[ovs-dev] [PATCH ovn] northd: Amend RBAC rules for Port_Binding table

Numan Siddique numans at ovn.org
Tue Mar 2 18:30:44 UTC 2021


On Tue, Mar 2, 2021 at 11:58 PM Ben Pfaff <blp at ovn.org> wrote:
>
> On Tue, Mar 02, 2021 at 06:23:53PM +0100, Frode Nordahl wrote:
> > When `ovn-controller` claims a virtual lport it will update the
> > Port_Binding table with which chassis currently has claimed the
> > port as well as recording information about the virtual parent
> > lport [0].
> >
> > The current RBAC rules do not allow for the latter which makes
> > this operation fail.
> >
> > 0: https://github.com/ovn-org/ovn/blob/b7b0fbdab03ce8b39d5bdc114876e6b0d0683892/controller/pinctrl.c#L6150
> > Fixes: 054f4c85c ("Add a new logical switch port type - 'virtual'")
> > Reported-At: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1917475
> > Signed-off-by: Frode Nordahl <frode.nordahl at canonical.com>
> > ---
> >  northd/ovn-northd.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
> > index ac872aade..dd2c8e243 100644
> > --- a/northd/ovn-northd.c
> > +++ b/northd/ovn-northd.c
> > @@ -13251,7 +13251,7 @@ static const char *rbac_encap_update[] =
> >  static const char *rbac_port_binding_auth[] =
> >      {""};
> >  static const char *rbac_port_binding_update[] =
> > -    {"chassis", "up"};
> > +    {"chassis", "up", "virtual_parent"};
> >
> >  static const char *rbac_mac_binding_auth[] =
> >      {""};
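Review bot: In `rbac_port_binding_update`, `virtual_parent` becomes writable while `rbac_port_binding_auth` directly above stays `{""}`. An empty-string authorization entry means every client is considered authorized, so any client holding this role can rewrite `virtual_parent` on any Port_Binding row, not only on rows bound to its own chassis. If that is intended, a short comment next to the array noting that ovn-controller writes this column when it claims a virtual lport would record why it is in the list. The diffstat also shows only ovn-northd.c changing, so no test exercises a virtual port claim with RBAC enabled; adding one would catch the next column that is missed.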
>
> Please fold in the following corresponding change to ovn-northd-ddlog:
>
> diff --git a/northd/ovn_northd.dl b/northd/ovn_northd.dl
> index 13bbe17c81da..a26555c0cb45 100644
> --- a/northd/ovn_northd.dl
> +++ b/northd/ovn_northd.dl
> @@ -1280,7 +1280,7 @@ sb::Out_RBAC_Permission (
>      .table          = "Port_Binding",
>      .authorization  = set_singleton(""),
>      .insert_delete  = false,
> -    .update         = ["chassis", "up"].to_set()
> +    .update         = ["chassis", "up", "virtual_parent"].to_set()
>  ).
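Review bot: The `.update` set for `Port_Binding` duplicates the column list held in `rbac_port_binding_update` in northd/ovn-northd.c, and nothing in either hunk ties the two copies together; the original patch touched only the C copy. Suggest a comment on each side naming the other file, or a test that compares the RBAC_Permission rows produced by the two implementations, so that a future column added to one list is not left out of the other.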

Thanks.

I was a few minutes late  :).

Numan

>
>  sb::Out_RBAC_Permission (