[ovs-dev] [RFC 0/5] role-based access controls for ovsdb-server, ovn-sb

Lance Richardson lrichard at redhat.com
Mon Mar 27 18:56:08 UTC 2017


This series implements role-based access control infrastructure for
ovsdb-server, and uses that infrastructure to apply role-based access
controls to the OVN_Southbound database. This implementation follows
the outline discussed at:

     https://mail.openvswitch.org/pipermail/ovs-dev/2017-March/329801.html

With this series applied, enabling role-based ACLs is a matter of:

    - Configuring southbound ovsdb-server and ovn-controller to use SSL,
      configuring an ovn-controller "role" for SSL connections via e.g.:
         ovn-sbctl set-connection role=ovn-controller pssl:6642
    - Using unique certificates for each ovn-controller with a unique
      CN for each chassis, generated e.g. via:
         ovs-pki -B 1024 req+sign chassis1 switch
         ovs-pki -B 1024 req+sign chassis2 switch
         ovs-pki -B 1024 req+sign chassis3 switch
    - Starting the southbound ovsdb-server with the "--rbac" command-line
      option:
         --rbac=db:OVN_Southbound,RBAC_Role

This series is posted as RFC mainly to solicit high-level feedback about
the approach, although feedback about implementation details would also
be welcome. Known deficiencies:

    - No unit tests.
    - Sketchy documentation.

Regards,

    Lance


Lance Richardson (5):
  stream: store stream peer id with stream state
  ovsdb: refactor utility functions into separate file
  ovsdb: add support for role-based access controls
  ovn: add rbac tables to ovn southbound schema
  ovn-sbctl: support setting rbac role for remote connections

 lib/jsonrpc.c             |  10 ++
 lib/jsonrpc.h             |   2 +
 lib/stream-provider.h     |   1 +
 lib/stream-ssl.c          |  44 ++++++++
 lib/stream.c              |  14 +++
 lib/stream.h              |   3 +
 ovn/northd/ovn-northd.c   | 190 +++++++++++++++++++++++++++++++
 ovn/ovn-sb.ovsschema      |  26 ++++-
 ovn/ovn-sb.xml            |  39 +++++++
 ovn/utilities/ovn-sbctl.c |  12 +-
 ovsdb/automake.mk         |   6 +-
 ovsdb/execution.c         |  38 ++++++-
 ovsdb/jsonrpc-server.c    |   6 +-
 ovsdb/jsonrpc-server.h    |   1 +
 ovsdb/mutation.c          |  11 +-
 ovsdb/mutation.h          |   6 +-
 ovsdb/ovsdb-server.c      | 229 +++++++++++--------------------------
 ovsdb/ovsdb-tool.c        |   2 +-
 ovsdb/ovsdb-util.c        | 230 ++++++++++++++++++++++++++++++++++++++
 ovsdb/ovsdb-util.h        |  44 ++++++++
 ovsdb/ovsdb.h             |   1 +
 ovsdb/rbac.c              | 279 ++++++++++++++++++++++++++++++++++++++++++++++
 ovsdb/rbac.h              |  26 +++++
 ovsdb/trigger.c           |   8 +-
 ovsdb/trigger.h           |   5 +-
 tests/test-ovsdb.c        |   7 +-
 26 files changed, 1058 insertions(+), 182 deletions(-)
 create mode 100644 ovsdb/ovsdb-util.c
 create mode 100644 ovsdb/ovsdb-util.h
 create mode 100644 ovsdb/rbac.c
 create mode 100644 ovsdb/rbac.h

-- 
2.7.4
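The three setup steps above hinge on two things: the SSL peer CN identifies the chassis, and the connection's role decides which rows and columns that chassis may touch. The following is an added, simplified Python model of such a check (not code from this series or from ovsdb-server); the role name comes from the mail, while the table names, columns, permission semantics and sample rows are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Permission:
    """Constructed model of one per-table permission entry."""
    authorization: set = field(default_factory=set)  # columns that must equal the peer CN
    insert_delete: bool = False                      # may the role insert/delete rows?
    update: set = field(default_factory=set)         # columns the role may update

# Constructed role table keyed by the role name set via "set-connection role=...".
# Table/column names are assumptions for this example, not the series' schema.
ROLES = {
    "ovn-controller": {
        "Chassis": Permission({"name"}, insert_delete=True, update={"nb_cfg", "encaps"}),
        "Port_Binding": Permission({"chassis"}, insert_delete=False, update={"chassis"}),
    },
}

def row_authorized(perm, row, peer_id):
    """A row is in scope when one of the authorization columns equals the
    client's peer id (the certificate CN). An empty set means unrestricted."""
    if not perm.authorization:
        return True
    return any(row.get(col) == peer_id for col in perm.authorization)

def check_op(role, peer_id, op, table, row, columns=()):
    """Return True if a client with `role` and SSL CN `peer_id` may perform
    `op` ('insert', 'delete', or 'update' of `columns`) on `row` in `table`.
    A connection without a role keeps the pre-RBAC unrestricted behaviour."""
    if role is None:
        return True
    perm = ROLES.get(role, {}).get(table)
    if perm is None:
        return False  # tables absent from the role are read-only for it
    if not row_authorized(perm, row, peer_id):
        return False  # e.g. chassis1 touching chassis2's Chassis row
    if op in ("insert", "delete"):
        return perm.insert_delete
    if op == "update":
        return set(columns) <= perm.update
    return False
```

With the constructed role, chassis1 may register its own Chassis row and bump nb_cfg on it, but cannot rename it, cannot touch chassis2's rows, and cannot write tables such as Logical_Flow that the role does not list.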
