[ovs-dev] [PATCH 4/6] ovsdb: add support for role-based access controls

Lance Richardson lrichard at redhat.com
Mon May 1 14:13:21 UTC 2017


Add suport for ovsdb RBAC (role-based access control). This includes:

   - Support for "RBAC_Role" table. A db schema containing a table
     by this name will enable role-based access controls using
     this table for RBAC role configuration.

     The "RBAC_Role" table has one row per role, with each row having a
     "name" column (role name) and a "permissions" column (map of
     table name to UUID of row in separate permission table.) The
     permission table has one row per access control configuration,
     with the following columns:
          "name"          - name of table to which this row applies
          "authorization" - set of column names and column:key pairs
                            to be compared against client ID to
                            determine authorization status
          "insert_delete" - boolean, true if insertions and
                            authorized deletions are allowed.
          "update"        - Set of columns and column:key pairs for
                            which authorized updates are allowed.
   - Support for a new "role" column in the remote configuration
     table.
   - Logic for applying the RBAC role and permission tables, in
     combination with session role from the remote connection table
     and client id, to determine whether operations modifying database
     contents should be permitted.

Signed-off-by: Lance Richardson <lrichard at redhat.com>
---
 lib/jsonrpc.c          |  10 ++
 lib/jsonrpc.h          |   1 +
 lib/ovsdb-error.c      |  12 ++
 lib/ovsdb-error.h      |   4 +
 lib/ovsdb-idl.c        |   6 +
 ovsdb/automake.mk      |   2 +
 ovsdb/execution.c      |  43 ++++-
 ovsdb/jsonrpc-server.c |   6 +-
 ovsdb/jsonrpc-server.h |   1 +
 ovsdb/ovsdb-server.c   |   7 +-
 ovsdb/ovsdb-tool.c     |   2 +-
 ovsdb/ovsdb-util.c     |  37 +++++
 ovsdb/ovsdb-util.h     |   4 +
 ovsdb/ovsdb.c          |   3 +
 ovsdb/ovsdb.h          |   3 +
 ovsdb/rbac.c           | 443 +++++++++++++++++++++++++++++++++++++++++++++++++
 ovsdb/rbac.h           |  38 +++++
 ovsdb/trigger.c        |   8 +-
 ovsdb/trigger.h        |   5 +-
 tests/automake.mk      |   1 +
 tests/ovsdb-rbac.at    | 358 +++++++++++++++++++++++++++++++++++++++
 tests/ovsdb.at         |   1 +
 tests/test-ovsdb.c     |   5 +-
 23 files changed, 990 insertions(+), 10 deletions(-)
 create mode 100644 ovsdb/rbac.c
 create mode 100644 ovsdb/rbac.h
 create mode 100644 tests/ovsdb-rbac.at

diff --git a/lib/jsonrpc.c b/lib/jsonrpc.c
index a0ade9c..2fae057 100644
--- a/lib/jsonrpc.c
+++ b/lib/jsonrpc.c
@@ -1005,6 +1005,16 @@ jsonrpc_session_get_name(const struct jsonrpc_session *s)
     return reconnect_get_name(s->reconnect);
 }
 
+const char *
+jsonrpc_session_get_id(const struct jsonrpc_session *s)
+{
+    if (s->rpc && s->rpc->stream) {
+        return stream_get_peer_id(s->rpc->stream);
+    } else {
+        return NULL;
+    }
+}
+
 /* Always takes ownership of 'msg', regardless of success. */
 int
 jsonrpc_session_send(struct jsonrpc_session *s, struct jsonrpc_msg *msg)
diff --git a/lib/jsonrpc.h b/lib/jsonrpc.h
index 982017a..9b4fb0e 100644
--- a/lib/jsonrpc.h
+++ b/lib/jsonrpc.h
@@ -130,5 +130,6 @@ void jsonrpc_session_set_probe_interval(struct jsonrpc_session *,
                                         int probe_interval);
 void jsonrpc_session_set_dscp(struct jsonrpc_session *,
                               uint8_t dscp);
+const char *jsonrpc_session_get_id(const struct jsonrpc_session *);
 
 #endif /* jsonrpc.h */
diff --git a/lib/ovsdb-error.c b/lib/ovsdb-error.c
index dfa4249..b1aaf29 100644
--- a/lib/ovsdb-error.c
+++ b/lib/ovsdb-error.c
@@ -167,6 +167,18 @@ ovsdb_internal_error(struct ovsdb_error *inner_error,
     return error;
 }
 
+struct ovsdb_error *ovsdb_perm_error(const char *details, ...)
+{
+    struct ovsdb_error *error;
+    va_list args;
+
+    va_start(args, details);
+    error = ovsdb_error_valist("permission error", details, args);
+    va_end(args);
+
+    return error;
+}
+
 void
 ovsdb_error_destroy(struct ovsdb_error *error)
 {
diff --git a/lib/ovsdb-error.h b/lib/ovsdb-error.h
index 2bc259a..da91b74 100644
--- a/lib/ovsdb-error.h
+++ b/lib/ovsdb-error.h
@@ -41,6 +41,10 @@ struct ovsdb_error *ovsdb_internal_error(struct ovsdb_error *error,
     OVS_PRINTF_FORMAT(4, 5)
     OVS_WARN_UNUSED_RESULT;
 
+struct ovsdb_error *ovsdb_perm_error(const char *details, ...)
+    OVS_PRINTF_FORMAT(1, 2)
+    OVS_WARN_UNUSED_RESULT;
+
 /* Returns a pointer to an ovsdb_error that represents an internal error for
  * the current file name and line number with MSG as the associated message.
  * The caller is responsible for freeing the internal error. */
diff --git a/lib/ovsdb-idl.c b/lib/ovsdb-idl.c
index c79951f..73fb993 100644
--- a/lib/ovsdb-idl.c
+++ b/lib/ovsdb-idl.c
@@ -160,6 +160,7 @@ static const char *row_update_names[] = {"row_update", "row_update2"};
 
 static struct vlog_rate_limit syntax_rl = VLOG_RATE_LIMIT_INIT(1, 5);
 static struct vlog_rate_limit semantic_rl = VLOG_RATE_LIMIT_INIT(1, 5);
+static struct vlog_rate_limit other_rl = VLOG_RATE_LIMIT_INIT(1, 5);
 
