On 12/2/22 17:21, Frode Nordahl wrote:
> If an OVN deployment has OVN RBAC enabled for the southbound
> database, enabling BFD would lead to permission errors.
>
> The data in the entries in the BFD table do not belong to any
> given chassis and no column can provide authentication, but the
> rules still need to be there for successful operation.
>
> Fixes: 117203584d98 ("controller: introduce BFD tx path in ovn-controller.")
> Reported-at: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1995771
> Signed-off-by: Frode Nordahl <[email protected]>
> ---

Hi Frode,

Thanks for the patch!

> northd/ovn-northd.c | 13 +++++++++++++
> 1 file changed, 13 insertions(+)
>
> diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
> index 965353cd7..89d8c7172 100644
> --- a/northd/ovn-northd.c
> +++ b/northd/ovn-northd.c
> @@ -125,6 +125,11 @@ static const char *rbac_igmp_group_auth[] =
> {""};
> static const char *rbac_igmp_group_update[] =
> {"address", "chassis", "datapath", "ports"};
> +static const char *rbac_bfd_auth[] =
> + {""};
> +static const char *rbac_bfd_update[] =
> + {"src_port", "disc", "logical_port", "dst_ip", "min_tx", "min_rx",
> + "detect_mult", "status", "external_ids", "options"};
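
Review bot: rbac_bfd_update lists ten columns while rbac_bfd_auth is {""}, and the commit message states that no column can provide authentication, so this update list is the only thing limiting which BFD columns a chassis may modify. Columns such as "src_port", "dst_ip" and "logical_port" should be dropped unless ovn-controller actually writes them; trimming the list to the columns the controller needs keeps the permission as narrow as the table allows. A short comment above rbac_bfd_auth explaining why the empty authorization column is acceptable for this table would also help future readers of the RBAC definitions.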

I didn't try it out but isn't it enough if we list "status" here?
ovn-controller never tries to write to any of the others.

Regards,
Dumitru