[ovs-discuss] OVN RBAC role for ovn-northd?

aginwala aginwala at asu.edu
Thu Nov 7 22:20:23 UTC 2019


Thanks Frode for covering that. Added minor comments to your PR and you
can send a formal patch.

On Thu, Nov 7, 2019 at 2:00 PM Frode Nordahl <frode.nordahl at canonical.com>
wrote:

> fwiw; I proposed this small note earlier this evening:
> https://github.com/ovn-org/ovn/pull/25
>
> Thu, 7 Nov 2019, 21:47, Ben Pfaff <blp at ovn.org> wrote:
>
>> Sure, anything helps.
>>
>> On Thu, Nov 07, 2019 at 12:27:44PM -0800, aginwala wrote:
>> > Hi Ben:
>> >
>> > It seems the RBAC doc
>> > http://docs.openvswitch.org/en/stable/tutorials/ovn-rbac/#configuring-rbac
>> > only talks about chassis and does not mention northd. I can submit a patch to
>> > update that as a todo for northd and mention the workaround until we add
>> > formal support. Is that ok?
>> >
>> > On Thu, Nov 7, 2019 at 12:14 PM Ben Pfaff <blp at ovn.org> wrote:
>> >
>> > > Have we documented this?  Should we?
>> > >
>> > > On Thu, Nov 07, 2019 at 10:20:22AM -0800, aginwala wrote:
>> > > > Hi:
>> > > >
>> > > > It is a known fact and has been discussed before. We use the same
>> > > > workaround as you mentioned. Alternatively, you can also set role=""
>> > > > and it will work for both northd and ovn-controller instead of separate
>> > > > listeners, which is also a security loop-hole. In short, some work is
>> > > > needed here to handle rbac for northd.
>> > > >
>> > > > On Thu, Nov 7, 2019 at 9:47 AM Frode Nordahl <frode.nordahl at canonical.com> wrote:
>> > > >
>> > > > > Hello all,
>> > > > >
>> > > > > TL;DR: When enabling the `ovn-controller` role on the SB DB `ovsdb-server`
>> > > > > listener, `ovn-northd` no longer has the necessary access to do its job
>> > > > > when you are unable to use the local unix socket for its connection to
>> > > > > the database.
>> > > > >
>> > > > > AFAICT there is no northd-specific or admin type role available, have I
>> > > > > missed something?
>> > > > >
>> > > > > I have worked around the issue by enabling a separate listener on a
>> > > > > different port on the Southbound ovsdb-servers so that `ovn-northd` can
>> > > > > connect to that.
>> > > > >
>> > > > > I have an OVN deployment with central components spread across three
>> > > > > machines; there is an instance of the Northbound and Southbound
>> > > > > `ovsdb-server` on each of them which are clustered, and there is also an
>> > > > > instance of `ovn-northd` on each of them.
>> > > > >
>> > > > > The deployment is TLS-enabled and I have enabled RBAC.
>> > > > >
>> > > > > Since the DBs are clustered I have no control of which machine will be the
>> > > > > leader, and it may be that one machine has the leader for the Northbound DB
>> > > > > and a different machine has the leader of the Southbound DB.
>> > > > >
>> > > > > Because of this ovn-northd is unable to talk to the databases through a
>> > > > > local unix socket and must use a TLS-enabled connection to the DBs, and
>> > > > > herein lies the problem.
>> > > > >
>> > > > > I peeked at the RBAC implementation, and it appears to me that the
>> > > > > permission system is tied to having specific columns in each table that
>> > > > > map to the name of the client that wants permission.  On the surface this
>> > > > > appears to not fit with `ovn-northd`'s needs as I would think it would need
>> > > > > full access to all tables, perhaps based on a centrally managed set of
>> > > > > hostnames.
>> > > > >
>> > > > > --
>> > > > > Frode Nordahl
>> > > > >
>> > > > > _______________________________________________
>> > > > > discuss mailing list
>> > > > > discuss at openvswitch.org
>> > > > > https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
>> > > > >
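To make the access-control problem in the thread concrete, the following is an added illustration, not code from the thread, from OVN or from ovsdb-server. It is a constructed, simplified model of ovsdb-server's row-level RBAC as Frode describes it: each listener carries a role, a role grants per-table permissions, and a client may only touch rows where one of the table's "authorization" columns equals the client's TLS CN. The table names and column lists are chosen to resemble the tutorial's `ovn-controller` role but are assumptions, and the `authorize` function, `ROLES` dictionary and sample chassis names are all constructed here; the real server also takes read-only access and other details into account that this model leaves out.

```python
from dataclasses import dataclass


@dataclass
class Permission:
    """One per-table permission entry of a role (simplified model)."""
    authorization: list   # columns whose value must equal the client's CN
    insert_delete: bool   # may the client insert/delete rows it is authorized for?
    update: list          # columns the client may modify on authorized rows


# Constructed, simplified subset of the tutorial's "ovn-controller" role.
# Column lists are illustrative and are not copied from ovn-northd.
ROLES = {
    "ovn-controller": {
        "Chassis": Permission(["name"], True, ["nb_cfg", "encaps", "external_ids"]),
        "Encap": Permission(["chassis_name"], True, ["ip", "options"]),
        # Port_Binding rows are created by ovn-northd; a controller may only
        # claim or release them, so no ownership column and no insert/delete.
        "Port_Binding": Permission([], False, ["chassis", "up"]),
    },
}


def authorize(role, table, op, row, cn, columns=()):
    """Decide whether a client with TLS CN `cn`, connected to a listener that
    carries `role`, may perform `op` ('insert', 'delete' or 'update') on
    `row` in `table`; `columns` lists the columns an update touches."""
    if role == "":
        # A role-less listener is the thread's role="" workaround: the server
        # performs no RBAC checks at all for clients on that listener.
        return True
    perm = ROLES.get(role, {}).get(table)
    if perm is None:
        # Tables without a permission entry cannot be modified by this role.
        return False
    # Row-level ownership: the CN must match one of the authorization columns.
    if perm.authorization and not any(row.get(c) == cn for c in perm.authorization):
        return False
    if op in ("insert", "delete"):
        return perm.insert_delete
    if op == "update":
        return all(c in perm.update for c in columns)
    return False


def demo():
    """Replay the situation from the thread and return the four outcomes."""
    own = {"name": "chassis-1", "nb_cfg": 3}      # constructed sample rows
    other = {"name": "chassis-2", "nb_cfg": 3}
    # ovn-controller on chassis-1 may bump its own Chassis.nb_cfg ...
    own_ok = authorize("ovn-controller", "Chassis", "update", own, "chassis-1", ["nb_cfg"])
    # ... but not the row of another chassis.
    other_ok = authorize("ovn-controller", "Chassis", "update", other, "chassis-1", ["nb_cfg"])
    # ovn-northd has to create Port_Binding rows; on the ovn-controller
    # listener that is refused no matter which certificate it presents.
    northd_on_controller_listener = authorize(
        "ovn-controller", "Port_Binding", "insert", {"logical_port": "lp1"}, "northd-host-a")
    # On a separate listener carrying no role, the same operation passes.
    northd_on_roleless_listener = authorize(
        "", "Port_Binding", "insert", {"logical_port": "lp1"}, "northd-host-a")
    return own_ok, other_ok, northd_on_controller_listener, northd_on_roleless_listener


if __name__ == "__main__":
    print(demo())  # (True, False, False, True)
```

The last two results are the point of the thread: the role is a property of the listener, not of the client, so a listener without a role admits every client whose certificate the server trusts with full write access. That is why the separate-port workaround (or role="") is called a loophole above; the reachability of that listener and the CA it accepts deserve the same review as the local unix socket it replaces.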