github.com/yacovm/fabric@v2.0.0-alpha.0.20191128145320-c5d4087dc723+incompatible/docs/source/policies/policies.md (about)

     1  # Policies
     2  
     3  **Audience**: Architects, application and smart contract developers,
     4  administrators
     5  
     6  In this topic, we'll cover:
     7  
     8  * [What is a policy](#what-is-a-policy)
     9  * [Why are policies needed](#why-are-policies-needed)
    10  * [How are policies implemented throughout Fabric](#how-are-policies-implemented-throughout-fabric)
    11  * [Fabric policy domains](#fabric-policy-domains)
    12  * [How do you write a policy in Fabric](#how-do-you-write-a-policy-in-fabric)
    13  * [Fabric chaincode lifecycle](#fabric-chaincode-lifecyle)
    14  * [Overriding policy definitions](#overriding-policy-definitions)
    15  
    16  ## What is a policy
    17  
    18  At its most basic level, a policy is a set of rules that define the structure
    19  for how decisions are made and specific outcomes are reached. To that end,
    20  policies typically describe a **who** and a **what**, such as the access or
    21  rights that an individual has over an **asset**. We can see that policies are
    22  used throughout our daily lives to protect assets of value to us, from car
    23  rentals, health, our homes, and many more.
    24  
    25  For example, an insurance policy defines the conditions, terms, limits, and
    26  expiration under which an insurance payout will be made. The policy is
    27  agreed to by the policy holder and the insurance company, and defines the rights
    28  and responsibilities of each party.
    29  
    30  Whereas an insurance policy is put in place for risk management, in Hyperledger
    31  Fabric, policies are the mechanism for infrastructure management. Fabric policies
    32  represent how members come to agreement on accepting or rejecting changes to the
    33  network, a channel, or a smart contract. Policies are agreed to by the consortium
    34  members when a network is originally configured, but they can also be modified
    35  as the network evolves. For example, they describe the criteria for adding or
    36  removing members from a channel, change how blocks are formed, or specify the
    37  number of organizations required to endorse a smart contract. All of these
    38  actions are described by a policy which defines who can perform the action.
    39  Simply put, everything you want to do on a Fabric network is controlled by a
    40  policy.
    41  
    42  ## Why are policies needed
    43  
    44  Policies are one of the things that make Hyperledger Fabric different from other
    45  blockchains like Ethereum or Bitcoin. In those systems, transactions can be
    46  generated and validated by any node in the network. The policies that govern the
    47  network are fixed at any point in time and can only to be changed using the same
    48  process that governs the code. Because Fabric is a permissioned blockchain whose
    49  users are recognized by the underlying infrastructure, those users have the
    50  ability to decide on the governance of the network before it is launched, and
    51  change the governance of a running network.
    52  
    53  Policies allow members to decide which organizations can access or update a Fabric
    54  network, and provide the mechanism to enforce those decisions. Policies contain
    55  the lists of organizations that have access to a given resource, such as a
    56  user or system chaincode. They also specify how many organizations need to agree
    57  on a proposal to update a resource, such as a channel or smart contracts. Once
    58  they are written, policies evaluate the collection of signatures attached to
    59  transactions and proposals and validate if the signatures fulfill the governance
    60  agreed to by the network.
    61  
    62  ## How are policies implemented throughout Fabric
    63  
    64  Policies are implemented at different levels of a Fabric network. Each policy
    65  domain governs different aspects of how a network operates.
    66  
    67  ![policies.policies](./FabricPolicyHierarchy-2.png) *A visual representation
    68  of the Fabric policy hierarchy.*
    69  
    70  ### System channel configuration
    71  
    72  Every network begins with an ordering **system channel**. There must be exactly
    73  one ordering system channel for an ordering service, and it is the first channel
    74  to be created. The system channel also contains the organizations who are the
    75  members of the ordering service (ordering organizations) and those that are
    76  on the networks to transact (consortium organizations).
