[ovs-discuss] OVN RBAC role for ovn-northd?

Frode Nordahl frode.nordahl at canonical.com
Thu Nov 7 17:47:00 UTC 2019


Hello all,

TL;DR: When enabling the `ovn-controller` role on the SB DB `ovsdb-server`
listener, `ovn-northd` no longer has the necessary access to do its job
when you are unable to use the local unix socket for its connection to the
database.

AFAICT there is no northd-specific or admin type role available; have I
missed something?

I have worked around the issue by enabling a separate listener on a
different port on the Southbound ovsdb-servers so that `ovn-northd` can
connect to that.


I have an OVN deployment with central components spread across three
machines; there is an instance of the Northbound and Southbound
`ovsdb-server` on each of them, which are clustered, and there is also an
instance of `ovn-northd` on each of them.

The deployment is TLS-enabled and I have enabled RBAC.

Since the DBs are clustered I have no control of which machine will be the
leader, and it may be that one machine has the leader for the Northbound DB
and a different machine has the leader of the Southbound DB.

Because of this ovn-northd is unable to talk to the databases through a
local unix socket and must use a TLS-enabled connection to the DBs, and
herein lies the problem.


I peeked at the RBAC implementation, and it appears to me that the
permission system is tied to having specific columns in each table that
maps to the name of the client that wants permission.  On the surface this
appears to not fit with `ovn-northd`'s needs as I would think it would need
full access to all tables perhaps based on a centrally managed set of
hostnames.

-- 
Frode Nordahl
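A small model of the column-based check described in the post, added here as an illustration (this is not OVN's or ovsdb-server's code; the role definitions, the `role=None` handling and the empty-authorization rule are assumptions). It shows why a role whose permissions are scoped by a client-identity column cannot cover a client that needs unconditional write access.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Permission:
    """Write permission for one table within a role (modelled on the
    table / authorization / insert_delete / update shape described)."""
    authorization: tuple        # columns whose value must equal the client identity
    insert_delete: bool = False
    update: frozenset = field(default_factory=frozenset)


# Constructed sample roles (assumed, not copied from OVN's real role rows).
ROLES = {
    "ovn-controller": {
        "Chassis": Permission(("name",), True, frozenset({"encaps", "nb_cfg"})),
        "Port_Binding": Permission(("chassis",), False, frozenset({"chassis", "up"})),
    },
}


def authorized(role, client_id, table, op, row, columns=()):
    """Decide whether a write is allowed.  role=None models a listener with
    no role (unrestricted); a role with no permission for the table denies.
    Model assumption: an empty authorization tuple means no row check."""
    if role is None:
        return True
    perm = ROLES.get(role, {}).get(table)
    if perm is None:
        return False
    if perm.authorization and not any(row.get(c) == client_id for c in perm.authorization):
        return False                       # row does not "belong" to this client
    if op in ("insert", "delete"):
        return perm.insert_delete
    if op == "update":
        return set(columns) <= perm.update  # every touched column must be allowed
    return False


def northd_can_do_its_job(role, client_id):
    """The kind of write ovn-northd needs: create Port_Binding rows and update
    them for any chassis; none of these rows name the northd client itself."""
    row = {"logical_port": "lp1", "chassis": "chassis-a"}   # constructed row
    return all([
        authorized(role, client_id, "Port_Binding", "insert", row),
        authorized(role, client_id, "Port_Binding", "update", row, ("logical_port",)),
    ])
```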