# 身份模式配置和使用手册

## 1. 共识算法适配

1. TBFT 身份模式:PermissionedWithCert, PermissionedWithKey,Public
2. HOTSTUFF 身份模式:PermissionedWithCert, PermissionedWithKey
3. RAFT 身份模式:PermissionedWithCert, PermissionedWithKey
4. DPOS 身份模式:Public

## 2. 链配置

### 2.1. 相关配置详解

#### 2.1.1. PermissionedWithCert

- auth_type:身份模式 permissionedWithCert:面向强权限控制场景,基于数字证书的用户标识体系、基于角色的权限控制体系。
* consensus:共识配置
  - nodes:共识节点列表
    - org_id:组织id
    - node_id:共识节点id列表,是由共识节点TLS证书里的公钥算出的唯一id
* trust_roots:信任根配置列表
  - org_id:组织id
  - root:组织CA证书所在路径列表

#### 2.1.2. PermissionedWithKey

- auth_type:身份模式 permissionedWithKey:面向强权限控制场景,基于公钥的用户标识体系、基于角色的权限控制体系。
* consensus:共识配置
  - nodes:共识节点列表
    - org_id:组织id
    - node_id:共识节点id列表,是由共识节点公钥算出的唯一id
* trust_roots:信任根配置列表
  - org_id:组织id
  - root:组织管理员用户公钥所在路径列表

#### 2.1.3. Public

- auth_type:身份模式 public:面向弱权限控制场景,基于公钥的用户标识体系、基于角色的权限控制体系。
* consensus:共识配置
  - nodes:共识节点列表

  **TBFT共识模式需要配置共识节点列表,DPOS共识模式不需要配置。**
* trust_roots:信任根配置列表

  **默认只使用列表下第一个配置**
  - org_id:public模式配置标识(需要填写public)

    ```yaml
    org_id: "public"
    ```
  - root:链管理员公钥所在路径列表

### 2.2. 示例

#### 2.2.1. PermissionedWithCert

```yaml
chain_id: chain1 # chain identifier
version: v1.0.0 # chain version
sequence: 0 # config version (sequence number)
auth_type: "permissionedWithCert" # identity mode
crypto:
  hash: SHA256
# contract support settings
contract:
  enable_sql_support: false
# virtual machine settings
vm:
  # supported VM list
  support_list:
    - "wasmer"
    - "gasm"
    - "evm"
    - "wxvm"
# transaction and block settings
block:
  tx_timestamp_verify: true # whether transaction timestamps are verified
  tx_timeout: 600 # transaction timestamp expiry (seconds)
  block_tx_capacity: 100 # max transactions per block
  block_size: 10 # max block size, in MB
  block_interval: 2000 # block interval, in ms
# core module
core:
  tx_scheduler_timeout: 10 # [0, 60] scheduling time after the tx scheduler takes txs from the tx pool
  tx_scheduler_validate_timeout: 10 # [0, 60] validation timeout after the tx scheduler takes txs from a block
  consensus_turbo_config:
    consensus_message_turbo: true # whether consensus messages are compressed
    retry_time: 500 # retry count when fetching txs from the tx pool by tx-ID list
    retry_interval: 20 # retry interval, in ms
# consensus settings
consensus:
  # consensus type (0-SOLO, 1-TBFT, 2-MBFT, 3-HOTSTUFF, 4-RAFT, 5-DPOS)
  type: 1
  # consensus node list; every org_id here must also appear in trust_roots;
  # an org may list several consensus nodes; node addresses use the libp2p format.
  # In this mode node_id is derived from the public key of the node's TLS certificate (see 2.1.1).
  nodes:
    - org_id: "wx-org1.chainmaker.org"
      node_id:
        - "QmcQHCuAXaFkbcsPUj7e37hXXfZ9DdN7bozseo5oX4qiC4"
    - org_id: "wx-org2.chainmaker.org"
      node_id:
        - "QmeyNRs2DwWjcHTpcVHoUSaDAAif4VQZ2wQDQAUNDP33gH"
    - org_id: "wx-org3.chainmaker.org"
      node_id:
        - "QmXf6mnQDBR9aHauRmViKzSuZgpumkn7x6rNxw1oqqRr45"
    - org_id: "wx-org4.chainmaker.org"
      node_id:
        - "QmRRWXJpAVdhFsFtd9ah5F4LDQWFFBDVKpECAF8hssqj6H"
  ext_config: # extension fields for other consensus algorithms (difficulty, rewards, ...)
    - key: aa
      value: chain01_ext11
# trusted organizations and their root CA certificates (see 2.1.1)
# NOTE(review): presumably every member certificate is validated against these CA certs,
# so the CA private keys behind them should be kept offline — confirm against the node code.
trust_roots:
  - org_id: "wx-org1.chainmaker.org"
    root:
      - "../config/wx-org1/certs/ca/wx-org1.chainmaker.org/ca.crt"
  - org_id: "wx-org2.chainmaker.org"
    root:
      - "../config/wx-org2/certs/ca/wx-org2.chainmaker.org/ca.crt"
  - org_id: "wx-org3.chainmaker.org"
    root:
      - "../config/wx-org3/certs/ca/wx-org3.chainmaker.org/ca.crt"
  - org_id: "wx-org4.chainmaker.org"
    root:
      - "../config/wx-org4/certs/ca/wx-org4.chainmaker.org/ca.crt"
# permission policies (an entry can only be added, modified or deleted as a whole)
resource_policies:
  - resource_name: CHAIN_CONFIG-NODE_ID_UPDATE
    policy:
      rule: SELF # rule (ANY, MAJORITY, ...; upper-case, converted automatically)
      # NOTE(review): a bare key parses as YAML null rather than an empty list;
      # confirm the loader treats both alike, otherwise write `org_list: []`.
      org_list: # organization names (case-sensitive)
      role_list: # role names (converted to upper-case automatically)
        - admin
  - resource_name: CHAIN_CONFIG-TRUST_ROOT_ADD
    policy:
      rule: MAJORITY
      org_list:
      role_list:
        - admin
  - resource_name: CHAIN_CONFIG-CERTS_FREEZE
    policy:
      rule: ANY
      org_list:
      role_list:
        - admin
disabled_native_contract:
  # - CONTRACT_NAME # disable a native (system) contract by name
```

