[ovs-dev] [PATCH ovn] ovn-northd: Fix chassis/chassis_private RBAC.
Dumitru Ceara
dceara at redhat.com
Tue Sep 8 09:28:15 UTC 2020
On 9/8/20 9:53 AM, Numan Siddique wrote:
>
>
> On Mon, Sep 7, 2020 at 10:29 PM Dumitru Ceara <dceara at redhat.com
> <mailto:dceara at redhat.com>> wrote:
>
> Steps to reproduce the issue:
>
> $ make sandbox
> $ ovs-vsctl set open . external_ids:system-id=new-chassis
>
> Fixes: 94a32fca2d2b ("chassis: Fix the way encaps are updated for a
> chassis record.")
> Fixes: 5344f24ecb1a ("ovn-controller: Refactor chassis.c to abstract
> the string parsing")
> Signed-off-by: Dumitru Ceara <dceara at redhat.com
> <mailto:dceara at redhat.com>>
>
>
> Hi Dumitru,
>
> I applied this patch to master. Earlier after running "make sandbox",
> ovn-controller was not able to create a chassis row. This is fixed now.
>
> However after applying, I just noticed that when I run the below 2
> commands, the second one fails
>
> ovs-vsctl set open . external_ids:system-id=ch-1
> ovs-vsctl set open . external_ids:system-id=ch-2
>
> ***
> 2020-09-08T07:50:20.385Z|00022|ovsdb_idl|WARN|transaction error:
> {"details":"RBAC rules for client \"chassis-1\" role \"ovn-controller\"
> prohibit modification of table \"Encap\".","error":"permission error"}
> 2020-09-08T07:50:32.260Z|00023|ovsdb_idl|WARN|transaction error:
> {"details":"RBAC rules for client \"chassis-1\" role \"ovn-controller\"
> prohibit modification of table \"Chassis\".","error":"permission error"}
> ***
>
> Thanks
> Numan
>
Hi Numan,
As pointed out by Han on the other thread, changing system-id will not
work out of the box with RBAC enabled. The user will have to change SSL
certificates to match the new chassis-id. Old Chassis/Chassis_private
records will have to be manually deleted.
I'm not sure how we could fix this.
Regards,
Dumitru
More information about the dev
mailing list