 static void ovsdb_idl_clear(struct ovsdb_idl *);
 static void ovsdb_idl_send_schema_request(struct ovsdb_idl *);
@@ -3746,9 +3747,14 @@ ovsdb_idl_txn_process_reply(struct ovsdb_idl *idl,
                             soft_errors++;
                         } else if (!strcmp(error->u.string, "not owner")) {
                             lock_errors++;
+                        } else if (!strcmp(error->u.string, "not allowed")) {
+                            hard_errors++;
+                            ovsdb_idl_txn_set_error_json(txn, op);
                         } else if (strcmp(error->u.string, "aborted")) {
                             hard_errors++;
                             ovsdb_idl_txn_set_error_json(txn, op);
+                            VLOG_WARN_RL(&other_rl,
+                                         "transaction error: %s", txn->error);
                         }
                     } else {
                         hard_errors++;
diff --git a/ovsdb/automake.mk b/ovsdb/automake.mk
index c218bf5..ac0f741 100644
--- a/ovsdb/automake.mk
+++ b/ovsdb/automake.mk
@@ -24,6 +24,8 @@ ovsdb_libovsdb_la_SOURCES = \
 	ovsdb/monitor.h \
 	ovsdb/query.c \
 	ovsdb/query.h \
+	ovsdb/rbac.c \
+	ovsdb/rbac.h \
 	ovsdb/replication.c \
 	ovsdb/replication.h \
 	ovsdb/row.c \
diff --git a/ovsdb/execution.c b/ovsdb/execution.c
index e2d320e..9f27457 100644
--- a/ovsdb/execution.c
+++ b/ovsdb/execution.c
@@ -32,6 +32,7 @@
 #include "table.h"
 #include "timeval.h"
 #include "transaction.h"
+#include "rbac.h"
 
 struct ovsdb_execution {
     struct ovsdb *db;
@@ -39,6 +40,8 @@ struct ovsdb_execution {
     struct ovsdb_txn *txn;
     struct ovsdb_symbol_table *symtab;
     bool durable;
+    const char *role;
+    const char *id;
 
     /* Triggers. */
     long long int elapsed_msec;
@@ -97,6 +100,7 @@ lookup_executor(const char *name, bool *read_only)
 struct json *
 ovsdb_execute(struct ovsdb *db, const struct ovsdb_session *session,
               const struct json *params, bool read_only,
+              const char *role, const char *id,
               long long int elapsed_msec, long long int *timeout_msec)
 {
     struct ovsdb_execution x;
@@ -126,6 +130,8 @@ ovsdb_execute(struct ovsdb *db, const struct ovsdb_session *session,
     x.txn = ovsdb_txn_create(db);
     x.symtab = ovsdb_symbol_table_create();
     x.durable = false;
+    x.role = role;
+    x.id = id;
     x.elapsed_msec = elapsed_msec;
     x.timeout_msec = LLONG_MAX;
     results = NULL;
@@ -305,6 +311,12 @@ ovsdb_execute_insert(struct ovsdb_execution *x, struct ovsdb_parser *parser,
         return error;
     }
 
+    if (!ovsdb_rbac_insert(x->db, table, x->role, x->id)) {
+        return ovsdb_perm_error("RBAC rules for client \"%s\" role \"%s\" "
+                                "prohibit row insertion into table \"%s\".",
+                                x->id, x->role, table->schema->name);
+    }
+
     if (uuid_name) {
         struct ovsdb_symbol *symbol;
 
@@ -410,6 +422,8 @@ struct update_row_cbdata {
     struct ovsdb_txn *txn;
     const struct ovsdb_row *row;
     const struct ovsdb_column_set *columns;
+    const char *role;
+    const char *id;
 };
 
 static bool
@@ -470,7 +484,15 @@ ovsdb_execute_update(struct ovsdb_execution *x, struct ovsdb_parser *parser,
         ur.txn = x->txn;
         ur.row = row;
         ur.columns = &columns;
-        ovsdb_query(table, &condition, update_row_cb, &ur);
+        if (ovsdb_rbac_update(x->db, table, &columns, &condition, x->role,
+                              x->id)) {
+            ovsdb_query(table, &condition, update_row_cb, &ur);
+        } else {
+            error = ovsdb_perm_error("RBAC rules for client \"%s\" role "
+                                     "\"%s\" prohibit modification of "
+                                     "table \"%s\".",
+                                     x->id, x->role, table->schema->name);
+        }
         json_object_put(result, "count", json_integer_create(ur.n_matches));
     }
 
@@ -529,7 +551,15 @@ ovsdb_execute_mutate(struct ovsdb_execution *x, struct ovsdb_parser *parser,
         mr.txn = x->txn;
         mr.mutations = &mutations;
         mr.error = &error;
-        ovsdb_query(table, &condition, mutate_row_cb, &mr);
+        if (ovsdb_rbac_mutate(x->db, table, &mutations, &condition, x->role,
+                              x->id)) {
+            ovsdb_query(table, &condition, mutate_row_cb, &mr);
+        } else {
+            error = ovsdb_perm_error("RBAC rules for client \"%s\" role "
+                                     "\"%s\" prohibit mutate operation on "
+                                     "table \"%s\".",
+                                     x->id, x->role, table->schema->name);
+        }
         json_object_put(result, "count", json_integer_create(mr.n_matches));
     }
 
@@ -579,8 +609,15 @@ ovsdb_execute_delete(struct ovsdb_execution *x, struct ovsdb_parser *parser,
         dr.n_matches = 0;
         dr.table = table;
         dr.txn = x->txn;
-        ovsdb_query(table, &condition, delete_row_cb, &dr);
 
+        if (ovsdb_rbac_delete(x->db, table, &condition, x->role, x->id)) {
+            ovsdb_query(table, &condition, delete_row_cb, &dr);
+        } else {
+            error = ovsdb_perm_error("RBAC rules for client \"%s\" role "
+                                     "\"%s\" prohibit row deletion from "
+                                     "table \"%s\".",
+                                     x->id, x->role, table->schema->name);
+        }
         json_object_put(result, "count", json_integer_create(dr.n_matches));
     }
 
diff --git a/ovsdb/jsonrpc-server.c b/ovsdb/jsonrpc-server.c
index 1ba6bb3..6edfe24 100644
--- a/ovsdb/jsonrpc-server.c
+++ b/ovsdb/jsonrpc-server.c
@@ -128,6 +128,7 @@ struct ovsdb_jsonrpc_remote {
     struct ovs_list sessions;   /* List of "struct ovsdb_jsonrpc_session"s. */
     uint8_t dscp;
     bool read_only;
+    char *role;
 };
 
 static struct ovsdb_jsonrpc_remote *ovsdb_jsonrpc_server_add_remote(
@@ -270,6 +271,7 @@ ovsdb_jsonrpc_server_add_remote(struct ovsdb_jsonrpc_server *svr,
     ovs_list_init(&remote->sessions);
     remote->dscp = options->dscp;
     remote->read_only = options->read_only;
+    remote->role = options->role ? xstrdup(options->role) : NULL;
     shash_add(&svr->remotes, name, remote);
 
     if (!listener) {
@@ -287,6 +289,7 @@ ovsdb_jsonrpc_server_del_remote(struct shash_node *node)
     ovsdb_jsonrpc_session_close_all(remote);
     pstream_close(remote->listener);
     shash_delete(&remote->server->remotes, node);
+    free(remote->role);
     free(remote);
 }
 
