Re: [ovs-discuss] OVN RBAC role for ovn-northd?

2019-11-08 Thread Frode Nordahl
On Thu, Nov 7, 2019 at 11:20 PM aginwala  wrote:
> Thanks Frode for covering that. Added minor comments to your PR and you can
> send a formal patch.

Thank you for the review Aliasgar, formal patch sent and it has
already been merged [0][1].

Cheers!

0: https://patchwork.ozlabs.org/patch/1191671/
1: 
https://github.com/ovn-org/ovn/commit/e60f2f2d074d992ecfa6d9fc905e98a408e2d85e

--
Frode Nordahl

___
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss


Re: [ovs-discuss] OVN RBAC role for ovn-northd?

2019-11-07 Thread aginwala
Thanks Frode for covering that. Added minor comments to your PR and you
can send a formal patch.

On Thu, Nov 7, 2019 at 2:00 PM Frode Nordahl 
wrote:

> fwiw; I proposed this small note earlier this evening:
> https://github.com/ovn-org/ovn/pull/25


Re: [ovs-discuss] OVN RBAC role for ovn-northd?

2019-11-07 Thread Frode Nordahl
fwiw; I proposed this small note earlier this evening:
https://github.com/ovn-org/ovn/pull/25

On Thu, 7 Nov 2019 at 21:47, Ben Pfaff wrote:

> Sure, anything helps.
>


Re: [ovs-discuss] OVN RBAC role for ovn-northd?

2019-11-07 Thread Ben Pfaff
Sure, anything helps.

On Thu, Nov 07, 2019 at 12:27:44PM -0800, aginwala wrote:
> Hi Ben:
> 
> It seems the RBAC doc
> http://docs.openvswitch.org/en/stable/tutorials/ovn-rbac/#configuring-rbac
> only talks
> about chassis and does not mention northd. I can submit a patch to
> update that as a TODO for northd and mention the workaround until we add
> formal support. Is that OK?


Re: [ovs-discuss] OVN RBAC role for ovn-northd?

2019-11-07 Thread aginwala
Hi Ben:

It seems the RBAC doc
http://docs.openvswitch.org/en/stable/tutorials/ovn-rbac/#configuring-rbac
only talks
about chassis and does not mention northd. I can submit a patch to
update that as a TODO for northd and mention the workaround until we add
formal support. Is that OK?

On Thu, Nov 7, 2019 at 12:14 PM Ben Pfaff  wrote:

> Have we documented this?  Should we?


Re: [ovs-discuss] OVN RBAC role for ovn-northd?

2019-11-07 Thread Ben Pfaff
Have we documented this?  Should we?

On Thu, Nov 07, 2019 at 10:20:22AM -0800, aginwala wrote:
> Hi:
> 
> It is a known fact and has been discussed before. We use the same
> workaround as you mentioned. Alternatively, you can also set role="" and it
> will work for both northd and ovn-controller instead of separate listeners,
> which is also a security loophole. In short, some work is needed here
> to handle RBAC for northd.


Re: [ovs-discuss] OVN RBAC role for ovn-northd?

2019-11-07 Thread Frode Nordahl
On Thu, Nov 7, 2019 at 7:20 PM aginwala  wrote:

> Hi:
>
> It is a known fact and has been discussed before. We use the same
> workaround as you mentioned. Alternatively, you can also set role="" and it
> will work for both northd and ovn-controller instead of separate listeners,
> which is also a security loophole. In short, some work is needed here
> to handle RBAC for northd.
>

Thank you for your prompt response, and for confirming that this is a known
gap and that the approach is a reasonable one.  Albeit not a solution, securing
the separate port with external means such as firewall rules that only
allow connections from the machines hosting ovn-northd will at least make
it a bit more secure.

Apologies for any duplicate questions or discussions.  I made an honest
attempt to find the information by searching the mailing list archive and
existing documentation.

-- 
Frode Nordahl





Re: [ovs-discuss] OVN RBAC role for ovn-northd?

2019-11-07 Thread aginwala
Hi:

It is a known fact and has been discussed before. We use the same
workaround as you mentioned. Alternatively, you can also set role="" and it
will work for both northd and ovn-controller instead of separate listeners,
which is also a security loophole. In short, some work is needed here
to handle RBAC for northd.



[ovs-discuss] OVN RBAC role for ovn-northd?

2019-11-07 Thread Frode Nordahl
Hello all,

TL;DR: When enabling the `ovn-controller` role on the SB DB `ovsdb-server`
listener, `ovn-northd` no longer has the necessary access to do its job
when you are unable to use the local unix socket for its connection to the
database.

AFAICT there is no northd-specific or admin type role available, have I
missed something?

I have worked around the issue by enabling a separate listener on a
different port on the Southbound ovsdb-servers so that `ovn-northd` can
connect to that.


I have an OVN deployment with central components spread across three
machines; there is an instance of the Northbound and Southbound
`ovsdb-server` on each of them, which are clustered, and there is also an
instance of `ovn-northd` on each of them.

The deployment is TLS-enabled and I have enabled RBAC.

Since the DBs are clustered I have no control of which machine will be the
leader, and it may be that one machine has the leader for the Northbound DB
and a different machine has the leader of the Southbound DB.

Because of this ovn-northd is unable to talk to the databases through a
local unix socket and must use a TLS-enabled connection to the DBs, and
herein lies the problem.


I peeked at the RBAC implementation, and it appears to me that the
permission system is tied to having specific columns in each table that
map to the name of the client that wants permission.  On the surface this
appears not to fit `ovn-northd`'s needs, as I would think it would need
full access to all tables, perhaps based on a centrally managed set of
hostnames.

-- 
Frode Nordahl
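The reading of the RBAC model in the message above (a permission applies to a row only when a designated column of that row matches the connecting client's identity) can be made concrete with a small model of the write check ovsdb-server performs. The code below is an added example and is not code from this thread, from Open vSwitch or from OVN. It follows the semantics documented for the Southbound RBAC_Role and RBAC_Permission tables, but the role definition, the table contents and the client names (chassis-1, northd-1) are constructed for illustration; the real ovn-controller role that ovn-northd generates covers more tables and columns than shown here.

```python
"""Model of the ovsdb-server RBAC write check for the OVN Southbound DB.

Constructed example: not OVS/OVN code.  It follows the semantics documented
for the Southbound RBAC_Role / RBAC_Permission tables:
  - the client ID is the CN of the client's TLS certificate;
  - a client may write a row only if one of the permission's
    "authorization" entries (a column, or "column:key" for a map key)
    equals its ID; an empty authorization set means any client;
  - "insert_delete" gates inserts and deletes, "update" lists the
    columns a client may change;
  - a table without a permission in the role cannot be written through
    that role (reads are never restricted);
  - a listener whose Connection row has role="" performs no checks.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    authorization: frozenset   # column names or "column:key" specs
    insert_delete: bool
    update: frozenset          # columns the client may modify


# Constructed role, loosely modelled on the ovn-controller role that
# ovn-northd generates; the real role covers more tables and columns.
OVN_CONTROLLER_ROLE = {
    "Chassis": Permission(frozenset({"name"}), True,
                          frozenset({"nb_cfg", "external_ids", "encaps"})),
    "Encap": Permission(frozenset({"chassis_name"}), True,
                        frozenset({"type", "options", "ip"})),
    "Port_Binding": Permission(frozenset(), False, frozenset({"chassis"})),
}


def row_authorized(perm, row, client_id):
    """True if the row belongs to client_id under perm.authorization."""
    if not perm.authorization:
        return True
    for spec in perm.authorization:
        column, _, key = spec.partition(":")
        value = row.get(column)
        if key:
            value = value.get(key) if isinstance(value, dict) else None
        if value == client_id:
            return True
    return False


def authorize(role, client_id, op, table, row, columns=()):
    """Decide a write.  role=None models a listener configured with role="".

    Returns (allowed, reason); op is "insert", "update" or "delete".
    """
    if role is None:
        return True, "listener has no role: unrestricted"
    perm = role.get(table)
    if perm is None:
        return False, f"{table}: no permission in role"
    if op in ("insert", "delete"):
        if not perm.insert_delete:
            return False, f"{table}: insert/delete not permitted"
    elif op == "update":
        denied = set(columns) - perm.update
        if denied:
            return False, f"{table}: columns not updatable: {sorted(denied)}"
    else:
        raise ValueError(f"unknown op {op!r}")
    if not row_authorized(perm, row, client_id):
        return False, f"{table}: row not owned by {client_id!r}"
    return True, "ok"


def demo():
    """The cases from the thread, with constructed client names."""
    role = OVN_CONTROLLER_ROLE
    lflow = {"match": "1", "actions": "next;"}
    return {
        # chassis-1 updating its own Chassis row: allowed
        "own_chassis": authorize(role, "chassis-1", "update", "Chassis",
                                 {"name": "chassis-1"}, ["nb_cfg"])[0],
        # chassis-1 touching chassis-2's row: denied
        "other_chassis": authorize(role, "chassis-1", "update", "Chassis",
                                   {"name": "chassis-2"}, ["nb_cfg"])[0],
        # claiming a port binding: any client may set "chassis" ...
        "claim_port": authorize(role, "chassis-1", "update", "Port_Binding",
                                {"logical_port": "lp1"}, ["chassis"])[0],
        # ... but not rewrite "logical_port"
        "rename_port": authorize(role, "chassis-1", "update", "Port_Binding",
                                 {"logical_port": "lp1"}, ["logical_port"])[0],
        # ovn-northd (CN "northd-1") through the ovn-controller listener:
        # Logical_Flow is not in the role, so its inserts are denied
        "northd_rbac": authorize(role, "northd-1", "insert",
                                 "Logical_Flow", lflow)[0],
        # the same insert through a separate listener with role=""
        "northd_norole": authorize(None, "northd-1", "insert",
                                   "Logical_Flow", lflow)[0],
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:14s} {'allowed' if allowed else 'denied'}")
```

The last two cases are the point of the thread: under the ovn-controller role there is no table-level grant that lets northd write Logical_Flow at all, and the workaround (a second listener without a role) takes the unrestricted path for every client that can reach that port, which is why the reply above suggests firewalling it to the hosts running ovn-northd.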