We just received a new operational requirement that we have to restrict access to all binaries that provide RW access to infrastructure components, but yet still have the ability to read current state from the infrastructure.
For OVN/OVS, this means we won't be able to use the following binaries in our production environment to read current state: ovs-vsctl, ovs-dpctl, ovs-ofctl, ovs-appctl, ovn-nbctl, and ovn-sbctl.

I'm thinking of meeting this by creating new binaries ovs-vsread, ovs-dpread, ovs-ofread, ovs-appread, ovn-nbread, and ovn-sbread that would include the show, list, and search commands from their RW brethren, but omit the various add and del commands.

Before I start crafting code, I wanted to see if folks can think of a simpler way of meeting this new requirement...

Ryan

_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
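The read/write split described in the message above, sketched as a command allowlist check for ovs-vsctl. This is an added example, not code from the original post or from the OVS project. The function names `is_read_only` and `vsread`, the `OVS_VSCTL` variable, and the choice of `find` as the "search" command are assumptions.

```shell
#!/bin/sh
# ovs-vsctl accepts several commands in one invocation, separated by "--",
# so every chained command has to be checked, not only the first one.

# Returns 0 only if each chained command is show, list or find.
is_read_only() {
    expect_cmd=1   # 1 while still looking for the current segment's command
    seen=0         # set once at least one allowed command was found
    for arg in "$@"; do
        if [ "$arg" = "--" ]; then
            expect_cmd=1          # a new command segment starts here
            continue
        fi
        [ "$expect_cmd" -eq 1 ] || continue   # argument of an accepted command
        case "$arg" in
            -*) continue ;;       # option placed before the command
        esac
        case "$arg" in
            show|list|find) seen=1; expect_cmd=0 ;;
            *) return 1 ;;        # anything else fails closed
        esac
    done
    [ "$seen" -eq 1 ]             # an invocation with no command is refused
}

# Hypothetical front end: run the real binary only for read-only requests.
vsread() {
    if is_read_only "$@"; then
        "${OVS_VSCTL:-ovs-vsctl}" "$@"
    else
        echo "vsread: refused, not a read-only command line" >&2
        return 126
    fi
}
```

An option written with a separate value (for example `-t 5`) makes the check fail closed, because `5` is taken as the command; the `--timeout=5` form passes.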