github.com/yacovm/fabric@v2.0.0-alpha.0.20191128145320-c5d4087dc723+incompatible/docs/source/policies/policies.md (about) 1 # Policies 2 3 **Audience**: Architects, application and smart contract developers, 4 administrators 5 6 In this topic, we'll cover: 7 8 * [What is a policy](#what-is-a-policy) 9 * [Why are policies needed](#why-are-policies-needed) 10 * [How are policies implemented throughout Fabric](#how-are-policies-implemented-throughout-fabric) 11 * [Fabric policy domains](#fabric-policy-domains) 12 * [How do you write a policy in Fabric](#how-do-you-write-a-policy-in-fabric) 13 * [Fabric chaincode lifecycle](#fabric-chaincode-lifecyle) 14 * [Overriding policy definitions](#overriding-policy-definitions) 15 16 ## What is a policy 17 18 At its most basic level, a policy is a set of rules that define the structure 19 for how decisions are made and specific outcomes are reached. To that end, 20 policies typically describe a **who** and a **what**, such as the access or 21 rights that an individual has over an **asset**. We can see that policies are 22 used throughout our daily lives to protect assets of value to us, from car 23 rentals, health, our homes, and many more. 24 25 For example, an insurance policy defines the conditions, terms, limits, and 26 expiration under which an insurance payout will be made. The policy is 27 agreed to by the policy holder and the insurance company, and defines the rights 28 and responsibilities of each party. 29 30 Whereas an insurance policy is put in place for risk management, in Hyperledger 31 Fabric, policies are the mechanism for infrastructure management. Fabric policies 32 represent how members come to agreement on accepting or rejecting changes to the 33 network, a channel, or a smart contract. Policies are agreed to by the consortium 34 members when a network is originally configured, but they can also be modified 35 as the network evolves. For example, they describe the criteria for adding or 36 removing members from a channel, change how blocks are formed, or specify the 37 number of organizations required to endorse a smart contract. All of these 38 actions are described by a policy which defines who can perform the action. 39 Simply put, everything you want to do on a Fabric network is controlled by a 40 policy. 41 42 ## Why are policies needed 43 44 Policies are one of the things that make Hyperledger Fabric different from other 45 blockchains like Ethereum or Bitcoin. In those systems, transactions can be 46 generated and validated by any node in the network. The policies that govern the 47 network are fixed at any point in time and can only to be changed using the same 48 process that governs the code. Because Fabric is a permissioned blockchain whose 49 users are recognized by the underlying infrastructure, those users have the 50 ability to decide on the governance of the network before it is launched, and 51 change the governance of a running network. 52 53 Policies allow members to decide which organizations can access or update a Fabric 54 network, and provide the mechanism to enforce those decisions. Policies contain 55 the lists of organizations that have access to a given resource, such as a 56 user or system chaincode. They also specify how many organizations need to agree 57 on a proposal to update a resource, such as a channel or smart contracts. Once 58 they are written, policies evaluate the collection of signatures attached to 59 transactions and proposals and validate if the signatures fulfill the governance 60 agreed to by the network. 61 62 ## How are policies implemented throughout Fabric 63 64 Policies are implemented at different levels of a Fabric network. Each policy 65 domain governs different aspects of how a network operates. 66 67  *A visual representation 68 of the Fabric policy hierarchy.* 69 70 ### System channel configuration 71 72 Every network begins with an ordering **system channel**. There must be exactly 73 one ordering system channel for an ordering service, and it is the first channel 74 to be created. The system channel also contains the organizations who are the 75 members of the ordering service (ordering organizations) and those that are 76 on the networks to transact (consortium organizations). 77 78 The policies in the ordering system channel configuration blocks govern the 79 consensus used by the ordering service and define how new blocks are created. 80 The system channel also governs which members of the consortium are allowed to 81 create new channels. 82 83 ### Application channel configuration 84 85 Application _channels_ are used to provide a private communication mechanism 86 between organizations in the consortium. 87 88 The policies in an application channel govern the ability to add or remove 89 members from the channel. Application channels also govern which organizations 90 are required to approve a chaincode before the chaincode is defined and 91 committed to a channel using the Fabric chaincode lifecyle. When an application 92 channel is initially created, it inherits all the ordering service parameters 93 from the orderer system channel by default. However, those parameters (and the 94 policies governing them) can be customized in each channel. 