On Tue, Dec 6, 2022 at 1:47 PM Dumitru Ceara <[email protected]> wrote:
>
> On 12/2/22 17:21, Frode Nordahl wrote:
> > If a OVN deployment has OVN RBAC enabled for the southbound
> > database, enabling BFD would lead to permission errors.
> >
> > The data in the entries in the BFD table do not belong to any
> > given chassis and no column can provide authentication, but the
> > rules still need to be there for successful operation.
> >
> > Fixes: 117203584d98 ("controller: introduce BFD tx path in ovn-controller.")
> > Reported-at: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1995771
> > Signed-off-by: Frode Nordahl <[email protected]>
> > ---
>
> Hi Frode,
>
> Thanks for the patch!
>
> > northd/ovn-northd.c | 13 +++++++++++++
> > 1 file changed, 13 insertions(+)
> >
> > diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
> > index 965353cd7..89d8c7172 100644
> > --- a/northd/ovn-northd.c
> > +++ b/northd/ovn-northd.c
> > @@ -125,6 +125,11 @@ static const char *rbac_igmp_group_auth[] =
> > {""};
> > static const char *rbac_igmp_group_update[] =
> > {"address", "chassis", "datapath", "ports"};
> > +static const char *rbac_bfd_auth[] =
> > + {""};
> > +static const char *rbac_bfd_update[] =
> > + {"src_port", "disc", "logical_port", "dst_ip", "min_tx", "min_rx",
> > + "detect_mult", "status", "external_ids", "options"};
>
> I didn't try it out but isn't it enough if we list "status" here?
> ovn-controller never tries to write to any of the others.
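
Review bot: the added rbac_bfd_update[] grants write access to all ten listed columns while rbac_bfd_auth[] is {""}, and the commit message itself says no column can provide authentication, so the update list is the only restriction these rules place on the BFD table. Trim it to the columns ovn-controller actually writes (the comment above suggests "status" alone may be enough), and add a short code comment beside rbac_bfd_auth[] saying why the auth list is empty so the broad grant is not copied to other tables by analogy.
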
Ha, thank you for pointing that out. It ought to be sufficient then, I'll check and send a v2!

-- 
Frode Nordahl

> Regards,
> Dumitru