#### 2.2.2. PermissionedWithKey

```yaml
chain_id: chain1 # chain identifier
version: v1.0.0 # chain version
sequence: 0 # config version (sequence number)
auth_type: "permissionedWithKey" # identity mode: permissionedWithCert / permissionedWithKey / public
crypto:
  hash: SHA256
# contract support settings
contract:
  enable_sql_support: false
# transaction and block settings
block:
  tx_timestamp_verify: true # whether transaction timestamps are verified
  tx_timeout: 600 # transaction timestamp expiry (seconds)
  block_tx_capacity: 100 # max transactions per block
  block_size: 10 # max block size, in MB
  block_interval: 2000 # block interval, in ms
# core module
core:
  tx_scheduler_timeout: 10 # [0, 60] scheduling time after the tx scheduler takes txs from the tx pool
  tx_scheduler_validate_timeout: 10 # [0, 60] validation timeout after the tx scheduler takes txs from a block
  consensus_turbo_config:
    consensus_message_turbo: false # whether consensus messages are compressed
    retry_time: 500 # retry count when fetching txs from the tx pool by tx-ID list
    retry_interval: 20 # retry interval, in ms
# consensus settings
consensus:
  # consensus type (0-SOLO, 1-TBFT, 2-MBFT, 3-HOTSTUFF, 4-RAFT, 5-DPOS)
  type: 1
  # consensus node list; every org_id here must also appear in trust_roots;
  # an org may list several consensus nodes; node addresses use the libp2p format.
  # In this mode node_id is derived from the node's public key (see 2.1.2).
  nodes:
    - org_id: "wx-org1.chainmaker.org"
      node_id:
        - "QmZcFcJFYYoZ3FNNGL88QaszUZwFwuBdFqYh6yPzJURc3s"
    - org_id: "wx-org2.chainmaker.org"
      node_id:
        - "QmXwtuPemSgH5ypzoKvcLdCLbd9jZ25FbpNf7VPjHF3HMS"
    - org_id: "wx-org3.chainmaker.org"
      node_id:
        - "QmRmQLHJoqAYGkuLFaNY6HLzwtTNxr45UJsYpSjdKvBQw2"
    - org_id: "wx-org4.chainmaker.org"
      node_id:
        - "QmURUHTGsuzzjgh1Xg6s92G1Q3gK91A6JEZGPfYNWwJMiT"
  ext_config: # extension fields for other consensus algorithms (difficulty, rewards, ...)
    - key: aa
      value: chain01_ext11
# trusted organizations and their administrator public keys (see 2.1.2)
# NOTE(review): the org2–org4 admin keys are read from the wx-org1 directory tree;
# confirm this matches the intended layout of the config-pk directory.
trust_roots:
  - org_id: "wx-org1.chainmaker.org"
    root:
      - "../config-pk/permissioned-with-key/wx-org1/public-key/admin/wx-org1.chainmaker.org/admin.pem"
  - org_id: "wx-org2.chainmaker.org"
    root:
      - "../config-pk/permissioned-with-key/wx-org1/public-key/admin/wx-org2.chainmaker.org/admin.pem"
  - org_id: "wx-org3.chainmaker.org"
    root:
      - "../config-pk/permissioned-with-key/wx-org1/public-key/admin/wx-org3.chainmaker.org/admin.pem"
  - org_id: "wx-org4.chainmaker.org"
    root:
      - "../config-pk/permissioned-with-key/wx-org1/public-key/admin/wx-org4.chainmaker.org/admin.pem"
# permission policies (an entry can only be added, modified or deleted as a whole)
resource_policies:
  - resource_name: CHAIN_CONFIG-NODE_ID_UPDATE
    policy:
      rule: SELF # rule (ANY, MAJORITY, ...; upper-case, converted automatically)
      # NOTE(review): a bare key parses as YAML null rather than an empty list;
      # confirm the loader treats both alike, otherwise write `org_list: []`.
      org_list: # organization names (case-sensitive)
      role_list: # role names (converted to upper-case automatically)
        - admin
  - resource_name: CHAIN_CONFIG-TRUST_ROOT_ADD
    policy:
      rule: MAJORITY
      org_list:
      role_list:
        - admin
  - resource_name: CHAIN_CONFIG-CERTS_FREEZE
    policy:
      rule: ANY
      org_list:
      role_list:
        - admin
```