    77  
    78  The policies in the ordering system channel configuration blocks govern the
    79  consensus used by the ordering service and define how new blocks are created.
    80  The system channel also governs which members of the consortium are allowed to
    81  create new channels.
    82  
    83  ### Application channel configuration
    84  
    85  Application _channels_ are used to provide a private communication mechanism
    86  between organizations in the consortium.
    87  
    88  The policies in an application channel govern the ability to add or remove
    89  members from the channel. Application channels also govern which organizations
    90  are required to approve a chaincode before the chaincode is defined and
    91  committed to a channel using the Fabric chaincode lifecyle. When an application
    92  channel is initially created, it inherits all the ordering service parameters
    93  from the orderer system channel by default. However, those parameters (and the
    94  policies governing them) can be customized in each channel.
    95  
    96  ### Access control lists (ACLs)
    97  
    98  Network administrators will be especially interested in the Fabric use of ACLs,
    99  which provide the ability to configure access to resources by associating those
   100  resources with existing policies. These "resources" could be functions on system
   101  chaincode (e.g., "GetBlockByNumber" on the "qscc" system chaincode) or other
   102  resources (e.g.,who can receive Block events). ACLs refer to policies
   103  defined in an application channel configuraton and extends them to control
   104  additional resources. The default set of Fabric ACLs is visible in the
   105  `configtx.yaml` file under the `Application: &ApplicationDefaults` section but
   106  they can and should be overridden in a production environment. The list of
   107  resources named in `configtx.yaml` is the complete set of all internal resources
   108  currently defined by Fabric.
   109  
   110  In that file, ACLs are expressed using the following format:
   111  
   112  ```
   113  # ACL policy for chaincode to chaincode invocation
   114  peer/ChaincodeToChaincode: /Channel/Application/Readers
   115  ```
   116  
   117  Where `peer/ChaincodeToChaincode` represents the resource being secured and
   118  `/Channel/Application/Readers` refers to the policy which must be satisfied for
   119  the associated transaction to be considered valid.
   120  
   121  For a deeper dive into ACLS, refer to the topic in the Operations Guide on [ACLs](../access_control.html).
   122  
   123  ### Smart contract endorsement policies
   124  
   125  Every smart contract inside a chaincode package has an endorsement policy that
   126  specifies how many peers belonging to different channel members need to execute
   127  and validate a transaction against a given smart contract in order for the
   128  transaction to be considered valid. Hence, the endorsement policies define the
   129  organizations (through their peers) who must “endorse” (i.e., approve of) the
   130  execution of a proposal.
   131  
   132  ### Modification policies
   133  
   134  There is one last type of policy that is crucial to how policies work in Fabric,
   135  the `Modification policy`. Modification policies specify the group of identities
   136  required to sign (approve) any configuration _update_. It is the policy that
   137  defines how the policy is updated. Thus, each channel configuration element
   138  includes a reference to a policy which governs its modification.
   139  
   140  ## The policy domains
   141  
   142  While Fabric policies are flexible and can be configured to meet the needs of a
   143  network, the policy structure naturally leads to a division between the domains
   144  governed by either the Ordering Service organizations or the members of the
   145  consortium. In the following diagram you can see how the default policies
   146  implement control over the Fabric policy domains below.
   147  
   148  ![policies.policies](./FabricPolicyHierarchy-4.png) *A more detailed look at the
   149  policy domains governed by the Orderer organizations and consortium organizations.*
   150  
   151  A fully functional Fabric network can feature many organizations with different
   152  responsibilities. The domains provide the ability to extend different privileges
   153  and roles to different organizations by allowing the founders of the ordering
   154  service the ability to establish the initial rules and membership of the
   155  consortium. They also allow the organizations that join the consortium to create
   156  private application channels, govern their own business logic, and restrict
   157  access to the data that is put on the network.