95 96 ### Access control lists (ACLs) 97 98 Network administrators will be especially interested in the Fabric use of ACLs, 99 which provide the ability to configure access to resources by associating those 100 resources with existing policies. These "resources" could be functions on system 101 chaincode (e.g., "GetBlockByNumber" on the "qscc" system chaincode) or other 102 resources (e.g.,who can receive Block events). ACLs refer to policies 103 defined in an application channel configuraton and extends them to control 104 additional resources. The default set of Fabric ACLs is visible in the 105 `configtx.yaml` file under the `Application: &ApplicationDefaults` section but 106 they can and should be overridden in a production environment. The list of 107 resources named in `configtx.yaml` is the complete set of all internal resources 108 currently defined by Fabric. 109 110 In that file, ACLs are expressed using the following format: 111 112 ``` 113 # ACL policy for chaincode to chaincode invocation 114 peer/ChaincodeToChaincode: /Channel/Application/Readers 115 ``` 116 117 Where `peer/ChaincodeToChaincode` represents the resource being secured and 118 `/Channel/Application/Readers` refers to the policy which must be satisfied for 119 the associated transaction to be considered valid. 120 121 For a deeper dive into ACLS, refer to the topic in the Operations Guide on [ACLs](../access_control.html). 122 123 ### Smart contract endorsement policies 124 125 Every smart contract inside a chaincode package has an endorsement policy that 126 specifies how many peers belonging to different channel members need to execute 127 and validate a transaction against a given smart contract in order for the 128 transaction to be considered valid. Hence, the endorsement policies define the 129 organizations (through their peers) who must “endorse” (i.e., approve of) the 130 execution of a proposal. 131 132 ### Modification policies 133 134 There is one last type of policy that is crucial to how policies work in Fabric, 135 the `Modification policy`. Modification policies specify the group of identities 136 required to sign (approve) any configuration _update_. It is the policy that 137 defines how the policy is updated. Thus, each channel configuration element 138 includes a reference to a policy which governs its modification. 139 140 ## The policy domains 141 142 While Fabric policies are flexible and can be configured to meet the needs of a 143 network, the policy structure naturally leads to a division between the domains 144 governed by either the Ordering Service organizations or the members of the 145 consortium. In the following diagram you can see how the default policies 146 implement control over the Fabric policy domains below. 147 148  *A more detailed look at the 149 policy domains governed by the Orderer organizations and consortium organizations.* 150 151 A fully functional Fabric network can feature many organizations with different 152 responsibilities. The domains provide the ability to extend different privileges 153 and roles to different organizations by allowing the founders of the ordering 154 service the ability to establish the initial rules and membership of the 155 consortium. They also allow the organizations that join the consortium to create 156 private application channels, govern their own business logic, and restrict 157 access to the data that is put on the network. 158 159 The system channel configuration and a portion of each application channel 160 configuration provides the ordering organizations control over which organizations 161 are members of the consortium, how blocks are delivered to channels, and the 162 consensus mechanism used by the nodes of the ordering service. 163 164 The system channel configuration provides members of the consortium the ability 165 to create channels. Application channels and ACLs are the mechanism that 166 consortium organizations use to add or remove members from a channel and restrict 167 access to data and smart contracts on a channel. 168 169 ## How do you write a policy in Fabric 170 171 If you want to change anything in Fabric, the policy associated with the resource 172 describes **who** needs to approve it, either with an explicit sign off from 173 individuals, or an implicit sign off by a group. In the insurance domain, an 174 explicit sign off could be a single member of the homeowners insurance agents 175 group. And an implicit sign off would be analogous to requiring approval from a 176 majority of the managerial members of the homeowners insurance group. This is 177 particularly useful because the members of that group can change over time 178 without requiring that the policy be updated. In Hyperledger Fabric, explicit 179 sign offs in policies are expressed using the `Signature` syntax and implicit 180 sign offs use the `ImplicitMeta` syntax. 