[ovs-dev] [PATCH ovn] northd: Fix RBAC for IGMP_Group.

Wed, 10 Feb 2021 03:50:45 -0800 

Reported-at: https://github.com/ovn-org/ovn/issues/77
Fixes: 605535f9adf2 ("OVN: Add ovn-northd IGMP support")
Signed-off-by: Dumitru Ceara <[email protected]>
---
 northd/ovn-northd.c    | 13 +++++++++++++
 ovn-architecture.7.xml | 21 +++++++++++++++++++--
 2 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
index db6572a..234ec8d 100644
--- a/northd/ovn-northd.c
+++ b/northd/ovn-northd.c
@@ -12996,6 +12996,11 @@ static const char *rbac_svc_monitor_auth[] =
 static const char *rbac_svc_monitor_auth_update[] =
     {"status"};
 
+static const char *rbac_igmp_group_auth[] =
+    {""};
+static const char *rbac_igmp_group_update[] =
+    {"address", "datapath", "chassis", "ports"};
+
 static struct rbac_perm_cfg {
     const char *table;
     const char **auth;
@@ -13054,6 +13059,14 @@ static struct rbac_perm_cfg {
         .n_update = ARRAY_SIZE(rbac_svc_monitor_auth_update),
         .row = NULL
     },{
+        .table = "IGMP_Group",
+        .auth = rbac_igmp_group_auth,
+        .n_auth = ARRAY_SIZE(rbac_igmp_group_auth),
+        .insdel = true,
+        .update = rbac_igmp_group_update,
+        .n_update = ARRAY_SIZE(rbac_igmp_group_update),
+        .row = NULL
+    },{
         .table = NULL,
         .auth = NULL,
         .n_auth = 0,
diff --git a/ovn-architecture.7.xml b/ovn-architecture.7.xml
index e5c9f95..854f8c2 100644
--- a/ovn-architecture.7.xml
+++ b/ovn-architecture.7.xml
@@ -2529,8 +2529,9 @@
   <p>
     RBAC configuration for the OVN southbound database is maintained by
     ovn-northd. With RBAC enabled, modifications are only permitted for the
-    <code>Chassis</code>, <code>Encap</code>, <code>Port_Binding</code>, and
-    <code>MAC_Binding</code> tables, and are restricted as follows:
+    <code>Chassis</code>, <code>Encap</code>, <code>Port_Binding</code>,
+    <code>MAC_Binding</code>, and <code>IGMP_Group</code> tables, and are
+    restricted as follows:
   </p>
   <dl>
     <dt><code>Chassis</code></dt>
@@ -2597,6 +2598,22 @@
         modified by ovn-controller.
       </p>
     </dd>
+
+    <dt><code>IGMP_Group</code></dt>
+    <dd>
+      <p>
+        <code>Authorization</code>: disabled (all clients are considered
+        to be authorized).
+      </p>
+      <p>
+        <code>Insert/Delete</code>: row insertion/deletion are permitted.
+      </p>
+      <p>
+        <code>Update</code>: The columns <code>address</code>,
+        <code>datapath</code>, <code>chassis</code>, and <code>ports</code>
+        may be modified by ovn-controller.
+      </p>
+    </dd>
   </dl>
 
   <p>
-- 
1.8.3.1

_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev

Reply via email to