[ovs-dev] [PATCH ovn v2 2/9] northd: Add missing RBAC rules for FDB table

Frode Nordahl frode.nordahl at canonical.com
Fri Mar 5 12:16:24 UTC 2021


The recently added FDB table did not get its RBAC rules, which
prevents `ovn-controller` from updating the table when RBAC is
enabled.

Fixes: 6ec3b1259 ("MAC learning: Add a new FDB table in southbound db")
Signed-off-by: Frode Nordahl <frode.nordahl at canonical.com>
---
 northd/ovn-northd.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
index bafcb51e9..bb8f3032c 100644
--- a/northd/ovn-northd.c
+++ b/northd/ovn-northd.c
@@ -13248,6 +13248,11 @@ static const char *rbac_encap_auth[] =
 static const char *rbac_encap_update[] =
     {"type", "options", "ip"};
 
+static const char *rbac_fdb_auth[] =
+    {""};
+static const char *rbac_fdb_update[] =
+    {"dp_key", "mac", "port_key"};
+
 static const char *rbac_port_binding_auth[] =
     {""};
 static const char *rbac_port_binding_update[] =
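Review bot: `rbac_fdb_auth` is `{""}`, which in OVSDB RBAC authorizes every client instead of matching a row column against the client ID, and the second hunk pairs it with `.insdel = true` and updates on `dp_key`, `mac` and `port_key`. As far as these hunks show, any authenticated chassis can therefore insert, rewrite or delete FDB rows learned by any other chassis, so a single compromised hypervisor is not confined to its own MAC entries. If the FDB schema has no chassis-identifying column this may be unavoidable for now, but the trade-off should be recorded at the definition, e.g. `/* FDB rows carry no chassis column, so "" (all clients authorized) is used; rows are not scoped per chassis. */`, and mentioned in the commit message. The `rbac_perm_cfg` initializer touched by the second hunk starts and ends outside the hunk.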
@@ -13300,6 +13305,14 @@ static struct rbac_perm_cfg {
         .update = rbac_encap_update,
         .n_update = ARRAY_SIZE(rbac_encap_update),
         .row = NULL
+    },{
+        .table = "FDB",
+        .auth = rbac_fdb_auth,
+        .n_auth = ARRAY_SIZE(rbac_fdb_auth),
+        .insdel = true,
+        .update = rbac_fdb_update,
+        .n_update = ARRAY_SIZE(rbac_fdb_update),
+        .row = NULL
     },{
         .table = "Port_Binding",
         .auth = rbac_port_binding_auth,
-- 
2.30.0


