
How do you join a peer to a channel using a peer identity in Hyperledger Fabric?


I'm struggling with identity management on a peer node using the newer OU approach to credentials. I'm close to having it working, but there's some concept or something that I'm missing.

Where I'm stuck is with trying to issue a peer channel join command on the peer.

I've tried this 2 ways:

  1. I've registered an identity as a peer and used its enrollment to create the local MSP on the node. With this identity, when I try to join the channel, I get the following error: "The identity is not an admin under this MSP"
  2. I've registered an identity as an admin and used its enrollment to create the local MSP on the node. With this identity, when I try to join the channel, it succeeds

However, running the peer node as an admin can't be the right answer. The documentation is clear:

  • An identity should be classified as a client if it transacts on the network.
  • An identity should be classified as an admin if it handles administrative tasks such as joining a peer to a channel or signing a channel configuration update transaction.
  • An identity should be classified as a peer if it endorses or commits transactions.
  • An identity should be classified as an orderer if it belongs to an ordering node.

How can the peer node act as both a peer for "endorsing and committing transactions" and an admin for "handling administrative tasks"? What am I missing here? How do I set up a peer identity that has admin rights to its peer node?

I also want to make sure that the credentials stored on the peer only allow admin commands on that specific peer node and do not provide admin rights to the broader network.

Thanks in advance.


Solution

  • You should only use the Admin's MSP to run peer channel join, but your peer's CORE_PEER_ADDRESS.

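    # Sign the join request with the admin identity's MSP directory
    export CORE_PEER_MSPCONFIGPATH="$ADMINMSP"
    # Send the request to your own peer's address
    export CORE_PEER_ADDRESS="$YOURPEERADDRESS"
    peer channel join -b /path/to/block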

    The peer is already up using its own peer MSP, so it will not use the Admin's MSP to run on the network. It is just for this operation.

    You don't need to register a peer as an admin, but you must have an admin user to take care of these functionalities. It is strongly advised not to use the Org Admin MSP (Channel MSP) for any operation other than on the channel configuration, so just enroll a new admin user and use it for admin operations. It is not necessary to store admin files on a peer, just have a convenient way to use the Admin MSP when it is needed.

    Regarding the confusion, in Fabric you can have an admin act as a peer but not the other way around.
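
The workflow from the answer above, as an added example that is not part of the original answer or of Fabric itself: a wrapper that checks the signing certificate really carries the admin OU before calling `peer`, and scopes the admin MSP override to that single command. The function names are hypothetical; it assumes the Node OU admin identifier is `admin`, that `openssl` is on the PATH, and that any other `CORE_PEER_*` settings (such as TLS) are already in the environment.

```shell
# Added example. Function names are hypothetical; assumes the Node OU
# admin identifier configured for the MSP is "admin".

# Succeeds only if the MSP's signing certificate has OU=admin in its subject.
cert_has_admin_ou() {
  cert=$(ls "$1"/signcerts/*.pem 2>/dev/null | head -n 1)
  [ -n "$cert" ] || return 1
  openssl x509 -noout -subject -nameopt RFC2253 -in "$cert" 2>/dev/null |
    grep -Eq '(^subject= ?|,)OU=admin(,|$)'
}

# Usage: join_as_admin ADMIN_MSP_DIR PEER_ADDRESS BLOCK_FILE
join_as_admin() {
  admin_msp=$1 peer_addr=$2 block=$3
  [ -f "$block" ] || { echo "channel block not found: $block" >&2; return 2; }

  # Pointing this at the peer's own local MSP (OU=peer) is what yields
  # "The identity is not an admin under this MSP"; fail closed before
  # the request is ever sent.
  cert_has_admin_ou "$admin_msp" || {
    echo "no OU=admin signing certificate under $admin_msp" >&2
    return 3
  }

  # Subshell: the admin MSP override lasts for this one command and is
  # never left exported in the calling shell.
  (
    export CORE_PEER_MSPCONFIGPATH="$admin_msp"
    export CORE_PEER_ADDRESS="$peer_addr"
    peer channel join -b "$block"
  )
}
```

Because the admin MSP directory is passed as an argument, it can live on an operator workstation or a mounted secret rather than on the peer's disk.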