> From: "Ben Pfaff" <b...@ovn.org>
> To: "Lance Richardson" <lrich...@redhat.com>
> Cc: d...@openvswitch.org, russe...@ovn.org, "mickeys dev" <mickeys....@gmail.com>
> Sent: Thursday, 6 April, 2017 12:03:44 PM
> Subject: Re: [RFC 0/5] role-based access controls for ovsdb-server, ovn-sb
>
> On Mon, Mar 27, 2017 at 02:56:08PM -0400, Lance Richardson wrote:
> > This series implements role-based access control infrastructure for
> > ovsdb-server, and uses that infrastructure to apply role-based access
> > controls to the OVN_Southbound database. This implementation follows
> > the outline discussed at:
> >
> > https://mail.openvswitch.org/pipermail/ovs-dev/2017-March/329801.html
> >
> > With this series applied, enabling role-based ACLs is a matter of:
> >
> > - Configuring southbound ovsdb-server and ovn-controller to use SSL,
> >   configuring an ovn-controller "role" for SSL connections via e.g.:
> >     ovn-sbctl set-connection role=ovn-controller pssl:6642
> > - Using unique certificates for each ovn-controller with a unique
> >   CN for each chassis, generated e.g. via:
> >     ovs-pki -B 1024 req+sign chassis1 switch
> >     ovs-pki -B 1024 req+sign chassis2 switch
> >     ovs-pki -B 1024 req+sign chassis3 switch
> > - Starting the southbound ovsdb-server with the "--rbac" command-line
> >   option:
> >     --rbac=db:OVN_Southbound,RBAC_Role
>
> This series is promising.
>
> I'm a little concerned about additional per-DB command-line options
> because it makes it hard to add and remove databases at runtime.
Hi Ben,

Thanks for the feedback; I will incorporate it in a v2 along with fixes for a couple of issues I've found in testing.

Regarding your concern about the per-DB command-line options, I don't have any ideas at the moment other than maybe having a reserved table name for RBAC_Role; this seems unclean unless there's a provision for such a thing.

Thanks again,

Lance