#### 2.2.3. Public

```yaml
chain_id: chain1 # chain identifier
version: v1.0.0 # chain version
sequence: 0 # config version (sequence number)
auth_type: "public" # identity mode: permissionedWithCert / permissionedWithKey / public
crypto:
  hash: SHA256
# contract support settings
contract:
  enable_sql_support: false
# transaction and block settings
block:
  tx_timestamp_verify: true # whether transaction timestamps are verified
  tx_timeout: 600 # transaction timestamp expiry (seconds)
  block_tx_capacity: 100 # max transactions per block
  block_size: 10 # max block size, in MB
  block_interval: 2000 # block interval, in ms
# core module
core:
  tx_scheduler_timeout: 10 # [0, 60] scheduling time after the tx scheduler takes txs from the tx pool
  tx_scheduler_validate_timeout: 10 # [0, 60] validation timeout after the tx scheduler takes txs from a block
  consensus_turbo_config:
    consensus_message_turbo: false # whether consensus messages are compressed
    retry_time: 500 # retry count when fetching txs from the tx pool by tx-ID list
    retry_interval: 20 # retry interval, in ms
# consensus settings
consensus:
  # consensus type (0-SOLO, 1-TBFT, 2-MBFT, 3-HOTSTUFF, 4-RAFT, 5-DPOS)
  # No consensus.nodes here: DPOS does not use the node list (see 2.1.3);
  # presumably the validator set comes from the stake.* entries below — confirm.
  type: 5
  ext_config: # extension fields for other consensus algorithms (difficulty, rewards, ...)
    - key: aa
      value: chain01_ext11
  dpos_config: # DPoS
    # ERC20 contract settings
    - key: erc20.total
      value: "10000000"
    - key: erc20.owner
      value: "6CeSsjU5M62Ee3Gx9umUX6nXJoaBkWYufQdTZqEJM5di"
    - key: erc20.decimals
      value: "18"
    - key: erc20.account:DPOS_STAKE
      value: "10000000"
    # Stake contract settings
    - key: stake.minSelfDelegation
      value: "2500000"
    - key: stake.epochValidatorNum
      value: "4"
    - key: stake.epochBlockNum
      value: "10"
    - key: stake.completionUnbondingEpochNum
      value: "1"
    - key: stake.candidate:6CeSsjU5M62Ee3Gx9umUX6nXJoaBkWYufQdTZqEJM5di
      value: "2500000"
    - key: stake.candidate:F5tJ4ca4vdbuyffpc1Szw3WHU3caGaTVAh52MRMS4qBt
      value: "2500000"
    - key: stake.candidate:FxfunVWGkKgYMjngxMtLkd4pUNYVNAHNAqiDqopg5zdw
      value: "2500000"
    - key: stake.candidate:DYt7DfcZnqKNpjgyJ6tU6GFixNfLMkkmnqdwB3NNiAP7
      value: "2500000"
    # candidate address -> peer id; these peer ids match the seeds in the node config of 3.2.3
    - key: stake.nodeID:6CeSsjU5M62Ee3Gx9umUX6nXJoaBkWYufQdTZqEJM5di
      value: "QmZcFcJFYYoZ3FNNGL88QaszUZwFwuBdFqYh6yPzJURc3s"
    - key: stake.nodeID:F5tJ4ca4vdbuyffpc1Szw3WHU3caGaTVAh52MRMS4qBt
      value: "QmXwtuPemSgH5ypzoKvcLdCLbd9jZ25FbpNf7VPjHF3HMS"
    - key: stake.nodeID:FxfunVWGkKgYMjngxMtLkd4pUNYVNAHNAqiDqopg5zdw
      value: "QmRmQLHJoqAYGkuLFaNY6HLzwtTNxr45UJsYpSjdKvBQw2"
    - key: stake.nodeID:DYt7DfcZnqKNpjgyJ6tU6GFixNfLMkkmnqdwB3NNiAP7
      value: "QmURUHTGsuzzjgh1Xg6s92G1Q3gK91A6JEZGPfYNWwJMiT"
# super administrators (chain admin public keys, see 2.1.3)
# Only the first trust_roots entry is used in public mode (see 2.1.3); its org_id must be "public".
trust_roots:
  - org_id: "public"
    root:
      - "../config-pk/public/admin/admin1/admin1.pem"
      - "../config-pk/public/admin/admin2/admin2.pem"
      - "../config-pk/public/admin/admin3/admin3.pem"
      - "../config-pk/public/admin/admin4/admin4.pem"
```

