[ovs-git] [openvswitch/ovs] d6db7b: ovsdb: add support for role-based access controls

GitHub noreply at github.com
Thu Jun 8 21:07:26 UTC 2017


  Branch: refs/heads/master
  Home:   https://github.com/openvswitch/ovs
  Commit: d6db7b3cc4bcf908e3016924f4e782d4740f804f
      https://github.com/openvswitch/ovs/commit/d6db7b3cc4bcf908e3016924f4e782d4740f804f
  Author: Lance Richardson <lrichard at redhat.com>
  Date:   2017-06-08 (Thu, 08 Jun 2017)

  Changed paths:
    M NEWS
    M lib/jsonrpc.c
    M lib/jsonrpc.h
    M lib/ovsdb-error.c
    M lib/ovsdb-error.h
    M lib/ovsdb-idl.c
    M ovsdb/automake.mk
    M ovsdb/execution.c
    M ovsdb/jsonrpc-server.c
    M ovsdb/jsonrpc-server.h
    M ovsdb/ovsdb-server.1.in
    M ovsdb/ovsdb-server.c
    M ovsdb/ovsdb-tool.1.in
    M ovsdb/ovsdb-tool.c
    M ovsdb/ovsdb-util.c
    M ovsdb/ovsdb-util.h
    M ovsdb/ovsdb.c
    M ovsdb/ovsdb.h
    A ovsdb/rbac.c
    A ovsdb/rbac.h
    M ovsdb/trigger.c
    M ovsdb/trigger.h
    M tests/automake.mk
    A tests/ovsdb-rbac.at
    M tests/ovsdb.at
    M tests/test-ovsdb.c

  Log Message:
  -----------
  ovsdb: add support for role-based access controls

Add support for ovsdb RBAC (role-based access control). This includes:

   - Support for "RBAC_Role" table. A db schema containing a table
     by this name will enable role-based access controls using
     this table for RBAC role configuration.

     The "RBAC_Role" table has one row per role, with each row having a
     "name" column (role name) and a "permissions" column (map of
     table name to UUID of row in separate permission table). The
     permission table has one row per access control configuration,
     with the following columns:
    "name"          - name of table to which this row applies
    "authorization" - set of column names and column:key pairs
                      to be compared against client ID to
                      determine authorization status
    "insert_delete" - boolean, true if insertions and
                      authorized deletions are allowed.
    "update"        - Set of columns and column:key pairs for
                      which authorized updates are allowed.
   - Support for a new "role" column in the remote configuration
     table.
   - Logic for applying the RBAC role and permission tables, in
     combination with session role from the remote connection table
     and client id, to determine whether operations modifying database
     contents should be permitted.
   - Support for specifying RBAC role string as a command-line option
     to ovsdb-tool (Ben Pfaff).

Signed-off-by: Lance Richardson <lrichard at redhat.com>
Co-authored-by: Ben Pfaff <blp at ovn.org>
Signed-off-by: Ben Pfaff <blp at ovn.org>


  Commit: 75ddb5f4698fa64a10edc04522bdb2ec2eedb47d
      https://github.com/openvswitch/ovs/commit/75ddb5f4698fa64a10edc04522bdb2ec2eedb47d
  Author: Lance Richardson <lrichard at redhat.com>
  Date:   2017-06-08 (Thu, 08 Jun 2017)

  Changed paths:
    M NEWS
    M ovn/northd/ovn-northd.c
    M ovn/ovn-architecture.7.xml
    M ovn/ovn-sb.ovsschema
    M ovn/ovn-sb.xml

  Log Message:
  -----------
  ovn: add rbac tables to ovn southbound schema

Add rbac "roles" and "permissions" tables to ovn southbound
database schema, add support to ovn-northd for managing these
tables.

Signed-off-by: Lance Richardson <lrichard at redhat.com>
Signed-off-by: Ben Pfaff <blp at ovn.org>


  Commit: fff48136657c76279b08ea27474c6741db576157
      https://github.com/openvswitch/ovs/commit/fff48136657c76279b08ea27474c6741db576157
  Author: Lance Richardson <lrichard at redhat.com>
  Date:   2017-06-08 (Thu, 08 Jun 2017)

  Changed paths:
    M ovn/utilities/ovn-sbctl.c

  Log Message:
  -----------
  ovn-sbctl: support setting rbac role for remote connections

Add support for specifying rbac "role" when setting remote
connection configuration in the southbound database.

Prior to this change, usage examples included:

    ovn-sbctl set-connection ptcp:6642
    ovn-sbctl set-connection pssl:6642 \
                       read-only ptcp:7777 \
                       read-write punix:/tmp.foo

With this change, in addition to the above:

    ovn-sbctl set-connection role=ovn-controller pssl:6642 \
                       read-only role= ptcp:7777 \
                       read-write punix:/tmp/foo

As with the "read-only"/"read-write" attributes, the specified
role is applied to all subsequent connections until changed.

Signed-off-by: Lance Richardson <lrichard at redhat.com>
Signed-off-by: Ben Pfaff <blp at ovn.org>


Compare: https://github.com/openvswitch/ovs/compare/8155ab7e632f...fff48136657c
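The authorization logic described in the first commit message (a session role selects a per-table permission row; the "authorization" entries are compared against the client ID; "insert_delete" gates inserts and authorized deletes; "update" lists the columns an authorized client may change), modelled in Python as an added illustration. This is not Open vSwitch's code. The role name ovn-controller comes from the ovn-sbctl example above; the Chassis table, its columns and the permission set are constructed sample data, and the treatment of a session with no role (unrestricted) and of a table with no permission row (read-only) are this model's own assumptions.

```python
"""Toy model of the ovsdb RBAC decision described in the commit message.

Added illustration, not Open vSwitch code: table/column names follow the
commit text, but edge-case rules (no role, missing permission row) are
this model's own assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    """One row of the permission table; governs one database table."""
    name: str                 # table to which this row applies
    authorization: frozenset  # column names / "column:key" pairs compared to client ID
    insert_delete: bool       # inserts and authorized deletes allowed
    update: frozenset         # columns / "column:key" pairs an authorized client may update


@dataclass(frozen=True)
class Role:
    """One row of RBAC_Role: "permissions" maps table name -> Permission."""
    name: str
    permissions: dict


def _lookup(row, spec):
    """Resolve "column" or "column:key" against a row (dict column -> value)."""
    if ":" in spec:
        column, key = spec.split(":", 1)
        value = row.get(column)
        return value.get(key) if isinstance(value, dict) else None
    return row.get(spec)


def is_authorized(perm, row, client_id):
    """Client owns the row when any authorization entry holds its client ID."""
    return any(_lookup(row, spec) == client_id for spec in perm.authorization)


def _update_allowed(perm, spec):
    """A "column:key" change is allowed by that exact pair or by the whole column."""
    if spec in perm.update:
        return True
    column = spec.split(":", 1)[0]
    return column != spec and column in perm.update


def check_op(role, table, op, client_id, row, changed=()):
    """Decide whether client may perform op ("insert"/"delete"/"update") on row.

    Assumptions of this model: a session with no role (None) is unrestricted,
    and a table without a permission row in the role is read-only.
    """
    if role is None:
        return True
    perm = role.permissions.get(table)
    if perm is None:
        return False
    if not is_authorized(perm, row, client_id):
        return False
    if op in ("insert", "delete"):
        return perm.insert_delete
    if op == "update":
        return all(_update_allowed(perm, c) for c in changed)
    raise ValueError(f"unknown op {op!r}")


def demo_role():
    """Constructed sample role (assumed data, not OVN's real permission set)."""
    chassis = Permission(
        name="Chassis",
        authorization=frozenset({"name"}),   # row's "name" must equal the client ID
        insert_delete=True,
        update=frozenset({"nb_cfg", "external_ids:ovn-bridge-mappings"}),
    )
    return Role(name="ovn-controller", permissions={"Chassis": chassis})


def demo():
    """Run constructed scenarios for client "hv1"; returns case -> decision."""
    role = demo_role()
    own = {"name": "hv1", "nb_cfg": 1, "external_ids": {}}
    other = {"name": "hv2", "nb_cfg": 1, "external_ids": {}}
    return {
        "insert own chassis": check_op(role, "Chassis", "insert", "hv1", own),
        "insert impersonating hv2": check_op(role, "Chassis", "insert", "hv1", other),
        "update own nb_cfg": check_op(role, "Chassis", "update", "hv1", own, ["nb_cfg"]),
        "rename own chassis": check_op(role, "Chassis", "update", "hv1", own, ["name"]),
        "update listed map key": check_op(role, "Chassis", "update", "hv1", own,
                                          ["external_ids:ovn-bridge-mappings"]),
        "update unlisted map key": check_op(role, "Chassis", "update", "hv1", own,
                                            ["external_ids:foo"]),
        "delete hv2 chassis": check_op(role, "Chassis", "delete", "hv1", other),
        "write unlisted table": check_op(role, "SB_Global", "update", "hv1", {}, ["nb_cfg"]),
        "no role (role=)": check_op(None, "Chassis", "delete", "hv1", other),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {case}")
```

The scenarios worth noting for a practitioner: with the role applied, a client whose ID is hv1 cannot insert a Chassis row named hv2 or delete hv2's row, and can change only the listed columns of its own row, while the same session with an empty role (the `role=` form in the ovn-sbctl example) is unrestricted, which is why the role should be set on every remote that untrusted hypervisors connect to.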

