On Tue, Mar 02, 2021 at 06:23:53PM +0100, Frode Nordahl wrote:
> When `ovn-controller` claims a virtual lport it will update the
> Port_Binding table with which chassis currently has claimed the
> port as well as recording information about the virtual parent
> lport [0].
>
> The current RBAC rules do not allow for the latter which makes
> this operation fail.
>
> 0:
> https://github.com/ovn-org/ovn/blob/b7b0fbdab03ce8b39d5bdc114876e6b0d0683892/controller/pinctrl.c#L6150
> Fixes: 054f4c85c ("Add a new logical switch port type - 'virtual'")
> Reported-At: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1917475
> Signed-off-by: Frode Nordahl <[email protected]>
> ---
> northd/ovn-northd.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
> index ac872aade..dd2c8e243 100644
> --- a/northd/ovn-northd.c
> +++ b/northd/ovn-northd.c
> @@ -13251,7 +13251,7 @@ static const char *rbac_encap_update[] =
> static const char *rbac_port_binding_auth[] =
> {""};
> static const char *rbac_port_binding_update[] =
> - {"chassis", "up"};
> + {"chassis", "up", "virtual_parent"};
>
> static const char *rbac_mac_binding_auth[] =
> {""};
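Review bot: "virtual_parent" is added to rbac_port_binding_update while rbac_port_binding_auth just above it stays {""}, and an empty string in an RBAC authorization set authorizes every client, so the new column becomes writable on any Port_Binding row by any chassis, not only the one that claimed the port. That matches how "chassis" and "up" are already treated, but the commit message should say the wider write access is intended. The diffstat also shows only ovn-northd.c changing; a test that claims a virtual port with RBAC enabled would keep this from regressing.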
Please fold in the following corresponding change to ovn-northd-ddlog:
diff --git a/northd/ovn_northd.dl b/northd/ovn_northd.dl
index 13bbe17c81da..a26555c0cb45 100644
--- a/northd/ovn_northd.dl
+++ b/northd/ovn_northd.dl
@@ -1280,7 +1280,7 @@ sb::Out_RBAC_Permission (
.table = "Port_Binding",
.authorization = set_singleton(""),
.insert_delete = false,
- .update = ["chassis", "up"].to_set()
+ .update = ["chassis", "up", "virtual_parent"].to_set()
).
sb::Out_RBAC_Permission (
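Review bot: the .update list for "Port_Binding" here is a hand-maintained copy of rbac_port_binding_update in northd/ovn-northd.c, which is how the two drifted apart in the first version of this patch. A short comment on the .update line naming the C array it must match would help, and once this hunk is folded in the commit's diffstat and description should mention ovn_northd.dl as well.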