[ovs-dev] [PATCH v3 0/3] role-based access controls for ovsdb-server, ovn-sb

Lance Richardson lrichard at redhat.com
Wed May 31 23:04:02 UTC 2017


This series implements role-based access control infrastructure for
ovsdb-server, and uses that infrastructure to apply role-based access
controls to the OVN_Southbound database. This implementation follows
the outline discussed at:

     https://mail.openvswitch.org/pipermail/ovs-dev/2017-March/329801.html

With this series applied, enabling role-based ACLs for ovn-sb is a matter of:

    - Configuring southbound ovsdb-server and ovn-controller to use SSL,
      configuring an ovn-controller "role" for SSL connections via e.g.:
         ovn-sbctl set-connection role=ovn-controller pssl:6642
    - Using unique certificates for each ovn-controller with a unique
      CN for each chassis, generated e.g. via:
         ovs-pki -B 1024 -u req+sign chassis1 switch
         ovs-pki -B 1024 -u req+sign chassis2 switch
         ovs-pki -B 1024 -u req+sign chassis3 switch

Basic testing:
  - travis-ci build
  - unit tests
  - ovn sandbox, modified to enable rbac
  - three-node vagrant configuration (one central, two chassis nodes)

Lance Richardson (3):
  ovsdb: add support for role-based access controls
  ovn: add rbac tables to ovn southbound schema
  ovn-sbctl: support setting rbac role for remote connections

 lib/jsonrpc.c              |  10 +
 lib/jsonrpc.h              |   1 +
 lib/ovsdb-error.c          |  13 ++
 lib/ovsdb-error.h          |   4 +
 lib/ovsdb-idl.c            |   6 +
 ovn/northd/ovn-northd.c    | 197 ++++++++++++++++++++
 ovn/ovn-architecture.7.xml | 156 ++++++++++++++++
 ovn/ovn-sb.ovsschema       |  26 ++-
 ovn/ovn-sb.xml             |  40 ++++
 ovn/utilities/ovn-sbctl.c  |  12 +-
 ovsdb/automake.mk          |   2 +
 ovsdb/execution.c          |  44 ++++-
 ovsdb/jsonrpc-server.c     |   6 +-
 ovsdb/jsonrpc-server.h     |   1 +
 ovsdb/ovsdb-server.1.in    |  45 +++++
 ovsdb/ovsdb-server.c       |   8 +-
 ovsdb/ovsdb-tool.1.in      |  10 +-
 ovsdb/ovsdb-tool.c         |  23 ++-
 ovsdb/ovsdb-util.c         |  31 ++++
 ovsdb/ovsdb-util.h         |   4 +
 ovsdb/ovsdb.c              |   3 +
 ovsdb/ovsdb.h              |   3 +
 ovsdb/rbac.c               | 449 +++++++++++++++++++++++++++++++++++++++++++++
 ovsdb/rbac.h               |  48 +++++
 ovsdb/trigger.c            |   8 +-
 ovsdb/trigger.h            |   5 +-
 tests/automake.mk          |   1 +
 tests/ovsdb-rbac.at        | 375 +++++++++++++++++++++++++++++++++++++
 tests/ovsdb.at             |   1 +
 tests/test-ovsdb.c         |   5 +-
 30 files changed, 1517 insertions(+), 20 deletions(-)
 create mode 100644 ovsdb/rbac.c
 create mode 100644 ovsdb/rbac.h
 create mode 100644 tests/ovsdb-rbac.at

-- 
2.9.4
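To make the access model concrete, here is a small Python sketch (an added illustration, not code from this series or from ovsdb/rbac.c) of how a role's per-table permissions, together with the client identity taken from the SSL certificate CN, gate a transaction's row operations. The Permission shape (an authorization column that must equal the client CN, an insert/delete flag, and a set of updatable columns) and the OVN_CONTROLLER role contents are assumptions for the demonstration; the point it shows is why each chassis needs its own CN, since two chassis sharing a CN would pass each other's row checks.

```python
"""Simplified model of role-based access checks in an ovsdb-server.

Added illustration only; the permission semantics below are an assumption
about how a role might be described, not code copied from the patch series.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Permission:
    table: str
    authorization: str           # column whose value must equal the client CN
    insert_delete: bool = False  # may the role insert/delete rows in this table?
    update: frozenset = field(default_factory=frozenset)  # columns it may modify


# Hypothetical role for the demo: a chassis may only touch its own Chassis row
# (identified by the "name" column matching the certificate CN) and may only
# change a few columns of it.  Tables not listed are read-only for the role.
OVN_CONTROLLER = {
    "Chassis": Permission("Chassis", "name", insert_delete=True,
                          update=frozenset({"nb_cfg", "encaps", "external_ids"})),
}


def authorized(role, client_cn, op, table, row, changed_cols=()):
    """Return True if `op` ("insert", "update" or "delete") is permitted.

    `row` is the row as it would exist after an insert/update, or before a
    delete; `changed_cols` names the columns an update modifies.
    """
    perm = role.get(table)
    if perm is None:
        return False                 # table not granted to this role at all
    if row.get(perm.authorization) != client_cn:
        return False                 # row belongs to a different identity
    if op in ("insert", "delete"):
        return perm.insert_delete
    if op == "update":
        return set(changed_cols) <= perm.update
    return False


if __name__ == "__main__":
    # chassis1 may update its own row, but not chassis2's row (constructed data).
    print(authorized(OVN_CONTROLLER, "chassis1", "update", "Chassis",
                     {"name": "chassis1"}, ["nb_cfg"]))
    print(authorized(OVN_CONTROLLER, "chassis1", "update", "Chassis",
                     {"name": "chassis2"}, ["nb_cfg"]))
```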


