On Tue, Mar 2, 2021 at 11:39 PM Frode Nordahl <[email protected]> wrote:
>
> On Tue, Mar 2, 2021 at 6:55 PM Numan Siddique <[email protected]> wrote:
> >
> > On Tue, Mar 2, 2021 at 10:54 PM Frode Nordahl
> > <[email protected]> wrote:
> > >
> > > When `ovn-controller` claims a virtual lport it will update the
> > > Port_Binding table with which chassis currently has claimed the
> > > port as well as recording information about the virtual parent
> > > lport [0].
> > >
> > > The current RBAC rules do not allow for the latter which makes
> > > this operation fail.
> > >
> > > 0:
> > > https://github.com/ovn-org/ovn/blob/b7b0fbdab03ce8b39d5bdc114876e6b0d0683892/controller/pinctrl.c#L6150
> > > Fixes: 054f4c85c ("Add a new logical switch port type - 'virtual'")
> > > Reported-At: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1917475
> > > Signed-off-by: Frode Nordahl <[email protected]>
> >
> > Thanks for this fix. We really need to have test cases to cover the RBAC
> > cases.
>
> You're welcome, and I agree.
>
> I was contemplating if we ought to enable TLS+RBAC by default in the
> tests, it's slightly complicated due to not being able to use the unix
> socket anymore, but I think we have all the macros and scripts we
> would need to handle it. If we do it through `ovn_start` we should be
> able to get it everywhere for "free".

Agree.

I think this patch requires similar changes for ovn-northd-ddlog.
I think you need to update here -
https://github.com/ovn-org/ovn/blob/master/northd/ovn_northd.dl#L1284

Can you please update that and submit v2?

If you have any questions on the ddlog feel free to ask.

Numan

>
> --
> Frode Nordahl
> >
> > Numan
> >
> > > --- > > > northd/ovn-northd.c | 2 +- > > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > > > diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c > > > index ac872aade..dd2c8e243 100644 > > > --- a/northd/ovn-northd.c > > > +++ b/northd/ovn-northd.c > > > @@ -13251,7 +13251,7 @@ static const char *rbac_encap_update[] = > > > static const char *rbac_port_binding_auth[] = > > > {""}; > > > static const char *rbac_port_binding_update[] = > > > - {"chassis", "up"}; > > > + {"chassis", "up", "virtual_parent"}; > > > > > > static const char *rbac_mac_binding_auth[] = > > > {""}; > > > -- > > > 2.30.0
> > >
> > > _______________________________________________
> > > dev mailing list
> > > [email protected]
> > > https://mail.openvswitch.org/mailman/listinfo/ovs-dev
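
Review bot: On the `rbac_port_binding_update` line, adding `"virtual_parent"` widens what every client holding this role may write, and the context line just above shows `rbac_port_binding_auth[] = {""}`, an empty authorization entry, so no per-row ownership check narrows it and the column list is what bounds writes to Port_Binding. A short comment beside the list naming the ovn-controller path that writes each column (for `virtual_parent`, the virtual lport claim in controller/pinctrl.c cited in the commit message) would make this and later additions easier to audit. The change also comes without a test that claims a virtual port over an RBAC-enabled connection, and the reply notes that the matching column list in northd/ovn_northd.dl needs the same update, so both belong in v2.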