   158  
   159  The system channel configuration and a portion of each application channel
   160  configuration provides the ordering organizations control over which organizations
   161  are members of the consortium, how blocks are delivered to channels, and the
   162  consensus mechanism used by the nodes of the ordering service.
   163  
   164  The system channel configuration provides members of the consortium the ability
   165  to create channels. Application channels and ACLs are the mechanism that
   166  consortium organizations use to add or remove members from a channel and restrict
   167  access to data and smart contracts on a channel.
   168  
   169  ## How do you write a policy in Fabric
   170  
   171  If you want to change anything in Fabric, the policy associated with the resource
   172  describes **who** needs to approve it, either with an explicit sign off from
   173  individuals, or an implicit sign off by a group. In the insurance domain, an
   174  explicit sign off could be a single member of the homeowners insurance agents
   175  group. And an implicit sign off would be analogous to requiring approval from a
   176  majority of the managerial members of the homeowners insurance group. This is
   177  particularly useful because the members of that group can change over time
   178  without requiring that the policy be updated. In Hyperledger Fabric, explicit
   179  sign offs in policies are expressed using the `Signature` syntax and implicit
   180  sign offs use the `ImplicitMeta` syntax.
   181  
   182  ### Signature policies
   183  
   184  `Signature` policies define specific types of users who must sign in order for a
   185  policy to be satisfied such as `Org1.Peer OR Org2.Peer`. These policies are
   186  considered the most versatile because they allow for the construction of
   187  extremely specific rules like: “An admin of org A and 2 other admins, or 5 of 6
   188  organization admins”. The syntax supports arbitrary combinations of `AND`, `OR`
   189  and `NOutOf`. For example, a policy can be easily expressed by using `AND
   190  (Org1, Org2)` which means that a signature from at least one member in Org1 AND
   191  one member in Org2 is required for the policy to be satisfied.
   192  
   193  ### ImplicitMeta policies
   194  
   195  `ImplicitMeta` policies are only valid in the context of channel configuration
   196  which is based on a tiered hierarchy of policies in a configuration tree. ImplicitMeta
   197  policies aggregate the result of policies deeper in the configuration tree that
   198  are ultimately defined by Signature policies. They are `Implicit` because they
   199  are constructed implicitly based on the current organizations in the
   200  channel configuration, and they are `Meta` because their evaluation is not
   201  against specific MSP principals, but rather against other sub-policies below
   202  them in the configuration tree.
   203  
   204  The following diagram illustrates the tiered policy structure for an application
   205  channel and shows how the `ImplicitMeta` channel configuration admins policy,
   206  named `/Channel/Admins`, is resolved when the sub-policies named `Admins` below it
   207  in the configuration hierarchy are satisfied where each check mark represents that
   208  the conditions of the sub-policy were satisfied.
   209  
   210  ![policies.policies](./FabricPolicyHierarchy-6.png)
   211  
   212  As you can see in the diagram above, `ImplicitMeta` policies, Type = 3, use a
   213  different syntax, `"<ANY|ALL|MAJORITY> <SubPolicyName>"`, for example:
   214  ```
   215  `MAJORITY sub policy: Admins`
   216  ```
   217  The diagram shows a sub-policy `Admins`, which refers to all the `Admins` policy
   218  below it in the configuration tree. You can create your own sub-policies
   219  and name them whatever you want and then define them in each of your
   220  organizations.
   221  
   222  As mentioned above, a key benefit of an `ImplicitMeta` policy such as `MAJORITY
   223  Admins` is that when you add a new admin organization to the channel, you do not
   224  have to update the channel policy. Therefore `ImplicitMeta` policies are
   225  considered to be more flexible as the consortium members change. The consortium
   226  on the orderer can change as new members are added or an existing member leaves
   227  with the consortium members agreeing to the changes, but no policy updates are
   228  required. Recall that `ImplicitMeta` policies ultimately resolve the
   229  `Signature` sub-policies underneath them in the configuration tree as the
   230  diagram shows.
