[Bug 1913024] Re: RBAC Permissions too strict for Chassis_Private table
This bug was fixed in the package ovn - 20.12.0-0ubuntu3~cloud0
---

 ovn (20.12.0-0ubuntu3~cloud0) focal-wallaby; urgency=medium
 .
   * New update for the Ubuntu Cloud Archive.
 .
 ovn (20.12.0-0ubuntu3) hirsute; urgency=medium
 .
   * Add RBAC rules for IGMP_Group table (LP: #1914988):
     - d/p/lp-1914988-Add-IGMP_Group-to-ovn-controller-RBAC.patch
     - d/p/lp-1914988-northd-Add-missing-RBAC-rules-for-FDB-table.patch
     - d/p/lp-1914988-northd-Amend-Chassis-RBAC-rules.patch
     - d/p/lp-1914988-northd-Add-Controller_Event-RBAC-rules.patch
     - d/p/lp-1914988-tests-Amend-release-stale-port-binding-test-for-RBAC.patch
     - d/p/lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch
     - d/p/lp-1914988-tests-Make-certificate-generation-extendable.patch
     - d/p/lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch
   * d/p/lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch:
     Do not forward traffic from localport to localnet ports (LP: #1943266).
   * d/p/lp-1913024-northd-Add-Chassis_Private-external_ids-column-to-RB.patch
     Update RBAC rules for Chassis_Private table (LP: #1913024).
   * d/p/lp-1917475-northd-Amend-RBAC-rules-for-Port_Binding-table.patch
     Update RBAC rules for Port_Binding table (LP: #1917475).

** Changed in: cloud-archive/wallaby
       Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1913024

Title:
  RBAC Permissions too strict for Chassis_Private table

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1913024/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1913024] Re: RBAC Permissions too strict for Chassis_Private table
This bug was fixed in the package ovn - 20.12.0-0ubuntu3
---

 ovn (20.12.0-0ubuntu3) hirsute; urgency=medium

   * Add RBAC rules for IGMP_Group table (LP: #1914988):
     - d/p/lp-1914988-Add-IGMP_Group-to-ovn-controller-RBAC.patch
     - d/p/lp-1914988-northd-Add-missing-RBAC-rules-for-FDB-table.patch
     - d/p/lp-1914988-northd-Amend-Chassis-RBAC-rules.patch
     - d/p/lp-1914988-northd-Add-Controller_Event-RBAC-rules.patch
     - d/p/lp-1914988-tests-Amend-release-stale-port-binding-test-for-RBAC.patch
     - d/p/lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch
     - d/p/lp-1914988-tests-Make-certificate-generation-extendable.patch
     - d/p/lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch
   * d/p/lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch:
     Do not forward traffic from localport to localnet ports (LP: #1943266).
   * d/p/lp-1913024-northd-Add-Chassis_Private-external_ids-column-to-RB.patch
     Update RBAC rules for Chassis_Private table (LP: #1913024).
   * d/p/lp-1917475-northd-Amend-RBAC-rules-for-Port_Binding-table.patch
     Update RBAC rules for Port_Binding table (LP: #1917475).

 -- Frode Nordahl Fri, 01 Oct 2021 09:42:00 +0200

** Changed in: ovn (Ubuntu Hirsute)
       Status: Fix Committed => Fix Released
[Bug 1913024] Re: RBAC Permissions too strict for Chassis_Private table
Verified successfully on hirsute-proposed and wallaby-proposed. Please see test results at https://bugs.launchpad.net/cloud-archive/+bug/1914988.

** Changed in: cloud-archive
       Status: Fix Committed => Fix Released

** Tags removed: verification-needed verification-needed-hirsute verification-wallaby-needed
** Tags added: verification-done verification-done-hirsute verification-wallaby-done
[Bug 1913024] Re: RBAC Permissions too strict for Chassis_Private table
Hello Frode, or anyone else affected,

Accepted ovn into hirsute-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ovn/20.12.0-0ubuntu3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-hirsute to verification-done-hirsute. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-hirsute. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

** Changed in: ovn (Ubuntu Hirsute)
       Status: Triaged => Fix Committed

** Tags added: verification-needed verification-needed-hirsute
[Bug 1913024] Re: RBAC Permissions too strict for Chassis_Private table
** Also affects: cloud-archive
   Importance: Undecided
       Status: New

** Also affects: cloud-archive/wallaby
   Importance: Undecided
       Status: New

** Changed in: cloud-archive
       Status: New => Fix Released

** Changed in: cloud-archive
       Status: Fix Released => Fix Committed
[Bug 1913024] Re: RBAC Permissions too strict for Chassis_Private table
** Merge proposal linked:
   https://code.launchpad.net/~fnordahl/ubuntu/+source/ovn/+git/ovn/+merge/409046
[Bug 1913024] Re: RBAC Permissions too strict for Chassis_Private table
** Description changed: - After introduction of the Chassis_Private table in OVN 20.09, CMS'es do - expect data plane daemons to be able to write to the external_ids - column. + [Impact] + The OpenStack metadata service will not work after upgrade to Hirsute. + + [Test Plan] + Execute the gate tests for the neutron-api-plugin-ovn charm, which performs a full cloud deployment and confirms two instances can spawn, get metadata and communicate with each other. + + [Regression Potential] + The patch has already been available in the upstream branch-20.12 and has been released in our Focal packages as part of the 20.03.2 point release update for some time. + + [Original Bug Description] + After introduction of the Chassis_Private table in OVN 20.09, CMS'es do expect data plane daemons to be able to write to the external_ids column. However the current RBAC permissions do not allow for this. Running with this patch for ovn-northd fixes the problem: diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index 27df6a379..d332721cd 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c 
@@ -12951,7 +12951,7 @@ static const char *rbac_chassis_update[] = - static const char *rbac_chassis_private_auth[] = - {"name"}; - static const char *rbac_chassis_private_update[] = + static const char *rbac_chassis_private_auth[] = + {"name"}; + static const char *rbac_chassis_private_update[] = -{"nb_cfg", "nb_cfg_timestamp", "chassis"}; +{"nb_cfg", "nb_cfg_timestamp", "chassis", "external_ids"}; - - static const char *rbac_encap_auth[] = - {"chassis_name"}; + + static const char *rbac_encap_auth[] = + {"chassis_name"}; For completeness I will include output from a OpenStack neutron-ovn-metadata-agent daemon when running without the fix: 2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command Traceback (most recent call last): 2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command File "/usr/lib/python3/dist-packages/ovsdbapp/backend/ovs_idl/command.py", line 40, in execute 2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command t.add(self) 2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command File "/usr/lib/python3.8/contextlib.py", line 120, in __exit__ 2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command next(self.gen) 2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command File "/usr/lib/python3/dist-packages/ovsdbapp/api.py", line 119, in transaction 2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command del self._nested_txns_map[cur_thread_id] 2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command File "/usr/lib/python3/dist-packages/ovsdbapp/api.py", line 69, in __exit__ 2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command self.result = self.commit() 2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command File "/usr/lib/python3/dist-packages/ovsdbapp/backend/ovs_idl/transaction.py", line 62, in commit 2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command raise result.ex 2021-01-25 
08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command File "/usr/lib/python3/dist-packages/ovsdbapp/backend/ovs_idl/connection.py", line 122, in run 2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command txn.results.put(txn.do_commit()) 2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command File "/usr/lib/python3/dist-packages/ovsdbapp/backend/ovs_idl/transaction.py", line 118, in do_commit 2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command raise RuntimeError(msg) 2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command RuntimeError: OVSDB Error: {"details":"RBAC rules for client \"ps5-ra4-n2.maas\" role \"ovn-controller\" prohibit modification of table \"Chassis_Private\".","error":"permission error"} - 2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command + 2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command 2021-01-25 08:06:51.334 1763580 CRITICAL neutron [-] Unhandled error: RuntimeError: OVSDB Error: {"details":"RBAC rules for client \"ps5-ra4-n2.maas\" role \"ovn-controller\" prohibit modification of table \"Chassis_Private\".","error":"permission error"} 2021-01-25 08:06:51.334 1763580 ERROR neutron Traceback (most recent call last): 2021-01-25 08:06:51.334 1763580 ERROR neutron File "/usr/bin/neutron-ovn-metadata-agent", line 10, in 2021-01-25 08:06:51.334 1763580 ERROR neutron sys.exit(main()) 2021-01-25 08:06:51.334 1763580 ERROR neutron File "/usr/lib/python3/dist-packages/neutron/cmd/eventlet/agents/ovn_metadata.py", line 17, in main 2021-01-25 08:06:51.334 1763580 ERROR neutron metadata_agent.main() 2021-01-25 08:06:51.334 1763580 ERROR neutron
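Review bot: The widened rbac_chassis_private_update list in the northd/ovn-northd.c hunk arrives with no test and no comment explaining why "external_ids" is writable by the ovn-controller role. Suggest adding a test in which a client using that role sets external_ids on its own Chassis_Private row and is still rejected for a row whose "name" does not match, since rbac_chassis_private_auth stays {"name"}. A one-line comment noting that CMS agents write this column would also keep the entry from being trimmed later as unused.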
[Bug 1913024] Re: RBAC Permissions too strict for Chassis_Private table
** Also affects: ovn (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: ovn (Ubuntu Hirsute)
   Importance: Undecided
       Status: New

** Also affects: ovn (Ubuntu Impish)
   Importance: High
       Status: Fix Committed

** Changed in: ovn (Ubuntu Impish)
       Status: Fix Committed => Fix Released

** Changed in: ovn (Ubuntu Hirsute)
       Status: New => Triaged

** Changed in: ovn (Ubuntu Focal)
       Status: New => Fix Released

** Changed in: ovn (Ubuntu Hirsute)
   Importance: Undecided => High
[Bug 1913024] Re: RBAC Permissions too strict for Chassis_Private table
** Changed in: ovn (Ubuntu)
       Status: Triaged => Fix Committed
[Bug 1913024] Re: RBAC Permissions too strict for Chassis_Private table
** Changed in: ovn (Ubuntu)
       Status: New => Triaged

** Changed in: ovn (Ubuntu)
   Importance: Undecided => High
[Bug 1913024] Re: RBAC Permissions too strict for Chassis_Private table
https://patchwork.ozlabs.org/project/ovn/patch/20210125210727.1c45186...@whitealder.osuosl.org/
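The permission check behind the error in the original bug description, as an added example (not OVN, OVSDB or neutron code): it parses the error text quoted in the report and replays the write against the role's column lists before and after the patch. The model is an assumption and is simplified to plain column names: a write is allowed only when an authorization column of the row equals the client ID and every modified column is in the update list. All function and variable names are made up for illustration.

```python
import json
import re

# Error text as quoted in the agent log in the bug description.
LOG_LINE = (
    'RuntimeError: OVSDB Error: {"details":"RBAC rules for client '
    '\\"ps5-ra4-n2.maas\\" role \\"ovn-controller\\" prohibit modification '
    'of table \\"Chassis_Private\\".","error":"permission error"}'
)
DENIAL = re.compile(r'RBAC rules for client "([^"]+)" role "([^"]+)" '
                    r'prohibit modification of table "([^"]+)"')

# role/table -> (authorization columns, update columns), from the quoted patch.
KEY = ("ovn-controller", "Chassis_Private")
BEFORE = {KEY: (["name"], ["nb_cfg", "nb_cfg_timestamp", "chassis"])}
AFTER = {KEY: (["name"],
               ["nb_cfg", "nb_cfg_timestamp", "chassis", "external_ids"])}


def parse_denial(line):
    """Return (client, role, table) from an OVSDB RBAC error line, else None."""
    marker = "OVSDB Error: "
    start = line.find(marker)
    if start < 0:
        return None
    try:
        err = json.loads(line[start + len(marker):])
    except ValueError:
        return None
    if not isinstance(err, dict) or err.get("error") != "permission error":
        return None
    match = DENIAL.search(str(err.get("details", "")))
    return match.groups() if match else None


def update_allowed(rules, client, role, table, row, columns):
    """Assumed model: row owned by the client and every modified column listed."""
    if (role, table) not in rules:
        return False  # no rule for this role/table: deny
    auth, update = rules[(role, table)]
    owns_row = any(row.get(col) == client for col in auth)
    return owns_row and all(col in update for col in columns)


if __name__ == "__main__":
    client, role, table = parse_denial(LOG_LINE)
    own_row = {"name": client}  # constructed row for the reporting chassis
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        ok = update_allowed(rules, client, role, table, own_row, ["external_ids"])
        print(label, "patch: external_ids write allowed =", ok)
```
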