@@ -1038,7 +1041,8 @@ ovsdb_jsonrpc_trigger_create(struct ovsdb_jsonrpc_session *s, struct ovsdb *db,
     /* Insert into trigger table. */
     t = xmalloc(sizeof *t);
     ovsdb_trigger_init(&s->up, db, &t->trigger, params, time_msec(),
-                       s->read_only);
+                       s->read_only, s->remote->role,
+                       jsonrpc_session_get_id(s->js));
     t->id = id;
     hmap_insert(&s->triggers, &t->hmap_node, hash);
 
diff --git a/ovsdb/jsonrpc-server.h b/ovsdb/jsonrpc-server.h
index 3cacbb6..1add327 100644
--- a/ovsdb/jsonrpc-server.h
+++ b/ovsdb/jsonrpc-server.h
@@ -37,6 +37,7 @@ struct ovsdb_jsonrpc_options {
     int probe_interval;         /* Max idle time before probing, in msec. */
     bool read_only;             /* Only read-only transactions are allowed. */
     int dscp;                   /* Dscp value for manager connections */
+    char *role;                 /* Role, for role-based access controls */
 };
 struct ovsdb_jsonrpc_options *
 ovsdb_jsonrpc_default_options(const char *target);
diff --git a/ovsdb/ovsdb-server.c b/ovsdb/ovsdb-server.c
index 50c3555..32ee96c 100644
--- a/ovsdb/ovsdb-server.c
+++ b/ovsdb/ovsdb-server.c
@@ -683,7 +683,7 @@ add_manager_options(struct shash *remotes, const struct ovsdb_row *row)
     struct ovsdb_jsonrpc_options *options;
     long long int max_backoff, probe_interval;
     bool read_only;
-    const char *target, *dscp_string;
+    const char *target, *dscp_string, *role;
 
     if (!ovsdb_util_read_string_column(row, "target", &target) || !target) {
         VLOG_INFO_RL(&rl, "Table `%s' has missing or invalid `target' column",
@@ -702,6 +702,10 @@ add_manager_options(struct shash *remotes, const struct ovsdb_row *row)
     if (ovsdb_util_read_bool_column(row, "read_only", &read_only)) {
         options->read_only = read_only;
     }
+    free(options->role);
+    if (ovsdb_util_read_string_column(row, "role", &role) && role) {
+        options->role = xstrdup(role);
+    }
 
     options->dscp = DSCP_DEFAULT;
     dscp_string = ovsdb_util_read_map_string_column(row, "other_config",
@@ -1350,6 +1354,7 @@ parse_options(int *argcp, char **argvp[],
         OPT_SYNC_FROM,
         OPT_SYNC_EXCLUDE,
         OPT_ACTIVE,
+        OPT_RBAC,
         VLOG_OPTION_ENUMS,
         DAEMON_OPTION_ENUMS,
         SSL_OPTION_ENUMS,
diff --git a/ovsdb/ovsdb-tool.c b/ovsdb/ovsdb-tool.c
index 8d7e76a..fb8eb1e 100644
--- a/ovsdb/ovsdb-tool.c
+++ b/ovsdb/ovsdb-tool.c
@@ -366,7 +366,7 @@ transact(bool read_only, int argc, char *argv[])
     check_ovsdb_error(ovsdb_file_open(db_file_name, read_only, &db, NULL));
 
     request = parse_json(transaction);
-    result = ovsdb_execute(db, NULL, request, false, 0, NULL);
+    result = ovsdb_execute(db, NULL, request, false, NULL, NULL, 0, NULL);
     json_destroy(request);
 
     print_and_free_json(result);
diff --git a/ovsdb/ovsdb-util.c b/ovsdb/ovsdb-util.c
index 647f5df..3f7e1af 100644
--- a/ovsdb/ovsdb-util.c
+++ b/ovsdb/ovsdb-util.c
@@ -88,6 +88,43 @@ ovsdb_util_read_map_string_column(const struct ovsdb_row *row,
     return atom_value ? atom_value->string : NULL;
 }
 
+/* Read string-uuid key-values from a map.  Returns the row associated with
+ * 'key', if found, or NULL */
+const struct ovsdb_row *
+ovsdb_util_read_map_string_uuid_column(const struct ovsdb_row *row,
+                                       const char *column_name,
+                                       const char *key)
+{
+    union ovsdb_atom *atom_key = NULL, *atom_value = NULL;
+    const struct ovsdb_table *ref_table;
+    const struct ovsdb_column *column;
+    const struct ovsdb_datum *datum;
+    size_t i;
+
+    column = ovsdb_table_schema_get_column(row->table->schema, column_name);
+    if (!column ||
+        column->type.key.type != OVSDB_TYPE_STRING ||
+        column->type.value.type != OVSDB_TYPE_UUID) {
+        return NULL;
+    }
+
+    datum = &row->fields[column->index];
+
+    for (i = 0; i < datum->n; i++) {
+        atom_key = &datum->keys[i];
+        if (!strcmp(atom_key->string, key)) {
+            atom_value = &datum->values[i];
+            break;
+        }
+    }
+
+    if (!atom_value) {
+        return NULL;
+    }
+    ref_table = column->type.value.u.uuid.refTable;
+    return ovsdb_table_get_row(ref_table, &atom_value->uuid);
+}
+
 const union ovsdb_atom *
 ovsdb_util_read_column(const struct ovsdb_row *row, const char *column_name,
                        enum ovsdb_atomic_type type)
diff --git a/ovsdb/ovsdb-util.h b/ovsdb/ovsdb-util.h
index effbec8..abd81ff 100644
--- a/ovsdb/ovsdb-util.h
+++ b/ovsdb/ovsdb-util.h
@@ -25,6 +25,10 @@ struct ovsdb_datum *ovsdb_util_get_datum(struct ovsdb_row *row,
 const char *ovsdb_util_read_map_string_column(const struct ovsdb_row *row,
                                               const char *column_name,
                                               const char *key);
+const struct ovsdb_row *ovsdb_util_read_map_string_uuid_column(
+                                                    const struct ovsdb_row *r,
+                                                    const char *column_name,
+                                                    const char *key);
 const union ovsdb_atom *ovsdb_util_read_column(const struct ovsdb_row *row,
                                                const char *column_name,
                                                enum ovsdb_atomic_type type);
diff --git a/ovsdb/ovsdb.c b/ovsdb/ovsdb.c
index 0391900..d8f441a 100644
--- a/ovsdb/ovsdb.c
+++ b/ovsdb/ovsdb.c
@@ -351,6 +351,9 @@ ovsdb_create(struct ovsdb_schema *schema)
         }
     }
 
