[ovs-dev] [PATCH 0/6] role-based access controls for ovsdb-server, ovn-sb

Lance Richardson lrichard at redhat.com
Mon May 1 14:12:50 UTC 2017


This series implements role-based access control infrastructure for
ovsdb-server, and uses that infrastructure to apply role-based access
controls to the OVN_Southbound database. This implementation follows
the outline discussed at:

     https://mail.openvswitch.org/pipermail/ovs-dev/2017-March/329801.html

With this series applied, enabling role-based ACLs is a matter of:

    - Configuring southbound ovsdb-server and ovn-controller to use SSL,
      configuring an ovn-controller "role" for SSL connections via e.g.:
         ovn-sbctl set-connection role=ovn-controller pssl:6642
    - Using unique certificates for each ovn-controller with a unique
      CN for each chassis, generated e.g. via:
         ovs-pki -B 1024 -u req+sign chassis1 switch
         ovs-pki -B 1024 -u req+sign chassis2 switch
         ovs-pki -B 1024 -u req+sign chassis3 switch

Lance Richardson (6):
  stream: store stream peer id with stream state
  ovsdb: refactor utility functions into separate file
  ovs-pki: add option to suppress generated id in common name
  ovsdb: add support for role-based access controls
  ovn: add rbac tables to ovn southbound schema
  ovn-sbctl: support setting rbac role for remote connections

 lib/jsonrpc.c              |  10 +
 lib/jsonrpc.h              |   1 +
 lib/ovsdb-error.c          |  12 ++
 lib/ovsdb-error.h          |   4 +
 lib/ovsdb-idl.c            |   6 +
 lib/stream-provider.h      |   1 +
 lib/stream-ssl.c           |  44 +++++
 lib/stream.c               |  15 ++
 lib/stream.h               |   2 +
 ovn/northd/ovn-northd.c    | 190 +++++++++++++++++++
 ovn/ovn-architecture.7.xml | 155 ++++++++++++++++
 ovn/ovn-sb.ovsschema       |  28 ++-
 ovn/ovn-sb.xml             |  39 ++++
 ovn/utilities/ovn-sbctl.c  |  12 +-
 ovsdb/automake.mk          |   6 +-
 ovsdb/execution.c          |  43 ++++-
 ovsdb/jsonrpc-server.c     |   6 +-
 ovsdb/jsonrpc-server.h     |   1 +
 ovsdb/ovsdb-server.c       | 194 ++------------------
 ovsdb/ovsdb-tool.c         |   2 +-
 ovsdb/ovsdb-util.c         | 233 ++++++++++++++++++++++++
 ovsdb/ovsdb-util.h         |  52 ++++++
 ovsdb/ovsdb.c              |   3 +
 ovsdb/ovsdb.h              |   3 +
 ovsdb/rbac.c               | 443 +++++++++++++++++++++++++++++++++++++++++++++
 ovsdb/rbac.h               |  38 ++++
 ovsdb/trigger.c            |   8 +-
 ovsdb/trigger.h            |   5 +-
 tests/automake.mk          |   1 +
 tests/ovsdb-rbac.at        | 358 ++++++++++++++++++++++++++++++++++++
 tests/ovsdb.at             |   1 +
 tests/test-ovsdb.c         |   5 +-
 utilities/ovs-pki.8.in     |   9 +
 utilities/ovs-pki.in       |  16 +-
 34 files changed, 1751 insertions(+), 195 deletions(-)
 create mode 100644 ovsdb/ovsdb-util.c
 create mode 100644 ovsdb/ovsdb-util.h
 create mode 100644 ovsdb/rbac.c
 create mode 100644 ovsdb/rbac.h
 create mode 100644 tests/ovsdb-rbac.at

-- 
2.7.4
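The access decision the series introduces (a connection's role plus the peer id taken from its certificate CN decide which rows it may write), as an added Python model; this is not code from the patch series or from ovsdb-server, and the role, table and column names are assumed for illustration.

```python
"""Simplified model of the ovsdb-server role-based access check.

Added illustration, not code from this patch series or from ovsdb-server.
It assumes the shape the cover letter implies: each SSL connection carries
a peer id (the client certificate CN, e.g. "chassis1"), the connection is
bound to a role, and a role grants per-table write permissions in which
some "authorization" columns must hold the caller's own peer id. The role,
table and column names below are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    authorization: tuple   # columns whose value must equal the peer id
    insert_delete: bool    # may the role insert/delete matching rows?
    update: tuple          # columns the role may update on matching rows


@dataclass(frozen=True)
class Role:
    name: str
    permissions: dict      # table name -> Permission; other tables are read-only


# Constructed role modelled on an ovn-controller: a chassis may create,
# delete and partially update only the Chassis row that carries its own CN.
OVN_CONTROLLER = Role("ovn-controller", {
    "Chassis": Permission(authorization=("name",), insert_delete=True,
                          update=("encaps", "nb_cfg")),
})


def authorize(role, peer_id, table, op, row, new_values=None):
    """Decide whether `peer_id`, bound to `role`, may apply `op` ("insert",
    "delete" or "update") to `row` of `table`; `new_values` maps the columns
    an update writes to their new values. A connection with no role is
    unrestricted (a trusted, non-RBAC connection)."""
    if role is None:
        return True
    perm = role.permissions.get(table)
    if perm is None:
        return False           # tables not granted to the role are read-only
    # The existing (or inserted) row must name the caller in every
    # authorization column; this is what ties a chassis to its own rows.
    if any(row.get(col) != peer_id for col in perm.authorization):
        return False
    if op in ("insert", "delete"):
        return perm.insert_delete
    if op == "update":
        # Only the granted columns may change, so the authorization column
        # itself (not in `update`) can never be rewritten to another CN.
        return bool(new_values) and all(c in perm.update for c in new_values)
    return False
```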
