On Mon, Mar 27, 2017 at 02:56:08PM -0400, Lance Richardson wrote:
> This series implements role-based access control infrastructure for
> ovsdb-server, and uses that infrastructure to apply role-based access
> controls to the OVN_Southbound database. This implementation follows
> the outline discussed at:
>
> https://mail.openvswitch.org/pipermail/ovs-dev/2017-March/329801.html
>
> With this series applied, enabling role-based ACLs is a matter of:
>
> - Configuring southbound ovsdb-server and ovn-controller to use SSL,
>   configuring an ovn-controller "role" for SSL connections via e.g.:
>       ovn-sbctl set-connection role=ovn-controller pssl:6642
> - Using unique certificates for each ovn-controller with a unique
>   CN for each chassis, generated e.g. via:
>       ovs-pki -B 1024 req+sign chassis1 switch
>       ovs-pki -B 1024 req+sign chassis2 switch
>       ovs-pki -B 1024 req+sign chassis3 switch
> - Starting the southbound ovsdb-server with the "--rbac" command-line
>   option:
>       --rbac=db:OVN_Southbound,RBAC_Role
This series is promising. I'm a little concerned about additional per-DB
command-line options because it makes it hard to add and remove databases
at runtime.

_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
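The quoted setup depends on every chassis presenting a certificate with its own CN, because that CN is what the role-based ACL uses to tell one ovn-controller from another. The following script is an added example, not part of the patch series or of Open vSwitch: it assumes the per-chassis certificates generated by `ovs-pki req+sign chassisN switch` are available as files (the `chassisN-cert.pem` names below are an assumption), extracts each certificate's CN with `openssl`, and fails if two certificates share a CN.

```shell
#!/bin/sh
# Added example (not from the patch series or the OVS project).
# Audit per-chassis ovn-controller certificates for duplicate CNs:
# the RBAC role mapping identifies a chassis by the CN of its SSL
# certificate, so two chassis sharing a CN are indistinguishable to
# ovsdb-server and the per-chassis access restrictions lose their meaning.

# cert_cn FILE: print the CN of the certificate in FILE (needs openssl).
# Handles both "subject=CN = x" and the older "subject= /CN=x" formats.
cert_cn() {
    openssl x509 -in "$1" -noout -subject 2>/dev/null |
        sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# check_unique_cns: read "file cn" pairs on stdin, one per line; print
# every CN used by more than one file and exit 1 if any duplicate exists.
check_unique_cns() {
    awk '{ count[$2]++; files[$2] = files[$2] " " $1 }
         END {
             bad = 0
             for (cn in count)
                 if (count[cn] > 1) {
                     bad = 1
                     print "duplicate CN " cn ":" files[cn]
                 }
             exit bad
         }'
}

# audit_chassis_certs CERT...: run the check over real certificate files,
# e.g. audit_chassis_certs chassis1-cert.pem chassis2-cert.pem chassis3-cert.pem
audit_chassis_certs() {
    for f in "$@"; do
        printf '%s %s\n' "$f" "$(cert_cn "$f")"
    done | check_unique_cns
}
```

Run it against the certificate files after issuing them and before distributing them to the chassis; a non-zero exit means at least one CN was reused and the affected files are listed on stdout.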