Add logging for identity, policy, and signature troubleshooting (2.2) #3483
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
andrew-coleman
previously approved these changes
Jun 16, 2022
…ase-2.2) Backport hyperledger#3006 Most identity, policy, and signature issues return a fairly generic error message to the user, e.g. "not authorized". This is often intentional so as to not disclose information to malicious users that may be probing for information about the system. This commit adds logging on the orderer and peer side so that identity issues can more easily be troubleshooted by users setting up sample networks, and by administrators and SREs in production networks. For any identity, policy, or signature error, the failed policy and passed identity is now logged in a warning message. Additionally, the identity of every signature that is verified can be seen if tracing is enabled. The new logging can help with the following types of issue resolution: User cert and MSP membership errors Determine which user is unauthorized to perform an action Determine which MSPs and user signatures are included in a config transaction that was invalidated Determine which peers participated in an endorsement invalidation Determine which peer signature doesn't match the others in a proposal response Signed-off-by: David Enyeart <enyeart@us.ibm.com>
denyeart
force-pushed
the
policy_logging_rel22
branch
from
8ee40c8
to
7638644
Compare
andrew-coleman
approved these changes
Jun 16, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backport #3006
Most identity, policy, and signature issues return a fairly generic error
message to the user, e.g. "not authorized".
This is often intentional so as to not disclose information to malicious users that
may be probing for information about the system.
This commit adds logging on the orderer and peer side so that identity issues
can more easily be troubleshooted by users setting up sample networks,
and by administrators and SREs in production networks.
For any identity, policy, or signature error, the failed policy and passed identity is now logged in a warning message.
Additionally, the identity of every signature that is verified can be seen if tracing is enabled.
The new logging can help with the following types of issue resolution:
User cert and MSP membership errors
Determine which user is unauthorized to perform an action
Determine which MSPs and user signatures are included in a config transaction that was invalidated
Determine which peers participated in an endorsement invalidation
Determine which peer signature doesn't match the others in a proposal response
Signed-off-by: David Enyeart enyeart@us.ibm.com