[ovs-dev] [PATCH ovn] docs: Add note about RBAC and remote ovn-northd connection

Numan Siddique numans at ovn.org
Fri Nov 8 10:56:17 UTC 2019


On Fri, Nov 8, 2019 at 11:22 AM Frode Nordahl
<frode.nordahl at canonical.com> wrote:
>
> Signed-off-by: Frode Nordahl <frode.nordahl at canonical.com>
> Acked-by: Aliasgar Ginwala <aginwala at ebay.com>
> Submitted-at: https://github.com/ovn-org/ovn/pull/25

I applied this patch to master.
Sorry I didn't notice that you already had sent the patch to the ML
and I resubmitted here - https://patchwork.ozlabs.org/patch/1191808/.

Thanks
Numan

> ---
>  .../topics/role-based-access-control.rst      |  7 ++++++
>  Documentation/tutorials/ovn-rbac.rst          | 25 +++++++++++++++++++
>  2 files changed, 32 insertions(+)
>
> diff --git a/Documentation/topics/role-based-access-control.rst
> b/Documentation/topics/role-based-access-control.rst
> index 2acd1e88b..e13e2d5dc 100644
> --- a/Documentation/topics/role-based-access-control.rst
> +++ b/Documentation/topics/role-based-access-control.rst
> @@ -82,6 +82,13 @@ command:
>
>     $ ovn-sbctl set-connection role=ovn-controller ssl:192.168.0.1:6642
>
> +.. note::
> +
> +   There is currently no pre-defined role for ovn-northd. You must configure
> +   a separate listener on the OVN southbound database that ovn-northd can
> +   connect to if your deployment topology require ovn-northd to connect to a
> +   OVN southbound database instance on a remote machine.
> +
>  Pre-defined Roles
>  -----------------
>  This section describes roles that have been defined internally by OVS/OVN.
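Review bot: the added note has two grammar slips: "if your deployment topology require ovn-northd" should read "requires", and "a OVN southbound database" should read "an OVN southbound database". Since the text just above shows `set-connection role=ovn-controller`, it would also help to state in the note that the separate listener is precisely one whose Connection row carries no `role=ovn-controller`, because that role is what blocks the full write access ovn-northd needs.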
> diff --git a/Documentation/tutorials/ovn-rbac.rst
> b/Documentation/tutorials/ovn-rbac.rst
> index 22b169d6d..fc2de5d5d 100644
> --- a/Documentation/tutorials/ovn-rbac.rst
> +++ b/Documentation/tutorials/ovn-rbac.rst
> @@ -132,3 +132,28 @@ Configuring RBAC
>                      /path/to/chassis_2-cert.pem /path/to/cacert.pem
>        $ ovs-vsctl set open_vswitch . \
>                      external_ids:ovn-remote=ssl:machine_3-ip:6642
> +
> +The OVN central control daemon and RBAC
> +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> +
> +The OVN central control daemon (`ovn-northd`) needs full write access to
> +the southbound database. When you have one machine hosting the central
> +components, `ovn-northd` can talk to the databases through a local unix
> +socket, bypassing the `ovn-controller` RBAC configured for the listener
> +at port '6642'. However, if you want to deploy multiple machines for
> +hosting the central components, `ovn-northd` will require a remote
> +connection to all of them.
> +
> +1. Configure the southbound database with a second SSL listener on a
> +   separate port without RBAC enabled for use by `ovn-northd`.
> +
> +   In `machine_3`::
> +
> +      $ ovn-sbctl -- --id=@conn_uuid create Connection \
> +          target="pssl\:16642" \
> +          -- add  SB_Global . connections=@conn_uuid
> +
> +   .. note::
> +
> +     Care should be taken to restrict access to the above mentioned port
> +     so that only trusted machines can connect to it.
> --
> 2.20.1