> From: "Lance Richardson" <[email protected]>
> To: "Ben Pfaff" <[email protected]>
> Cc: [email protected], "mickeys dev" <[email protected]>, "Russell
> Bryant" <[email protected]>
> Sent: Thursday, 6 April, 2017 12:19:46 PM
> Subject: Re: [RFC 0/5] role-based access controls for ovsdb-server, ovn-sb
>
> > From: "Ben Pfaff" <[email protected]>
> > To: "Lance Richardson" <[email protected]>
> > Cc: [email protected], [email protected], "mickeys dev"
> > <[email protected]>
> > Sent: Thursday, 6 April, 2017 12:03:44 PM
> > Subject: Re: [RFC 0/5] role-based access controls for ovsdb-server, ovn-sb
> >
> > On Mon, Mar 27, 2017 at 02:56:08PM -0400, Lance Richardson wrote:
> > > This series implements role-based access control infrastructure for
> > > ovsdb-server, and uses that infrastructure to apply role-based access
> > > controls to the OVN_Southbound database. This implementation follows
> > > the outline discussed at:
> > >
> > > https://mail.openvswitch.org/pipermail/ovs-dev/2017-March/329801.html
> > >
> > > With this series applied, enabling role-based ACLs is a matter of:
> > >
> > > - Configuring southbound ovsdb-server and ovn-controller to use SSL,
> > >   configuring an ovn-controller "role" for SSL connections via e.g.:
> > >
> > >     ovn-sbctl set-connection role=ovn-controller pssl:6642
> > >
> > > - Using unique certificates for each ovn-controller with a unique
> > >   CN for each chassis, generated e.g. via:
> > >
> > >     ovs-pki -B 1024 req+sign chassis1 switch
> > >     ovs-pki -B 1024 req+sign chassis2 switch
> > >     ovs-pki -B 1024 req+sign chassis3 switch
> > >
> > > - Starting the southbound ovsdb-server with the "--rbac" command-line
> > >   option:
> > >
> > >     --rbac=db:OVN_Southbound,RBAC_Role
> >
> > This series is promising.
> >
> > I'm a little concerned about additional per-DB command-line options
> > because it makes it hard to add and remove databases at runtime.
> >
Hi Ben,

Could we extend the database schema format to add something like:

    "_rbac_role": <rbac-role-table-id>

If so, I think we could eliminate the need to do anything extra for RBAC
support as databases are added/removed at runtime, and the --rbac=
command-line option would no longer be necessary.

Lance
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
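The two ways of naming the RBAC role table that this thread discusses, the `--rbac=db:<DB>,<TABLE>` option from the series and the `"_rbac_role"` schema key proposed in the reply, as an added Python example. This is not OVS or OVN code: the `"_rbac_role"` key, the function names and the trimmed sample schemas are assumptions made for illustration. It shows why the schema-embedded form needs nothing extra when a database is added at runtime, and that a role table named by either mechanism should be checked against the schema so a typo fails closed instead of silently loading the database without RBAC.

```python
import json

# Constructed, deliberately small schema in the OVSDB JSON shape (RFC 7047:
# "name", "version", "tables"), plus the hypothetical "_rbac_role" key from
# the proposal. It is not the real OVN_Southbound schema.
SAMPLE_SCHEMA = json.dumps({
    "name": "OVN_Southbound",
    "version": "1.0.0",
    "_rbac_role": "RBAC_Role",
    "tables": {
        "RBAC_Role": {"columns": {"name": {"type": "string"}}},
        "RBAC_Permission": {"columns": {"table": {"type": "string"}}},
        "Chassis": {"columns": {"name": {"type": "string"}}},
    },
})

# The same database without the key: RBAC can then only be enabled from the
# command line, which is the per-DB option the thread is trying to avoid.
LEGACY_SCHEMA = json.dumps({
    "name": "OVN_Southbound",
    "version": "1.0.0",
    "tables": {
        "RBAC_Role": {"columns": {"name": {"type": "string"}}},
        "Chassis": {"columns": {"name": {"type": "string"}}},
    },
})

# A constructed second database hot-added later; it carries no role table.
OTHER_SCHEMA = json.dumps({
    "name": "Example_DB",
    "version": "0.1.0",
    "tables": {"Item": {"columns": {"name": {"type": "string"}}}},
})


def parse_rbac_option(value):
    """Split a --rbac=db:<DB>,<TABLE> value (the form used in the series)
    into (db, table); reject anything else rather than guessing."""
    if not value.startswith("db:"):
        raise ValueError(f"--rbac value must start with 'db:': {value!r}")
    db, sep, table = value[len("db:"):].partition(",")
    if not sep or not db or not table:
        raise ValueError(f"--rbac value must be db:<DB>,<TABLE>: {value!r}")
    return db, table


def rbac_role_table(schema_json, rbac_option=None):
    """Return (db_name, role_table) for one database, or None when RBAC is
    not enabled for it. The schema-embedded "_rbac_role" key (an assumed
    extension) is authoritative; a --rbac option applies only when its
    database name matches. The chosen table must exist in the schema."""
    schema = json.loads(schema_json)
    db_name = schema["name"]
    tables = schema.get("tables", {})

    table = schema.get("_rbac_role")
    if table is None and rbac_option is not None:
        opt_db, opt_table = parse_rbac_option(rbac_option)
        if opt_db == db_name:
            table = opt_table
    if table is None:
        return None
    if table not in tables:
        raise ValueError(f"{db_name}: RBAC role table {table!r} not in schema")
    return db_name, table


def load_databases(schemas, rbac_option=None):
    """Model ovsdb-server loading (or later hot-adding) several databases.
    Returns {db_name: role_table_or_None}; with the schema key, the role
    table is found from the schema alone, with no per-DB option to keep
    in sync as databases come and go."""
    result = {}
    for schema_json in schemas:
        name = json.loads(schema_json)["name"]
        found = rbac_role_table(schema_json, rbac_option)
        result[name] = found[1] if found else None
    return result


if __name__ == "__main__":
    print(load_databases([SAMPLE_SCHEMA, OTHER_SCHEMA]))
    print(load_databases([LEGACY_SCHEMA], "db:OVN_Southbound,RBAC_Role"))
```

With the schema key present, `load_databases` resolves the role table for `OVN_Southbound` and leaves `Example_DB` without RBAC, using no command-line state at all; the legacy schema only gets RBAC when the `--rbac` value names that exact database, and a misspelled table name raises at load time.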