[FAB-4373] Fix orderer system channel Admins

Jason Yellick · Jason Yellick · commit c2d38987e6d5 · 2017-06-05T23:23:17.000-04:00
The default /Channel/Admins policy requires the MAJORITY of sub Admins
policies to be satisfied, for the /Channel/Admins to be satisfied.
Usually this means both of /Channel/Orderer/Admins and
/Channel/Application/Admins.  However, on the ordering system channel,
this means both of /Channel/Orderer/Admins and
/Channel/Consortiums/Admins.  Because the Consortiums group does not
have an Admins policy defined, the /Channel/Admins policy can never
evaluate to true.

This CR defines an Admins policy at the /Channel/Consortiums/Admins
level which accepts all signature sets.  This causes the /Channel/Admins
policy to become equivalent to the /Channel/Orderer/Admins in the
ordering system channel case.  The /Channel/Consortiums/Admins policy is
not used for any other purpose, so the accept all definition has no
other implications.

Change-Id: Ib8a247743f52d9d4bc5b5c80d8351a91647d3f6c
Signed-off-by: Jason Yellick &lt;jyellick@us.ibm.com&gt;
diff --git a/common/configtx/tool/provisional/provisional.go b/common/configtx/tool/provisional/provisional.go
@@ -19,6 +19,7 @@ package provisional
 import (
 	"fmt"
 
+	"github.com/hyperledger/fabric/common/cauthdsl"
 	"github.com/hyperledger/fabric/common/config"
 	configvaluesmsp "github.com/hyperledger/fabric/common/config/msp"
 	"github.com/hyperledger/fabric/common/configtx"
@@ -31,6 +32,7 @@ import (
 	cb "github.com/hyperledger/fabric/protos/common"
 	ab "github.com/hyperledger/fabric/protos/orderer"
 	pb "github.com/hyperledger/fabric/protos/peer"
+	"github.com/hyperledger/fabric/protos/utils"
 	logging "github.com/op/go-logging"
 )
 
@@ -180,6 +182,20 @@ func New(conf *genesisconfig.Profile) Generator {
 	if conf.Consortiums != nil {
 		tcg := config.TemplateConsortiumsGroup()
 		tcg.Groups[config.ConsortiumsGroupKey].ModPolicy = OrdererAdminsPolicy
+
+		// Fix for https://jira.hyperledger.org/browse/FAB-4373
+		// Note, AcceptAllPolicy in this context, does not grant any unrestricted
+		// access, but allows the /Channel/Admins policy to evaluate to true
+		// for the ordering system channel while set to MAJORITY with the addition
+		// to the successful evaluation of the /Channel/Orderer/Admins policy (which
+		// is not AcceptAll
+		tcg.Groups[config.ConsortiumsGroupKey].Policies[configvaluesmsp.AdminsPolicyKey] = &cb.ConfigPolicy{
+			Policy: &cb.Policy{
+				Type:   int32(cb.Policy_SIGNATURE),
+				Policy: utils.MarshalOrPanic(cauthdsl.AcceptAllPolicy),
+			},
+		}
+
 		bs.consortiumsGroups = append(bs.consortiumsGroups, tcg)
 
 		for consortiumName, consortium := range conf.Consortiums {