   231  
   232  You can also define an application level implicit policy to operate across
   233  organizations, in a channel for example, and either require that ANY of them
   234  are satisfied, that ALL are satisfied, or that a MAJORITY are satisfied. This
   235  format lends itself to much better, more natural defaults, so that each
   236  organization can decide what it means for a valid endorsement.
   237  
   238  Further granularity and control can be achieved if you include [`NodeOUs`](msp.html#organizational-units) in your
   239  organization definition. Organization Units (OUs) are defined in the Fabric CA
   240  client configuration file and can be associated with an identity when it is
   241  created. In Fabric, `NodeOUs` provide a way to classify identities in a digital
   242  certificate hierarchy. For instance, an organization having specific `NodeOUs`
   243  enabled could require that a 'peer' sign for it to be a valid endorsement,
   244  whereas an organization without any might simply require that any member can
   245  sign.
   246  
   247  ## An example: channel configuration policy
   248  
   249  Understanding policies begins with examining the `configtx.yaml` where the
   250  channel policies are defined. We can use the `configtx.yaml` file in the BYFN
   251  (first-network) tutorial to see examples of both policy syntax types. Navigate to the [fabric-samples/first-network](https://github.com/hyperledger/fabric-samples/blob/master/first-network/configtx.yaml)
   252  directory and examine the configtx.yaml file for BYFN.
   253  
   254  The first section of the file defines the Organizations of the network. Inside each
   255  organization definition are the default policies for that organization, `Readers, Writers,
   256  Admins, and Endorsement`, although you can name your policies anything you want.
   257  Each policy has a `Type` which describes how the policy is expressed (`Signature`
   258  or `ImplicitMeta`) and a `Rule`.
   259  
   260  The BYFN example below shows the `Org1` organization definition in the system
   261  channel, where the policy `Type` is `Signature` and the Endorsement policy rule
   262  is defined as `"OR('Org1MSP.peer')"` which  means that peer that is a member of
   263  `Org1MSP` is required to sign. It is these Signature policies that become the
   264  sub-policies that the ImplicitMeta policies point to.  
   265  
   266  <details>
   267    <summary>
   268      **Click here to see an example of an organization defined with signature policies**
   269    </summary>
   270  
   271  ```
   272   - &Org1
   273          # DefaultOrg defines the organization which is used in the sampleconfig
   274          # of the fabric.git development environment
   275          Name: Org1MSP
   276  
   277          # ID to load the MSP definition as
   278          ID: Org1MSP
   279  
   280          MSPDir: crypto-config/peerOrganizations/org1.example.com/msp
   281  
   282          # Policies defines the set of policies at this level of the config tree
   283          # For organization policies, their canonical path is usually
   284          #   /Channel/<Application|Orderer>/<OrgName>/<PolicyName>
   285          Policies:
   286              Readers:
   287                  Type: Signature
   288                  Rule: "OR('Org1MSP.admin', 'Org1MSP.peer', 'Org1MSP.client')"
   289              Writers:
   290                  Type: Signature
   291                  Rule: "OR('Org1MSP.admin', 'Org1MSP.client')"
   292              Admins:
   293                  Type: Signature
   294                  Rule: "OR('Org1MSP.admin')"
   295              Endorsement:
   296                  Type: Signature
   297                  Rule: "OR('Org1MSP.peer')"
   298  ```
   299  </details>
   300  
   301  The next example shows the `ImplicitMeta` policy type used in the `Orderer`
   302  section of the `configtx.yaml` file which defines the default
   303  behavior of the orderer and also contains the associated policies `Readers`,
   304  `Writers`, and `Admins`. Again, these ImplicitMeta policies are evaluated based
   305  on their underlying Signature sub-policies which we saw in the snippet above.