## 3. 节点配置

### 3.1. 相关配置详解

#### 3.1.1. PermissionedWithCert

- auth_type:身份模式 permissionedWithCert:面向强权限控制场景,基于数字证书的用户标识体系、基于角色的权限控制体系。
- node:节点配置
  - priv_key_file:节点SIGN证书的私钥地址
  - cert_file:节点SIGN证书的地址
- net:网络配置
  - tls:TLS配置
    - priv_key_file:节点TLS证书的私钥地址
    - cert_file:节点TLS证书的地址

#### 3.1.2. PermissionedWithKey

- auth_type:身份模式 permissionedWithKey:面向强权限控制场景,基于公钥的用户标识体系、基于角色的权限控制体系。
- node:节点配置
  - priv_key_file:节点私钥地址
  - cert_file:不需要配置
- net:网络配置
  - tls:TLS配置
    - priv_key_file:节点私钥地址
    - cert_file:不需要配置

**注:node和net里需要配置同一个私钥的地址**。

#### 3.1.3. Public

- auth_type:身份模式 public:面向弱权限控制场景,基于公钥的用户标识体系、基于角色的权限控制体系。
- node:节点配置
  - priv_key_file:节点私钥地址
  - cert_file:不需要配置
- net:网络配置
  - tls:TLS配置
    - priv_key_file:节点私钥地址
    - cert_file:不需要配置

