If RBAC and IGMP snooping are enabled, ovn-controllers need to
be able to register new entries in the IGMP_Group table as requests
are detected.

For that, ovn-controllers need read/write access to the
IGMP_Group table.

Signed-off-by: Pedro Guimaraes <[email protected]>
Reported-at: https://github.com/ovn-org/ovn/issues/77
---
 northd/ovn-northd.c    | 12 ++++++++++++
 ovn-architecture.7.xml | 16 ++++++++++++++++
 2 files changed, 28 insertions(+)

diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
index b2b5f6a1b..39d798782 100644
--- a/northd/ovn-northd.c
+++ b/northd/ovn-northd.c
@@ -13009,6 +13009,10 @@ static const char *rbac_svc_monitor_auth[] =
     {""};
 static const char *rbac_svc_monitor_auth_update[] =
     {"status"};
+static const char *rbac_igmp_group_auth[] =
+    {""};
+static const char *rbac_igmp_group_update[] =
+    {"address", "chassis", "datapath", "ports"};
 
 static struct rbac_perm_cfg {
     const char *table;
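Review bot: `rbac_igmp_group_auth` is `{""}`, so the southbound RBAC check does not tie an IGMP_Group row to the chassis that wrote it; together with `.insdel = true` and `chassis` in the update list (the table entry added in the next hunk), any client holding the ovn-controller role can delete or re-home groups learned by another chassis. If the table has no column that can carry the client's ID this may be unavoidable, but the trade-off should be stated at the definition, e.g. `/* No per-row authorization: any ovn-controller may insert, delete or update any IGMP_Group row. */`. It is also worth confirming whether `address` and `datapath` are ever rewritten after insertion; if they are not, dropping them from `rbac_igmp_group_update` narrows what a compromised chassis can modify in place, although insert/delete stays open. The `rbac_perm_cfg` definition continues outside this hunk.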
@@ -13067,6 +13071,14 @@ static struct rbac_perm_cfg {
         .update = rbac_svc_monitor_auth_update,
         .n_update = ARRAY_SIZE(rbac_svc_monitor_auth_update),
         .row = NULL
+    },{
+        .table = "IGMP_Group",
+        .auth = rbac_igmp_group_auth,
+        .n_auth = ARRAY_SIZE(rbac_igmp_group_auth),
+        .insdel = true,
+        .update = rbac_igmp_group_update,
+        .n_update = ARRAY_SIZE(rbac_igmp_group_update),
+        .row = NULL
     },{
         .table = NULL,
         .auth = NULL,
diff --git a/ovn-architecture.7.xml b/ovn-architecture.7.xml
index e5c9f9549..0eef9b739 100644
--- a/ovn-architecture.7.xml
+++ b/ovn-architecture.7.xml
@@ -2597,6 +2597,22 @@
         modified by ovn-controller.
       </p>
     </dd>
+
+    <dt><code>IGMP_Group</code></dt>
+    <dd>
+      <p>
+        <code>Authorization</code>: disabled (all clients are considered
+        to be authorized).
+      </p>
+      <p>
+        <code>Insert/Delete</code>: row insertion/deletion are permitted.
+      </p>
+      <p>
+        <code>Update</code>: The columns <code>address</code>,
+        <code>chassis</code>, <code>datapath</code>, and
+        <code>ports</code> may be modified by ovn-controller.
+      </p>
+    </dd>
   </dl>
 
   <p>
-- 
2.30.0