+    /* Use RBAC roles table if present. */
+    db->rbac_role = ovsdb_get_table(db, "RBAC_Role");
+
     return db;
 }
 
diff --git a/ovsdb/ovsdb.h b/ovsdb/ovsdb.h
index fc45c80..89bbfa2 100644
--- a/ovsdb/ovsdb.h
+++ b/ovsdb/ovsdb.h
@@ -62,6 +62,8 @@ struct ovsdb {
     /* Triggers. */
     struct ovs_list triggers;   /* Contains "struct ovsdb_trigger"s. */
     bool run_triggers;
+
+    struct ovsdb_table *rbac_role;
 };
 
 struct ovsdb *ovsdb_create(struct ovsdb_schema *);
@@ -73,6 +75,7 @@ struct ovsdb_table *ovsdb_get_table(const struct ovsdb *, const char *);
 
 struct json *ovsdb_execute(struct ovsdb *, const struct ovsdb_session *,
                            const struct json *params, bool read_only,
+                           const char *role, const char *id,
                            long long int elapsed_msec,
                            long long int *timeout_msec);
 
diff --git a/ovsdb/rbac.c b/ovsdb/rbac.c
new file mode 100644
index 0000000..6d8aa67
--- /dev/null
+++ b/ovsdb/rbac.c
@@ -0,0 +1,443 @@
+/*
+ * Copyright (c) 2017 Red Hat, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <config.h>
+#include <limits.h>
+
+#include "column.h"
+#include "condition.h"
+#include "file.h"
+#include "mutation.h"
+#include "ovsdb-data.h"
+#include "ovsdb-error.h"
+#include "ovsdb-parser.h"
+#include "ovsdb.h"
+#include "query.h"
+#include "row.h"
+#include "server.h"
+#include "table.h"
+#include "timeval.h"
+#include "transaction.h"
+#include "ovsdb-util.h"
+#include "condition.h"
+#include "rbac.h"
+#include "openvswitch/vlog.h"
+
+VLOG_DEFINE_THIS_MODULE(ovsdb_rbac);
+
+static const struct ovsdb_row *
+ovsdb_find_row_by_string_key(const struct ovsdb_table *table,
+                             const char *column_name,
+                             const char *key)
+{
+    const struct ovsdb_column *column;
+    const struct ovsdb_row *row;
+
+    column = ovsdb_table_schema_get_column(table->schema, column_name);
+
+    if (column) {
+        HMAP_FOR_EACH (row, hmap_node, &table->rows) {
+            const struct ovsdb_datum *datum;
+            size_t i;
+
+            datum = &row->fields[column->index];
+            for (i = 0; i < datum->n; i++) {
+                if (datum->keys[i].string[0] &&
+                    !strcmp(key, datum->keys[i].string)) {
+                    return row;
+                }
+            }
+        }
+    }
+    return NULL;
+}
+
+static const struct ovsdb_row *
+ovsdb_rbac_lookup_perms(const struct ovsdb *db, const char *role,
+                        const char *table)
+{
+    static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 1);
+    const struct ovsdb_row *role_row, *perm_row;
+    const struct ovsdb_column *column;
+
+    /* Lookup role in roles table */
+    role_row = ovsdb_find_row_by_string_key(db->rbac_role, "name", role);
+    if (!role_row) {
+        VLOG_INFO_RL(&rl, "rbac: role \"%s\" not found in rbac roles table",
+                     role);
+        return NULL;
+    }
+
+    /* Find row in permissions column for table from "permissions" column */
+    column = ovsdb_table_schema_get_column(role_row->table->schema,
+                                           "permissions");
+    if (!column) {
+        VLOG_INFO_RL(&rl, "rbac: \"permissions\" column not present in rbac "
+                  "roles table");
+        return NULL;
+    }
+    perm_row = ovsdb_util_read_map_string_uuid_column(role_row, "permissions",
+                                                      table);
+
+    return perm_row;
+}
+
+static bool
+ovsdb_rbac_authorized(const struct ovsdb_row *perms,
+                      const char *id,
+                      const struct ovsdb_row *row)
+{
+    static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 1);
+    const struct ovsdb_datum *datum;
+    size_t i;
+
+    datum = ovsdb_util_get_datum(CONST_CAST(struct ovsdb_row *, perms),
+                                 "authorization",
+                                 OVSDB_TYPE_STRING, OVSDB_TYPE_VOID, UINT_MAX);
+
+    if (!datum) {
+        VLOG_INFO_RL(&rl, "rbac: error reading authorization column");
+        return false;
+    }
+
+    for (i = 0; i < datum->n; i++) {
+        const char *name = datum->keys[i].string;
+        const char *value = NULL;
+        bool is_map;
+
+        if (name[0] == '\0') {
+            /* empty string means all are authorized */
+            return true;
+        }
+
+        is_map = strchr(name, ':') != NULL;
+
+        if (is_map) {
+            char *tmp = xstrdup(name);
+            char *col_name, *key, *save_ptr = NULL;
+            col_name = strtok_r(tmp, ":", &save_ptr);
+            key = strtok_r(NULL, ":", &save_ptr);
+
+            if (col_name && key) {
+                value = ovsdb_util_read_map_string_column(row, col_name, key);
+            }
+            free(tmp);
+        } else {
+            ovsdb_util_read_string_column(row, name, &value);
+        }
+        if (value && !strcmp(value, id)) {
+            return true;
+        }
+    }
+
+    return false;
+}
+
+bool
+ovsdb_rbac_insert(const struct ovsdb *db, const struct ovsdb_table *table,
+                  const char *role, const char *id)
+{
+    const struct ovsdb_table_schema *ts = table->schema;
+    const struct ovsdb_row *perms;
+    bool insdel;
+
+    if (!db->rbac_role || !role || *role == '\0') {
+        return true;
+    }
+
+    if (!id) {
+        goto denied;
+    }
+
+    perms = ovsdb_rbac_lookup_perms(db, role, ts->name);
+
+    if (!perms) {
+        goto denied;
+    }
+
+    if (!ovsdb_util_read_bool_column(perms, "insert_delete", &insdel)) {
+        return false;
+    }
+
+    if (insdel) {
+        return true;
+    }
+
+denied:
+    return false;
+}
+
+struct rbac_delete_cbdata {
+    const struct ovsdb_table *table;
+    const struct ovsdb_row *perms;
+    const char *role;
+    const char *id;
+    bool permitted;
+};
+
+static bool
+rbac_delete_cb(const struct ovsdb_row *row, void *rd_)
+{
+    struct rbac_delete_cbdata *rd = rd_;
+    bool insdel;
+
+    if (!ovsdb_rbac_authorized(rd->perms, rd->id, row)) {
+        goto denied;
+    }
+
+    if (!ovsdb_util_read_bool_column(rd->perms, "insert_delete", &insdel)) {
+        goto denied;
+    }
+
+    if (!insdel) {
+        goto denied;
+    }
+    return true;
+
+denied:
+    rd->permitted = false;
+    return false;
+}
+
+bool
+ovsdb_rbac_delete(const struct ovsdb *db, struct ovsdb_table *table,
+                  struct ovsdb_condition *condition,
+                  const char *role, const char *id)
+{
+    const struct ovsdb_table_schema *ts = table->schema;
+    const struct ovsdb_row *perms;
+    struct rbac_delete_cbdata rd;
+
+    if (!db->rbac_role || !role || *role == '\0') {
+        return true;
+    }
+    if (!id) {
+        goto denied;
+    }
+
+    perms = ovsdb_rbac_lookup_perms(db, role, ts->name);
+
+    if (!perms) {
+        goto denied;
+    }
+
+    rd.permitted = true;
+    rd.perms = perms;
+    rd.table = table;
+    rd.role = role;
+    rd.id = id;
+
+    ovsdb_query(table, condition, rbac_delete_cb, &rd);
+
