) but in configtx.yaml file, you aren't using OrdererMSP hence check the value of ORDERER_GENERAL_LOCALMSPID in docker file.

multiple orderer organizations

Answers (2)

Related Questions