Hi: It is a known fact and has been discussed before. We use the same workaround as you mentioned. Alternatively, you can also set role="" and it will work for both northd and ovn-controller instead of separate listeners, which is also a security loophole. In short, some work is needed here to handle RBAC for northd.
On Thu, Nov 7, 2019 at 9:47 AM Frode Nordahl <[email protected]> wrote:
> Hello all,
>
> TL;DR; When enabling the `ovn-controller` role on the SB DB `ovsdb-server` listener, `ovn-northd` no longer has the necessary access to do its job when you are unable to use the local unix socket for its connection to the database.
>
> AFAICT there is no northd-specific or admin type role available, have I missed something?
>
> I have worked around the issue by enabling a separate listener on a different port on the Southbound ovsdb-servers so that `ovn-northd` can connect to that.
>
>
> I have an OVN deployment with central components spread across three machines, there is an instance of the Northbound and Southbound `ovsdb-server` on each of them which are clustered, and there is also an instance of `ovn-northd` on each of them.
>
> The deployment is TLS-enabled and I have enabled RBAC.
>
> Since the DBs are clustered I have no control of which machine will be the leader, and it may be that one machine has the leader for the Northbound DB and a different machine has the leader of the Southbound DB.
>
> Because of this ovn-northd is unable to talk to the databases through a local unix socket and must use a TLS-enabled connection to the DBs, and herein lies the problem.
>
>
> I peeked at the RBAC implementation, and it appears to me that the permission system is tied to having specific columns in each table that map to the name of the client that wants permission. On the surface this appears to not fit with `ovn-northd`'s needs as I would think it would need full access to all tables perhaps based on a centrally managed set of hostnames.
>
> --
> Frode Nordahl
>
> _______________________________________________
> discuss mailing list
> [email protected]
> https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
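The role="" listener the reply calls a loophole is visible in the SB `Connection` table. As an added check (not code from the thread or the OVN project), the script below parses `ovn-sbctl list Connection` output, assuming its `column : value` record layout, and reports which network listeners lack the `ovn-controller` role; the sample output it ships with is constructed.

```python
"""Audit OVN Southbound Connection rows for role-less (unrestricted) listeners.
Added example, not from the thread or the OVN project. It assumes the
`column : value` record layout of `ovn-sbctl list Connection` output, with
records separated by blank lines; feed it the live output to audit a host.
"""
import re

# Constructed sample of that output for the workaround in the thread: an
# ovn-controller-role listener on 6642 plus a role-less one for ovn-northd.
SAMPLE = """\
_uuid               : 3c2f1b0e-0000-4000-8000-000000000001
role                : ovn-controller
target              : "pssl:6642"

_uuid               : 3c2f1b0e-0000-4000-8000-000000000002
role                : ""
target              : "pssl:16642"
"""
FIELD_RE = re.compile(r"^(\w+)\s*:\s*(.*)$")


def parse_records(text):
    """Split `ovn-sbctl list` output into a list of {column: value} dicts."""
    records, current = [], {}
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if match:
            current[match.group(1)] = match.group(2).strip().strip('"')
        elif not line.strip() and current:
            records.append(current)
            current = {}
    if current:
        records.append(current)
    return records


def audit_listeners(text):
    """Return (restricted, unrestricted) target lists for network listeners.

    role "" gives any client with a valid certificate full read/write access;
    role ovn-controller limits each chassis to its own rows. Local punix:
    sockets are not network-reachable and are skipped.
    """
    restricted, unrestricted = [], []
    for rec in parse_records(text):
        target = rec.get("target", "")
        if target.startswith("punix:"):
            continue
        bucket = restricted if rec.get("role") == "ovn-controller" else unrestricted
        bucket.append(target)
    return restricted, unrestricted
```

Run it against `ovn-sbctl list Connection` on each central node; any target in the unrestricted list is a listener that ovn-northd can use but that the chassis certificates can also use for full access.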
