[FAB-9254] Specify policies in configtx.yaml

Jason Yellick · Jason Yellick · commit f519714c8f79 · 2018-04-03T14:20:45.000-04:00
This CR adds the ability to specify policies in configtx.yaml.  It is
one half of two required for users to specify their own policies.  The
second half is in FAB-9255 (submitted together) which takes these
additional config file options and encodes them into channel config.

Change-Id: I7ba264a7554d4e3656bf13f2191bd871ba401e21
Signed-off-by: Jason Yellick &lt;jyellick@us.ibm.com&gt;
diff --git a/common/tools/configtxgen/localconfig/config.go b/common/tools/configtxgen/localconfig/config.go
@@ -95,6 +95,13 @@ type Profile struct {
 	Orderer      *Orderer               `yaml:"Orderer"`
 	Consortiums  map[string]*Consortium `yaml:"Consortiums"`
 	Capabilities map[string]bool        `yaml:"Capabilities"`
+	Policies     map[string]*Policy     `yaml:"Policies"`
+}
+
+// Policy encodes a channel config policy
+type Policy struct {
+	Type string `yaml:"Type"`
+	Rule string `yaml:"Rule"`
 }
 
 // Consortium represents a group of organizations which may create channels with eachother
@@ -104,9 +111,10 @@ type Consortium struct {
 
 // Application encodes the application-level configuration needed in config transactions.
 type Application struct {
-	Organizations []*Organization `yaml:"Organizations"`
-	Capabilities  map[string]bool `yaml:"Capabilities"`
-	Resources     *Resources      `yaml:"Resources"`
+	Organizations []*Organization    `yaml:"Organizations"`
+	Capabilities  map[string]bool    `yaml:"Capabilities"`
+	Resources     *Resources         `yaml:"Resources"`
+	Policies      map[string]*Policy `yaml:"Policies"`
 }
 
 // Resouces encodes the application-level resources configuration needed to seed the resource tree
@@ -116,16 +124,21 @@ type Resources struct {
 
 // Organization encodes the organization-level configuration needed in config transactions.
 type Organization struct {
-	Name           string `yaml:"Name"`
-	ID             string `yaml:"ID"`
-	MSPDir         string `yaml:"MSPDir"`
-	MSPType        string `yaml:"MSPType"`
-	AdminPrincipal string `yaml:"AdminPrincipal"`
+	Name     string             `yaml:"Name"`
+	ID       string             `yaml:"ID"`
+	MSPDir   string             `yaml:"MSPDir"`
+	MSPType  string             `yaml:"MSPType"`
+	Policies map[string]*Policy `yaml:"Policies"`
 
 	// Note: Viper deserialization does not seem to care for
 	// embedding of types, so we use one organization struct
 	// for both orderers and applications.
 	AnchorPeers []*AnchorPeer `yaml:"AnchorPeers"`
+
+	// AdminPrincipal is deprecated and may be removed in a future release
+	// it was used for modifying the default policy generation, but policies
+	// may now be specified explicitly so it is redundant and unnecessary
+	AdminPrincipal string `yaml:"AdminPrincipal"`
 }
 
 // AnchorPeer encodes the necessary fields to identify an anchor peer.
@@ -137,14 +150,15 @@ type AnchorPeer struct {
 // Orderer contains configuration which is used for the
 // bootstrapping of an orderer by the provisional bootstrapper.
 type Orderer struct {
-	OrdererType   string          `yaml:"OrdererType"`
-	Addresses     []string        `yaml:"Addresses"`
-	BatchTimeout  time.Duration   `yaml:"BatchTimeout"`
-	BatchSize     BatchSize       `yaml:"BatchSize"`
-	Kafka         Kafka           `yaml:"Kafka"`
-	Organizations []*Organization `yaml:"Organizations"`
-	MaxChannels   uint64          `yaml:"MaxChannels"`
-	Capabilities  map[string]bool `yaml:"Capabilities"`
+	OrdererType   string             `yaml:"OrdererType"`
+	Addresses     []string           `yaml:"Addresses"`
+	BatchTimeout  time.Duration      `yaml:"BatchTimeout"`
+	BatchSize     BatchSize          `yaml:"BatchSize"`
+	Kafka         Kafka              `yaml:"Kafka"`
+	Organizations []*Organization    `yaml:"Organizations"`
+	MaxChannels   uint64             `yaml:"MaxChannels"`
+	Capabilities  map[string]bool    `yaml:"Capabilities"`
+	Policies      map[string]*Policy `yaml:"Policies"`
 }
 
 // BatchSize contains configuration affecting the size of batches.
diff --git a/sampleconfig/configtx.yaml b/sampleconfig/configtx.yaml
@@ -79,17 +79,26 @@ Profiles:
             <<: *OrdererDefaults
             Organizations:
                 - <<: *SampleOrg
-                  AdminPrincipal: Role.MEMBER
+                  Policies:
+                      Admins:
+                          Type: Signature
+                          Rule: "OR('SampleOrg.member')"
         Application:
             <<: *ApplicationDefaults
             Organizations:
                 - <<: *SampleOrg
-                  AdminPrincipal: Role.MEMBER
+                  Policies:
+                      Admins:
+                          Type: Signature
+                          Rule: "OR('SampleOrg.member')"
         Consortiums:
             SampleConsortium:
                 Organizations:
                     - <<: *SampleOrg
-                      AdminPrincipal: Role.MEMBER
+                      Policies:
+                          Admins:
+                              Type: Signature
+                              Rule: "OR('SampleOrg.member')"
 