+    if (rd.permitted) {
+        return true;
+    }
+
+denied:
+    return false;
+}
+
+struct rbac_update_cbdata {
+    const struct ovsdb_table *table;
+    const struct ovsdb_column_set *columns; /* columns to be modified */
+    const struct ovsdb_datum *modifiable; /* modifiable column names */
+    const struct ovsdb_row *perms;
+    const char *role;
+    const char *id;
+    bool permitted;
+};
+
+static bool
+rbac_column_modification_permitted(const struct ovsdb_column *column,
+                                   const struct ovsdb_datum *modifiable)
+{
+    size_t i;
+
+    for (i = 0; i < modifiable->n; i++) {
+        char *name = modifiable->keys[i].string;
+
+        if (!strcmp(name, column->name)) {
+            return true;
+        }
+    }
+    return false;
+}
+
+static bool
+rbac_update_cb(const struct ovsdb_row *row, void *ru_)
+{
+    struct rbac_update_cbdata *ru = ru_;
+    size_t i;
+
+    if (!ovsdb_rbac_authorized(ru->perms, ru->id, row)) {
+        goto denied;
+    }
+
+    for (i = 0; i < ru->columns->n_columns; i++) {
+        const struct ovsdb_column *column = ru->columns->columns[i];
+
+        if (!rbac_column_modification_permitted(column, ru->modifiable)) {
+            goto denied;
+        }
+    }
+    return true;
+
+denied:
+    ru->permitted = false;
+    return false;
+}
+
+bool
+ovsdb_rbac_update(const struct ovsdb *db,
+                  struct ovsdb_table *table,
+                  struct ovsdb_column_set *columns,
+                  struct ovsdb_condition *condition,
+                  const char *role, const char *id)
+{
+    static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 1);
+    const struct ovsdb_table_schema *ts = table->schema;
+    const struct ovsdb_datum *datum;
+    const struct ovsdb_row *perms;
+    struct rbac_update_cbdata ru;
+
+    if (!db->rbac_role || !role || *role == '\0') {
+        return true;
+    }
+    if (!id) {
+        goto denied;
+    }
+
+    perms = ovsdb_rbac_lookup_perms(db, role, ts->name);
+
+    if (!perms) {
+        goto denied;
+    }
+
+    datum = ovsdb_util_get_datum(CONST_CAST(struct ovsdb_row *, perms),
+                                 "update",
+                                 OVSDB_TYPE_STRING, OVSDB_TYPE_VOID, UINT_MAX);
+
+    if (!datum) {
+        VLOG_INFO_RL(&rl, "ovsdb_rbac_update: could not read \"update\" "
+                     "column");
+        goto denied;
+    }
+
+    ru.table = table;
+    ru.columns = columns;
+    ru.role = role;
+    ru.id = id;
+    ru.perms = perms;
+    ru.modifiable = datum;
+    ru.permitted = true;
+
+    ovsdb_query(table, condition, rbac_update_cb, &ru);
+
+    if (ru.permitted) {
+        return true;
+    }
+
+denied:
+    return false;
+}
+
+struct rbac_mutate_cbdata {
+    const struct ovsdb_table *table;
+    const struct ovsdb_mutation_set *mutations; /* columns to be mutated */
+    const struct ovsdb_datum *modifiable; /* modifiable column names */
+    const struct ovsdb_row *perms;
+    const char *role;
+    const char *id;
+    bool permitted;
+};
+
+static bool
+rbac_mutate_cb(const struct ovsdb_row *row, void *rm_)
+{
+    struct rbac_mutate_cbdata *rm = rm_;
+    size_t i;
+
+    if (!ovsdb_rbac_authorized(rm->perms, rm->id, row)) {
+        goto denied;
+    }
+
+    for (i = 0; i < rm->mutations->n_mutations; i++) {
+        const struct ovsdb_column *column = rm->mutations->mutations[i].column;
+
+        if (!rbac_column_modification_permitted(column, rm->modifiable)) {
+            goto denied;
+        }
+    }
+
+    return true;
+
+denied:
+    rm->permitted = false;
+    return false;
+}
+
+bool
+ovsdb_rbac_mutate(const struct ovsdb *db,
+                  struct ovsdb_table *table,
+                  struct ovsdb_mutation_set *mutations,
+                  struct ovsdb_condition *condition,
+                  const char *role, const char *id)
+{
+    static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 1);
+    const struct ovsdb_table_schema *ts = table->schema;
+    const struct ovsdb_datum *datum;
+    const struct ovsdb_row *perms;
+    struct rbac_mutate_cbdata rm;
+
+    if (!db->rbac_role || !role || *role == '\0') {
+        return true;
+    }
+    if (!id) {
+        goto denied;
+    }
+
+    perms = ovsdb_rbac_lookup_perms(db, role, ts->name);
+
+    if (!perms) {
+        goto denied;
+    }
+
+    datum = ovsdb_util_get_datum(CONST_CAST(struct ovsdb_row *, perms),
+                                 "update",
+                                 OVSDB_TYPE_STRING, OVSDB_TYPE_VOID, UINT_MAX);
+
+    if (!datum) {
+        VLOG_INFO_RL(&rl, "ovsdb_rbac_mutate: could not read \"update\" "
+                     "column");
+        goto denied;
+    }
+
+    rm.table = table;
+    rm.mutations = mutations;
+    rm.role = role;
+    rm.id = id;
+    rm.perms = perms;
+    rm.modifiable = datum;
+    rm.permitted = true;
+
+    ovsdb_query(table, condition, rbac_mutate_cb, &rm);
+
+    if (rm.permitted) {
+        return true;
+    }
+
+denied:
+    return false;
+}
diff --git a/ovsdb/rbac.h b/ovsdb/rbac.h
new file mode 100644
index 0000000..1c2664b
--- /dev/null
+++ b/ovsdb/rbac.h
@@ -0,0 +1,38 @@
+/*
+ * Copyright (c) 2017 Red Hat, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef OVSDB_RBAC_H
+#define OVSDB_RBAC_H 1
+struct ovsdb_mutation_set;
+
+bool ovsdb_rbac_insert(const struct ovsdb *,
+                       const struct ovsdb_table *,
+                       const char *, const char *);
+bool ovsdb_rbac_delete(const struct ovsdb *,
+                       struct ovsdb_table *table,
+                       struct ovsdb_condition *condition,
+                       const char *role, const char *id);
+bool ovsdb_rbac_update(const struct ovsdb *,
+                       struct ovsdb_table *table,
+                       struct ovsdb_column_set *columns,
+                       struct ovsdb_condition *condition,
+                       const char *role, const char *id);
+bool ovsdb_rbac_mutate(const struct ovsdb *,
+                       struct ovsdb_table *table,
+                       struct ovsdb_mutation_set *mutations,
+                       struct ovsdb_condition *condition,
+                       const char *role, const char *id);
+#endif /* ovsdb/rbac.h */
diff --git a/ovsdb/trigger.c b/ovsdb/trigger.c
index a859983..94b95ea 100644
--- a/ovsdb/trigger.c
+++ b/ovsdb/trigger.c
@@ -32,7 +32,8 @@ void
 ovsdb_trigger_init(struct ovsdb_session *session, struct ovsdb *db,
                    struct ovsdb_trigger *trigger,
                    struct json *request, long long int now,
-                   bool read_only)
+                   bool read_only, const char *role,
+                   const char *id)
 {
     trigger->session = session;
     trigger->db = db;
@@ -42,6 +43,8 @@ ovsdb_trigger_init(struct ovsdb_session *session, struct ovsdb *db,
     trigger->created = now;
     trigger->timeout_msec = LLONG_MAX;
     trigger->read_only = read_only;
+    trigger->role = role ? xstrdup(role): NULL;
+    trigger->id = id ? xstrdup(id): NULL;
     ovsdb_trigger_try(trigger, now);
 }
 
