You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
[FAB-12507] Doc clarifications for private data config
Improve doc for private data dissemination configuration.
Change-Id: I71fe3158739a9a518be7fe7d8b50df57b9024eb5
Signed-off-by: David Enyeart <enyeart@us.ibm.com>
Copy file name to clipboardExpand all lines: docs/source/private-data-arch.rst
+49-39Lines changed: 49 additions & 39 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,18 +1,19 @@
1
1
Private Data
2
2
============
3
3
4
-
.. note:: This topic assumes an understand of the conceptual material in the
4
+
.. note:: This topic assumes an understanding of the conceptual material in the
5
5
`documentation on private data <private-data/private-data.html>`_.
6
6
7
7
Private data collection definition
8
8
----------------------------------
9
9
10
10
A collection definition contains one or more collections, each having a policy
11
11
definition listing the organizations in the collection, as well as properties
12
-
used to control endorsement and, optionally, whether the data will be purged.
12
+
used to control dissemination of private data at endorsement time and,
13
+
optionally, whether the data will be purged.
13
14
14
15
The collection definition gets deployed to the channel at the time of chaincode
15
-
instantiation. If using the peer CLI to instantiate the chaincode, the
16
+
instantiation (or upgrade). If using the peer CLI to instantiate the chaincode, the
16
17
collection definition file is passed to the chaincode instantiation
17
18
using the ``--collections-config`` flag. If using a client SDK, check the `SDK
18
19
documentation <https://fabric-sdk-node.github.io/>`_ for information on providing the collection
@@ -33,24 +34,28 @@ Collection definitions are composed of five properties:
33
34
distribution policy, but the endorsement policy might call for any three
34
35
of the organizations to endorse.
35
36
36
-
* ``requiredPeerCount``: Minimum number of peers that the endorsing peer must
37
-
successfully disseminate private data to before the peer signs the
38
-
endorsement and returns the proposal response back to the client. When
37
+
* ``requiredPeerCount``: Minimum number of peers (across authorized organizations)
38
+
that each endorsing peer must successfully disseminate private data to before the
39
+
peer signs the endorsement and returns the proposal response back to the client.
40
+
Requiring dissemination as a condition of endorsement will ensure that private data
41
+
is available in the network even if the endorsing peer(s) become unavailable. When
39
42
``requiredPeerCount`` is ``0``, it means that no distribution is **required**,
40
43
but there may be some distribution if ``maxPeerCount`` is greater than zero. A
41
44
``requiredPeerCount`` of ``0`` would typically not be recommended, as it could
42
-
lead to loss of private data. Typically you would want to require at least some
43
-
distribution of the private data at endorsement time to ensure redundancy of the
44
-
private data on multiple peers in the network.
45
-
46
-
* ``maxPeerCount``: For data redundancy purposes, the number of other peers
47
-
that the current endorsing peer will attempt to distribute the data to. If an
48
-
endorsing peer becomes unavailable between endorsement time and commit time,
49
-
other peers that are collection members but who did not yet receive the private
50
-
data, will be able to pull the private data from the peers the private data was
51
-
disseminated to. If this value is set to ``0``, the private data is not
52
-
disseminated at endorsement time, forcing private data pulls on all authorized
53
-
peers.
45
+
lead to loss of private data in the network if the endorsing peer(s) becomes unavailable.
46
+
Typically you would want to require at least some distribution of the private
47
+
data at endorsement time to ensure redundancy of the private data on multiple
48
+
peers in the network.
49
+
50
+
* ``maxPeerCount``: For data redundancy purposes, the maximum number of other
51
+
peers (across authorized organizations) that each endorsing peer will attempt
52
+
to distribute the private data to. If an endorsing peer becomes unavailable between
53
+
endorsement time and commit time, other peers that are collection members but who
54
+
did not yet receive the private data at endorsement time, will be able to pull
55
+
the private data from peers the private data was disseminated to. If this value
56
+
is set to ``0``, the private data is not disseminated at endorsement time,
57
+
forcing private data pulls against endorsing peers on all authorized peers at
58
+
commit time.
54
59
55
60
* ``blockToLive``: Represents how long the data should live on the private
56
61
database in terms of blocks. The data will live for this specified number of
@@ -89,18 +94,40 @@ to a subset of organizations in the channel (in this case ``Org1`` ). In a real
89
94
scenario, there would be many organizations in the channel, with two or more
90
95
organizations in each collection sharing private data between them.
