Signed-off-by: Frode Nordahl <frode.nord...@canonical.com> Acked-by: Aliasgar Ginwala <aginw...@ebay.com> Submitted-at: https://github.com/ovn-org/ovn/pull/25 --- .../topics/role-based-access-control.rst | 7 ++++++ Documentation/tutorials/ovn-rbac.rst | 25 +++++++++++++++++++ 2 files changed, 32 insertions(+)
diff --git a/Documentation/topics/role-based-access-control.rst b/Documentation/topics/role-based-access-control.rst index 2acd1e88b..e13e2d5dc 100644 --- a/Documentation/topics/role-based-access-control.rst +++ b/Documentation/topics/role-based-access-control.rst @@ -82,6 +82,13 @@ command: $ ovn-sbctl set-connection role=ovn-controller ssl:192.168.0.1:6642 +.. note:: + + There is currently no pre-defined role for ovn-northd. You must configure + a separate listener on the OVN southbound database that ovn-northd can + connect to if your deployment topology require ovn-northd to connect to a + OVN southbound database instance on a remote machine. + Pre-defined Roles ----------------- This section describes roles that have been defined internally by OVS/OVN. diff --git a/Documentation/tutorials/ovn-rbac.rst b/Documentation/tutorials/ovn-rbac.rst index 22b169d6d..fc2de5d5d 100644 --- a/Documentation/tutorials/ovn-rbac.rst +++ b/Documentation/tutorials/ovn-rbac.rst @@ -132,3 +132,28 @@ Configuring RBAC /path/to/chassis_2-cert.pem /path/to/cacert.pem $ ovs-vsctl set open_vswitch . \ external_ids:ovn-remote=ssl:machine_3-ip:6642 + +The OVN central control daemon and RBAC +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The OVN central control daemon (`ovn-northd`) needs full write access to +the southbound database. When you have one machine hosting the central +components, `ovn-northd` can talk to the databases through a local unix +socket, bypassing the `ovn-controller` RBAC configured for the listener +at port '6642'. However, if you want to deploy multiple machines for +hosting the central components, `ovn-northd` will require a remote +connection to all of them. + +1. Configure the southbound database with a second SSL listener on a + separate port without RBAC enabled for use by `ovn-northd`. + + In `machine_3`:: + + $ ovn-sbctl -- --id=@conn_uuid create Connection \ + target="pssl\:16642" \ + -- add SB_Global . connections=@conn_uuid + + .. note:: + + Care should be taken to restrict access to the above mentioned port + so that only trusted machines can connect to it. -- 2.20.1 _______________________________________________ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev