I am new to Hyperledger fabric and blockchain.I am trying to build a simple application as part of a POC and completed the Getting Started tutorial for building the first network. I am very confused about user creation and assigning roles for a specific organization. As I understand, I need to use the docker-compose-e2e.yaml, which starts a fabric-ca container to create a public key (certificate) and a private key . Could someone please provide me some instruction or point me to the documentation, on how to create a user, assign a role in an org, get the private and public key, install it on a blockchain network and use it in a chaincode.
Strongly advise that you read and follow the Build Your First Network tutorial in its entirety.
In that tutorial, the users and orgs are created via a configuration file (crypto-config.yaml) which feed the cryptogen command to generate the required key material for orgs and users, etc. This is suitable for a static deployment.
Use of fabric-ca to generate certificates for users etc that can be added via the SDKs is a bit more advanced topic. There's a tutorial in the Fabric CA User's Guide. This also requires that the MSP used in the fabric network be the Fabric-CA, not the default MSP, which uses the file-based config.
Related
Background
I have a virtual machine running a code using Google SDK for diffrent products (like Google PubSub). According to Google documentation, my machine should have an environment variable called GOOGLE_APPLICATION_CREDENTIALS and its values should be pointing to a clear text file that holding the service account of the application.
I have done it and it's working for me.
The Problem
It sounds like an unsafe practice to store such a key, in plain text, inside a virtual machine. If the machine has been hacked, this key will be one of the first targets of the attacker.
I was expected to find a solution to "hide" this key file or just encrypt it with a key that my application will be able to read.
I found some code examples (C#), that allow the programmer to pass the credentials manually to the SDK functions. But, it's not a standard way to do it and it's being changed from one product to another (seems impossible in some products).
What is the best practice to do it?
Have a good read at the following:
https://cloud.google.com/docs/authentication/production
This describes a concept called "Application Default Credentials". The concept here is that a Compute Engine (a virtual machine) has a default service account (that you can configure) associated with it. Applications running on the Compute Engine can thus make requests from that Compute Engine to other GCP services and the requests to those services will implicitly appear to come from the service account configured against the Compute Engine.
The key phrase in the article is:
If the environment variable GOOGLE_APPLICATION_CREDENTIALS isn't set, ADC uses the default service account that Compute Engine, Google Kubernetes Engine, App Engine, Cloud Run, and Cloud Functions provide.
I am new at google cloud and this is my first experience with this platform. ( Before I was using Azure )
So I am working on a c# project and the project has a requirement to save images online and for that, I created cloud storage.
not for using the services, I find our that I have to download a service account credential file and set the path of that file in the environment variable.
Which is good and working file
RxStorageClient = StorageClient.Create();
But the problem is that. my whole project is a collection of 27 different projects and that all are in the same solution and there are multi-cloud storage account involved also I want to use them with docker.
So I was wondering. is there any alternative to this service account system? like API key or connection string like Azure provides?
Because I saw this initialization function have some other options to authenticate. but didn't saw any example
RxStorageClient = StorageClient.Create();
Can anyone please provide a proper example to connect with cloud storage services without this service account file system
You can do this instead of relying on the environment variable by downloading credential files for each project you need to access.
So for example, if you have three projects that you want to access storage on, then you'd need code paths that initialize the StorageClient with the appropriate service account key from each of those projects.
StorageClient.Create() can take an optional GoogleCredential() object to authorize it (if you don't specify, it grabs the default application credentials, which, one way to set is that GOOGLE_APPLICATION_CREDENTIALS env var).
So on GoogleCredential, check out the FromFile(String) static call, where the String is the path to the service account JSON file.
There are no examples. Service accounts are absolutely required, even if hidden from view, to deal with Google Cloud products. They're part of the IAM system for authenticating and authorizing various pieces of software for use with various products. I strongly suggest that you become familiar with the mechanisms of providing a service account to a given program. For code running outside of Google Cloud compute and serverless products, the current preferred solution involves using environment variables to point to files that contain credentials. For code running Google (like Cloud Run, Compute Engine, Cloud Functions), it's possible to provide service accounts by configuration so that the code doesn't need to do anything special.
When you create a hyperledger fabric network, you define organizations, orderers and peers in crypto-config.yaml and configtx.yaml.
But how do you add a new organization or a new peer to an existing organization in a network that is already setup? Run cryptogen and configtxgen pointing to config files that contain only the new organizations/peers? Re-generate everything?
The whole point of using cryptogen is to help user to settle the crypto material for peer and organizations defined in the crypto-config.yaml file. However one can simply leverage openssl to generate keys and certificates of organization root CA, next generate user certificates and arrange them into the folder similar to what cryptogen is producing and startup your network. Therefore adding a new peer will stand up to simply generating a new set of keys and certificate signed by the root CA. Finally you can simply start new peer and join it to the channel by providing genesis block, which could be fetched from ordering service.
Now, the configtxgen tool helps you to configure your Hyperledger Fabric network it terms of which organizations will form a consortium and will have rights to join the channel. Extending this configuration is a bit more involved process than simply adding a new peer, in order to complete you will have to leverage the configtxlator tool, more details and example of how to use it you can find in the following tutorial. In high level, you will have to read current channel configuration, parse it into the json format, update with new participants, compute the delta and generate configuration update transaction and the last step is to submit the update to the ordering service so it will take effect. Once you will accomplished config update you will be able to add new peers from new organization to the channel.
You can achieve this by generating the crypto material (using cryptogen extends) for the new peer, spawning the new peer and joining that peer to the existing channel on the network to sync-up.
You can find the complete guide at
Extending Hyperledger Fabric Network: Adding a new peer
I am using http://hyperledger-fabric-doc.readthedocs.io/en/latest/getting_started.html for Hyperledger Fabric setup in Ubuntu VM. As per tutorial (fabric-samples/first-network) which have two organizations with two peers have been created. I wanted to add new organization or new peer in already existing Organization dynamically. Kindly help me know the steps to add dynamically.
It isn't to the point of being "dynamic" just yet. However, the reconfiguration is done using the configtxlator tool to read the genesis block and modify it's contents, then submit it as a new transaction that updates the network/channel configuration. Please see the tutorial on configtxlator here.
New version i.e the testing version of hrperledger fabric v1.1-preview gives this feature of adding new org dynamically. Main role in this is of configtxlator, jq and configtxgen. They have given fabric-samples/first-network new example which fo this work. Download the pdf of hyperledger fabric and go to chaper 11 i.e page 59 https://media.readthedocs.org/pdf/hyperledger-fabric/latest/hyperledger-fabric.pdf you will get good documentation of how it is done. Hope this helped you.
IBM has a step-by-step guide showing in details how to use configxlator, as adding a new Org section in config JSON is not so trivial and there are additional steps, such as signing the update config block.
I has a question related to network setup of additional peer in Hyperledger Fabric.
I want to add 2 more peers to existing peer to form a network ,but all available document is all about connection peer together by using Docker. In my case I already have multiple servers. so I just directly install peers to 3 different Servers separately ,but how can I connect that 3 peer up and running together. I cannot find any document related to this.
Hopp you can guide.
To install Fabric directly to Server is recommend or not?
Below is Screenshot of one peer. it's up and running fine. but How to connect 3 peers together directly on different Server without using Docker.
I have follow this link: https://github.com/hyperledger/fabric/blob/master/docs/Setup/Network-setup.md
but I still can't find the way since it used docker.
any file that can modify to make it such as core.yaml ..etc
enter image description here
When using Hyperledger Fabric version 0.6, there is not a straightforward way to connect multiple peers on different servers without using Docker. As you noted, the Setting Up a Network section covers how to use Docker Compose to link peers together. One of the primary uses of a Hyperledger Fabric version 0.6 network is to learn how to develop chaincode. The focus isn't so much on dynamically allowing peers to join a network.
There are a few options for creating a blockchain network for Hyperledger Fabric version 0.6.
Published Docker images
Setting up a development environment
An instance of the Blockchain service on Bluemix can be created.
Hyperledger Fabric 1.0 (currently under development) aims to make it easier for different entities to join a blockchain network. An early preview of related concepts were covered during a Connect-A-Thon event. There is also an article about this event.
Yes. We can create a blockchain network without docker using Hyperledger Fabric v0.6. We have been done it in practice. For sure, we have to use docker to deploy chaincode.
For Hyperledger Fabric v0.6, both with docker or without it, we can not add more peers to existing network.