[ovs-discuss] OVN RBAC role for ovn-northd?

Frode Nordahl frode.nordahl at canonical.com
Thu Nov 7 19:12:22 UTC 2019


On Thu, Nov 7, 2019 at 7:20 PM aginwala <aginwala at asu.edu> wrote:

> Hi:
>
> It is a known fact and has been discussed before. We use the same
> workaround as you mentioned. Alternatively, you can also set role="" and it
> will work for both northd and ovn-controller instead of separate listeners,
> which is also a security loophole. In short, some work is needed here
> to handle RBAC for northd.
>

Thank you for your prompt response, and for confirming that it is a known gap
and that the approach is a reasonable one.  Albeit not a solution, securing
the separate port with external means such as firewall rules that only
allow connections from the machines hosting ovn-northd will at least make
it a bit more secure.

Apologies for any duplicate questions or discussions.  I made an honest
attempt to find the information by searching the mailing list archive and
existing documentation.

-- 
Frode Nordahl



>
> On Thu, Nov 7, 2019 at 9:47 AM Frode Nordahl <frode.nordahl at canonical.com>
> wrote:
>
>> Hello all,
>>
>> TL;DR: When enabling the `ovn-controller` role on the SB DB
>> `ovsdb-server` listener, `ovn-northd` no longer has the necessary access to
>> do its job when you are unable to use the local unix socket for its
>> connection to the database.
>>
>> AFAICT there is no northd-specific or admin type role available, have I
>> missed something?
>>
>> I have worked around the issue by enabling a separate listener on a
>> different port on the Southbound ovsdb-servers so that `ovn-northd` can
>> connect to that.
>>
>>
>> I have an OVN deployment with central components spread across three
>> machines, there is an instance of the Northbound and Southbound
>> `ovsdb-server` on each of them which are clustered, and there is also an
>> instance of `ovn-northd` on each of them.
>>
>> The deployment is TLS-enabled and I have enabled RBAC.
>>
>> Since the DBs are clustered I have no control of which machine will be
>> the leader, and it may be that one machine has the leader for the
>> Northbound DB and a different machine has the leader of the Southbound DB.
>>
>> Because of this ovn-northd is unable to talk to the databases through a
>> local unix socket and must use a TLS-enabled connection to the DBs, and
>> herein lies the problem.
>>
>>
>> I peeked at the RBAC implementation, and it appears to me that the
>> permission system is tied to having specific columns in each table that
>> maps to the name of the client that wants permission.  On the surface this
>> appears to not fit with `ovn-northd`'s needs as I would think it would need
>> full access to all tables perhaps based on a centrally managed set of
>> hostnames.
>>
>> --
>> Frode Nordahl
>>
>> _______________________________________________
>> discuss mailing list
>> discuss at openvswitch.org
>> https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
>>
>
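The workaround discussed in this thread (a second, role-less Southbound listener for ovn-northd, fenced off from everything except the northd hosts by firewall rules) leaves a listener that any authenticated client could use for full read-write access, so it is worth auditing the Connection table and deriving the firewall policy from it rather than by hand. The script below is an added example, not code from the thread or from the OVN project. It assumes the ovsdb JSON encoding produced by `ovn-sbctl --format=json list Connection` ("headings" plus "data" rows, uuids as `["uuid", ...]`, maps as `["map", [...]]`, empty optional columns as `["set", []]`); the sample rows are constructed, and the port numbers 6642 (ovn-controller) and 16642 (ovn-northd) and the northd host addresses are illustrative assumptions.

```python
"""Audit OVN SB listeners for missing RBAC roles and emit nftables rules.

Added example (not from the thread or the OVN project).  Assumes the
ovsdb JSON list format and the illustrative ports 6642 / 16642.
"""
import ipaddress
import json

# Constructed sample, modelled on `ovn-sbctl --format=json list Connection`:
# one RBAC-restricted listener for ovn-controller and one role-less
# listener on a second port for ovn-northd (the workaround in the thread).
SAMPLE = json.dumps({
    "headings": ["_uuid", "external_ids", "inactivity_probe", "is_connected",
                 "max_backoff", "other_config", "read_only", "role", "status",
                 "target"],
    "data": [
        [["uuid", "1b1a6d4c-0000-4000-8000-000000000001"], ["map", []],
         ["set", []], False, ["set", []], ["map", []], False,
         "ovn-controller", ["map", []], "pssl:6642"],
        [["uuid", "1b1a6d4c-0000-4000-8000-000000000002"], ["map", []],
         ["set", []], False, ["set", []], ["map", []], False,
         "", ["map", []], "pssl:16642"],
    ],
})


def parse_connections(raw):
    """Turn ovsdb JSON list output into a list of {column: value} dicts."""
    doc = json.loads(raw)
    return [dict(zip(doc["headings"], row)) for row in doc["data"]]


def unrestricted_listeners(conns):
    """Targets whose Connection row has no RBAC role.

    With role="" every authenticated client gets full access to all tables.
    That is the only mode in which ovn-northd can work today, and exactly
    why such listeners need protection outside ovsdb-server.
    """
    return [c["target"] for c in conns if not c.get("role")]


def target_port(target):
    """TCP port of a passive ovsdb target (pssl:6642, pssl:6642:10.0.0.1,
    ptcp:6642:[::1]).  Returns None for unix-socket targets."""
    parts = target.split(":")
    if parts[0] not in ("pssl", "ptcp"):
        return None
    return int(parts[1])


def nft_rules(conns, northd_hosts, controller_role="ovn-controller"):
    """nftables rules for the SB DB hosts' input chain.

    The listener carrying the ovn-controller role stays reachable (RBAC
    bounds what a chassis can do there); each role-less listener accepts
    only the ovn-northd hosts and drops everything else.  Rule order
    matters: the accept for northd hosts precedes the drop.
    """
    for host in northd_hosts:
        ipaddress.ip_address(host)  # fail early on a typo in the allow list
    rules = []
    for c in conns:
        port = target_port(c["target"])
        if port is None:
            continue  # unix sockets are governed by file permissions
        if c.get("role") == controller_role:
            rules.append(
                f'tcp dport {port} accept comment "{controller_role} RBAC listener"')
        elif not c.get("role"):
            allow = ", ".join(northd_hosts)
            rules.append(
                f'ip saddr {{ {allow} }} tcp dport {port} accept comment "ovn-northd only"')
            rules.append(f"tcp dport {port} drop")
    return rules


if __name__ == "__main__":
    conns = parse_connections(SAMPLE)
    print("role-less listeners:", unrestricted_listeners(conns))
    # Hypothetical addresses of the three machines running ovn-northd.
    for rule in nft_rules(conns, ["10.0.0.11", "10.0.0.12", "10.0.0.13"]):
        print(rule)
```

Run it against real output by replacing `SAMPLE` with the captured `ovn-sbctl --format=json list Connection` text; any target reported by `unrestricted_listeners` that is not covered by an allow-list rule is a listener that grants full SB access to whoever holds a client certificate the server trusts.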