I am trying out Composer REST server multiuser mode.
This is my setup:
I have 3 NetworkAdmin users: alice, bob and charles.
Through these admins I have issued identities to jdoe and dave (for alice and bob respectively), each with their ACLs as participants.
So alice is an admin with participant/identity jdoe,
bob is an admin with participant/identity dave,
charles is an admin.
The setup is similar to Using two business cards in the same composer rest server configuration
-> I start the REST server for alice with multiuser mode enabled and add identity jdoe to its wallet. Now when I try to do a REST operation it says:
"message": "Error trying login and get user Context. Error: Error trying to enroll user or load channel configuration. Error: Enrollment failed with errors [[{\"code\":20,\"message\":\"Authorization failure\"}]]"
-> Same for bob: if I try to add dave it gives the same error.
-> Also, if I try to add identities dave and jdoe to charles' wallet it gives the same error.
However, the multiuser mode works in the following scenario:
1) Through alice, who is an admin, I create a participant 'restadmin' who is also a NetworkAdmin
composer participant add -c alice#trade-network -d '{"$class":"org.hyperledger.composer.system.NetworkAdmin", "participantId":"restadmin"}'
composer identity issue -c alice#trade-network -f cards/restadmin.card -u restadmin -a "resource:org.hyperledger.composer.system.NetworkAdmin#restadmin"
composer card import -f cards/restadmin.card
composer network ping -c restadmin#trade-network
2) Now I create another participant Jam through alice
composer participant add -c alice#trade-network -d '{"$class":"org.example.trading.Trader","tradeId":"trader4", "RepfirstName":"Jam","ReplastName":"J"}'
composer identity issue -c alice#trade-network -f cards/jam.card -u jam -a "resource:org.cdc.MortalityCard.State#state4-ny"
composer card import -f cards/jam.card
composer card export -f cards/jam_exp.card -c jam#trade-network ; rm cards/jam.card
3) Now it works. This is hilarious; I have no idea why it didn't work in the previous scenario. Now it works only if the identity Jam is set as the default. It doesn't work with jdoe or dave.
No idea why. Suggestions?
The difference is that in scenario 2 you've exported the cards with credentials (cert/key); in scenario 1 they're trying to enrol again (because you've only got the secret in the card, no credentials set).
When the identity is issued by the Fabric Certificate Authority (CA) server, a one-time secret is created (i.e. it is part of the card that is created). When the card is used for the first time (e.g. to connect to or ping the business network using the card), the secret is exchanged for certificates/keys (credentials) and then the one-time secret is invalidated. For scenario 1, you need to export it (e.g. via the command line with composer card export -c jdoe# -f jdoe-plus-cert.card) and then import that new .card file into the REST API wallet (e.g. the /Import endpoint), and then it would also work for you in the REST API.
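The check implied by the answer above is "does this card carry a certificate and key, or only a one-time enrollment secret?" The following is an added example, not code from the question, the answer or the Composer project: it builds two sample card archives in memory and classifies them. It assumes the card layout I understand Composer to use (a zip with metadata.json, connection.json and an optional credentials/ folder holding certificate and privateKey); if your Composer version differs, adjust the path constants.

```python
import io
import json
import zipfile

# Paths inside a business network card archive (a .card file is a zip).
# Assumption: this is the layout used by composer-common; adjust if needed.
METADATA = "metadata.json"
CERT_PATH = "credentials/certificate"
KEY_PATH = "credentials/privateKey"


def build_card(user_name, network, secret=None, with_credentials=False):
    """Construct a minimal sample card in memory (constructed data, not a real card)."""
    metadata = {"version": 1, "userName": user_name, "businessNetwork": network}
    if secret is not None:
        metadata["enrollmentSecret"] = secret
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(METADATA, json.dumps(metadata))
        zf.writestr("connection.json", json.dumps({"name": "hlfv1", "type": "hlfv1"}))
        if with_credentials:
            # Placeholder PEM bodies; a real card holds the enrolled cert and key.
            zf.writestr(CERT_PATH, "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
            zf.writestr(KEY_PATH, "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n")
    return buf.getvalue()


def inspect_card(card_bytes):
    """Read the card archive and report what it contains."""
    with zipfile.ZipFile(io.BytesIO(card_bytes)) as zf:
        names = set(zf.namelist())
        metadata = json.loads(zf.read(METADATA))
    return {
        "user": metadata.get("userName"),
        "network": metadata.get("businessNetwork"),
        "has_secret": "enrollmentSecret" in metadata,
        "has_credentials": CERT_PATH in names and KEY_PATH in names,
    }


def classify(card_bytes):
    """'credentials': safe to import into a REST wallet as-is.
    'secret-only': works exactly once; after the secret is consumed (e.g. by a
    CLI ping) a copy of this card fails with an Authorization failure.
    'unusable': neither a secret nor credentials."""
    info = inspect_card(card_bytes)
    if info["has_credentials"]:
        return "credentials"
    if info["has_secret"]:
        return "secret-only"
    return "unusable"


if __name__ == "__main__":
    # Sample cards mirroring the two scenarios in the question.
    jdoe = build_card("jdoe", "trade-network", secret="one-time-secret")
    jam = build_card("jam", "trade-network", with_credentials=True)
    for name, card in (("jdoe", jdoe), ("jam", jam)):
        print(name, classify(card), inspect_card(card))
```

To inspect a real card, read the .card file into bytes and pass it to classify(); a "secret-only" result on a card that has already been used once explains the enrollment error in the question, and the fix is the export with credentials described in the answer.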
I have installed InfluxDB. But on the server every user can log in when they type influx.
Why is it like that? Isn't it a security problem? And how can I solve it?
I want to log in with a specific admin user and its admin password.
The "why"
Different databases have used reasonings with minor differences over the years, but basically, it goes like this:
In its most simple install, <insert DBMS here> should just run - for integration tests, simple evaluation purposes etc. We could generate a root/admin/superhoncho user password, but more often than not, this is not going to be changed, and that is a Bad Thing™.
And since nobody sane would run a database in production without authentication and authorisation enabled, providing easy access in the default installation is not a problem anyway, is it?
I tend to agree with this reasoning, though I am of the opinion that in the case the DBMS has authentication and authorisation disabled per default, it should bind to localhost by default, too. You make your DBMS accessible to the outside world, and be it only your company's network? You surely have thought about the implications!
The "how"
Authentication
I am going to use docker to illustrate it and it is quite obvious what you have to do in a non-docker environment.
First, we pull the influxdb docker image and create a default config file in one go:
$ docker run --rm influxdb influxd config > influxdb.conf
Unable to find image 'influxdb:latest' locally
latest: Pulling from library/influxdb
...
Digest: sha256:0aa7fea5336b5e5cc1c80e16062865821ec772e06519c138947ef5ebd9b34907
Status: Downloaded newer image for influxdb:latest
Merging with configuration at: /etc/influxdb/influxdb.conf
Now we change the authentication parameter in the [http] section of our influxdb.conf to true:
...
[http]
auth-enabled = true
...
Next, we start our InfluxDB using this modified config file:
$ docker run -d --name influxdb -p 8086:8086 \
-v $PWD/influxdb.conf:/etc/influxdb/influxdb.conf:ro \
influxdb -config /etc/influxdb/influxdb.conf
1987f962c331d2404a2564bb752d971553b13181dbbbb1e38cf50d345b3191c4
(The hash sum you get will be different.)
Now, we connect to our InfluxDB and create the admin user:
$ docker exec -it influxdb influx
Connected to http://localhost:8086 version 1.7.8
InfluxDB shell version: 1.7.8
> create user admin with password 'secret' with all privileges;
From this point on, credentials are needed for pretty much everything:
> show users
ERR: unable to parse authentication credentials
Warning: It is possible this error is due to not setting a database.
Please set a database with the command "use <database>".
> auth
username: admin
password:
> show users
user admin
---- -----
admin true
Authorization
Simple mnemonic: "Users are granted permissions per database." So, in order to grant something to a user, that user must first exist:
> create user berkancetin with password 'supersecret';
> create database foobar
> grant read on foobar to berkancetin
> show users
user admin
---- -----
admin true
berkancetin false
> show grants for "berkancetin"
database privilege
-------- ---------
foobar READ
Further reading (!!!)
Ignore at your own risk. You. Have. Been. Warned.
InfluxDB authentication
InfluxDB docs on Authorization
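The answer's two hardening points (auth-enabled = true in the [http] section, and binding to localhost unless remote access is intended) can be audited from the config file before the container is started. This is an added example, not part of the answer above or of InfluxDB itself: a small line-based parser for the [section] / key = value layout of influxdb.conf (it does not implement full TOML) plus an audit of the http section, run over two constructed config fragments.

```python
# Added example: audit the [http] section of an influxdb.conf.
# The parser handles only the [section] / key = value subset of TOML that
# influxdb.conf uses, plus comments and quoted strings.

def parse_conf(text):
    """Return {section: {key: value}} for a TOML-like config fragment."""
    sections = {}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (no '#' inside values here)
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line.strip("[]").strip()  # also accepts [[array]] headers
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
                value = value[1:-1]
            sections.setdefault(current, {})[key.strip()] = value
    return sections


def audit_http(conf):
    """Return a list of findings for the [http] section (empty list = nothing to flag)."""
    http = conf.get("http", {})
    findings = []
    # InfluxDB 1.x defaults: auth-enabled = false, bind-address = ":8086"
    if http.get("auth-enabled", "false").lower() != "true":
        findings.append("http.auth-enabled is not true: anyone who can reach the port has full access")
    bind = http.get("bind-address", ":8086")
    host = bind.rsplit(":", 1)[0].strip("[]")
    if host in ("", "0.0.0.0", "::"):
        findings.append(
            f"http.bind-address {bind!r} listens on every interface; "
            "use 127.0.0.1:8086 unless remote clients are required"
        )
    return findings


# Constructed config fragments, not copied from a real deployment.
INSECURE_CONF = """
[meta]
  dir = "/var/lib/influxdb/meta"

[http]
  enabled = true
  bind-address = ":8086"   # default: all interfaces
  auth-enabled = false     # default: no authentication
"""

HARDENED_CONF = """
[http]
  enabled = true
  bind-address = "127.0.0.1:8086"
  auth-enabled = true
"""


def audit_text(text):
    """Convenience wrapper: parse then audit."""
    return audit_http(parse_conf(text))


if __name__ == "__main__":
    for label, text in (("insecure", INSECURE_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_text(text) or ["ok"])
```

Run it against the influxdb.conf generated by the docker run ... influxd config step above; the hardened fragment shows the two settings that make the findings disappear.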
I am new to Hyperledger Sawtooth; I am working on setting up Sawtooth on AWS using PuTTY, but the validator and REST API are failing to run.
Edited: The above problem is resolved.
I ran all the commands of the XO transaction family on AWS using PuTTY, but I am getting this error:
sudo xo show my-game
Error: No such game: my-game
The REST API failed. You can look in the files /var/log/sawtooth/rest_api-debug.log and /var/log/sawtooth/rest_api-error.log.
For more details on AWS and Sawtooth, see the app developer's guide (v1.2.1).
EDIT: To answer your question about playing...
You have to both create players and create a game before you can start playing XO (tic-tac-toe). For example, to create players bob and alice, type:
sawtooth keygen bob
sawtooth keygen alice
To create a game called mygame as player jack, type:
xo create mygame --username jack
For more details, again see the docs (latest version).
Alright, I need to develop a simple application on IBM Blockchain (Starter Plan). But I can't get it done, after almost 1 month of trial and error and thousands of tutorials.
So, my case is really simple (I guess):
I have a models.cto file:
namespace com.test.models
/**
* A company asset.
*/
asset Company identified by company_id {
o String company_id
o String document_key
o String document_value
o String name
o String telephone
o String email
}
/**
* A person_in_charge asset.
*/
asset PersonInCharge identified by person_in_charge_id {
o String person_in_charge_id
o String company_id
o String name
o String document_key
o String document_value
o String email
o String language
o String created_date_time
}
I tried to make it a participant instead. I tried to make a transaction and then do something with a .js file, but there are only use cases and tutorials about complex examples using assets, participants, etc. I just want to insert "PersonInCharge" and "Company" separately and query (each Company, or by id, whatever) also separately.
I was able to make an example using the Swagger API generator, but it didn't work as expected, even though it created all the methods I wanted, like this:
To summarize, I wanted to deploy my chaincode on a peer, inside a channel at IBM Blockchain. I did deploy a marble example and it did work perfectly.
A really self-describing error, not a general message:
I am following a "how to" guide for developing locally and deploying to IBM. Therefore, I am creating a bna file with composer archive create -t dir -n . and then creating a card with the downloaded connection settings (from IBM), and otherwise using this tutorial: Deploying a business network on Starter Plan
and I am failing at this step: composer network start -c adminCard -n bna-blockchain -V 0.0.1 -A admin -C ./credentials/admin-pub.pem -f delete_me.card, perhaps because I'm not able to instantiate my chaincode on IBM Blockchain.
Sorry if it looks confusing; just ask me if you have any questions about my issue.
Thanks in advance, and any help would be awesome!
Before starting the network, you need to install it:
composer network install -c adminCard -a vehicle-manufacture-network.bna
I took a break in the development and came back after a month. In that time, I had the help of a person inside IBM who could help me get it done.
And I'm here to point out some failures too.
The IBM guy (I won't say his name, of course) himself said that the service to upload a chaincode (channels/chaincode/Install chaincode) is broken and does not work well.
Also, I asked an easy-to-answer question in the IBM Blockchain paid forum but had no help at all (they did not even answer the question), even after almost 3 months. And you can't find a tutorial (besides the marbles samples) that works from start to end.
Sorry if it looks like I'm raging for nothing here, but I had a really hard time putting it all together to work 100%.
I will not show how to create a model file or transactional scripts (because there are plenty of examples of that) but the commands you need to execute in order to run the chaincode on IBM and generate a loopback API. With that said...
Let's go to what's important: the code
First things first, environment settings:
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.6 LTS
Release: 16.04
Codename: xenial
IMPORTANT: IBM Blockchain (until now, 2019-03-23) won't run under virtualized machines like VirtualBox or Hyper-V because of a couple of npm dependencies. But a hardware virtual machine (HVM) like Amazon's will do just fine.
STEPS
Install node and npm (follow the versions strictly as listed)
node -v
v8.15.1
npm -v
6.4.1
curl -O https://hyperledger.github.io/composer/unstable/prereqs-ubuntu.sh
chmod u+x prereqs-ubuntu.sh
./prereqs-ubuntu.sh
npm install -g --unsafe-perm composer-cli#0.20.5
npm install -g --unsafe-perm composer-rest-server#0.20.5
composer-rest-server -v
v0.20.5
composer -v
v0.20.5
Create a project using Hyperledger Composer Playground. Export it and navigate to the root directory of the project you just downloaded (the project can be developed locally too).
Download the connection settings file at IBM Blockchain (Overview/Connection Profile/Download) and name it connection-profile.json. Find the node registrar; you'll use it to create the cards.
Run npm install. If anything goes wrong while installing the dependencies, check that you're using exactly the same versions that I am using. If you're not, uninstall it all and start again from the beginning.
tricky zone
composer card create -f ca.card -p connection-profile.json -u admin -s *your-password*
composer card import -f ca.card -c ca
composer identity request --card ca --path ./credentials -u admin -s *your-password*
You'll see that the credentials folder was generated. Inside this folder, find the file admin-pub.pem (credentials/admin-pub.pem), copy the whole content of it, and then upload it to IBM Blockchain (Members/Certificates/Add Certificate). You'll be prompted to restart the peers; click "yes".
After the peers come back online, in the same Certificates tab, find the certificate you just added, in the ACTION column click the menu, and then choose the option "Sync Certificate".
composer archive create -t dir -n .
composer card create -f adminCard.card -p connection-profile.json -u admin -c ./credentials/admin-pub.pem -k ./credentials/admin-priv.pem --role PeerAdmin --role ChannelAdmin
composer card import -f ./adminCard.card -c adminCard
composer network install -c adminCard -a bna-name#version.bna
composer network start -c adminCard -n *bna-name* -V *bna-version* -A admin -C ./credentials/admin-pub.pem -f delete_me.card (Output: Successfully created business network card: Filename: delete_me.card)
composer card create -n *bna-name* -p connection-profile.json -u admin -c ./credentials/admin-pub.pem -k ./credentials/admin-priv.pem (Output file: admin#*bna-name*.card)
composer card import -f ./admin#*bna-name*.card (Card file: ./admin#*bna-name*.card Card name: admin#*bna-name*)
Now you'll generate the REST API (automatically generated using Swagger) with:
composer-rest-server -c admin#*bna-name* -n never -w true -p 8080
Enjoy!
I can transact with the network, and create new assets and participants, but if I try to issue an identity based on the participant I get:
Error: fabric-ca request register failed with errors
[[{"code":0,"message":"Registration of '4770' failed in affiliation validation: : scode: 401, local code: 44, local msg: Caller does not have authority to act on affiliation 'org1', remote code: 20, remote msg: Authorization failure"}]]
Where do I begin to debug this issue? I am using the IBM Enterprise Blockchain system for doing the deployment.
composer identity issue defaults to the org1 affiliation if no affiliation is supplied on the command. To specify your own affiliation you need to add the option -o affiliation=xyz (where xyz is a valid affiliation defined in your Fabric CA server). For example:
composer identity issue -c admin#network -u newuser -a org.example.mynetwork.Person#P1 -o affiliation=myaffiliation
Note that being able to provide an affiliation in playground is not possible.
I've been looking at https://github.com/rfdickerson/watson-translation-demo which attempts to show how to do authentication using Facebook OAuth on iOS and with a NodeJS Backend.
The iOS code is straightforward:
let token: String = FBSDKAccessToken.currentAccessToken().tokenString
let fbAccess = FacebookAuthenticationStrategy(
    tokenURL: "https://watsonsdkdemo.mybluemix.net/language-translation-service/api/v1/token",
    fbToken: token)
translateService = LanguageTranslation(authStrategy: fbAccess)
The problem is that the server/app.js has
var creds = appEnv.getServiceCreds(/facebook-authentication/) || {}
and the manifest.yml has
- services:
- facebook-authentication
But when you cf push the scripts to your Bluemix account you get:
FAILED
Could not find service facebook-authentication to bind to xxxxxxx
The problem is that nowhere does the author describe what the 'facebook-authentication' service is.
In the server deployment instructions they have
$ cf login
$ cf create-service speech_to_text standard speech-to-text-service
$ cf create-service text_to_speech standard text-to-speech-service
$ cf create-service language_translation standard language-translation-service
$ cf env
$ cd server
$ cf push
Nothing stating what the facebook-authentication service is.
I apologize that the instructions are incomplete. facebook-authentication is supposed to be a user-provided service. You can create it using the cf create-user-provided-service command:
cf create-user-provided-service facebook-authentication -p "APP_SECRET_GOES_HERE"
The idea is that when you register a Facebook application, they give you an App Secret. Since that secret should not be embedded in the source code, you can set it in the environment variables VCAP by creating a custom service that provides that information for you.
Note, I did not finish actually using the app secret to check the legitimacy of the credentials. Although this is a small security vulnerability for man-in-the-middle attacks, the Facebook token checking still works because in the Facebook App settings I made it so that using the App secret is not required. For now, just create the user service and set the value to anything you would like.
Hope this helps!
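The answer above leaves the server-side use of the App Secret unfinished. As an added illustration, not code from the watson-translation-demo repository (whose server is Node.js) or from its author, the following Python shows the two places the secret belongs when a backend validates a Facebook access token: computing the appsecret_proof parameter (HMAC-SHA256 of the access token keyed with the app secret) that Graph API calls can be required to carry, and checking the response of the /debug_token endpoint, which is queried with the app access token "APP_ID|APP_SECRET" as the access_token parameter. The response structure used here is a constructed sample; no network call is made.

```python
import hashlib
import hmac
import time


def appsecret_proof(access_token, app_secret):
    """Facebook's appsecret_proof: hex HMAC-SHA256 of the token, keyed with the app secret."""
    return hmac.new(app_secret.encode("utf-8"),
                    access_token.encode("utf-8"),
                    hashlib.sha256).hexdigest()


def build_debug_token_query(input_token, app_id, app_secret):
    """Query parameters for GET https://graph.facebook.com/debug_token.
    The app access token is 'APP_ID|APP_SECRET'; it must only ever be sent from the server."""
    app_access_token = f"{app_id}|{app_secret}"
    return {
        "input_token": input_token,
        "access_token": app_access_token,
        "appsecret_proof": appsecret_proof(app_access_token, app_secret),
    }


def verify_debug_token_response(response, expected_app_id, now=None):
    """Decide whether a /debug_token response vouches for the client's token.
    Returns (ok, reason). Every branch is a reason to reject the request."""
    now = time.time() if now is None else now
    data = response.get("data")
    if not isinstance(data, dict):
        return False, "no data object in response"
    if not data.get("is_valid"):
        return False, "token reported invalid"
    # A valid token issued to some other Facebook app must not be accepted here.
    if str(data.get("app_id")) != str(expected_app_id):
        return False, "token was issued for a different app"
    expires_at = data.get("expires_at", 0)
    if expires_at and expires_at <= now:  # 0 means a non-expiring token
        return False, "token expired"
    if not data.get("user_id"):
        return False, "no user bound to token"
    return True, "ok"


# Constructed sample responses in the shape /debug_token returns (not real data).
SAMPLE_OK = {"data": {"app_id": "123456", "is_valid": True, "user_id": "987",
                      "expires_at": 1_900_000_000, "scopes": ["public_profile"]}}
SAMPLE_WRONG_APP = {"data": {"app_id": "999999", "is_valid": True, "user_id": "987",
                             "expires_at": 1_900_000_000, "scopes": ["public_profile"]}}
SAMPLE_INVALID = {"data": {"is_valid": False, "error": {"code": 190}}}


if __name__ == "__main__":
    # Hypothetical identifiers; real values come from the Facebook app dashboard.
    print(build_debug_token_query("client-token", "123456", "APP_SECRET_GOES_HERE"))
    for sample in (SAMPLE_OK, SAMPLE_WRONG_APP, SAMPLE_INVALID):
        print(verify_debug_token_response(sample, "123456", now=1_800_000_000))
```

In the demo's layout the app secret would come from the user-provided service in VCAP_SERVICES rather than from source; the backend performs the /debug_token request, feeds the JSON body to verify_debug_token_response, and only then issues its own API token to the iOS client.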