@@ -51,6 +54,8 @@ ovsdb_trigger_destroy(struct ovsdb_trigger *trigger)
     ovs_list_remove(&trigger->node);
     json_destroy(trigger->request);
     json_destroy(trigger->result);
+    free(trigger->role);
+    free(trigger->id);
 }
 
 bool
@@ -114,6 +119,7 @@ ovsdb_trigger_try(struct ovsdb_trigger *t, long long int now)
 {
     t->result = ovsdb_execute(t->db, t->session,
                               t->request, t->read_only,
+                              t->role, t->id,
                               now - t->created, &t->timeout_msec);
     if (t->result) {
         ovsdb_trigger_complete(t);
diff --git a/ovsdb/trigger.h b/ovsdb/trigger.h
index c8474a4..90246a4 100644
--- a/ovsdb/trigger.h
+++ b/ovsdb/trigger.h
@@ -30,12 +30,15 @@ struct ovsdb_trigger {
     long long int created;      /* Time created. */
     long long int timeout_msec; /* Max wait duration. */
     bool read_only;             /* Database is in read only mode. */
+    char *role;                 /* Role, for role-based access controls. */
+    char *id;                   /* ID, for role-based access controls. */
 };
 
 void ovsdb_trigger_init(struct ovsdb_session *, struct ovsdb *,
                         struct ovsdb_trigger *,
                         struct json *request, long long int now,
-                        bool read_only);
+                        bool read_only, const char *role,
+                        const char *id);
 void ovsdb_trigger_destroy(struct ovsdb_trigger *);
 
