On 6/11/21 6:30 PM, Han Zhou wrote:
On Fri, Jun 11, 2021 at 11:24 AM Mark Michelson <[email protected]
<mailto:[email protected]>> wrote:
>
> Hi Han,
>
> I'm fine with fixing the test this way, since like you said it's not
> meant to test RBAC.
>
> Acked-by: Mark Michelson <[email protected]
<mailto:[email protected]>>
>
Thanks Mark! I applied the patch 1-3 of this series to master and
branch-2.16. I will address your comment for patch 4.
> However, based on how this sounds, there is still a bug in
> ovn-northd-ddlog wrt RBAC, and that should still be fixed since this
> could cause failures for other tests.
>
In fact this is not a fault of ovn-northd-ddlog. It may be a general
problem of north RBAC - the only role we defined is for ovn-controller,
which is set in the Connection table's "role" column for the SSL connect
method. It means there is no role for northd to apply RBAC. So if northd
wants to use SSL, it needs a different SSL connection (probably a
different port) in the connection table without setting the "role"
(leave it empty). It has been discussed somewhere (probably in github)
for a workaround to the problem, is to use iptables rules or other FW
mechanism to allow access to the port dedicated for northd (without
RBAC) only from northd IPs.
Unless a test specifically is testing SSL between northd and the
southbound database, it's probably OK for northd to connect to the
southbound database using a unix socket by default. Then if SSL is
required for a specific test, then create the second connection using a
separate port.
For this test, it fails because the SSL connection created by the
ovn_start() already sets the "role" to ovn-controller, so through this
connection it is not allowed to update tables other than the ones
allowed for ovn-controller role. For the regular ovn-northd this test
case always succeeds because in fact the regular ovn-northd handles
sb_cfg update incorrectly when the update to SB fails. It updates the
expected sb_cfg back to NB even if it is not written to SB successfully.
It can be fixed as a separate patch (not something urgent though).
I agree. This isn't something super urgent.
Thanks,
Han
> On 6/11/21 2:24 AM, Han Zhou wrote:
> > This test fails for ovn-northd-ddlog because of the RBAC role when
using
> > the SSL connection. RBAC is not the purpose of the test case, so this
> > patch fixes it without enabling RBAC.
> >
> > Signed-off-by: Han Zhou <[email protected] <mailto:[email protected]>>
> > ---
> > tests/ovn-northd.at <http://ovn-northd.at> | 19 +++++++++++++++++--
> > 1 file changed, 17 insertions(+), 2 deletions(-)
> >
> > diff --git a/tests/ovn-northd.at <http://ovn-northd.at>
b/tests/ovn-northd.at <http://ovn-northd.at>
> > index 4692775ad..ad1732da3 100644
> > --- a/tests/ovn-northd.at <http://ovn-northd.at>
> > +++ b/tests/ovn-northd.at <http://ovn-northd.at>
> > @@ -3618,9 +3618,23 @@ ovn_start --backup-northd=none
> > as northd
> > OVS_APP_EXIT_AND_WAIT([NORTHD_TYPE])
> >
> > +as ovn-sb
> > +OVS_APP_EXIT_AND_WAIT([ovsdb-server])
> > +
> > +key_server=testpki-test-privkey.pem
> > +cert_server=testpki-test-cert.pem
> > +cacert=testpki-cacert.pem
> > +
> > +cd ovn-sb
> > +rm ovsdb-server.log
> > +ssl_options="--remote=pssl:0:127.0.0.1 ovn-sb.db -p
$PKIDIR/$key_server -c $PKIDIR/$cert_server -C $PKIDIR/$cacert"
> > +AT_CHECK([ovsdb-server --detach --no-chdir --pidfile --log-file
$ssl_options], [0], [], [stderr])
> > +on_exit "kill `cat ovsdb-server.pid`"
> > +PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT])
> > +cd ..
> > +
> > key=testpki-hv1-privkey.pem
> > cert=testpki-hv1-cert.pem
> > -cacert=testpki-cacert.pem
> >
> > key2=testpki-hv2-privkey.pem
> > cert3=testpki-hv3-cert.pem
> > @@ -3629,8 +3643,9 @@ cert3=testpki-hv3-cert.pem
> > cp $PKIDIR/$key2 $key
> > cp $PKIDIR/$cert3 $cert
> > cp $PKIDIR/$cacert $cacert
> > +as northd
> > start_daemon ovn$NORTHD_TYPE -vjsonrpc \
> > - --ovnnb-db=$OVN_NB_DB --ovnsb-db=$SSL_OVN_SB_DB \
> > + --ovnnb-db=$OVN_NB_DB --ovnsb-db=ssl:127.0.0.1:$TCP_PORT \
> > -p $key -c $cert -C $cacert
> >
> > # SSL should not connect because of key and cert mismatch
> >
>
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