181 182 ### Signature policies 183 184 `Signature` policies define specific types of users who must sign in order for a 185 policy to be satisfied such as `Org1.Peer OR Org2.Peer`. These policies are 186 considered the most versatile because they allow for the construction of 187 extremely specific rules like: “An admin of org A and 2 other admins, or 5 of 6 188 organization admins”. The syntax supports arbitrary combinations of `AND`, `OR` 189 and `NOutOf`. For example, a policy can be easily expressed by using `AND 190 (Org1, Org2)` which means that a signature from at least one member in Org1 AND 191 one member in Org2 is required for the policy to be satisfied. 192 193 ### ImplicitMeta policies 194 195 `ImplicitMeta` policies are only valid in the context of channel configuration 196 which is based on a tiered hierarchy of policies in a configuration tree. ImplicitMeta 197 policies aggregate the result of policies deeper in the configuration tree that 198 are ultimately defined by Signature policies. They are `Implicit` because they 199 are constructed implicitly based on the current organizations in the 200 channel configuration, and they are `Meta` because their evaluation is not 201 against specific MSP principals, but rather against other sub-policies below 202 them in the configuration tree. 203 204 The following diagram illustrates the tiered policy structure for an application 205 channel and shows how the `ImplicitMeta` channel configuration admins policy, 206 named `/Channel/Admins`, is resolved when the sub-policies named `Admins` below it 207 in the configuration hierarchy are satisfied where each check mark represents that 208 the conditions of the sub-policy were satisfied. 209 210  211 212 As you can see in the diagram above, `ImplicitMeta` policies, Type = 3, use a 213 different syntax, `"<ANY|ALL|MAJORITY> <SubPolicyName>"`, for example: 214 ``` 215 `MAJORITY sub policy: Admins` 216 ``` 217 The diagram shows a sub-policy `Admins`, which refers to all the `Admins` policy 218 below it in the configuration tree. You can create your own sub-policies 219 and name them whatever you want and then define them in each of your 220 organizations. 221 222 As mentioned above, a key benefit of an `ImplicitMeta` policy such as `MAJORITY 223 Admins` is that when you add a new admin organization to the channel, you do not 224 have to update the channel policy. Therefore `ImplicitMeta` policies are 225 considered to be more flexible as the consortium members change. The consortium 226 on the orderer can change as new members are added or an existing member leaves 227 with the consortium members agreeing to the changes, but no policy updates are 228 required. Recall that `ImplicitMeta` policies ultimately resolve the 229 `Signature` sub-policies underneath them in the configuration tree as the 230 diagram shows. 231 232 You can also define an application level implicit policy to operate across 233 organizations, in a channel for example, and either require that ANY of them 234 are satisfied, that ALL are satisfied, or that a MAJORITY are satisfied. This 235 format lends itself to much better, more natural defaults, so that each 236 organization can decide what it means for a valid endorsement. 237 238 Further granularity and control can be achieved if you include [`NodeOUs`](msp.html#organizational-units) in your 239 organization definition. Organization Units (OUs) are defined in the Fabric CA 240 client configuration file and can be associated with an identity when it is 241 created. In Fabric, `NodeOUs` provide a way to classify identities in a digital 242 certificate hierarchy. For instance, an organization having specific `NodeOUs` 243 enabled could require that a 'peer' sign for it to be a valid endorsement, 244 whereas an organization without any might simply require that any member can 245 sign. 246 247 ## An example: channel configuration policy 248 249 Understanding policies begins with examining the `configtx.yaml` where the 250 channel policies are defined. We can use the `configtx.yaml` file in the BYFN 251 (first-network) tutorial to see examples of both policy syntax types. Navigate to the [fabric-samples/first-network](https://github.com/hyperledger/fabric-samples/blob/master/first-network/configtx.yaml) 252 directory and examine the configtx.yaml file for BYFN. 253 254 The first section of the file defines the Organizations of the network. Inside each 255 organization definition are the default policies for that organization, `Readers, Writers, 256 Admins, and Endorsement`, although you can name your policies anything you want. 257 Each policy has a `Type` which describes how the policy is expressed (`Signature` 258 or `ImplicitMeta`) and a `Rule`. 