[ovs-discuss] OVN RBAC role for ovn-northd?

Frode Nordahl frode.nordahl at canonical.com
Fri Nov 8 11:20:28 UTC 2019


On Thu, Nov 7, 2019 at 11:20 PM aginwala <aginwala at asu.edu> wrote:
> Thanks Frode for covering that. Added minor comments to your PR and you can send formal patch.

Thank you for the review Aliasgar, formal patch sent and it has
already been merged [0][1].

Cheers!

0: https://patchwork.ozlabs.org/patch/1191671/
1: https://github.com/ovn-org/ovn/commit/e60f2f2d074d992ecfa6d9fc905e98a408e2d85e

--
Frode Nordahl

> On Thu, Nov 7, 2019 at 2:00 PM Frode Nordahl <frode.nordahl at canonical.com> wrote:
>>
>> fwiw; I proposed this small note earlier this evening: https://github.com/ovn-org/ovn/pull/25
>>
>> On Thu, 7 Nov 2019, 21:47 Ben Pfaff <blp at ovn.org> wrote:
>>>
>>> Sure, anything helps.
>>>
>>> On Thu, Nov 07, 2019 at 12:27:44PM -0800, aginwala wrote:
>>> > Hi Ben:
>>> >
>>> > It seems the RBAC doc
>>> > http://docs.openvswitch.org/en/stable/tutorials/ovn-rbac/#configuring-rbac
>>> > only talks about chassis and does not mention northd. I can submit a patch to
>>> > update that as a todo for northd and mention the workaround until we add
>>> > formal support. Is that ok?
>>> >
>>> >
>>> >
>>> >
>>> > On Thu, Nov 7, 2019 at 12:14 PM Ben Pfaff <blp at ovn.org> wrote:
>>> >
>>> > > Have we documented this?  Should we?
>>> > >
>>> > > On Thu, Nov 07, 2019 at 10:20:22AM -0800, aginwala wrote:
>>> > > > Hi:
>>> > > >
>>> > > > It is a known fact and has been discussed before. We use the same
>>> > > > workaround as you mentioned. Alternatively, you can also set role="" and it
>>> > > > will work for both northd and ovn-controller instead of separate listeners,
>>> > > > which is also a security loophole. In short, some work is needed here
>>> > > > to handle rbac for northd.
>>> > > >
>>> > > > On Thu, Nov 7, 2019 at 9:47 AM Frode Nordahl <frode.nordahl at canonical.com> wrote:
>>> > > >
>>> > > > > Hello all,
>>> > > > >
>>> > > > > TL;DR: When enabling the `ovn-controller` role on the SB DB `ovsdb-server`
>>> > > > > listener, `ovn-northd` no longer has the necessary access to do its job
>>> > > > > when you are unable to use the local unix socket for its connection to the
>>> > > > > database.
>>> > > > >
>>> > > > > AFAICT there is no northd-specific or admin type role available; have I
>>> > > > > missed something?
>>> > > > >
>>> > > > > I have worked around the issue by enabling a separate listener on a
>>> > > > > different port on the Southbound ovsdb-servers so that `ovn-northd` can
>>> > > > > connect to that.
>>> > > > >
>>> > > > > I have an OVN deployment with central components spread across three
>>> > > > > machines. There is an instance of the Northbound and Southbound
>>> > > > > `ovsdb-server` on each of them, which are clustered, and there is also an
>>> > > > > instance of `ovn-northd` on each of them.
>>> > > > >
>>> > > > > The deployment is TLS-enabled and I have enabled RBAC.
>>> > > > >
>>> > > > > Since the DBs are clustered I have no control of which machine will be the
>>> > > > > leader, and it may be that one machine has the leader for the Northbound DB
>>> > > > > and a different machine has the leader of the Southbound DB.
>>> > > > >
>>> > > > > Because of this ovn-northd is unable to talk to the databases through a
>>> > > > > local unix socket and must use a TLS-enabled connection to the DBs, and
>>> > > > > herein lies the problem.
>>> > > > >
>>> > > > > I peeked at the RBAC implementation, and it appears to me that the
>>> > > > > permission system is tied to having specific columns in each table that
>>> > > > > map to the name of the client that wants permission.  On the surface this
>>> > > > > appears to not fit with `ovn-northd`'s needs as I would think it would need
>>> > > > > full access to all tables perhaps based on a centrally managed set of
>>> > > > > hostnames.
>>> > > > >
>>> > > > > --
>>> > > > > Frode Nordahl
>>> > > > >
>>> > > > > _______________________________________________
>>> > > > > discuss mailing list
>>> > > > > discuss at openvswitch.org
>>> > > > > https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
>>> > > > >
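The thread's practical point is a configuration trade-off: the `ovn-controller` role on the Southbound listener keeps each chassis confined to its own rows, but `ovn-northd` then needs either the local unix socket or a second listener, and clearing the role (role="") on a listener that chassis can reach removes that confinement for everyone. As an added example, not code from the thread or from the OVN project, the script below parses `ovn-sbctl list connection`-style output and reports network-reachable listeners that carry no RBAC role, so an operator can see at a glance which ports still need to be protected by other means (for example by limiting which hosts can reach them). The two connection records are constructed for this example; `pssl:16642` is an assumed port for a separate northd-only listener and not a value from the thread.

```python
"""Audit OVN Southbound DB listeners for the RBAC gap discussed in the thread.

Added example (not OVN project code).  Parses records in the format printed by
``ovn-sbctl list connection`` and flags listeners reachable over the network
that have no RBAC role.  The sample records below are constructed; the port
16642 for a northd-only listener is an assumption for this example.
"""
import re

# Constructed sample: a chassis listener confined by the ovn-controller role,
# plus a second listener opened for ovn-northd with the role cleared.
SAMPLE_CONNECTIONS = """\
_uuid               : 0b1e3b0c-1111-4e5e-9c7a-000000000001
external_ids        : {}
inactivity_probe    : []
is_connected        : false
max_backoff         : []
other_config        : {}
read_only           : false
role                : ovn-controller
status              : {}
target              : "pssl:6642"

_uuid               : 0b1e3b0c-1111-4e5e-9c7a-000000000002
external_ids        : {}
inactivity_probe    : []
is_connected        : false
max_backoff         : []
other_config        : {}
read_only           : false
role                : ""
status              : {}
target              : "pssl:16642"
"""


def parse_connections(text):
    """Parse ``ovn-sbctl list connection`` output into a list of dicts.

    Records are separated by a blank line and each line is ``key : value``.
    Only the first colon separates key from value, so targets such as
    ``"pssl:6642"`` survive intact; surrounding double quotes are stripped.
    """
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            key, _, value = line.partition(":")
            value = value.strip()
            if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
                value = value[1:-1]
            rec[key.strip()] = value
        records.append(rec)
    return records


def audit_listeners(records):
    """Return (target, finding) tuples for listeners that deserve attention.

    Local unix sockets are skipped: a chassis cannot reach them, which is why
    the thread treats the socket as the safe path for ovn-northd.
    """
    findings = []
    for rec in records:
        target = rec.get("target", "")
        role = rec.get("role", "")
        if target.startswith(("punix:", "unix:")):
            continue
        if target.startswith("ptcp:"):
            findings.append((target, "plaintext listener: no TLS client "
                             "certificate, so RBAC cannot tie a client to its "
                             "chassis name"))
        if role == "":
            findings.append((target, "no RBAC role: every client accepted by "
                             "the TLS CA gets full Southbound access; limit "
                             "which hosts can reach this port to the "
                             "ovn-northd machines"))
    return findings


if __name__ == "__main__":
    for target, finding in audit_listeners(parse_connections(SAMPLE_CONNECTIONS)):
        print(f"{target}: {finding}")
```

Run against real output with `ovn-sbctl list connection | python3 audit.py` after replacing the sample with `sys.stdin.read()`; the chassis listener on 6642 passes, and the role-less 16642 listener is reported so that it is not forgotten when the firewall rules for the central nodes are written.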