[ovs-dev] [PATCH ovn v2 1/9] northd: Amend RBAC rules for Port_Binding table

Frode Nordahl frode.nordahl at canonical.com
Fri Mar 5 12:16:23 UTC 2021


When `ovn-controller` claims a virtual lport it will update the
Port_Binding table with which chassis currently has claimed the
port as well as recording information about the virtual parent
lport [0].

When `ovn-controller` claims a lport it will also update the
encap field of the Port_Binding table if set and an update is
needed.

The current RBAC rules do not allow for these updates.

0: https://github.com/ovn-org/ovn/blob/b7b0fbdab03ce8b39d5bdc114876e6b0d0683892/controller/pinctrl.c#L6150
Fixes: 054f4c85c ("Add a new logical switch port type - 'virtual'")
Fixes: 6c8b9a132 (" ovn-controller: Store the local port bindings in the runtime data I-P state")
Reported-At: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1917475
Signed-off-by: Frode Nordahl <frode.nordahl at canonical.com>
---
 northd/ovn-northd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
index ac872aade..bafcb51e9 100644
--- a/northd/ovn-northd.c
+++ b/northd/ovn-northd.c
@@ -13251,7 +13251,7 @@ static const char *rbac_encap_update[] =
 static const char *rbac_port_binding_auth[] =
     {""};
 static const char *rbac_port_binding_update[] =
-    {"chassis", "up"};
+    {"chassis", "encap", "up", "virtual_parent"};
 
 static const char *rbac_mac_binding_auth[] =
     {""};
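Review bot: The widened list in rbac_port_binding_update is still paired with rbac_port_binding_auth of {""} two lines above, and an empty authorization entry in OVSDB RBAC authorizes every client. That means "encap" and "virtual_parent" become writable by any chassis on any Port_Binding row, not only by the chassis that claims the port. The existing "chassis" and "up" columns already work this way, so this is not new in kind, but it is worth a short comment above the array stating why each column is needed (virtual lport claim for "virtual_parent", encap update on claim for "encap") and that the grant is not scoped per chassis. The diffstat also shows only northd/ovn-northd.c changing. A test that exercises both updates with RBAC enabled would keep this from regressing.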
-- 
2.30.0


