[ovs-dev] [PATCH] [RFC] ovn-controller: Experiment with restricting access to columns.
mmichels at redhat.com
Mon Jun 18 12:36:47 UTC 2018
On 06/16/2018 12:53 AM, Ben Pfaff wrote:
> On Fri, Jun 15, 2018 at 10:11:41AM -0400, Mark Michelson wrote:
>> On 06/13/2018 11:29 PM, Han Zhou wrote:
>>> On Wed, Jun 13, 2018 at 3:37 PM, Ben Pfaff <blp at ovn.org> wrote:
>>>> To make ovn-controller recompute incrementally, we need accurate
>>>> dependencies for each function that reads or writes a table. It's
>>>> currently difficult to be sure about these dependencies, and certainly
>>>> difficult to maintain them over time, because there's no way to actually
>>>> enforce them.
>>>> This commit experiments with an approach that allows for fairly
>>>> fine-grained access control within ovn-controller to tables and columns.
>>>> It's based on generating a new version of the IDL data structures for each
>>>> case where we want different access control. All of these data structures
>>>> have the same format, but the columns that a given piece of code is not
>>>> supposed to touch are renamed to discourage programmers from using them,
>>>> e.g. they're given names suffixed with "__accessdenied". (This means
>>>> that there is no runtime overhead to the access control since it only
>>>> requires a cast to convert between the regular and restricted versions.)
>>>> In addition, when a column is supposed to be read-only, functions for
>>>> modifying the column are not supplied.
>>>> This commit only tries out this experiment for a single file within
>>>> ovn-controller, the BFD implementation (mostly because that's
>>>> alphabetically first, no other real reason). It would require a little
>>>> more work to apply it everywhere, but it's probably not a huge deal.
>>>> CC: Han Zhou <zhouhan at gmail.com>
>>>> Signed-off-by: Ben Pfaff <blp at ovn.org>
>>>> ovn/controller/automake.mk | 5 +
>>>> ovn/controller/bfd-vswitch-idl.def | 21 ++++
>>>> ovn/controller/bfd.c | 20 ++--
>>>> ovn/controller/bfd.h | 8 +-
>>>> ovn/controller/ovn-controller.c | 13 ++-
>>>> ovsdb/ovsdb-idlc.in | 223 ++++++++++++++++++++++++++++++
>>>> 6 files changed, 268 insertions(+), 22 deletions(-)
>>>> create mode 100644 ovn/controller/bfd-vswitch-idl.def
>>> I wanted to have a quick test but it didn't pass the compile:
>>> In file included from ovn/controller/bfd.c:17:0:
>>> ovn/controller/bfd.h:19:44: fatal error: ovn/controller/bfd-vswitch-idl.h:
>>> No such file or directory
>> Here's a different datapoint in the same category.
>> I got a slightly different error when I tried to compile.
>> ovn/controller/bfd-vswitch-idl.h was auto-generated and everything worked up
>> until the very end:
>> "The following files are in git but not the distribution:
>> The make command I ran was `make sandbox SANDBOXFLAGS="--ovn"`
>> I tried running `make distclean` then reconfiguring, but this didn't help.
>> For comparison, Han, these are my software versions, in case that might be
>> why auto-generation worked for me but not you:
>> gcc version is 7.3.1
>> make version is 4.2.1
>> autoconf version is 2.69
> I've fixed that locally now. It needed EXTRA_DIST +=
I can confirm this worked for me too. Thanks!
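The renamed-column scheme that the commit message describes (a second struct with the same layout whose off-limits columns carry an "__accessdenied" suffix, converted by a cast, with setters supplied only for writable columns) can be shown in a few lines of C. The following is an added example written for this thread; it is not code from the patch or from OVS, and the interface row with `name`, `bfd`, `bfd_status` and `ofport` columns is a constructed stand-in for what ovsdb-idlc would generate.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Unrestricted view of an interface row.  Constructed for this example;
 * it is not the ovsrec_interface struct that ovsdb-idlc generates. */
struct ovsrec_interface_full {
    const char *name;       /* BFD code reads this */
    const char *bfd;        /* BFD code writes this */
    const char *bfd_status; /* BFD code reads this, must not write it */
    long ofport;            /* BFD code must not touch this at all */
};

/* Restricted view for the BFD implementation: identical layout, but the
 * column it must not touch is renamed with an "__accessdenied" suffix, so
 * a reference to "ofport" from BFD code is a compile error. */
struct ovsrec_interface_bfd {
    const char *name;
    const char *bfd;
    const char *bfd_status;
    long ofport__accessdenied;
};

/* The zero-overhead cast is only sound if the two layouts really match,
 * so check that at compile time rather than trusting the programmer. */
_Static_assert(sizeof(struct ovsrec_interface_bfd)
               == sizeof(struct ovsrec_interface_full),
               "restricted view must have the same size");
_Static_assert(offsetof(struct ovsrec_interface_bfd, bfd_status)
               == offsetof(struct ovsrec_interface_full, bfd_status),
               "bfd_status must be at the same offset");
_Static_assert(offsetof(struct ovsrec_interface_bfd, ofport__accessdenied)
               == offsetof(struct ovsrec_interface_full, ofport),
               "ofport must be at the same offset");

/* Convert a full row into the view handed to BFD code: a cast, no copy. */
static struct ovsrec_interface_bfd *
ovsrec_interface_bfd_from_full(struct ovsrec_interface_full *row)
{
    return (struct ovsrec_interface_bfd *) row;
}

/* Setter supplied for the one column BFD code is allowed to write.  No
 * ..._set_bfd_status() or ..._set_ofport() exists in this view, so the
 * accessor API offers no way to modify the read-only or denied columns.
 * (A direct assignment to row->bfd_status would still compile in C; the
 * missing setter discourages it, the renamed column actually prevents it.) */
static void
ovsrec_interface_bfd_set_bfd(struct ovsrec_interface_bfd *row, const char *bfd)
{
    row->bfd = bfd;
}

/* Stand-in for the BFD module's update logic: it only ever sees the
 * restricted view and uses the one setter it has. */
static void
bfd_configure(struct ovsrec_interface_bfd *iface, const char *cfg)
{
    ovsrec_interface_bfd_set_bfd(iface, cfg);
    /* iface->ofport = 0;   would not compile: no member named ofport */
}

/* Drive the pattern on a constructed row.  Returns 1 when the write made
 * through the restricted view is visible in the full view and the
 * read-only and denied columns are untouched, 0 otherwise. */
int
restricted_view_roundtrip(void)
{
    struct ovsrec_interface_full row = {
        .name = "lrp-out", .bfd = "", .bfd_status = "state=down", .ofport = 7,
    };

    bfd_configure(ovsrec_interface_bfd_from_full(&row), "enable=true");

    return strcmp(row.bfd, "enable=true") == 0
           && row.ofport == 7
           && strcmp(row.bfd_status, "state=down") == 0;
}

int
main(void)
{
    int ok = restricted_view_roundtrip();
    printf("restricted view roundtrip: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

The `_Static_assert` checks are the part worth keeping in any real generator of such views: the cast is free only because the layouts agree, and a generator that emits both structs from one column list can emit the size and offset checks alongside them so that a drifted definition fails at build time instead of silently aliasing the wrong column.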