[ovs-dev] [PATCH ovn] northd: Amend RBAC rules for Port_Binding table

Frode Nordahl frode.nordahl at canonical.com
Fri Mar 12 07:01:51 UTC 2021


On Tue, Mar 2, 2021 at 7:29 PM Numan Siddique <numans at ovn.org> wrote:
>
> On Tue, Mar 2, 2021 at 11:39 PM Frode Nordahl
> <frode.nordahl at canonical.com> wrote:
> >
> > On Tue, Mar 2, 2021 at 6:55 PM Numan Siddique <numans at ovn.org> wrote:
> > >
> > > On Tue, Mar 2, 2021 at 10:54 PM Frode Nordahl
> > > <frode.nordahl at canonical.com> wrote:
> > > >
> > > > When `ovn-controller` claims a virtual lport it will update the
> > > > Port_Binding table with which chassis currently has claimed the
> > > > port as well as recording information about the virtual parent
> > > > lport [0].
> > > >
> > > > The current RBAC rules do not allow for the latter, which makes
> > > > this operation fail.
> > > >
> > > > 0: https://github.com/ovn-org/ovn/blob/b7b0fbdab03ce8b39d5bdc114876e6b0d0683892/controller/pinctrl.c#L6150
> > > > Fixes: 054f4c85c ("Add a new logical switch port type - 'virtual'")
> > > > Reported-At: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1917475
> > > > Signed-off-by: Frode Nordahl <frode.nordahl at canonical.com>
> > >
> > > Thanks for this fix.  We really need to have test cases to cover the RBAC cases.
> >
> > You're welcome, and I agree.
> >
> > I was contemplating whether we ought to enable TLS+RBAC by default in the
> > tests. It's slightly complicated due to not being able to use the unix
> > socket anymore, but I think we have all the macros and scripts we
> > would need to handle it. If we do it through `ovn_start` we should be
> > able to get it everywhere for "free".
>
> Agree.
>
> I think this patch requires similar changes for ovn-northd-ddlog.
> I think you need to update here -
> https://github.com/ovn-org/ovn/blob/master/northd/ovn_northd.dl#L1284
>
> Can you please update that and submit v2 ?

I have a series up here:
https://patchwork.ozlabs.org/project/ovn/list/?series=232350

It contains a few more fixes to RBAC rules discovered when running the
testsuite with RBAC enabled. I have also applied the fixes to the
ddlog version, as well as making changes to the testsuite so that it
tests with SSL+RBAC for the ovn-controller connection by default.

Let me know what you think.


--
Frode Nordahl

> If you have any questions on the ddlog feel free to ask.
>
> Numan
>
> >
> > --
> > Frode Nordahl
> >
> >
> > > Numan
> > >
> > > > ---
> > > >  northd/ovn-northd.c | 2 +-
> > > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > > >
> > > > diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
> > > > index ac872aade..dd2c8e243 100644
> > > > --- a/northd/ovn-northd.c
> > > > +++ b/northd/ovn-northd.c
> > > > @@ -13251,7 +13251,7 @@ static const char *rbac_encap_update[] =
> > > >  static const char *rbac_port_binding_auth[] =
> > > >      {""};
> > > >  static const char *rbac_port_binding_update[] =
> > > > -    {"chassis", "up"};
> > > > +    {"chassis", "up", "virtual_parent"};
> > > >
> > > >  static const char *rbac_mac_binding_auth[] =
> > > >      {""};
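Review bot: with `rbac_port_binding_auth` left as `{""}` (an empty authorization column list, which disables the per-row ownership check), the new `"virtual_parent"` entry in `rbac_port_binding_update` lets any client holding the ovn-controller role write that column on any Port_Binding row, not only on the row of the port it has just claimed; that is consistent with the existing `"chassis"` and `"up"` entries, but the commit message should say so explicitly, since it widens what a compromised chassis can rewrite. The matching permission list in the ddlog northd (`northd/ovn_northd.dl`, as pointed out earlier in the thread) needs the same entry so the two implementations do not diverge, and a test that performs a virtual port claim with RBAC enabled would have caught this regression and should accompany the fix.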
> > > > --
> > > > 2.30.0
> > > >
> > > > _______________________________________________
> > > > dev mailing list
> > > > dev at openvswitch.org
> > > > https://mail.openvswitch.org/mailman/listinfo/ovs-dev
> > > >
> >
> >
> >
> > --
> > Frode Nordahl
> >