 bool ovsdb_trigger_is_complete(const struct ovsdb_trigger *);
diff --git a/tests/automake.mk b/tests/automake.mk
index c6bd120..0c28c47 100644
--- a/tests/automake.mk
+++ b/tests/automake.mk
@@ -82,6 +82,7 @@ TESTSUITE_AT = \
 	tests/ovsdb-monitor.at \
 	tests/ovsdb-idl.at \
 	tests/ovsdb-lock.at \
+	tests/ovsdb-rbac.at \
 	tests/ovs-vsctl.at \
 	tests/ovs-xapi-sync.at \
 	tests/stp.at \
diff --git a/tests/ovsdb-rbac.at b/tests/ovsdb-rbac.at
new file mode 100644
index 0000000..abafa99
--- /dev/null
+++ b/tests/ovsdb-rbac.at
@@ -0,0 +1,358 @@
+AT_BANNER([OVSDB -- ovsdb-server rbac])
+
+AT_SETUP([ovsdb-server/rbac 2])
+AT_KEYWORDS([ovsdb server rbac])
+AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
+
+RBAC_PKIDIR="$(pwd)"
+RBAC_PKI="sh $abs_top_srcdir/utilities/ovs-pki.in --dir=$RBAC_PKIDIR/pki --log=$RBAC_PKIDIR/rbac-pki.log"
+$RBAC_PKI -B 1024 init
+$RBAC_PKI -B 1024 req+sign ovsdb-server switch
+$RBAC_PKI -B 1024 -u req+sign client-1 switch
+$RBAC_PKI -B 1024 -u req+sign client-2 switch
+
+AT_DATA([schema],
+  [[{"name": "mydb",
+     "tables": {
+       "Root": {
+         "columns": {
+           "connections": {
+             "type": {
+               "key": {"type": "uuid", "refTable": "Connection"},
+               "min": 0,
+               "max": "unlimited"}}},
+          "isRoot": true},
+       "Connection": {
+         "columns": {
+           "target": {
+             "type": "string"},
+           "role": {
+             "type": "string"}}},
+        "RBAC_Role": {
+            "columns": {
+                "name": {"type": "string"},
+                "permissions": {
+                    "type": {"key": {"type": "string"},
+                             "value": {"type": "uuid",
+                                       "refTable": "RBAC_Permission",
+                                       "refType": "weak"},
+                                     "min": 0, "max": "unlimited"}}},
+            "isRoot": true},
+        "RBAC_Permission": {
+            "columns": {
+                "table": {"type": "string"},
+                "authorization": {"type": {"key": "string",
+                                           "min": 0,
+                                           "max": "unlimited"}},
+                "insert_delete": {"type": "boolean"},
+                "update" : {"type": {"key": "string",
+                                     "min": 0,
+                                     "max": "unlimited"}}},
+            "isRoot": true},
+       "fixed_colors": {
+         "columns": {
+           "name": {"type": "string"}, "value": {"type": "integer"}},
+         "indexes": [["name"]],
+         "isRoot": true},
+       "user_colors": {
+         "columns": {
+           "creator": {"type": "string"},
+           "name": {"type": "string"},
+           "value": {"type": "integer"}},
+         "indexes": [["name"]],
+         "isRoot": true},
+       "other_colors": {
+         "columns": {
+           "creator": {
+             "type": {"key": {"type": "string"},
+                      "value": {"type": "string"},
+                      "min": 0, "max": "unlimited"}},
+           "name": {"type": "string"},
+           "value": {"type": "integer"}},
+         "indexes": [["name"]],
+         "isRoot": true}
+    },
+     "version": "5.1.3",
+     "cksum": "12345678 9"
+}
+]])
+
+AT_CHECK([ovsdb-tool create db schema], [0], [ignore], [ignore])
+AT_CHECK(
+  [[ovsdb-tool transact db \
+     '["mydb",
+       {"op": "insert",
+        "table": "Root",
+        "row": {
+          "connections": ["set", [["named-uuid", "x"]]]}},
+       {"op": "insert",
+        "table": "Connection",
+        "uuid-name": "x",
+        "row": {"target": "pssl:0:127.0.0.1",
+                "role": "testrole"}},
+       {"op": "insert",
+        "table": "fixed_colors",
+        "row": {"name": "red",
+                "value": '16711680'}},
+       {"op": "insert",
+        "table": "RBAC_Role",
+        "row": {"name": "testrole",
+                "permissions": ["map", [["user_colors", ["named-uuid", "y"]],
+                                        ["other_colors", ["named-uuid", "z"]]]]}},
+       {"op": "insert",
+        "table": "RBAC_Permission",
+        "uuid-name": "y",
+        "row": {"authorization": "creator",
+                "insert_delete": true,
+                "table": "user_colors",
+                "update": ["set", ["name", "value"]]}},
+       {"op": "insert",
+        "table": "RBAC_Permission",
+        "uuid-name": "z",
+        "row": {"authorization": "creator:chassis",
+                "insert_delete": true,
+                "table": "user_colors",
+                "update": ["set", ["name", "value"]]}}
+]']], [0], [ignore], [ignore])
+
+AT_CHECK([ovsdb-server --log-file --detach --no-chdir --pidfile --remote=db:mydb,Root,connections \
+        --private-key=$RBAC_PKIDIR/ovsdb-server-privkey.pem \
+        --certificate=$RBAC_PKIDIR/ovsdb-server-cert.pem \
+        --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
+        db], [0], [ignore], [ignore])
+PARSE_LISTENING_PORT([ovsdb-server.log], [SSL_PORT])
+
+# Test 1:
+# Attempt to insert a row into the "fixed_colors" table.  This should
+# fail as there are no permissions for role "testrole" for this table.
+AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
+        --private-key=$RBAC_PKIDIR/client-1-privkey.pem \
+        --certificate=$RBAC_PKIDIR/client-1-cert.pem \
+        --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
+        ['["mydb",
+         {"op": "insert",
+          "table": "fixed_colors",
+          "row": {"name": "chartreuse", "value": '8388352'}}
+         ]']], [0], [stdout], [ignore])
+cat stdout >> output
+AT_CHECK([${PERL} $srcdir/uuidfilt.pl stdout], [0], [[[{"details":"RBAC rules for client \"client-1\" role \"testrole\" prohibit row insertion into table \"fixed_colors\".","error":"permission error"}]]
+], [ignore])
+
+# Test 2:
+# Attempt to insert a row into the "user_colors" table.  This should
+# succeed since role "testrole" has permissions for this table that
+# allow row insertion.
+AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
+        --private-key=$RBAC_PKIDIR/client-1-privkey.pem \
+        --certificate=$RBAC_PKIDIR/client-1-cert.pem \
+        --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
+        ['["mydb",
+         {"op": "insert",
+          "table": "user_colors",
+          "row": {"creator": "client-1", "name": "chartreuse", "value": '8388352'}}
+         ]']], [0], [stdout], [ignore])
+cat stdout >> output
+AT_CHECK([${PERL} $srcdir/uuidfilt.pl stdout], [0], [[[{"uuid":["uuid","<0>"]}]]
+], [ignore])
+
+# Test 3:
+# Attempt to update a column in the "user_colors" table.  This should
+# succeed since role "testrole" has permissions for this table that
+# allow update of the "value" column when ID is equal to the value in
+# the "creator" column.
+AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
+        --private-key=$RBAC_PKIDIR/client-1-privkey.pem \
+        --certificate=$RBAC_PKIDIR/client-1-cert.pem \
+        --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
+        ['["mydb",
+         {"op": "update",
+          "table": "user_colors",
+          "where": [["name", "==", "chartreuse"]],
+          "row": {"value": '8388353'}}
+         ]']], [0], [stdout], [ignore])
+cat stdout >> output
+AT_CHECK([${PERL} $srcdir/uuidfilt.pl stdout], [0], [[[{"count":1}]]
+], [ignore])
+
+# Test 4:
+# Attempt to update a column in the "user_colors" table.  Same as
+# previous test, but with a different client ID. This should fail
+# the RBAC authorization test because "client-2" does not match the
+# "creator" column for this row.
+AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
+        --private-key=$RBAC_PKIDIR/client-2-privkey.pem \
+        --certificate=$RBAC_PKIDIR/client-2-cert.pem \
+        --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
+        ['["mydb",
+         {"op": "update",
+          "table": "user_colors",
+          "where": [["name", "==", "chartreuse"]],
+          "row": {"value": '8388354'}}
+         ]']], [0], [stdout], [ignore])
+cat stdout >> output
+AT_CHECK([${PERL} $srcdir/uuidfilt.pl stdout], [0], [[[{"details":"RBAC rules for client \"client-2\" role \"testrole\" prohibit modification of table \"user_colors\".","error":"permission error"}]]
+], [ignore])
+
+# Test 5:
+# Attempt to mutate a column in the "user_colors" table.  This should
+# succeed since role "testrole" has permissions for this table that