259 260 The BYFN example below shows the `Org1` organization definition in the system 261 channel, where the policy `Type` is `Signature` and the Endorsement policy rule 262 is defined as `"OR('Org1MSP.peer')"` which means that peer that is a member of 263 `Org1MSP` is required to sign. It is these Signature policies that become the 264 sub-policies that the ImplicitMeta policies point to. 265 266 <details> 267 <summary> 268 **Click here to see an example of an organization defined with signature policies** 269 </summary> 270 271 ``` 272 - &Org1 273 # DefaultOrg defines the organization which is used in the sampleconfig 274 # of the fabric.git development environment 275 Name: Org1MSP 276 277 # ID to load the MSP definition as 278 ID: Org1MSP 279 280 MSPDir: crypto-config/peerOrganizations/org1.example.com/msp 281 282 # Policies defines the set of policies at this level of the config tree 283 # For organization policies, their canonical path is usually 284 # /Channel/<Application|Orderer>/<OrgName>/<PolicyName> 285 Policies: 286 Readers: 287 Type: Signature 288 Rule: "OR('Org1MSP.admin', 'Org1MSP.peer', 'Org1MSP.client')" 289 Writers: 290 Type: Signature 291 Rule: "OR('Org1MSP.admin', 'Org1MSP.client')" 292 Admins: 293 Type: Signature 294 Rule: "OR('Org1MSP.admin')" 295 Endorsement: 296 Type: Signature 297 Rule: "OR('Org1MSP.peer')" 298 ``` 299 </details> 300 301 The next example shows the `ImplicitMeta` policy type used in the `Orderer` 302 section of the `configtx.yaml` file which defines the default 303 behavior of the orderer and also contains the associated policies `Readers`, 304 `Writers`, and `Admins`. Again, these ImplicitMeta policies are evaluated based 305 on their underlying Signature sub-policies which we saw in the snippet above. 306 307 <details> 308 <summary> 309 **Click here to see an example of ImplicitMeta policies** 310 </summary> 311 ``` 312 313 ################################################################################ 314 # 315 # SECTION: Orderer 316 # 317 # - This section defines the values to encode into a config transaction or 318 # genesis block for orderer related parameters 319 # 320 ################################################################################ 321 Orderer: &OrdererDefaults 322 323 # Organizations is the list of orgs which are defined as participants on 324 # the orderer side of the network 325 Organizations: 326 327 # Policies defines the set of policies at this level of the config tree 328 # For Orderer policies, their canonical path is 329 # /Channel/Orderer/<PolicyName> 330 Policies: 331 Readers: 332 Type: ImplicitMeta 333 Rule: "ANY Readers" 334 Writers: 335 Type: ImplicitMeta 336 Rule: "ANY Writers" 337 Admins: 338 Type: ImplicitMeta 339 Rule: "MAJORITY Admins" 340 # BlockValidation specifies what signatures must be included in the block 341 # from the orderer for the peer to validate it. 342 BlockValidation: 343 Type: ImplicitMeta 344 Rule: "ANY Writers" 345 346 ``` 347 </details> 348 349 ## Fabric chaincode lifecycle 350 351 In the Fabric Alpha 2.0 release, a new chaincode lifecycle process was introduced, 352 whereby a more democratic process is used to govern chaincode on the network. 353 The new process allows multiple organizations to vote on how a chaincode will 354 be operated before it can be used on a channel. This is significant because it is 355 the combination of this new lifecycle process and the policies that are 356 specified during that process that dictate the security across the network. More details on 357 the flow are available in the [Chaincode for Operators](../chaincode4noah.html) 358 tutorial, but for purposes of this topic you should understand how policies are 359 used in this flow. The new flow includes two steps where policies are specified: 360 when chaincode is **approved** by organization members, and when it is **committed** 361 to the channel. 362 363 The `Application` section of the `configtx.yaml` file includes the default 364 chaincode lifecycle endorsement policy. In a production environment you would 365 customize this definition for your own use case. 366 367 ``` 368 ################################################################################ 369 # 370 # SECTION: Application 371 # 372 # - This section defines the values to encode into a config transaction or 373 # genesis block for application related parameters 374 # 375 ################################################################################ 376 Application: &ApplicationDefaults 377 378 # Organizations is the list of orgs which are defined as participants on 379 # the application side of the network 380 Organizations: 381 382 # Policies defines the set of policies at this level of the config tree 383 # For Application policies, their canonical path is 384 # /Channel/Application/<PolicyName> 385 Policies: 386 Readers: 387 Type: ImplicitMeta 388 Rule: "ANY Readers" 389 Writers: 390 Type: ImplicitMeta 391 Rule: "ANY Writers" 392 Admins: 393 Type: ImplicitMeta 394 Rule: "MAJORITY Admins" 395 LifecycleEndorsement: 396 Type: ImplicitMeta 397 Rule: "MAJORITY Endorsement" 398 Endorsement: 399 Type: ImplicitMeta 400 Rule: "MAJORITY Endorsement" 401 ``` 402 403 - The `LifecycleEndorsement` policy governs who needs to _approve a chaincode 404 definition_. 