91
96
97
+
Endorsement
98
+
~~~~~~~~~~~
99
+
100
+
Since private data is not included in the transactions that get submitted to
101
+
the ordering service, and therefore not included in the blocks that get distributed
102
+
to all peers in a channel, the endorsing peer plays an important role in
103
+
disseminating private data to other peers of authorized organizations. This ensures
104
+
the availability of private data in the channel's collection, even if endorsing
105
+
peers become unavailable after their endorsement. To assist with this dissemination,
106
+
the ``maxPeerCount`` and ``requiredPeerCount`` properties in the collection definition
107
+
control the degree of dissemination at endorsement time.
108
+
109
+
If the endorsing peer cannot successfully disseminate the private data to at least
110
+
the ``requiredPeerCount``, it will return an error back to the client. The endorsing
111
+
peer will attempt to disseminate the private data to peers of different organizations,
112
+
in an effort to ensure that each authorized organization has a copy of the private
113
+
data. Since transactions are not committed at chaincode execution time, the endorsing
114
+
peer and recipient peers store a copy of the private data in a local ``transient store``
115
+
alongside their blockchain until the transaction is committed.
116
+
92
117
How private data is committed
93
118
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
94
119
95
120
When authorized peers do not have a copy of the private data in their transient
96
-
data store they will attempt to pull the private data from another authorized
121
+
data store at commit time (either because they were not an endorsing peer or because
122
+
they did not receive the private data via dissemination at endorsement time),
123
+
they will attempt to pull the private data from another authorized
97
124
peer, *for a configurable amount of time* based on the peer property
98
125
``peer.gossip.pvtData.pullRetryThreshold`` in the peer configuration ``core.yaml``
99
126
file.
100
127
101
128
.. note:: The peers being asked for private data will only return the private data
102
129
if the requesting peer is a member of the collection as defined by the
103
-
policy.
130
+
private data dissemination policy.
104
131
105
132
Considerations when using ``pullRetryThreshold``:
106
133
@@ -114,7 +141,7 @@ Considerations when using ``pullRetryThreshold``:
114
141
(including the private data hash), without the private data.
115
142
116
143
* If the peer was entitled to the private data but it is missing, then
117
-
that the peer will not be able to endorse future transactions that reference
144
+
that peer will not be able to endorse future transactions that reference
118
145
the missing private data - a chaincode query for a key that is missing will
119
146
be detected (based on the presence of the key’s hash in the state database),
120
147
and the chaincode will receive an error.
@@ -129,23 +156,6 @@ properties will have ensured the private data is available on other peers.
129
156
gossip configured correctly. Refer to our documentation on :doc:`gossip`,
130
157
paying particular attention to the section on "anchor peers".
131
158
132
-
Endorsement
133
-
~~~~~~~~~~~
134
-
135
-
The endorsing peer plays an important role in disseminating private data to
136
-
other authorized peers, ensuring the availability of private data on the
137
-
channel. To assist with this dissemination, the ``maxPeerCount`` and
138
-
``requiredPeerCount`` properties in the collection definition control the
139
-
dissemination behavior.
140
-
141
-
If the endorsing peer cannot successfully disseminate the private data to at least
142
-
the ``requiredPeerCount``, it will return an error back to the client. The endorsing
143
-
peer will attempt to disseminate the private data to peers of different organizations,
144
-
in an effort to ensure that each authorized organization has a copy of the private
145
-
data. Since transactions are not committed at chaincode execution time, the endorsing
146
-
peer and recipient peers store a copy of the private data in a local ``transient store``
147
-
alongside their blockchain until the transaction is committed.
148
-
149
159
Referencing collections from chaincode
150
160
--------------------------------------
151
161
@@ -167,7 +177,7 @@ not to include private data in the main part of the chaincode proposal. A specia
167
177
field in the chaincode proposal called the ``transient`` field can be used to pass
168
178
private data from the client (or data that chaincode will use to generate private
169
179
data), to chaincode invocation on the peer. The chaincode can retrieve the
170
-
``transient`` field by calling the ```GetTransient()`` API <https://github.com/hyperledger/fabric/blob/13447bf5ead693f07285ce63a1903c5d0d25f096/core/chaincode/shim/interfaces_stable.go>`_.
180
+
``transient`` field by calling the `GetTransient() API <https://github.com/hyperledger/fabric/blob/8b3cbda97e58d1a4ff664219244ffd1d89d7fba8/core/chaincode/shim/interfaces.go#L315-L321>`_.
171
181
This ``transient`` field gets excluded from the channel transaction.
0 commit comments