+# allow update of the "value" column when ID is equal to the value in
+# the "creator" column.
+AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
+        --private-key=$RBAC_PKIDIR/client-1-privkey.pem \
+        --certificate=$RBAC_PKIDIR/client-1-cert.pem \
+        --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
+        ['["mydb",
+         {"op": "mutate",
+          "table": "user_colors",
+          "where": [["name", "==", "chartreuse"]],
+          "mutations": [["value", "+=", '10']]}
+         ]']], [0], [stdout], [ignore])
+cat stdout >> output
+AT_CHECK([${PERL} $srcdir/uuidfilt.pl stdout], [0], [[[{"count":1}]]
+], [ignore])
+
+# Test 6:
+# Attempt to mutate a column in the "user_colors" table.  Same as
+# previous test, but with a different client ID. This should fail
+# the RBAC authorization test because "client-2" does not match the
+# "creator" column for this row.
+AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
+        --private-key=$RBAC_PKIDIR/client-2-privkey.pem \
+        --certificate=$RBAC_PKIDIR/client-2-cert.pem \
+        --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
+        ['["mydb",
+         {"op": "mutate",
+          "table": "user_colors",
+          "where": [["name", "==", "chartreuse"]],
+          "mutations": [["value", "+=", '10']]}
+         ]']], [0], [stdout], [ignore])
+cat stdout >> output
+AT_CHECK([${PERL} $srcdir/uuidfilt.pl stdout], [0], [[[{"details":"RBAC rules for client \"client-2\" role \"testrole\" prohibit mutate operation on table \"user_colors\".","error":"permission error"}]]
+], [ignore])
+
+# Test 7:
+# Attempt to delete a row from the "user_colors" table. This should fail
+# the RBAC authorization test because "client-2" does not match the
+# "creator" column for this row.
+AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
+        --private-key=$RBAC_PKIDIR/client-2-privkey.pem \
+        --certificate=$RBAC_PKIDIR/client-2-cert.pem \
+        --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
+        ['["mydb",
+         {"op": "delete",
+          "table": "user_colors",
+          "where": [["name", "==", "chartreuse"]]}
+         ]']], [0], [stdout], [ignore])
+cat stdout >> output
+AT_CHECK([${PERL} $srcdir/uuidfilt.pl stdout], [0], [[[{"details":"RBAC rules for client \"client-2\" role \"testrole\" prohibit row deletion from table \"user_colors\".","error":"permission error"}]]
+], [ignore])
+
+# Test 8:
+# Attempt to delete a row from the "user_colors" table. This should pass
+# the RBAC authorization test because "client-1" does matches the
+# "creator" column for this row.
+AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
+        --private-key=$RBAC_PKIDIR/client-1-privkey.pem \
+        --certificate=$RBAC_PKIDIR/client-1-cert.pem \
+        --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
+        ['["mydb",
+         {"op": "delete",
+          "table": "user_colors",
+          "where": [["name", "==", "chartreuse"]]}
+         ]']], [0], [stdout], [ignore])
+cat stdout >> output
+AT_CHECK([${PERL} $srcdir/uuidfilt.pl stdout], [0], [[[{"count":1}]]
+], [ignore])
+
+# Test 9:
+# Attempt to insert a row into the "other_colors" table.  This should
+# succeed since role "testrole" has permissions for this table that
+# allow row insertion.
+AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
+        --private-key=$RBAC_PKIDIR/client-1-privkey.pem \
+        --certificate=$RBAC_PKIDIR/client-1-cert.pem \
+        --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
+        ['["mydb",
+         {"op": "insert",
+          "table": "other_colors",
+          "row": {"creator": ["map",[["chassis", "client-1"]]], "name": "seafoam", "value": '7466680'}}
+         ]']], [0], [stdout], [ignore])
+cat stdout >> output
+AT_CHECK([${PERL} $srcdir/uuidfilt.pl stdout], [0], [[[{"uuid":["uuid","<0>"]}]]
+], [ignore])
+
+# Test 10:
+# Attempt to update a column in the "user_colors" table.  This should
+# succeed since role "testrole" has permissions for this table that
+# allow update of the "value" column when ID is equal to the value in
+# the "creator" column.
+AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
+        --private-key=$RBAC_PKIDIR/client-1-privkey.pem \
+        --certificate=$RBAC_PKIDIR/client-1-cert.pem \
+        --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
+        ['["mydb",
+         {"op": "update",
+          "table": "other_colors",
+          "where": [["name", "==", "seafoam"]],
+          "row": {"value": '8388353'}}
+         ]']], [0], [stdout], [ignore])
+cat stdout >> output
+AT_CHECK([${PERL} $srcdir/uuidfilt.pl stdout], [0], [[[{"count":1}]]
+], [ignore])
+
+# Test 11:
+# Attempt to update a column in the "other_colors" table.  Same as
+# previous test, but with a different client ID. This should fail
+# the RBAC authorization test because "client-2" does not match the
+# "creator" column for this row.
+AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
+        --private-key=$RBAC_PKIDIR/client-2-privkey.pem \
+        --certificate=$RBAC_PKIDIR/client-2-cert.pem \
+        --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
+        ['["mydb",
+         {"op": "update",
+          "table": "other_colors",
+          "where": [["name", "==", "seafoam"]],
+          "row": {"value": '8388354'}}
+         ]']], [0], [stdout], [ignore])
+cat stdout >> output
+AT_CHECK([${PERL} $srcdir/uuidfilt.pl stdout], [0], [[[{"details":"RBAC rules for client \"client-2\" role \"testrole\" prohibit modification of table \"other_colors\".","error":"permission error"}]]
+], [ignore])
+
+# Test 12:
+# Attempt to delete a row from the "other_colors" table. This should fail
+# the RBAC authorization test because "client-2" does not match the
+# "creator" column for this row.
+AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
+        --private-key=$RBAC_PKIDIR/client-2-privkey.pem \
+        --certificate=$RBAC_PKIDIR/client-2-cert.pem \
+        --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
+        ['["mydb",
+         {"op": "delete",
+          "table": "other_colors",
+          "where": [["name", "==", "seafoam"]]}
+         ]']], [0], [stdout], [ignore])
+cat stdout >> output
+AT_CHECK([${PERL} $srcdir/uuidfilt.pl stdout], [0], [[[{"details":"RBAC rules for client \"client-2\" role \"testrole\" prohibit row deletion from table \"other_colors\".","error":"permission error"}]]
+], [ignore])
+
+# Test 13:
+# Attempt to delete a row from the "other_colors" table. This should pass
+# the RBAC authorization test because "client-1" does matches the
+# "creator" column for this row.
+AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
+        --private-key=$RBAC_PKIDIR/client-1-privkey.pem \
+        --certificate=$RBAC_PKIDIR/client-1-cert.pem \
+        --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
+        ['["mydb",
+         {"op": "delete",
+          "table": "other_colors",
+          "where": [["name", "==", "seafoam"]]}
+         ]']], [0], [stdout], [ignore])
+cat stdout >> output
+AT_CHECK([${PERL} $srcdir/uuidfilt.pl stdout], [0], [[[{"count":1}]]
+], [ignore])
+
+OVSDB_SERVER_SHUTDOWN
+AT_CLEANUP
diff --git a/tests/ovsdb.at b/tests/ovsdb.at
index fe617a5..8a389b8 100644
--- a/tests/ovsdb.at
+++ b/tests/ovsdb.at
@@ -148,3 +148,4 @@ m4_include([tests/ovsdb-server.at])
 m4_include([tests/ovsdb-monitor.at])
 m4_include([tests/ovsdb-idl.at])
 m4_include([tests/ovsdb-lock.at])
+m4_include([tests/ovsdb-rbac.at])
diff --git a/tests/test-ovsdb.c b/tests/test-ovsdb.c
index 0f2101e..9c51e32 100644
--- a/tests/test-ovsdb.c
+++ b/tests/test-ovsdb.c
@@ -1435,7 +1435,7 @@ do_execute__(struct ovs_cmdl_context *ctx, bool ro)
         char *s;
 
         params = parse_json(ctx->argv[i]);
-        result = ovsdb_execute(db, NULL, params, ro,  0, NULL);
+        result = ovsdb_execute(db, NULL, params, ro,  NULL, NULL, 0, NULL);
         s = json_to_string(result, JSSF_SORT);
         printf("%s\n", s);
         free(s);
@@ -1513,7 +1513,8 @@ do_trigger(struct ovs_cmdl_context *ctx)
             json_destroy(params);
         } else {
             struct test_trigger *t = xmalloc(sizeof *t);
-            ovsdb_trigger_init(&session, db, &t->trigger, params, now, false);
+            ovsdb_trigger_init(&session, db, &t->trigger, params, now, false,
+                               NULL, NULL);
             t->number = number++;
             if (ovsdb_trigger_is_complete(&t->trigger)) {
                 do_trigger_dump(t, now, "immediate");
-- 
2.7.4



More information about the dev mailing list