405 - The `Endorsement` policy is the _default endorsement policy for 406 a chaincode_. More on this below. 407 408 ## Chaincode endorsement policies 409 410 The endorsement policy is specified for a **chaincode** when it is approved 411 and committed to the channel using the Fabric chaincode lifecycle (that is, one 412 endorsement policy covers all of the state associated with a chaincode). The 413 endorsement policy can be specified either by reference to an endorsement policy 414 defined in the channel configuration or by explicitly specifying a Signature policy. 415 416 If an endorsement policy is not explicitly specified during the approval step, 417 the default `Endorsement` policy `"MAJORITY Endorsement"` is used which means 418 that a majority of the peers belonging to the different channel members 419 (organizations) need to execute and validate a transaction against the chaincode 420 in order for the transaction to be considered valid. This default policy allows 421 organizations that join the channel to become automatically added to the chaincode 422 endorsement policy. If you don't want to use the default endorsement 423 policy, use the Signature policy format to specify a more complex endorsement 424 policy (such as requiring that a chaincode be endorsed by one organization, and 425 then one of the other organizations on the channel). 426 427 Signature policies also allow you to include `principals` which are simply a way 428 of matching an identity to a role. Principals are just like user IDs or group 429 IDs, but they are more versatile because they can include a wide range of 430 properties of an actor’s identity, such as the actor’s organization, 431 organizational unit, role or even the actor’s specific identity. When we talk 432 about principals, they are the properties which determine their permissions. 433 Principals are described as 'MSP.ROLE', where `MSP` represents the required MSP 434 ID (the organization), and `ROLE` represents one of the four accepted roles: 435 Member, Admin, Client, and Peer. A role is associated to an identity when a user 436 enrolls with a CA. You can customize the list of roles available on your Fabric 437 CA. 438 439 Some examples of valid principals are: 440 * 'Org0.Admin': an administrator of the Org0 MSP 441 * 'Org1.Member': a member of the Org1 MSP 442 * 'Org1.Client': a client of the Org1 MSP 443 * 'Org1.Peer': a peer of the Org1 MSP 444 * 'OrdererOrg.Orderer': an orderer in the OrdererOrg MSP 445 446 There are cases where it may be necessary for a particular state 447 (a particular key-value pair, in other words) to have a different endorsement 448 policy. This **state-based endorsement** allows the default chaincode-level 449 endorsement policies to be overridden by a different policy for the specified 450 keys. 451 452 For a deeper dive on how to write an endorsement policy refer to the topic on 453 [Endorsement policies](../endorsement-policies.html) in the Operations Guide. 454 455 **Note:** Policies work differently depending on which version of Fabric you are 456 using: 457 - In Fabric releases prior to the 2.0 Alpha release, chaincode endorsement 458 policies can be updated during chaincode instantiation or 459 by using the chaincode lifecycle commands. If not specified at instantiation 460 time, the endorsement policy defaults to “any member of the organizations in the 461 channel”. For example, a channel with “Org1” and “Org2” would have a default 462 endorsement policy of “OR(‘Org1.member’, ‘Org2.member’)”. 463 - Starting with the Alpha 2.0 release, Fabric introduced a new chaincode 464 lifecycle process that allows multiple organizations to agree on how a 465 chaincode will be operated before it can be used on a channel. The new process 466 requires that organizations agree to the parameters that define a chaincode, 467 such as name, version, and the chaincode endorsement policy. 468 469 ## Overriding policy definitions 470 471 Hyperledger Fabric includes default policies which are useful for getting started, 472 developing, and testing your blockchain, but they are meant to be customized 473 in a production environment. You should be aware of the default policies 474 in the `configtx.yaml` file. Channel configuration policies can be extended 475 with arbitrary verbs, beyond the default `Readers, Writers, Admins` in 476 `configtx.yaml`. The orderer system and application channels are overridden by 477 issuing a config update when you override the default policies by editing the 478 `configtx.yaml` for the orderer system channel or the `configtx.yaml` for a 479 specific channel. 480 481 See the topic on 482 [Updating a channel configuration](../config_update.html#updating-a-channel-configuration) 483 for more information. 484 485 <!--- Licensed under Creative Commons Attribution 4.0 International License 486 https://creativecommons.org/licenses/by/4.0/) -->