[ovs-dev] [PATCH] [RFC] ovn-controller: Experiment with restricting access to columns.

Mark Michelson mmichels at redhat.com
Mon Jun 18 12:36:47 UTC 2018


On 06/16/2018 12:53 AM, Ben Pfaff wrote:
> On Fri, Jun 15, 2018 at 10:11:41AM -0400, Mark Michelson wrote:
>> On 06/13/2018 11:29 PM, Han Zhou wrote:
>>> On Wed, Jun 13, 2018 at 3:37 PM, Ben Pfaff <blp at ovn.org> wrote:
>>>>
>>>> To make ovn-controller recompute incrementally, we need accurate
>>>> dependencies for each function that reads or writes a table.  It's
>>>> currently difficult to be sure about these dependencies, and certainly
>>>> difficult to maintain them over time, because there's no way to actually
>>>> enforce them.
>>>>
>>>> This commit experiments with an approach that allows for fairly
>>>> fine-grained access control within ovn-controller to tables and columns.
>>>> It's based on generating a new version of the IDL data structures for each
>>>> case where we want different access control.  All of these data structures
>>>> have the same format, but the columns that a given piece of code is not
>>>> supposed to touch are renamed to discourage programmers from using them,
>>>> e.g. they're given names suffixed with "__accessdenied".  (This means
>>>> that there is no runtime overhead to the access control since it only
>>>> requires a cast to convert between the regular and restricted versions.)
>>>> In addition, when a column is supposed to be read-only, functions for
>>>> modifying the column are not supplied.
>>>>
>>>> This commit only tries out this experiment for a single file within
>>>> ovn-controller, the BFD implementation (mostly because that's
>>>> alphabetically first, no other real reason).  It would require a little
>>>> more work to apply it everywhere, but it's probably not a huge deal.
>>>>
>>>> Comments?
>>>>
>>>> CC: Han Zhou <zhouhan at gmail.com>
>>>> Signed-off-by: Ben Pfaff <blp at ovn.org>
>>>> ---
>>>>   ovn/controller/automake.mk         |   5 +
>>>>   ovn/controller/bfd-vswitch-idl.def |  21 ++++
>>>>   ovn/controller/bfd.c               |  20 ++--
>>>>   ovn/controller/bfd.h               |   8 +-
>>>>   ovn/controller/ovn-controller.c    |  13 ++-
>>>>   ovsdb/ovsdb-idlc.in                | 223 ++++++++++++++++++++++++++++++++++++-
>>>>   6 files changed, 268 insertions(+), 22 deletions(-)
>>>>   create mode 100644 ovn/controller/bfd-vswitch-idl.def
>>>>
>>>
>>> I wanted to have a quick test but it didn't pass the compile:
>>> In file included from ovn/controller/bfd.c:17:0:
>>> ovn/controller/bfd.h:19:44: fatal error: ovn/controller/bfd-vswitch-idl.h:
>>> No such file or directory
>>
>> Here's a different datapoint in the same category.
>>
>> I got a slightly different error when I tried to compile.
>> ovn/controller/bfd-vswitch-idl.h was auto-generated and everything worked up
>> until the very end:
>>
>> "The following files are in git but not the distribution:
>> ovn/controller/bfd-vswitch-idl.def"
>>
>> The make command I ran was `make sandbox SANDBOXFLAGS="--ovn"`
>>
>> I tried running `make distclean` then reconfiguring, but this didn't help.
>>
>> For comparison, Han, these are my software versions, in case that might be
>> why auto-generation worked for me but not you:
>> gcc version is 7.3.1
>> make version is 4.2.1
>> autoconf version is 2.69
> 
> I've fixed that locally now.  It needed EXTRA_DIST +=
> ovn/controller/bfd-vswitch-idl.def.
> 

I can confirm this worked for me too. Thanks!
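The column-renaming scheme from the commit message quoted above, reduced to a stand-alone C sketch. This is an added illustration, not OVS's generated IDL code; the struct and column names (demo_row, bfd_status, other_config) are hypothetical, and the may_alias attribute is added here to keep the cast between the two views well-defined under type-based alias analysis.

```c
#include <stddef.h>

/* Constructed "full" row with three columns; hypothetical names, not OVN's
 * generated IDL (which has dozens of columns per table). */
struct demo_row {
    const char *name;     /* read-only for the BFD code */
    int bfd_status;       /* BFD code may read and write */
    int other_config;     /* BFD code must not touch at all */
} __attribute__((may_alias));

/* Restricted view for one piece of code: identical layout, but every
 * off-limits column is renamed with "__accessdenied" so that a use such as
 * view->other_config is a compile error rather than a runtime check. */
struct demo_row_bfd {
    const char *name;
    int bfd_status;
    int other_config__accessdenied;
} __attribute__((may_alias));

/* The scheme is only sound if both structs really share a layout; pin that
 * down at compile time instead of trusting the generator. */
_Static_assert(sizeof(struct demo_row) == sizeof(struct demo_row_bfd), "size");
_Static_assert(offsetof(struct demo_row, other_config) ==
               offsetof(struct demo_row_bfd, other_config__accessdenied),
               "column offsets must match");

/* Conversion is a plain cast: no runtime cost, as the commit message notes. */
static inline struct demo_row_bfd *demo_row_to_bfd(struct demo_row *row)
{
    return (struct demo_row_bfd *) row;
}

/* Setters exist only for columns the view may write.  There is deliberately
 * no demo_row_bfd_set_name(): "name" is read-only in this view. */
static inline void demo_row_bfd_set_bfd_status(struct demo_row_bfd *r, int v)
{
    r->bfd_status = v;
}

/* Write through the restricted view, then read the real row back.
 * Returns bfd_status * 100 + other_config so both values can be checked. */
int demo_restricted_write(void)
{
    struct demo_row row = { "br-int", 0, 42 };
    struct demo_row_bfd *view = demo_row_to_bfd(&row);
    demo_row_bfd_set_bfd_status(view, 7);
    /* view->other_config = 0;  <- would not compile: no such member */
    return row.bfd_status * 100 + row.other_config;
}
```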