   306  
   307  <details>
   308    <summary>
   309      **Click here to see an example of ImplicitMeta policies**
   310    </summary>
   311  ```
   312  
   313  ################################################################################
   314  #
   315  #   SECTION: Orderer
   316  #
   317  #   - This section defines the values to encode into a config transaction or
   318  #   genesis block for orderer related parameters
   319  #
   320  ################################################################################
   321  Orderer: &OrdererDefaults
   322  
   323  # Organizations is the list of orgs which are defined as participants on
   324  # the orderer side of the network
   325  Organizations:
   326  
   327  # Policies defines the set of policies at this level of the config tree
   328  # For Orderer policies, their canonical path is
   329  #   /Channel/Orderer/<PolicyName>
   330  Policies:
   331  Readers:
   332      Type: ImplicitMeta
   333      Rule: "ANY Readers"
   334  Writers:
   335      Type: ImplicitMeta
   336      Rule: "ANY Writers"
   337  Admins:
   338      Type: ImplicitMeta
   339      Rule: "MAJORITY Admins"
   340  # BlockValidation specifies what signatures must be included in the block
   341  # from the orderer for the peer to validate it.
   342  BlockValidation:
   343      Type: ImplicitMeta
   344      Rule: "ANY Writers"
   345  
   346  ```
   347  </details>
   348  
   349  ## Fabric chaincode lifecycle
   350  
   351  In the Fabric Alpha 2.0 release, a new chaincode lifecycle process was introduced,
   352  whereby a more democratic process is used to govern chaincode on the network.
   353  The new process allows multiple organizations to vote on how a chaincode will
   354  be operated before it can be used on a channel. This is significant because it is
   355  the combination of this new lifecycle process and the policies that are
   356  specified during that process that dictate the security across the network. More details on
   357  the flow are available in the [Chaincode for Operators](../chaincode4noah.html)
   358  tutorial, but for purposes of this topic you should understand how policies are
   359  used in this flow. The new flow includes two steps where policies are specified:
   360  when chaincode is **approved**  by organization members, and when it is **committed**
   361  to the channel.
   362  
   363  The `Application` section of  the `configtx.yaml` file includes the default
   364  chaincode lifecycle endorsement policy. In a production environment you would
   365  customize this definition for your own use case.
   366  
   367  ```
   368  ################################################################################
   369  #
   370  #   SECTION: Application
   371  #
   372  #   - This section defines the values to encode into a config transaction or
   373  #   genesis block for application related parameters
   374  #
   375  ################################################################################
   376  Application: &ApplicationDefaults
   377  
   378      # Organizations is the list of orgs which are defined as participants on
   379      # the application side of the network
   380      Organizations:
   381  
   382      # Policies defines the set of policies at this level of the config tree
   383      # For Application policies, their canonical path is
   384      #   /Channel/Application/<PolicyName>
   385      Policies:
   386          Readers:
   387              Type: ImplicitMeta
   388              Rule: "ANY Readers"
   389          Writers:
   390              Type: ImplicitMeta
   391              Rule: "ANY Writers"
   392          Admins:
   393              Type: ImplicitMeta
   394              Rule: "MAJORITY Admins"
   395          LifecycleEndorsement:
   396              Type: ImplicitMeta
   397              Rule: "MAJORITY Endorsement"
   398          Endorsement:
   399              Type: ImplicitMeta
   400              Rule: "MAJORITY Endorsement"
   401  ```
   402  
   403  - The `LifecycleEndorsement` policy governs who needs to _approve a chaincode
   404  definition_.
   405  - The `Endorsement` policy is the _default endorsement policy for
   406  a chaincode_. More on this below.
   407  
   408  ## Chaincode endorsement policies
   409  
   410  The endorsement policy is specified for a **chaincode** when it is approved
   411  and committed to the channel using the Fabric chaincode lifecycle (that is, one
   412  endorsement policy covers all of the state associated with a chaincode). The
   413  endorsement policy can be specified either by reference to an endorsement policy
   414  defined in the channel configuration or by explicitly specifying a Signature policy.
