[ovs-discuss] OVN RBAC role for ovn-northd?

Ben Pfaff blp at ovn.org
Thu Nov 7 20:47:30 UTC 2019


Sure, anything helps.

On Thu, Nov 07, 2019 at 12:27:44PM -0800, aginwala wrote:
> Hi Ben:
> 
> It seems the RBAC doc
> http://docs.openvswitch.org/en/stable/tutorials/ovn-rbac/#configuring-rbac
> only talks about chassis and does not mention northd. I can submit a patch to
> update that as a todo for northd and mention the workaround until we add
> formal support. Is that ok?
> 
> 
> 
> 
> On Thu, Nov 7, 2019 at 12:14 PM Ben Pfaff <blp at ovn.org> wrote:
> 
> > Have we documented this?  Should we?
> >
> > On Thu, Nov 07, 2019 at 10:20:22AM -0800, aginwala wrote:
> > > Hi:
> > >
> > > It is a known fact and has been discussed before. We use the same
> > > workaround as you mentioned. Alternatively, you can also set role="" and it
> > > will work for both northd and ovn-controller instead of separate listeners,
> > > which is also a security loophole. In short, some work is needed here
> > > to handle rbac for northd.
> > >
> > > On Thu, Nov 7, 2019 at 9:47 AM Frode Nordahl <frode.nordahl at canonical.com>
> > > wrote:
> > >
> > > > Hello all,
> > > >
> > > > TL;DR: When enabling the `ovn-controller` role on the SB DB `ovsdb-server`
> > > > listener, `ovn-northd` no longer has the necessary access to do its job
> > > > when you are unable to use the local unix socket for its connection to the
> > > > database.
> > > >
> > > > AFAICT there is no northd-specific or admin type role available; have I
> > > > missed something?
> > > >
> > > > I have worked around the issue by enabling a separate listener on a
> > > > different port on the Southbound ovsdb-servers so that `ovn-northd` can
> > > > connect to that.
> > > >
> > > >
> > > > I have an OVN deployment with central components spread across three
> > > > machines, there is an instance of the Northbound and Southbound
> > > > `ovsdb-server` on each of them which are clustered, and there is also an
> > > > instance of `ovn-northd` on each of them.
> > > >
> > > > The deployment is TLS-enabled and I have enabled RBAC.
> > > >
> > > > Since the DBs are clustered I have no control of which machine will be the
> > > > leader, and it may be that one machine has the leader for the Northbound DB
> > > > and a different machine has the leader of the Southbound DB.
> > > >
> > > > Because of this ovn-northd is unable to talk to the databases through a
> > > > local unix socket and must use a TLS-enabled connection to the DBs, and
> > > > herein lies the problem.
> > > >
> > > >
> > > > I peeked at the RBAC implementation, and it appears to me that the
> > > > permission system is tied to having specific columns in each table that
> > > > map to the name of the client that wants permission.  On the surface this
> > > > appears to not fit with `ovn-northd`'s needs as I would think it would need
> > > > full access to all tables perhaps based on a centrally managed set of
> > > > hostnames.
> > > >
> > > > --
> > > > Frode Nordahl
> > > >
> > > > _______________________________________________
> > > > discuss mailing list
> > > > discuss at openvswitch.org
> > > > https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
> > > >
> >
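To make the mechanism Frode describes concrete, here is an added Python model (not OVSDB's code, and not written by any poster in this thread) of how a listener role restricts a client to the rows whose authorization columns carry that client's own identity, and why a listener with role="" lifts the restriction for every client, northd and chassis alike. The table and column names and the permission rows are assumed for illustration, not copied from the OVN schema.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    """One RBAC_Permission-style row (column names assumed for illustration):
    which columns must name the client, whether rows may be inserted or
    deleted, and which columns the client may update."""
    table: str
    authorization: frozenset
    insert_delete: bool
    update: frozenset


# Constructed chassis role: a client may only touch rows that carry its own
# identity (its TLS certificate CN) in an authorization column.  A table with
# no entry is not writable at all under this role.
OVN_CONTROLLER_ROLE = {
    "Chassis": Permission("Chassis", frozenset({"name"}), True,
                          frozenset({"nb_cfg", "encaps"})),
    "Port_Binding": Permission("Port_Binding", frozenset({"chassis"}), False,
                               frozenset({"chassis", "up"})),
    # Logical_Flow is deliberately absent: no chassis writes it, but
    # ovn-northd must, which is exactly the gap the thread describes.
}


def authorized(role, client_id, table, row, op, columns=()):
    """Return True if client_id may perform op ('insert', 'delete', or
    'update' of `columns`) on `row` (a dict) of `table` under `role`.
    role=None stands for role="" on the listener, i.e. no RBAC at all."""
    if role is None:
        return True
    perm = role.get(table)
    if perm is None:
        return False
    if op == "update":
        if not set(columns) <= perm.update:
            return False
    elif op in ("insert", "delete"):
        if not perm.insert_delete:
            return False
    else:
        raise ValueError(f"unknown op {op!r}")
    # The client must be named in one of the row's authorization columns.
    return any(row.get(col) == client_id for col in perm.authorization)


def northd_needs_unrestricted_listener(role, northd_id="northd-host"):
    """The thread's finding in one check: under the chassis role northd cannot
    write its own tables, so it needs a listener without that role."""
    return not authorized(role, northd_id, "Logical_Flow", {}, "insert")
```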

