On 10/29/25 1:30 PM, Ales Musil via dev wrote:
> When RBAC was enabled ovn-controller wasn't able to create any
> Learned_Route rows due to missing RBAC configuration. Add the
> configuration to allow ovn-controller insertion and update inside
> Learned_Route table.
>
> Fixes: 866a5014ae45 ("controller: Support learning routes.")
> Signed-off-by: Ales Musil <[email protected]>
> ---
Hi Ales,
Thanks for the patch!
> northd/ovn-northd.c | 13 +++++++++++++
> 1 file changed, 13 insertions(+)
>
> diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
> index c9d88dd22..9e5adb60f 100644
> --- a/northd/ovn-northd.c
> +++ b/northd/ovn-northd.c
> @@ -128,6 +128,11 @@ static const char *rbac_bfd_auth[] =
> static const char *rbac_bfd_update[] =
> {"status"};
>
> +static const char *rbac_learned_route_auth[] =
> + {""};
> +static const char *rbac_learned_route_update[] =
> + {"datapath", "logical_port", "ip_prefix", "nexthop"};
In hindsight this might have been an unfortunate schema design decision
when we chose to add "external_ids" to the SB.Learned_Route table.
Do we want to allow ovn-controller to also update external_ids? If I
understand correctly it would anyway be allowed to create entries with
external_ids set after this patch.
> +
> static struct rbac_perm_cfg {
> const char *table;
> const char **auth;
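Review bot: rbac_learned_route_auth is {""}, and in the OVSDB RBAC model a zero-length authorization string means every client is considered authorized, so the four columns in rbac_learned_route_update become writable on any Learned_Route row by any ovn-controller, not only on rows that chassis created. If the table has no column that can tie a row to the chassis that learned it, say so in a comment above the array. Otherwise, name that column in the auth list so the permission is scoped per chassis.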
> @@ -217,6 +222,14 @@ static struct rbac_perm_cfg {
> .update = rbac_bfd_update,
> .n_update = ARRAY_SIZE(rbac_bfd_update),
> .row = NULL
> + },{
> + .table = "Learned_Route",
> + .auth = rbac_learned_route_auth,
> + .n_auth = ARRAY_SIZE(rbac_learned_route_auth),
> + .insdel = true,
> + .update = rbac_learned_route_update,
> + .n_update = ARRAY_SIZE(rbac_learned_route_update),
> + .row = NULL
> },{
> .table = NULL,
> .auth = NULL,
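Review bot: .insdel = true in the new Learned_Route entry grants row deletion as well as insertion, while the commit message only mentions insertion and update. Please state in the commit message that ovn-controller also needs to delete learned routes. Also consider adding a test that exercises route learning with RBAC enabled, since the diffstat shows only northd/ovn-northd.c changed.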
Regards,
Dumitru
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev