Hi

This is my first question here, so please kindly let me know if I need to add 
any information to make the question actually answerable.  : )

Basically, I have a working OVN test environment with one central node (where 
nb and sb db runs) and 2 hypervisor nodes (ovn-controllers).  SSL has already 
been enabled for connection to south bound db. Hypervisors connect to sb db via 
SSL.

To enable rbac on the southbound connection I’ve issued the following command on 
the central node:

ovn-sbctl set-connection role=ovn-controller ssl:[central_node_ip]:6642

The role, permission and connection tables look as follows:

#ovn-sbctl list rbac-role
_uuid               : cfba4fb4-2073-4639-8da4-f43e3336583d
name                : ovn-controller
permissions         : {Chassis=6b444b75-a3dd-4482-8399-91db41eacbe8, 
Encap=4e57bd31-f326-4c52-9814-963e92cd39cd, 
MAC_Binding=e8c3f556-2f98-4b15-b40a-5a444903902a, 
Port_Binding=9adcc428-8910-4e49-bff5-a82ec1dad586}

# ovn-sbctl list rbac-permission
_uuid               : 9adcc428-8910-4e49-bff5-a82ec1dad586
authorization       : [""]
insert_delete       : false
table               : Port_Binding
update              : [chassis]

_uuid               : 4e57bd31-f326-4c52-9814-963e92cd39cd
authorization       : [chassis_name]
insert_delete       : true
table               : Encap
update              : [ip, options, type]

_uuid               : 6b444b75-a3dd-4482-8399-91db41eacbe8
authorization       : [name]
insert_delete       : true
table               : Chassis
update              : [encaps, external_ids, nb_cfg, vtep_logical_switches]

_uuid               : e8c3f556-2f98-4b15-b40a-5a444903902a
authorization       : [""]
insert_delete       : true
table               : MAC_Binding
update              : [datapath, ip, logical_port, mac]

Both the role and permission table come with OVN by default.

I tested the following scenario for rbac:
Add one more row to the encap table with a random chassis_name “1234” from one 
of the hypervisors. (The command issued and the results are as below.) I’m 
expecting the command to fail because of the rbac permission on the encap table, 
which authorizes based on chassis_name. But from the output, it appears to have 
succeeded.

# ovn-sbctl --id=@test97c983e4 --db=ssl:[central_node_ip]:6642 \
    --private-key=/etc/openvswitch/ovn-controller-privkey.pem \
    --certificate=/etc/openvswitch/ovn-controller-cert.pem \
    --ca-cert=/etc/openvswitch/cacert.pem \
    create encap chassis_name='1234' ip='1234' options:csum="true" type="geneve"

2018-09-11T21:58:27Z|00002|sbctl|WARN|row id "@test97c983e4" was created but no 
reference to it was inserted, so it will not actually appear in the database


I can’t find many documents that actually show how to set up and test rbac for 
ovn other than the official doc
http://docs.openvswitch.org/en/latest/topics/role-based-access-control/

Can someone help tell me what’s going on here?
Have I configured rbac wrong, or used the wrong test parameters?

Thank you very much!
Zhenhua
_______________________________________________
discuss mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
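Added illustration, not part of the post above and not ovsdb-server's own code: a small Python model of how the ovn-controller role shown in the post is evaluated, following the OVS RBAC documentation (client ID is the CN of the client certificate; a row is authorized when a column named in `authorization` equals that CN, an empty set matching every row; `insert_delete` gates inserts and deletes; `update` lists the only columns that may change). The permission rows are transcribed from the `ovn-sbctl list rbac-permission` output above; the client CN `hv1`, the chassis `hv2`, and the row contents are constructed sample data. Note that the check only runs on rows that actually reach the committed transaction: per the warning in the post, a `--id=@x create` row that nothing references is dropped before commit, so the policy is never consulted for it.

```python
"""Model of the OVSDB RBAC check for the default OVN 'ovn-controller' role.

Added example (not ovsdb-server code).  Permission rows are transcribed from
the `ovn-sbctl list rbac-permission` output; [""] becomes the empty set, which
means "any row".  Client ID "hv1" and all row contents are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    table: str
    authorization: frozenset   # columns that must equal the client ID; empty == any row
    insert_delete: bool        # may insert/delete authorized rows
    update: frozenset          # only these columns may be updated on authorized rows


OVN_CONTROLLER_ROLE = {
    "Port_Binding": Permission("Port_Binding", frozenset(), False,
                               frozenset({"chassis"})),
    "Encap": Permission("Encap", frozenset({"chassis_name"}), True,
                        frozenset({"ip", "options", "type"})),
    "Chassis": Permission("Chassis", frozenset({"name"}), True,
                          frozenset({"encaps", "external_ids", "nb_cfg",
                                     "vtep_logical_switches"})),
    "MAC_Binding": Permission("MAC_Binding", frozenset(), True,
                              frozenset({"datapath", "ip", "logical_port", "mac"})),
}


def row_authorized(perm, client_id, row):
    """True when some authorization column equals the client ID, or none is required."""
    if not perm.authorization:
        return True
    return any(row.get(col) == client_id for col in perm.authorization)


def check(role, client_id, op, table, row, changed=()):
    """Return (allowed, reason) for op in {"insert", "delete", "update"}.

    `row` is the row as it would exist after the operation (the new row for an
    insert); `changed` lists the columns an update touches.
    """
    perm = role.get(table)
    if perm is None:
        return False, f"{table}: no permission row for this table, all writes denied"
    if not row_authorized(perm, client_id, row):
        cols = ",".join(sorted(perm.authorization))
        return False, f"{table}: authorization column(s) {cols} do not match client {client_id!r}"
    if op in ("insert", "delete"):
        if perm.insert_delete:
            return True, f"{table}: {op} allowed"
        return False, f"{table}: insert_delete is false"
    if op == "update":
        bad = sorted(set(changed) - perm.update)
        if bad:
            return False, f"{table}: column(s) {','.join(bad)} not in update set"
        return True, f"{table}: update of {','.join(sorted(changed))} allowed"
    return False, f"{table}: unknown operation {op!r}"


def demo(client_id="hv1"):
    """Replay the post's Encap test plus neighbouring cases; returns {label: allowed}."""
    cases = {
        # The post's test: an Encap row whose chassis_name is not the cert CN.
        "encap_foreign_chassis": ("insert", "Encap",
                                  {"chassis_name": "1234", "ip": "1234", "type": "geneve"}, ()),
        # Same insert, chassis_name equal to the client's CN.
        "encap_own_chassis": ("insert", "Encap",
                              {"chassis_name": client_id, "ip": "10.0.0.1", "type": "geneve"}, ()),
        # A controller may claim a port by setting Port_Binding.chassis ...
        "port_binding_set_chassis": ("update", "Port_Binding", {"logical_port": "vm1"}, {"chassis"}),
        # ... but not touch other Port_Binding columns, nor create rows.
        "port_binding_set_logical_port": ("update", "Port_Binding", {"logical_port": "vm1"}, {"logical_port"}),
        "port_binding_insert": ("insert", "Port_Binding", {"logical_port": "vm9"}, ()),
        # Only its own Chassis row may be updated.
        "chassis_update_own": ("update", "Chassis", {"name": client_id}, {"nb_cfg"}),
        "chassis_update_other": ("update", "Chassis", {"name": "hv2"}, {"nb_cfg"}),
    }
    results = {}
    for label, (op, table, row, changed) in cases.items():
        allowed, reason = check(OVN_CONTROLLER_ROLE, client_id, op, table, row, changed)
        results[label] = allowed
        print(f"{'ALLOW' if allowed else 'DENY ':5} {label}: {reason}")
    return results


if __name__ == "__main__":
    demo()
```

To exercise the real policy rather than this model, the inserted Encap row has to be part of a committed transaction, for example by referencing it from a Chassis row in the same ovn-sbctl invocation, and the certificate presented must have a CN different from the chassis_name being written; otherwise the row is either discarded before the check (the warning in the post) or legitimately permitted.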
