Add logging for identity, policy, and signature troubleshooting #3006

Merged 1 commit, Nov 29, 2021

Conversation

@denyeart denyeart commented Nov 1, 2021

Most identity, policy, and signature issues return a fairly generic error
message to the user, e.g. "not authorized".
This is often intentional so as to not disclose information to malicious users that
may be probing for information about the system.

This commit adds logging on the orderer and peer side so that identity issues
can more easily be troubleshot by users setting up sample networks,
and by administrators and SREs in production networks.

For any identity, policy, or signature error, the failed policy and passed identity are now logged in a warning message.
Additionally, the identity of every signature that is verified can be seen if tracing is enabled.

The new logging can help with the following types of issue resolution:
User cert and MSP membership errors
Determine which user is unauthorized to perform an action
Determine which MSPs and user signatures are included in a config transaction that was invalidated
Determine which peers participated in an endorsement invalidation
Determine which peer signature doesn't match the others in a proposal response

Signed-off-by: David Enyeart <enyeart@us.ibm.com>
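The logging pattern this description relies on, as an added Go example that is not Fabric's code: the requester receives only the generic error, while the failed policy and the presented identity go to the log at WARN and, with tracing on, every verified identity is logged. `Identity`, `Policy`, `Checker` and the `expected` flag are hypothetical stand-ins; the flag reflects the follow-up commits in this thread that dropped the warning for discovery's routine principal checks.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

var ErrNotAuthorized = errors.New("not authorized") // the only text a requester ever receives

// Identity and Policy are hypothetical stand-ins (not Fabric types) for an MSP
// identity and a principal check that admits a set of MSP IDs.
type Identity struct{ MSPID, Subject string }
type Policy struct {
	Name    string
	Members map[string]bool
}

// Checker logs into Records (a real node would use its logger); Trace logs every verified identity.
type Checker struct {
	Trace   bool
	Records strings.Builder
}

// Evaluate hands the caller only the generic error while the log carries the failed
// policy and the presented identity at WARN. Failures marked expected (a service that
// routinely checks a peer against every channel principal) are demoted to DEBUG.
func (c *Checker) Evaluate(p Policy, id Identity, expected bool) error {
	if c.Trace {
		fmt.Fprintf(&c.Records, "TRACE verifying identity mspid=%s subject=%q policy=%s\n", id.MSPID, id.Subject, p.Name)
	}
	if p.Members[id.MSPID] {
		return nil
	}
	level := "WARN"
	if expected {
		level = "DEBUG"
	}
	fmt.Fprintf(&c.Records, "%s policy %s failed for identity mspid=%s subject=%q\n", level, p.Name, id.MSPID, id.Subject)
	return ErrNotAuthorized
}

func main() {
	c := &Checker{Trace: true}
	writers := Policy{Name: "Channel/Application/Writers", Members: map[string]bool{"Org1MSP": true}}
	err := c.Evaluate(writers, Identity{MSPID: "Org2MSP", Subject: "CN=User1@org2.example.com"}, false)
	fmt.Println("caller sees:", err) // caller sees: not authorized
	fmt.Print(c.Records.String())    // TRACE line, then the WARN line naming policy and identity
}
```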

@denyeart denyeart requested a review from a team as a code owner November 1, 2021 12:15
@denyeart denyeart force-pushed the cred_troubleshooting branch from 3a54468 to 024693b November 1, 2021 12:29
Review comments were left on these files (all resolved):
core/common/validation/statebased/validator_keylevel.go (outdated)
msp/identities.go
protoutil/signeddata.go
protoutil/testdata/peer-expired.pem
@denyeart denyeart force-pushed the cred_troubleshooting branch from 024693b to 8804c3f November 1, 2021 13:23
@denyeart denyeart force-pushed the cred_troubleshooting branch from 8804c3f to 5a539c5 November 9, 2021 05:50
Most identity, policy, and signature issues return a fairly generic error
message to the user, e.g. "not authorized".
This is often intentional so as to not disclose information to malicious users that
may be probing for information about the system.

This commit adds logging on the orderer and peer side so that identity issues
can more easily be troubleshot by users setting up sample networks,
and by administrators and SREs in production networks.

For any identity, policy, or signature error, the identity is now logged in a warning message.
Additionally, the identity of every signature that is verified can be seen if tracing is enabled.

The new logging can help with the following types of issue resolution:
User cert and MSP membership errors
Determine which user is unauthorized to perform an action
Determine which MSPs and user signatures are included in a config transaction that was invalidated
Determine which peers participated in an endorsement invalidation
Determine which peer signature doesn't match the others in a proposal response

Signed-off-by: David Enyeart <enyeart@us.ibm.com>
@denyeart denyeart force-pushed the cred_troubleshooting branch from 5a539c5 to 3cf1e05 November 9, 2021 05:57

@denyeart (author) commented Nov 9, 2021

@ale-linux I think it is ready for final review now...

@ale-linux ale-linux merged commit b0de139 into hyperledger:main Nov 29, 2021
denyeart added a commit to denyeart/fabric that referenced this pull request Dec 13, 2021
PR hyperledger#3006 added warnings for principal check failures to assist with troubleshooting.
The discovery warning was too much however since even in normal scenarios
discovery endorser service checks the peer against the various channel principals.
This change reverts to the prior code without the warning.

Resolves hyperledger/fabric-gateway#349.

Signed-off-by: David Enyeart <enyeart@us.ibm.com>
ale-linux pushed a commit that referenced this pull request Dec 13, 2021
mergify bot pushed a commit that referenced this pull request Dec 13, 2021
(cherry picked from commit 0b0c35c)
denyeart added a commit that referenced this pull request Dec 13, 2021
(cherry picked from commit 0b0c35c)
denyeart added a commit to denyeart/fabric that referenced this pull request Jun 16, 2022
…ase-2.2)

Backport hyperledger#3006
denyeart added a commit to denyeart/fabric that referenced this pull request Jun 16, 2022
andrew-coleman pushed a commit that referenced this pull request Jun 16, 2022
…ase-2.2) (#3483)

Backport #3006