[FAB-7322] configtxgen set default res mod_policy

In v1.0, chaincode instantiation was always controlled by a policy which required a single signature. By default, we wish for chaincode instantiation to require a quorum of administrators to sign off, but doing so may break existing workflows. This CR adds a field to configtx.yaml which specifies the default mod_policy to use throughout the resources tree. If set to a single signature policy like /Channel/Application/Writers, then the old workflow of a single signer is still possible. If set to a multi-sig policy like /Channel/Application/Admins, then the user's workflow will need to be changed to accomodate the additional signing requirements. Change-Id: I021801f1540ee5ee25d110682852564650421dbd Signed-off-by: Jason Yellick <jyellick@us.ibm.com>
hyperledger · Dec 6, 2017 · d0eb668 · d0eb668
1 parent 500d3de
commit d0eb668
Show file tree

Hide file tree

Showing 4 changed files with 45 additions and 4 deletions.
diff --git a/common/tools/configtxgen/encoder/encoder.go b/common/tools/configtxgen/encoder/encoder.go
@@ -370,22 +370,26 @@ func NewChannelCreateConfigUpdate(channelID string, orderingSystemChannelGroup *
 
 	// If this channel uses the new lifecycle config, specify the seed data
 	if agc.Capabilities().LifecycleViaConfig() {
+		defaultModPolicy := policies.ChannelApplicationAdmins
+		if conf.Application.Resources != nil {
+			defaultModPolicy = conf.Application.Resources.DefaultModPolicy
+		}
 		updt.IsolatedData = map[string][]byte{
 			pb.RSCCSeedDataKey: utils.MarshalOrPanic(&cb.Config{
 				Type: int32(cb.ConfigType_RESOURCE),
 				ChannelGroup: &cb.ConfigGroup{
 					Groups: map[string]*cb.ConfigGroup{
 						resourcesconfig.ChaincodesGroupKey: &cb.ConfigGroup{
-							ModPolicy: policies.ChannelApplicationAdmins,
+							ModPolicy: defaultModPolicy,
 						},
 						resourcesconfig.PeerPoliciesGroupKey: &cb.ConfigGroup{
-							ModPolicy: policies.ChannelApplicationAdmins,
+							ModPolicy: defaultModPolicy,
 						},
 						resourcesconfig.APIsGroupKey: &cb.ConfigGroup{
-							ModPolicy: policies.ChannelApplicationAdmins,
+							ModPolicy: defaultModPolicy,
 						},
 					},
-					ModPolicy: policies.ChannelApplicationAdmins,
+					ModPolicy: defaultModPolicy,
 				},
 			}),
 		}

diff --git a/common/tools/configtxgen/localconfig/config.go b/common/tools/configtxgen/localconfig/config.go
@@ -13,6 +13,7 @@ import (
 	"time"
 
 	"github.com/hyperledger/fabric/common/flogging"
+	"github.com/hyperledger/fabric/common/policies"
 	"github.com/hyperledger/fabric/common/viperutil"
 	logging "github.com/op/go-logging"
 
@@ -93,6 +94,7 @@ type TopLevel struct {
 	Application   *Application               `yaml:"Application"`
 	Orderer       *Orderer                   `yaml:"Orderer"`
 	Capabilities  map[string]map[string]bool `yaml:"Capabilities"`
+	Resources     *Resources                 `yaml:"Resources"`
 }
 
 // Profile encodes orderer/application configuration combinations for the configtxgen tool.
@@ -113,6 +115,12 @@ type Consortium struct {
 type Application struct {
 	Organizations []*Organization `yaml:"Organizations"`
 	Capabilities  map[string]bool `yaml:"Capabilities"`
+	Resources     *Resources      `yaml:"Resources"`
+}
+
+// Resouces encodes the application-level resources configuration needed to seed the resource tree
+type Resources struct {
+	DefaultModPolicy string
 }
 
 // Organization encodes the organization-level configuration needed in config transactions.
@@ -268,6 +276,9 @@ func (p *Profile) completeInitialization(configDir string) {
 		for _, org := range p.Application.Organizations {
 			org.completeInitialization(configDir)
 		}
+		if p.Application.Resources != nil {
+			p.Application.Resources.completeInitialization()
+		}
 	}
 
 	if p.Consortiums != nil {
@@ -284,6 +295,17 @@ func (p *Profile) completeInitialization(configDir string) {
 	}
 }
 
+func (r *Resources) completeInitialization() {
+	for {
+		switch {
+		case r.DefaultModPolicy == "":
+			r.DefaultModPolicy = policies.ChannelApplicationAdmins
+		default:
+			return
+		}
+	}
+}
+
 func (org *Organization) completeInitialization(configDir string) {
 	// set the MSP type; if none is specified we assume BCCSP
 	if org.MSPType == "" {

diff --git a/examples/e2e_cli/configtx.yaml b/examples/e2e_cli/configtx.yaml
@@ -37,6 +37,8 @@ Profiles:
                 - *Org2
             Capabilities:
                 <<: *ApplicationCapabilities
+            Resources:
+                DefaultModPolicy: /Channel/Application/Writers
 
 ################################################################################
 #

diff --git a/sampleconfig/configtx.yaml b/sampleconfig/configtx.yaml
@@ -357,3 +357,16 @@ Capabilities:
         # modification of which would cause imcompatibilities.  Users should
         # leave this flag set to true.
         V1_1: true
+
+################################################################################
+#
+#   SECTION: Resources
+#
+#   - This section defines the peer resources for a fabric network.  These
+#   resources include chaincode definitions, as well as policies for how those
+#   resources can be modified.  Note, this section is only applicable if the V1_1
+#   application capability is enabled.
+#
+################################################################################
+Resources:
+    DefaultModPolicy: /Channel/Application/Admins