**注:node和net里需要配置同一个私钥的地址**。

### 3.2. 示例

#### 3.2.1. PermissionedWithCert

```yaml
auth_type: "permissionedWithCert" # permissionedWithCert / permissionedWithKey / public
log:
  config_file: ../config/wx-org1/log.yml # config file of logger configuration.
blockchain:
  - chainId: chain1
    genesis: ../config/wx-org1/chainconfig/bc1.yml
node:
  # node type: full
  type: full
  org_id: wx-org1.chainmaker.org
  # private key and certificate of the node's SIGN identity (see 3.1.1)
  priv_key_file: ../config/wx-org1/certs/node/consensus1/consensus1.sign.key
  cert_file: ../config/wx-org1/certs/node/consensus1/consensus1.sign.crt
  signer_cache_size: 1000
  cert_cache_size: 1000
net:
  provider: LibP2P
  # 0.0.0.0 binds every interface; outside a local test setup bind a specific
  # address or restrict the port at the firewall.
  listen_addr: /ip4/0.0.0.0/tcp/11301
  seeds:
    - "/ip4/127.0.0.1/tcp/11301/p2p/QmcQHCuAXaFkbcsPUj7e37hXXfZ9DdN7bozseo5oX4qiC4"
    # NOTE(review): this peer id differs from the org2 node_id in 2.2.1
    # (QmeyNRs2DwWjcHTpcVHoUSaDAAif4VQZ2wQDQAUNDP33gH) — confirm which is intended.
    - "/ip4/127.0.0.1/tcp/11302/p2p/QmNdgWgD2QSu769yCwFCnwhVKhjWzyjA3PgSXL7ZJBrUoA"
    - "/ip4/127.0.0.1/tcp/11303/p2p/QmXf6mnQDBR9aHauRmViKzSuZgpumkn7x6rNxw1oqqRr45"
    - "/ip4/127.0.0.1/tcp/11304/p2p/QmRRWXJpAVdhFsFtd9ah5F4LDQWFFBDVKpECAF8hssqj6H"
  tls:
    enabled: true
    # TLS key/cert of the node; the consensus node_id in the chain config is
    # derived from this certificate's public key (see 2.1.1)
    priv_key_file: ../config/wx-org1/certs/node/consensus1/consensus1.tls.key
    cert_file: ../config/wx-org1/certs/node/consensus1/consensus1.tls.crt
txpool:
  max_txpool_size: 5120 # cap on the normal tx pool
  max_config_txpool_size: 10 # cap on the config-tx pool
  full_notify_again_time: 30 # interval (seconds) between repeat notifications once the tx pool overflows
rpc:
  provider: grpc
  port: 12301
  tls:
    # TLS mode:
    #   disable - TLS off
    #   oneway  - one-way (server-only) authentication
    #   twoway  - mutual authentication
    #mode: disable
    #mode: oneway
    mode: twoway # mutual TLS: both the node and the RPC client are authenticated
    priv_key_file: ../config/wx-org1/certs/node/consensus1/consensus1.tls.key
    cert_file: ../config/wx-org1/certs/node/consensus1/consensus1.tls.crt
monitor:
  enabled: false
  port: 14321
pprof:
  enabled: false # keep disabled unless profiling is needed; pprof exposes runtime internals
  port: 24321
storage:
  store_path: ../data/org1/ledgerData1
  blockdb_config:
    provider: leveldb
    leveldb_config:
      store_path: ../data/org1/blocks
      write_buffer_size: 1024
      block_write_buffer_size: 1024
  statedb_config:
    provider: leveldb
    leveldb_config:
      store_path: ../data/org1/state
  historydb_config:
    provider: leveldb
    leveldb_config:
      store_path: ../data/org1/history
  resultdb_config:
    provider: leveldb
    leveldb_config:
      store_path: ../data/org1/result
  disable_contract_eventdb: true # whether contract-event storage is disabled; default true; if false, MySQL must be configured
  contract_eventdb_config:
    provider: sql # when the contract event db is enabled, provider must be sql
    sqldb_config:
      sqldb_type: mysql # the contract event db only supports mysql
      # mysql connection info (user, password, ip, port, ...), e.g. root:admin@tcp(127.0.0.1:3306)/
      # NOTE(review): the value below is an example placeholder; keep real database
      # credentials out of files committed to version control.
      dsn: root:password@tcp(127.0.0.1:3306)/
debug:
  # whether the CLI is enabled; a transitional feature
  # NOTE(review): enabled in this example; keep it off on production nodes.
  is_cli_open: true
  is_http_open: false
```

