On Mon, Mar 27, 2017 at 02:56:11PM -0400, Lance Richardson wrote:
> Add support for ovsdb RBAC (role-based access control). This includes:
>
> - Support for new "--rbac <table>" command-line option to
>   ovsdb-server, to specify the RBAC roles table to be used.
>
>   This table has one row per role, with each row having a
>   "name" column (role name) and a "permissions" column (map of
>   table name to UUID of row in separate permission table.) The
>   permission table has one row per access control configuration,
>   with columns:
>     "name" - name of table to which this row applies
>     "authorization" - set of column names and column:key pairs
>                       to be compared against client ID to
>                       determine authorization status
>     "insert_delete" - boolean, true if insertions and
>                       authorized deletions are allowed.
>     "update" - Set of columns and column:key pairs for
>                which authorized updates are allowed.
> - Support for a new "role" column in the remote configuration
>   table.
> - Logic for applying the RBAC role and permission tables, in
>   combination with session role and client id, to determine
>   whether operations modifying database contents should be
>   permitted.
>
> Signed-off-by: Lance Richardson <lrich...@redhat.com>
Thank you for working on this. I have some preliminary comments; I did not scrutinize all the code.

"git am" says:

    .git/rebase-apply/patch:892: new blank line at EOF.
    warning: 1 line adds whitespace errors.

There's a too-deep indentation in the new code in ovsdb_execute_insert().

I've tried to make the OVSDB errors a little more conversational in the past, so that they'd be formatted something more like "RBAC for client X with role Y prohibits update to column Z in table T." Not that it's important.

I'm not sure that a syntax error is the best choice of errors to use. Access denied errors are pretty different from syntax errors, and in theory a client might want to react differently in each case. OVSDB does not have an existing tag for errors that is completely appropriate, so it might make sense to create a "permission denied" tag and use that. I don't think it makes sense to invent a tag named "mutate execution denied by RBAC"; it is too specific.

Maybe the distinction between tags and details for errors is not clear. The tag is supposed to be a kind of category, perhaps roughly equivalent to an errno value. It should be a short and generally pretty generic string, which a machine can recognize. The details, on the other hand, are freeform text that is supposed to help a human find out what went wrong in detail.
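For readers following the thread, here is a small Python model of the decision logic the patch summary describes (role table -> permissions map -> permission record with "authorization", "insert_delete" and "update"), combined with the error shape suggested in the reply: a generic "permission denied" tag plus conversational details. This is an added illustration written for this page, not Open vSwitch code. It assumes that a row is "authorized" for a client when at least one entry in the "authorization" set matches the client ID (a bare column name compares the column's value; a "column:key" pair compares the value stored under that key in a map column), that an empty "authorization" set authorizes every client, and that a role with no permission record for a table is denied everything on it. The table name "Node", the role name "node-agent" and the sample rows are constructed for the example.

```python
"""Toy model of an OVSDB-style RBAC check (constructed example, not OVS code).

Assumptions (not taken from the patch itself):
- a row is authorized for a client when at least one "authorization" entry
  matches the client ID; an empty set authorizes everyone;
- a role with no permission record for a table is denied everything on it;
- errors carry a generic "permission denied" tag plus human-readable details.
"""

from dataclasses import dataclass


@dataclass
class Permission:
    table: str
    authorization: set   # column names and "column:key" strings
    insert_delete: bool  # inserts and authorized deletes allowed?
    update: set          # columns / "column:key" on which authorized updates are allowed


@dataclass
class Role:
    name: str
    permissions: dict    # table name -> Permission (stands in for the UUID map)


def _lookup(row, spec):
    """Resolve a column name or 'column:key' spec against a row dict."""
    if ":" in spec:
        column, key = spec.split(":", 1)
        value = row.get(column)
        return value.get(key) if isinstance(value, dict) else None
    return row.get(spec)


def row_authorized(perm, row, client_id):
    """Assumed rule: empty set authorizes all; otherwise any matching entry suffices."""
    if not perm.authorization:
        return True
    return any(_lookup(row, spec) == client_id for spec in perm.authorization)


def _denied(client_id, role, what, table):
    # Generic machine-readable tag, freeform details for the human reading the log.
    return False, {
        "error": "permission denied",
        "details": f"RBAC for client {client_id} with role {role.name} "
                   f"prohibits {what} in table {table}.",
    }


def check_insert(role, client_id, table):
    perm = role.permissions.get(table)
    if perm is None or not perm.insert_delete:
        return _denied(client_id, role, "insert", table)
    return True, None


def check_delete(role, client_id, table, row):
    perm = role.permissions.get(table)
    if perm is None or not perm.insert_delete or not row_authorized(perm, row, client_id):
        return _denied(client_id, role, "delete", table)
    return True, None


def check_update(role, client_id, table, row, changed):
    """`changed` is the set of column names (or 'column:key') the client modifies."""
    perm = role.permissions.get(table)
    if perm is None or not row_authorized(perm, row, client_id):
        return _denied(client_id, role, "update", table)
    for col in sorted(changed):
        if col not in perm.update:
            return _denied(client_id, role, f"update to column {col}", table)
    return True, None


def sample_role():
    """Constructed role: may insert rows and touch only its own rows' status fields."""
    perm = Permission(table="Node",
                      authorization={"name", "owner:id"},
                      insert_delete=True,
                      update={"status", "external_ids"})
    return Role(name="node-agent", permissions={"Node": perm})


if __name__ == "__main__":
    role = sample_role()
    own = {"name": "host1", "status": "up"}
    other = {"name": "host2", "owner": {"id": "host9"}}
    print(check_update(role, "host1", "Node", own, {"status"}))
    print(check_update(role, "host1", "Node", own, {"name"}))
    print(check_delete(role, "host1", "Node", other))
```

The point the model makes concrete is the one raised in the reply: the client branches on the short tag ("permission denied"), while the details string is only for a human reading the log, so the tag stays generic and the specifics (client, role, column, table) live in the details.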