This patch extends RBAC restrictiveness of the encap table in the ovn southbound database by only allowing modification by the chassis that created the encap.
Signed-off-by: Mark Michelson <[email protected]> Reported-by: Lance Richardson <[email protected]> --- ovn/controller/chassis.c | 1 + ovn/northd/ovn-northd.c | 2 +- ovn/ovn-sb.ovsschema | 5 +++-- ovn/ovn-sb.xml | 3 +++ ovn/utilities/ovn-sbctl.c | 1 + 5 files changed, 9 insertions(+), 3 deletions(-) diff --git a/ovn/controller/chassis.c b/ovn/controller/chassis.c index d38bc949a..640ebbc40 100644 --- a/ovn/controller/chassis.c +++ b/ovn/controller/chassis.c @@ -222,6 +222,7 @@ chassis_run(struct controller_ctx *ctx, const char *chassis_id, sbrec_encap_set_type(encaps[i], type); sbrec_encap_set_ip(encaps[i], encap_ip); sbrec_encap_set_options(encaps[i], &options); + sbrec_encap_set_name(encaps[i], chassis_id); } sbrec_chassis_set_encaps(chassis_rec, encaps, n_encaps); free(encaps); diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c index a3f138d44..473221a70 100644 --- a/ovn/northd/ovn-northd.c +++ b/ovn/northd/ovn-northd.c @@ -6025,7 +6025,7 @@ static const char *rbac_chassis_update[] = {"nb_cfg", "external_ids", "encaps", "vtep_logical_switches"}; static const char *rbac_encap_auth[] = - {""}; + {"name"}; static const char *rbac_encap_update[] = {"type", "options", "ip"}; diff --git a/ovn/ovn-sb.ovsschema b/ovn/ovn-sb.ovsschema index 264364095..8ee6a4519 100644 --- a/ovn/ovn-sb.ovsschema +++ b/ovn/ovn-sb.ovsschema @@ -1,7 +1,7 @@ { "name": "OVN_Southbound", "version": "1.14.0", - "cksum": "3613553908 13275", + "cksum": "1622387373 13319", "tables": { "SB_Global": { "columns": { @@ -45,7 +45,8 @@ "value": "string", "min": 0, "max": "unlimited"}}, - "ip": {"type": "string"}}}, + "ip": {"type": "string"}, + "name": {"type": "string"}}}, "Address_Set": { "columns": { "name": {"type": "string"}, diff --git a/ovn/ovn-sb.xml b/ovn/ovn-sb.xml index c1731d284..4a12f3eaf 100644 --- a/ovn/ovn-sb.xml +++ b/ovn/ovn-sb.xml @@ -353,6 +353,9 @@ <column name="ip"> The IPv4 address of the encapsulation tunnel endpoint. </column> + <column name="name"> + The name of the chassis that created this encap. + </column> </table> <table name="Address_Set" title="Address Sets"> diff --git a/ovn/utilities/ovn-sbctl.c b/ovn/utilities/ovn-sbctl.c index 5c3403266..669d47495 100644 --- a/ovn/utilities/ovn-sbctl.c +++ b/ovn/utilities/ovn-sbctl.c @@ -571,6 +571,7 @@ cmd_chassis_add(struct ctl_context *ctx) sbrec_encap_set_type(encaps[i], encap_type); sbrec_encap_set_ip(encaps[i], encap_ip); sbrec_encap_set_options(encaps[i], &options); + sbrec_encap_set_name(encaps[i], ch_name); i++; } sset_destroy(&encap_set); -- 2.13.3 _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