     # SampleDevModeKafka defines a configuration that differs from the
     # SampleDevModeSolo one only in that it uses the Kafka-based orderer.
@@ -100,17 +109,26 @@ Profiles:
             OrdererType: kafka
             Organizations:
                 - <<: *SampleOrg
-                  AdminPrincipal: Role.MEMBER
+                  Policies:
+                      Admins:
+                          Type: Signature
+                          Rule: "OR('SampleOrg.member')"
         Application:
             <<: *ApplicationDefaults
             Organizations:
                 - <<: *SampleOrg
-                  AdminPrincipal: Role.MEMBER
+                  Policies:
+                      Admins:
+                          Type: Signature
+                          Rule: "OR('SampleOrg.member')"
         Consortiums:
             SampleConsortium:
                 Organizations:
                     - <<: *SampleOrg
-                      AdminPrincipal: Role.MEMBER
+                      Policies:
+                          Admins:
+                              Type: Signature
+                              Rule: "OR('SampleOrg.member')"
 
     # SampleSingleMSPChannel defines a channel with only the sample org as a
     # member. It is designed to be used in conjunction with SampleSingleMSPSolo
@@ -149,11 +167,25 @@ Organizations:
         # MSPDir is the filesystem path which contains the MSP configuration.
         MSPDir: msp
 
-        # AdminPrincipal dictates the type of principal used for an
-        # organization's Admins policy. Today, only the values of Role.ADMIN and
-        # Role.MEMBER are accepted, which indicates a principal of role type
-        # ADMIN and role type MEMBER respectively.
-        AdminPrincipal: Role.ADMIN
+        # Policies defines the set of policies at this level of the config tree
+        # For organization policies, their canonical path is usually
+        #   /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
+        Policies:
+            Readers:
+                Type: Signature
+                Rule: "OR('SampleOrg.member')"
+                # If your MSP is configured with the new NodeOUs, you might
+                # want to use a more specific rule like the following:
+                # Rule: "OR('SampleOrg.admin', 'SampleOrg.peer')"
+            Writers:
+                Type: Signature
+                Rule: "OR('SampleOrg.member')"
+                # If your MSP is configured with the new NodeOUs, you might
+                # want to use a more specific rule like the following:
+                # Rule: "OR('SampleOrg.admin', 'SampleOrg.client'')"
+            Admins:
+                Type: Signature
+                Rule: "OR('SampleOrg.admin')"
 
         # AnchorPeers defines the location of peers which can be used for
         # cross-org gossip communication. Note, this value is only encoded in
@@ -171,6 +203,23 @@ Organizations:
 #
 ################################################################################
 Channel: &ChannelDefaults
+    # Policies defines the set of policies at this level of the config tree
+    # For Channel policies, their canonical path is
+    #   /Channel/<PolicyName>
+    Policies:
+        # Who may invoke the 'Deliver' API
+        Readers:
+            Type: ImplicitMeta
+            Rule: "ANY Readers"
+        # Who may invoke the 'Broadcast' API
+        Writers:
+            Type: ImplicitMeta
+            Rule: "ANY Writers"
+        # By default, who may modify elements at this config level
+        Admins:
+            Type: ImplicitMeta
+            Rule: "MAJORITY Admins"
+
 
     # Capabilities describes the channel level capabilities, see the
     # dedicated Capabilities section elsewhere in this file for a full
@@ -238,13 +287,31 @@ Orderer: &OrdererDefaults
     # network.
     Organizations:
 
+    # Policies defines the set of policies at this level of the config tree
+    # For Orderer policies, their canonical path is
+    #   /Channel/Orderer/<PolicyName>
+    Policies:
+        Readers:
+            Type: ImplicitMeta
+            Rule: "ANY Readers"
+        Writers:
+            Type: ImplicitMeta
+            Rule: "ANY Writers"
+        Admins:
+            Type: ImplicitMeta
+            Rule: "MAJORITY Admins"
+        # BlockValidation specifies what signatures must be included in the block
+        # from the orderer for the peer to validate it.
+        BlockValidation:
+            Type: ImplicitMeta
+            Rule: "ANY Writers"
+
     # Capabilities describes the orderer level capabilities, see the
     # dedicated Capabilities section elsewhere in this file for a full
     # description
     Capabilities:
         <<: *OrdererCapabilities
 
-
 ################################################################################
 #
 #   APPLICATION
@@ -259,6 +326,20 @@ Application: &ApplicationDefaults
     # network.
     Organizations:
 
+    # Policies defines the set of policies at this level of the config tree
+    # For Application policies, their canonical path is
+    #   /Channel/Application/<PolicyName>
+    Policies:
+        Readers:
+            Type: ImplicitMeta
+            Rule: "ANY Readers"
+        Writers:
+            Type: ImplicitMeta
+            Rule: "ANY Writers"
+        Admins:
+            Type: ImplicitMeta
+            Rule: "MAJORITY Admins"
+
     # Capabilities describes the application level capabilities, see the
     # dedicated Capabilities section elsewhere in this file for a full
     # description
