<div dir="ltr">Thanks Frode for covering that. Added minor comments too your PR and you can send formal patch. <div><br></div><div><br><div><br></div><div><br></div><div><br></div><div><br></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Nov 7, 2019 at 2:00 PM Frode Nordahl <<a href="mailto:frode.nordahl@canonical.com" target="_blank">frode.nordahl@canonical.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto">fwiw; I proposed this small note earlier this evening: <a href="https://github.com/ovn-org/ovn/pull/25" target="_blank">https://github.com/ovn-org/ovn/pull/25</a></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">tor. 7. nov. 2019, 21:47 skrev Ben Pfaff <<a href="mailto:blp@ovn.org" target="_blank">blp@ovn.org</a>>:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Sure, anything helps.<br>
<br>
On Thu, Nov 07, 2019 at 12:27:44PM -0800, aginwala wrote:<br>
> Hi Ben:<br>
> <br>
> It seems RBAC doc<br>
> <a href="http://docs.openvswitch.org/en/stable/tutorials/ovn-rbac/#configuring-rbac" rel="noreferrer noreferrer" target="_blank">http://docs.openvswitch.org/en/stable/tutorials/ovn-rbac/#configuring-rbac</a><br>
> only talks<br>
> about chassis and not mentioning about northd. I can submit a patch to<br>
> update that as a todo for northd and mention the workaround until we add<br>
> formal support. Is that ok?<br>
> <br>
> <br>
> <br>
> <br>
> On Thu, Nov 7, 2019 at 12:14 PM Ben Pfaff <<a href="mailto:blp@ovn.org" rel="noreferrer" target="_blank">blp@ovn.org</a>> wrote:<br>
> <br>
> > Have we documented this? Should we?<br>
> ><br>
> > On Thu, Nov 07, 2019 at 10:20:22AM -0800, aginwala wrote:<br>
> > > Hi:<br>
> > ><br>
> > > It is a known fact and have-been discussed before. We use the same<br>
> > > workaround as you mentioned. Alternatively, you can also set role="" and<br>
> > it<br>
> > > will work for both northd and ovn-controller instead of separate<br>
> > listeners<br>
> > > which is also a security loop-hole. In short, some work is needed here<br>
> > > to handle rbac for northd.<br>
> > ><br>
> > > On Thu, Nov 7, 2019 at 9:47 AM Frode Nordahl <<br>
> > <a href="mailto:frode.nordahl@canonical.com" rel="noreferrer" target="_blank">frode.nordahl@canonical.com</a>><br>
> > > wrote:<br>
> > ><br>
> > > > Hello all,<br>
> > > ><br>
> > > > TL;DR; When enabling the `ovn-controller` role on the SB DB<br>
> > `ovsdb-server`<br>
> > > > listener, `ovn-northd` no longer has the necessary access to do its job<br>
> > > > when you are unable to use the local unix socket for its connection to<br>
> > the<br>
> > > > database.<br>
> > > ><br>
> > > > AFAICT there is no northd-specifc or admin type role available, have I<br>
> > > > missed something?<br>
> > > ><br>
> > > > I have worked around the issue by enabling a separate listener on a<br>
> > > > different port on the Southbound ovsdb-servers so that `ovn-northd` can<br>
> > > > connect to that.<br>
> > > ><br>
> > > ><br>
> > > > I have a OVN deployment with central components spread across three<br>
> > > > machines, there is an instance of the Northbound and Southbound<br>
> > > > `ovsdb-server` on each of them which are clustered, and there is also<br>
> > an<br>
> > > > instance of `ovn-northd` on each of them.<br>
> > > ><br>
> > > > The deployment is TLS-enabled and I have enabled RBAC.<br>
> > > ><br>
> > > > Since the DBs are clustered I have no control of which machine will be<br>
> > the<br>
> > > > leader, and it may be that one machine has the leader for the<br>
> > Northbound DB<br>
> > > > and a different machine has the leader of the Southbound DB.<br>
> > > ><br>
> > > > Because of this ovn-northd is unable to talk to the databases through a<br>
> > > > local unix socket and must use a TLS-enabled connection to the DBs, and<br>
> > > > herein lies the problem.<br>
> > > ><br>
> > > ><br>
> > > > I peeked at the RBAC implementation, and it appears to me that the<br>
> > > > permission system is tied to having specific columns in each table that<br>
> > > > maps to the name of the client that wants permission. On the surface<br>
> > this<br>
> > > > appears to not fit with `ovn-northd`'s needs as I would think it would<br>
> > need<br>
> > > > full access to all tables perhaps based on a centrally managed set of<br>
> > > > hostnames.<br>
> > > ><br>
> > > > --<br>
> > > > Frode Nordahl<br>
> > > ><br>
> > > > _______________________________________________<br>
> > > > discuss mailing list<br>
> > > > <a href="mailto:discuss@openvswitch.org" rel="noreferrer" target="_blank">discuss@openvswitch.org</a><br>
> > > > <a href="https://mail.openvswitch.org/mailman/listinfo/ovs-discuss" rel="noreferrer noreferrer" target="_blank">https://mail.openvswitch.org/mailman/listinfo/ovs-discuss</a><br>
> > > ><br>
> ><br>
> > > _______________________________________________<br>
> > > discuss mailing list<br>
> > > <a href="mailto:discuss@openvswitch.org" rel="noreferrer" target="_blank">discuss@openvswitch.org</a><br>
> > > <a href="https://mail.openvswitch.org/mailman/listinfo/ovs-discuss" rel="noreferrer noreferrer" target="_blank">https://mail.openvswitch.org/mailman/listinfo/ovs-discuss</a><br>
> ><br>
> ><br>
</blockquote></div>
</blockquote></div>