[ovs-dev] [PATCH] [RFC] ovn-controller: Experiment with restricting access to columns.
mmichels at redhat.com
Fri Jun 15 14:11:41 UTC 2018
On 06/13/2018 11:29 PM, Han Zhou wrote:
> On Wed, Jun 13, 2018 at 3:37 PM, Ben Pfaff <blp at ovn.org> wrote:
>> To make ovn-controller recompute incrementally, we need accurate
>> dependencies for each function that reads or writes a table. It's
>> currently difficult to be sure about these dependencies, and certainly
>> difficult to maintain them over time, because there's no way to actually
>> enforce them.
>> This commit experiments with an approach that allows for fairly
>> fine-grained access control within ovn-controller to tables and columns.
>> It's based on generating a new version of the IDL data structures for each
>> case where we want different access control. All of these data structures
>> have the same format, but the columns that a given piece of code is not
>> supposed to touch are renamed to discourage programmers from using them,
>> e.g. they're given names suffixed with "__accessdenied". (This means
>> that there is no runtime overhead to the access control since it only
>> requires a cast to convert between the regular and restricted versions.)
>> In addition, when a columns is supposed to be read-only, functions for
>> modifying the column are not supplied.
>> This commit only tries out this experiment for a single file within
>> ovn-controller, the BFD implementation (mostly because that's
>> alphabetically first, no other real reason). It would require a little
>> more work to apply it everywhere, but it's probably not a huge deal.
>> CC: Han Zhou <zhouhan at gmail.com>
>> Signed-off-by: Ben Pfaff <blp at ovn.org>
>> ovn/controller/automake.mk | 5 +
>> ovn/controller/bfd-vswitch-idl.def | 21 ++++
>> ovn/controller/bfd.c | 20 ++--
>> ovn/controller/bfd.h | 8 +-
>> ovn/controller/ovn-controller.c | 13 ++-
>> ovsdb/ovsdb-idlc.in | 223 ++++++++++++++++++++++++++++++
>> 6 files changed, 268 insertions(+), 22 deletions(-)
>> create mode 100644 ovn/controller/bfd-vswitch-idl.def
> I wanted to have a quick test but it didn't pass the compile:
> In file included from ovn/controller/bfd.c:17:0:
> ovn/controller/bfd.h:19:44: fatal error: ovn/controller/bfd-vswitch-idl.h:
> No such file or directory
Here's a different datapoint in the same category.
I got a slightly different error when I tried to compile.
ovn/controller/bfd-vswitch-idl.h was auto-generated and everything
worked up until the very end:
"The following files are in git but not the distribution:
The make command I ran was `make sandbox SANDBOXFLAGS="--ovn"`
I tried running `make distclean` then reconfiguring, but this didn't help.
For comparison, Han, these are my software versions, in case that might
be why auto-generation worked for me but not you:
gcc version is 7.3.1
make version is 4.2.1
autoconf version is 2.69
> I didn't debug, but by looking at the code I got the idea. It ensures the
> purpose is declared through the generated data type and violations are
> captured at compile time.
> I think this is a brilliant way to achieve the check with such a small
> change, however, I am not sure how is it supposed to help for generating
> the dependency. I think instead of caring about whether it is read-only, we
> should care about whether it is write-only.
> For example, a engine node A reads on Table T1's column C1, reads & writes
> on Table T2's column C2, and writes on T3's C3. In this case A depends on
> T1 and T2, but not depends on T3.
> So I think what matters to the dependency generation is whether it is
> Write-Only. Read-Only is no different from ReadWrite.
> If my understanding is correct (that we don't care about the difference
> between RO and RW), for WO columns, we can simply just don't monitor its
> change. Then we don't even need this feature from dependency generation
> point of view.
> Did I miss something?
> Another thing, however, I think is really important for the dependency
> generation is the columns that reference other tables, e.g. bfd_run()
> doesn't has table "ovsrec_port" as input, but in fact it depends on this
> table by referencing from ovsrec_bridge->ports. We need the table being
> referenced appear in the input parameters.
> The approach in the patch may not solve that problem directly, but
> something similar may work: we could declare the usage for a referenced
> column as "direct" or "indirect". "indirect" means the column can be
> accessed only with "get functions" instead of pointers. The "get functions"
> requires an additional parameter that is the instance of the table being
> referenced. To call the "get function" to access the column, the caller
> function needs to have the table being referenced passed in as parameter,
> so we will be able to catch the dependency. I am not sure if this approach
> is too heavy, or is tricky to implement.
> dev mailing list
> dev at openvswitch.org
More information about the dev