   415  
   416  If an endorsement policy is not explicitly specified during the approval step,
   417  the default `Endorsement` policy `"MAJORITY Endorsement"` is used which means
   418  that a majority of the peers belonging to the different channel members
   419  (organizations) need to execute and validate a transaction against the chaincode
   420  in order for the transaction to be considered valid.  This default policy allows
   421  organizations that join the channel to become automatically added to the chaincode
   422  endorsement policy. If you don't want to use the default endorsement
   423  policy, use the Signature policy format to specify a more complex endorsement
   424  policy (such as requiring that a chaincode be endorsed by one organization, and
   425  then one of the other organizations on the channel).
   426  
   427  Signature policies also allow you to include `principals` which are simply a way
   428  of matching an identity to a role. Principals are just like user IDs or group
   429  IDs, but they are more versatile because they can include a wide range of
   430  properties of an actor’s identity, such as the actor’s organization,
   431  organizational unit, role or even the actor’s specific identity. When we talk
   432  about principals, they are the properties which determine their permissions.
   433  Principals are described as 'MSP.ROLE', where `MSP` represents the required MSP
   434  ID (the organization),  and `ROLE` represents one of the four accepted roles:
   435  Member, Admin, Client, and Peer. A role is associated to an identity when a user
   436  enrolls with a CA. You can customize the list of roles available on your Fabric
   437  CA.
   438  
   439  Some examples of valid principals are:
   440  * 'Org0.Admin': an administrator of the Org0 MSP
   441  * 'Org1.Member': a member of the Org1 MSP
   442  * 'Org1.Client': a client of the Org1 MSP
   443  * 'Org1.Peer': a peer of the Org1 MSP
   444  * 'OrdererOrg.Orderer': an orderer in the OrdererOrg MSP
   445  
   446  There are cases where it may be necessary for a particular state
   447  (a particular key-value pair, in other words) to have a different endorsement
   448  policy. This **state-based endorsement** allows the default chaincode-level
   449  endorsement policies to be overridden by a different policy for the specified
   450  keys.
   451  
   452  For a deeper dive on how to write an endorsement policy refer to the topic on
   453  [Endorsement policies](../endorsement-policies.html) in the Operations Guide.
   454  
   455  **Note:**  Policies work differently depending on which version of Fabric you are
   456    using:
   457  - In Fabric releases prior to the 2.0 Alpha release, chaincode endorsement
   458    policies can be updated during chaincode instantiation or
   459    by using the chaincode lifecycle commands. If not specified at instantiation
   460    time, the endorsement policy defaults to “any member of the organizations in the
   461    channel”. For example, a channel with “Org1” and “Org2” would have a default
   462    endorsement policy of “OR(‘Org1.member’, ‘Org2.member’)”.
   463  - Starting with the Alpha 2.0 release, Fabric introduced a new chaincode
   464    lifecycle process that allows multiple organizations to agree on how a
   465    chaincode will be operated before it can be used on a channel.  The new process
   466    requires that organizations agree to the parameters that define a chaincode,
   467    such as name, version, and the chaincode endorsement policy.
   468  
   469  ## Overriding policy definitions
   470  
   471  Hyperledger Fabric includes default policies which are useful for getting started,
   472  developing, and testing your blockchain, but they are meant to be customized
   473  in a production environment. You should be aware of the default policies
   474  in the `configtx.yaml` file. Channel configuration policies can be extended
   475  with arbitrary verbs, beyond the default `Readers, Writers, Admins` in
   476  `configtx.yaml`. The orderer system and application channels are overridden by
   477  issuing a config update when you override the default policies by editing the
   478  `configtx.yaml` for the orderer system channel or the `configtx.yaml` for a
   479  specific channel.
   480  
   481  See the topic on
   482  [Updating a channel configuration](../config_update.html#updating-a-channel-configuration)
   483  for more information.
   484  
   485  <!--- Licensed under Creative Commons Attribution 4.0 International License
   486  https://creativecommons.org/licenses/by/4.0/) -->