[ovs-discuss] OVN RBAC role for ovn-northd?

aginwala aginwala at asu.edu
Thu Nov 7 18:20:22 UTC 2019


Hi:

It is a known fact and has been discussed before. We use the same
workaround as you mentioned. Alternatively, you can also set role="" and it
will work for both northd and ovn-controller instead of separate listeners,
which is also a security loophole. In short, some work is needed here
to handle RBAC for northd.

On Thu, Nov 7, 2019 at 9:47 AM Frode Nordahl <frode.nordahl at canonical.com>
wrote:

> Hello all,
>
> TL;DR: When enabling the `ovn-controller` role on the SB DB `ovsdb-server`
> listener, `ovn-northd` no longer has the necessary access to do its job
> when you are unable to use the local unix socket for its connection to the
> database.
>
> AFAICT there is no northd-specific or admin type role available; have I
> missed something?
>
> I have worked around the issue by enabling a separate listener on a
> different port on the Southbound ovsdb-servers so that `ovn-northd` can
> connect to that.
>
>
> I have an OVN deployment with central components spread across three
> machines. There is an instance of the Northbound and Southbound
> `ovsdb-server` on each of them, which are clustered, and there is also an
> instance of `ovn-northd` on each of them.
>
> The deployment is TLS-enabled and I have enabled RBAC.
>
> Since the DBs are clustered I have no control of which machine will be the
> leader, and it may be that one machine has the leader for the Northbound DB
> and a different machine has the leader of the Southbound DB.
>
> Because of this ovn-northd is unable to talk to the databases through a
> local unix socket and must use a TLS-enabled connection to the DBs, and
> herein lies the problem.
>
>
> I peeked at the RBAC implementation, and it appears to me that the
> permission system is tied to having specific columns in each table that
> maps to the name of the client that wants permission.  On the surface this
> appears to not fit with `ovn-northd`'s needs as I would think it would need
> full access to all tables perhaps based on a centrally managed set of
> hostnames.
>
> --
> Frode Nordahl
>
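To make the access model discussed in this thread concrete, the following is an added toy re-implementation of how ovsdb-server's RBAC decides whether a client may write a row; it is illustration code written for this thread, not ovsdb-server or OVN code. The `Permission`/`Role` shapes follow the real `RBAC_Permission` (`authorization`, `update`, `insert_delete`) and `RBAC_Role` tables and the client id corresponds to the CN of the client's TLS certificate, but the table and column subset assigned to the `ovn-controller` role below, the hostnames, and the `authorized()` helper are constructed assumptions. It shows why a client that needs to write northd-owned tables such as `Logical_Flow` does not fit a role built around per-row ownership columns, and why an empty role on the listener removes every check.

```python
"""Toy model of ovsdb-server RBAC for the OVN Southbound DB (illustration only).

Real ovsdb-server identifies a client by the CN of its TLS certificate, looks up
the role configured on the listener (Connection.role) in RBAC_Role, and for each
table applies the matching RBAC_Permission row: 'authorization' lists columns
whose value must equal the client id for a row to be writable, 'update' lists
the columns that may be modified, and 'insert_delete' says whether rows may be
inserted or deleted. A listener with an empty role skips these checks entirely.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Permission:
    authorization: Tuple[str, ...]  # columns that must equal the client id
    update: Tuple[str, ...]         # columns the client may modify
    insert_delete: bool             # may the client insert/delete rows?


@dataclass(frozen=True)
class Role:
    name: str
    permissions: Dict[str, Permission]  # table name -> permission


# Constructed subset resembling the 'ovn-controller' role: a chassis may only
# write Chassis rows that name it, may claim ports but not create them, and has
# no write access at all to northd-owned tables such as Logical_Flow.
OVN_CONTROLLER = Role("ovn-controller", {
    "Chassis": Permission(("name",), ("nb_cfg", "external_ids", "encaps"), True),
    "Port_Binding": Permission((), ("chassis", "up"), False),
})

# Connection.role="" on the listener: no role object at all.
NO_ROLE: Optional[Role] = None


def authorized(role, client_id, table, row, op, column=None):
    """Return True if 'client_id' may perform 'op' ('update', 'insert' or
    'delete') on 'row' of 'table' under 'role'. 'row' is a dict of column
    values; 'column' is the column being updated."""
    if role is None:
        # Empty role: nothing is enforced, so every client that can reach the
        # listener gets full write access (the loophole mentioned above).
        return True
    perm = role.permissions.get(table)
    if perm is None:
        return False  # table not mentioned in the role: read-only
    # Row-level check: with a non-empty authorization list, at least one
    # listed column must carry the client's own id.
    if perm.authorization and not any(row.get(c) == client_id for c in perm.authorization):
        return False
    if op == "update":
        return column in perm.update
    if op in ("insert", "delete"):
        return perm.insert_delete
    raise ValueError(f"unknown op {op!r}")


def demo():
    """Exercise the model with constructed rows; returns the outcomes."""
    own = {"name": "chassis-1", "nb_cfg": 3}          # constructed Chassis row
    other = {"name": "chassis-2", "nb_cfg": 3}        # another chassis's row
    pb = {"logical_port": "lp1", "chassis": None}     # unbound Port_Binding row
    lflow = {"pipeline": "ingress"}                   # a Logical_Flow row
    return {
        # ovn-controller on chassis-1 may bump its own nb_cfg ...
        "own_chassis_update": authorized(OVN_CONTROLLER, "chassis-1", "Chassis", own, "update", "nb_cfg"),
        # ... but not another chassis's row
        "other_chassis_update": authorized(OVN_CONTROLLER, "chassis-1", "Chassis", other, "update", "nb_cfg"),
        # it may claim a port (no row-level authorization on Port_Binding) ...
        "claim_port": authorized(OVN_CONTROLLER, "chassis-1", "Port_Binding", pb, "update", "chassis"),
        # ... but may not insert or delete Port_Binding rows
        "insert_port": authorized(OVN_CONTROLLER, "chassis-1", "Port_Binding", pb, "insert"),
        # ovn-northd arriving through the ovn-controller listener is denied on
        # the tables it owns: the problem described in the thread
        "northd_logical_flow": authorized(OVN_CONTROLLER, "northd-host", "Logical_Flow", lflow, "insert"),
        # with role="" any client, including a compromised chassis, may do anything
        "norole_logical_flow": authorized(NO_ROLE, "chassis-1", "Logical_Flow", lflow, "insert"),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {'allowed' if outcome else 'denied'}")
```

The last two outcomes are the trade-off the thread is about: a role-bearing listener keeps each chassis confined to its own rows but shuts out northd, while an empty role lets northd work at the cost of letting any chassis rewrite northd's tables. A second listener on a different port, reserved for northd, is the workaround both posters use.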