[ovs-dev] [PATCH ovn] ovn-northd: Fix chassis/chassis_private RBAC.

Dumitru Ceara dceara at redhat.com
Tue Sep 8 09:28:15 UTC 2020


On 9/8/20 9:53 AM, Numan Siddique wrote:
> 
> 
> On Mon, Sep 7, 2020 at 10:29 PM Dumitru Ceara <dceara at redhat.com> wrote:
> 
>     Steps to reproduce the issue:
> 
>     $ make sandbox
>     $ ovs-vsctl set open . external_ids:system-id=new-chassis
> 
>     Fixes: 94a32fca2d2b ("chassis: Fix the way encaps are updated for a
>     chassis record.")
>     Fixes: 5344f24ecb1a ("ovn-controller: Refactor chassis.c to abstract
>     the string parsing")
>     Signed-off-by: Dumitru Ceara <dceara at redhat.com>
> 
> 
> Hi Dumitru,
> 
> I applied this patch to master. Earlier after running "make sandbox",
> ovn-controller was not able to create a chassis row. This is fixed now.
> 
> However, after applying, I just noticed that when I run the below 2
> commands, the second one fails:
> 
> ovs-vsctl set open . external_ids:system-id=ch-1
> ovs-vsctl set open . external_ids:system-id=ch-2
> 
> ***
> 2020-09-08T07:50:20.385Z|00022|ovsdb_idl|WARN|transaction error:
> {"details":"RBAC rules for client \"chassis-1\" role \"ovn-controller\"
> prohibit modification of table \"Encap\".","error":"permission error"}
> 2020-09-08T07:50:32.260Z|00023|ovsdb_idl|WARN|transaction error:
> {"details":"RBAC rules for client \"chassis-1\" role \"ovn-controller\"
> prohibit modification of table \"Chassis\".","error":"permission error"}
> ***
> 
> Thanks
> Numan
> 

Hi Numan,

As pointed out by Han on the other thread, changing system-id will not
work out of the box with RBAC enabled. The user will have to change SSL
certificates to match the new chassis-id. Old Chassis/Chassis_private
records will have to be manually deleted.

I'm not sure how we could fix this.

Regards,
Dumitru
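
An added example, not part of the original thread or of OVN: a Python sketch that extracts the RBAC denials from ovn-controller log text in the format quoted above and flags a client name that differs from the configured system-id. It assumes the client name in the error is the identity taken from the SSL certificate; `rbac_denials`, `diagnose` and the sample log are constructed for illustration.

```python
import json
import re

# Constructed sample: the two warnings quoted in the thread, unwrapped to one
# line each, plus one unrelated constructed line.
SAMPLE_LOG = r'''2020-09-08T07:50:20.385Z|00022|ovsdb_idl|WARN|transaction error: {"details":"RBAC rules for client \"chassis-1\" role \"ovn-controller\" prohibit modification of table \"Encap\".","error":"permission error"}
2020-09-08T07:50:32.260Z|00023|ovsdb_idl|WARN|transaction error: {"details":"RBAC rules for client \"chassis-1\" role \"ovn-controller\" prohibit modification of table \"Chassis\".","error":"permission error"}
2020-09-08T07:50:33.000Z|00024|main|INFO|constructed unrelated line
'''

DETAILS_RE = re.compile(
    r'RBAC rules for client "(?P<client>[^"]+)" role "(?P<role>[^"]+)" '
    r'prohibit modification of table "(?P<table>[^"]+)"')

def rbac_denials(log_text):
    """Return one dict per RBAC permission error found in the log text."""
    found = []
    for line in log_text.splitlines():
        fields = line.split("|", 4)  # time|seq|module|level|message
        if len(fields) != 5 or fields[2] != "ovsdb_idl":
            continue
        prefix, _, payload = fields[4].partition("transaction error: ")
        if prefix or not payload:
            continue
        try:
            err = json.loads(payload)
        except ValueError:
            continue  # wrapped or truncated line, not valid JSON
        if err.get("error") != "permission error":
            continue
        m = DETAILS_RE.search(err.get("details", ""))
        if m:
            found.append({"time": fields[0], **m.groupdict()})
    return found

def diagnose(log_text, system_id):
    """Group denied tables by client; flag clients that differ from system_id."""
    report = {}
    for d in rbac_denials(log_text):
        entry = report.setdefault(
            d["client"], {"tables": [], "id_mismatch": d["client"] != system_id})
        if d["table"] not in entry["tables"]:
            entry["tables"].append(d["table"])
    return report

if __name__ == "__main__":
    # system-id value taken from the second command in the quoted report
    print(diagnose(SAMPLE_LOG, "ch-2"))
```

A mismatch flagged here corresponds to the situation described in the reply: the certificate identity no longer matches the chassis name, so the writes to Encap and Chassis are rejected.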