#### 3.2.2. PermissionedWithKey

```yaml
auth_type: "permissionedWithKey" # permissionedWithCert / permissionedWithKey / public
log:
  config_file: ../config-pk/permissioned-with-key/wx-org1/log.yml # config file of logger configuration.
blockchain:
  - chainId: chain1
    genesis: ../config-pk/permissioned-with-key/wx-org1/chainconfig/bc1.yml
node:
  # node type: full
  type: full
  org_id: wx-org1.chainmaker.org
  # node private key; no cert_file in this mode (see 3.1.2).
  # The consensus node_id in the chain config is derived from this key's public key (see 2.1.2).
  priv_key_file: ../config-pk/permissioned-with-key/wx-org1/public-key/node/consensus1/consensus1.key
  signer_cache_size: 1000
  cert_cache_size: 1000
net:
  # NOTE(review): the other examples use LibP2P — confirm liquid is intended here.
  provider: liquid
  # 0.0.0.0 binds every interface; outside a local test setup bind a specific
  # address or restrict the port at the firewall.
  listen_addr: /ip4/0.0.0.0/tcp/11351
  seeds:
    - "/ip4/127.0.0.1/tcp/11351/p2p/QmZcFcJFYYoZ3FNNGL88QaszUZwFwuBdFqYh6yPzJURc3s"
    - "/ip4/127.0.0.1/tcp/11352/p2p/QmXwtuPemSgH5ypzoKvcLdCLbd9jZ25FbpNf7VPjHF3HMS"
    - "/ip4/127.0.0.1/tcp/11353/p2p/QmRmQLHJoqAYGkuLFaNY6HLzwtTNxr45UJsYpSjdKvBQw2"
    - "/ip4/127.0.0.1/tcp/11354/p2p/QmURUHTGsuzzjgh1Xg6s92G1Q3gK91A6JEZGPfYNWwJMiT"
  tls:
    enabled: true
    # must be the same key as node.priv_key_file (see the note in 3.1.2)
    priv_key_file: ../config-pk/permissioned-with-key/wx-org1/public-key/node/consensus1/consensus1.key
txpool:
  max_txpool_size: 5120 # cap on the normal tx pool
  max_config_txpool_size: 10 # cap on the config-tx pool
  full_notify_again_time: 30 # interval (seconds) between repeat notifications once the tx pool overflows
rpc:
  provider: grpc
  port: 12301
  tls:
    # TLS mode:
    #   disable - TLS off
    #   oneway  - one-way (server-only) authentication
    #   twoway  - mutual authentication
    #mode: disable
    #mode: oneway
    # NOTE(review): TLS is disabled on the RPC port in this example, which is only
    # suitable for local testing; use oneway or twoway before exposing the port.
    mode: disable
monitor:
  enabled: false
  port: 14321
pprof:
  enabled: false # keep disabled unless profiling is needed; pprof exposes runtime internals
  port: 24321
storage:
  store_path: ../data/org1/ledgerData1
  blockdb_config:
    provider: leveldb
    leveldb_config:
      store_path: ../data/org1/blocks
  statedb_config:
    provider: leveldb
    leveldb_config:
      store_path: ../data/org1/state
  historydb_config:
    provider: leveldb
    leveldb_config:
      store_path: ../data/org1/history
  resultdb_config:
    provider: leveldb
    leveldb_config:
      store_path: ../data/org1/result
  disable_contract_eventdb: true # whether contract-event storage is disabled; default true; if false, MySQL must be configured
  contract_eventdb_config:
    provider: sql # when the contract event db is enabled, provider must be sql
    sqldb_config:
      sqldb_type: mysql # the contract event db only supports mysql
      # mysql connection info (user, password, ip, port, ...), e.g. root:admin@tcp(127.0.0.1:3306)/
      # NOTE(review): the value below is an example placeholder; keep real database
      # credentials out of files committed to version control.
      dsn: root:password@tcp(127.0.0.1:3306)/
debug:
  # whether the CLI is enabled; a transitional feature
  # NOTE(review): enabled in this example; keep it off on production nodes.
  is_cli_open: true
  is_http_open: false
```

#### 3.2.3. Public

```yaml
auth_type: "public" # permissionedWithCert / permissionedWithKey / public
log:
  config_file: ../config-pk/public/node/node1/log.yml # config file of logger configuration.
blockchain:
  - chainId: chain1
    genesis: ../config-pk/public/node/node1/chainconfig/bc1.yml
node:
  # node type: full
  type: full
  # NOTE(review): the chain-level trust_roots in public mode use org_id "public" (2.2.3);
  # confirm which org_id the node is expected to carry here.
  org_id: wx-org1.chainmaker.org
  # node private key; no cert_file in this mode (see 3.1.3)
  priv_key_file: ../config-pk/public/node/node1/node1.key
  signer_cache_size: 1000
  cert_cache_size: 1000
net:
  provider: LibP2P
  # 0.0.0.0 binds every interface; outside a local test setup bind a specific
  # address or restrict the port at the firewall.
  listen_addr: /ip4/0.0.0.0/tcp/11351
  # these peer ids are the stake.nodeID values of the DPoS candidates in 2.2.3
  seeds:
    - "/ip4/127.0.0.1/tcp/11351/p2p/QmZcFcJFYYoZ3FNNGL88QaszUZwFwuBdFqYh6yPzJURc3s"
    - "/ip4/127.0.0.1/tcp/11352/p2p/QmXwtuPemSgH5ypzoKvcLdCLbd9jZ25FbpNf7VPjHF3HMS"
    - "/ip4/127.0.0.1/tcp/11353/p2p/QmRmQLHJoqAYGkuLFaNY6HLzwtTNxr45UJsYpSjdKvBQw2"
    - "/ip4/127.0.0.1/tcp/11354/p2p/QmURUHTGsuzzjgh1Xg6s92G1Q3gK91A6JEZGPfYNWwJMiT"
  tls:
    enabled: true
    # must be the same key as node.priv_key_file (see the note in 3.1.3)
    priv_key_file: ../config-pk/public/node/node1/node1.key
txpool:
  max_txpool_size: 5120 # cap on the normal tx pool
  max_config_txpool_size: 10 # cap on the config-tx pool
  full_notify_again_time: 30 # interval (seconds) between repeat notifications once the tx pool overflows
rpc:
  provider: grpc
  port: 12301
  tls:
    # TLS mode:
    #   disable - TLS off
    #   oneway  - one-way (server-only) authentication
    #   twoway  - mutual authentication
    #mode: disable
    #mode: oneway
    # NOTE(review): TLS is disabled on the RPC port in this example, which is only
    # suitable for local testing; use oneway or twoway before exposing the port.
    mode: disable
monitor:
  enabled: false
  port: 14321
pprof:
  enabled: false # keep disabled unless profiling is needed; pprof exposes runtime internals
  port: 24321
storage:
  store_path: ../data/node1/ledgerData1
  blockdb_config:
    provider: leveldb
    leveldb_config:
      store_path: ../data/node1/blocks
  statedb_config:
    provider: leveldb
    leveldb_config:
      store_path: ../data/node1/state
  historydb_config:
    provider: leveldb
    leveldb_config:
      store_path: ../data/node1/history
  resultdb_config:
    provider: leveldb
    leveldb_config:
      store_path: ../data/node1/result
  disable_contract_eventdb: true # whether contract-event storage is disabled; default true; if false, MySQL must be configured
  contract_eventdb_config:
    provider: sql # when the contract event db is enabled, provider must be sql
    sqldb_config:
      sqldb_type: mysql # the contract event db only supports mysql
      # mysql connection info (user, password, ip, port, ...), e.g. root:admin@tcp(127.0.0.1:3306)/
      # NOTE(review): the value below is an example placeholder; keep real database
      # credentials out of files committed to version control.
      dsn: root:password@tcp(127.0.0.1:3306)/
debug:
  # whether the CLI is enabled; a transitional feature
  # NOTE(review): enabled in this example; keep it off on production nodes.
  is_cli_open: true
  is_http_open: false
```