Message ID | 20210211095546.6DFBF87364@whitealder.osuosl.org |
---|---|
State | Accepted |
Series | [ovs-dev] Add IGMP_Group to ovn-controller RBAC |
Thank you Pedro, We built a test package [0] with this patch and received confirmation it solved the problem. Acked-by: Frode Nordahl <frode.nordahl@canonical.com> 0: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988 On Thu, Feb 11, 2021 at 10:55 AM Pedro Guimaraes <pedro.guimaraes@canonical.com> wrote: > > If RBAC and IGMP snooping are enabled, ovn-controllers need to > be able to register new entries to table IGMP_Group as requests > are detected. > > For that, ovn-controllers need to have read/write access to > IGMP_Group table. > > Signed-off-by: Pedro Guimaraes <pedro.guimaraes@canonical.com> > Reported-at: https://github.com/ovn-org/ovn/issues/77 > --- > northd/ovn-northd.c | 12 ++++++++++++ > ovn-architecture.7.xml | 16 ++++++++++++++++ > 2 files changed, 28 insertions(+) > > diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c > index b2b5f6a1b..39d798782 100644 > --- a/northd/ovn-northd.c > +++ b/northd/ovn-northd.c > @@ -13009,6 +13009,10 @@ static const char *rbac_svc_monitor_auth[] = > {""}; > static const char *rbac_svc_monitor_auth_update[] = > {"status"}; > +static const char *rbac_igmp_group_auth[] = > + {""}; > +static const char *rbac_igmp_group_update[] = > + {"address", "chassis", "datapath", "ports"}; > > static struct rbac_perm_cfg { > const char *table; > @@ -13067,6 +13071,14 @@ static struct rbac_perm_cfg { > .update = rbac_svc_monitor_auth_update, > .n_update = ARRAY_SIZE(rbac_svc_monitor_auth_update), > .row = NULL > + },{ > + .table = "IGMP_Group", > + .auth = rbac_igmp_group_auth, > + .n_auth = ARRAY_SIZE(rbac_igmp_group_auth), > + .insdel = true, > + .update = rbac_igmp_group_update, > + .n_update = ARRAY_SIZE(rbac_igmp_group_update), > + .row = NULL > },{ > .table = NULL, > .auth = NULL, > diff --git a/ovn-architecture.7.xml b/ovn-architecture.7.xml > index e5c9f9549..0eef9b739 100644 > --- a/ovn-architecture.7.xml > +++ b/ovn-architecture.7.xml 
> @@ -2597,6 +2597,22 @@ > modified by ovn-controller. > </p> > </dd> > + > + <dt><code>IGMP_Group</code></dt> > + <dd> > + <p> > + <code>Authorization</code>: disabled (all clients are considered > + to be authorized). > + </p> > + <p> > + <code>Insert/Delete</code>: row insertion/deletion are permitted. > + </p> > + <p> > + <code>Update</code>: The columns <code>address</code>, > + <code>chassis</code>, <code>datapath</code>, and > + <code>ports</code> may be modified by ovn-controller. > + </p> > + </dd> > </dl> > > <p> > -- > 2.30.0 > > _______________________________________________ > dev mailing list > dev@openvswitch.org > https://mail.openvswitch.org/mailman/listinfo/ovs-dev -- Frode Nordahl
On Thu, Feb 11, 2021 at 4:59 PM Frode Nordahl <frode.nordahl@canonical.com> wrote: > > Thank you Pedro, > > We built a test package [0] with this patch and received confirmation > it solved the problem. > > Acked-by: Frode Nordahl <frode.nordahl@canonical.com> Thanks for the patch. I applied this patch to master. Numan > > 0: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988 > > > On Thu, Feb 11, 2021 at 10:55 AM Pedro Guimaraes > <pedro.guimaraes@canonical.com> wrote: > > > > If RBAC and IGMP snooping are enabled, ovn-controllers need to > > be able to register new entries to table IGMP_Group as requests > > are detected. > > > > For that, ovn-controllers need to have read/write access to > > IGMP_Group table. > > > > Signed-off-by: Pedro Guimaraes <pedro.guimaraes@canonical.com> > > Reported-at: https://github.com/ovn-org/ovn/issues/77 > > --- > > northd/ovn-northd.c | 12 ++++++++++++ > > ovn-architecture.7.xml | 16 ++++++++++++++++ > > 2 files changed, 28 insertions(+) > > > > diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c > > index b2b5f6a1b..39d798782 100644 > > --- a/northd/ovn-northd.c > > +++ b/northd/ovn-northd.c > > @@ -13009,6 +13009,10 @@ static const char *rbac_svc_monitor_auth[] = > > {""}; > > static const char *rbac_svc_monitor_auth_update[] = > > {"status"}; > > +static const char *rbac_igmp_group_auth[] = > > + {""}; > > +static const char *rbac_igmp_group_update[] = > > + {"address", "chassis", "datapath", "ports"}; > > > > static struct rbac_perm_cfg { > > const char *table; 
> > @@ -13067,6 +13071,14 @@ static struct rbac_perm_cfg { > > .update = rbac_svc_monitor_auth_update, > > .n_update = ARRAY_SIZE(rbac_svc_monitor_auth_update), > > .row = NULL > > + },{ > > + .table = "IGMP_Group", > > + .auth = rbac_igmp_group_auth, > > + .n_auth = ARRAY_SIZE(rbac_igmp_group_auth), > > + .insdel = true, > > + .update = rbac_igmp_group_update, > > + .n_update = ARRAY_SIZE(rbac_igmp_group_update), > > + .row = NULL > > },{ > > .table = NULL, > > .auth = NULL, > > diff --git a/ovn-architecture.7.xml b/ovn-architecture.7.xml > > index e5c9f9549..0eef9b739 100644 > > --- a/ovn-architecture.7.xml > > +++ b/ovn-architecture.7.xml > > @@ -2597,6 +2597,22 @@ > > modified by ovn-controller. > > </p> > > </dd> > > + > > + <dt><code>IGMP_Group</code></dt> > > + <dd> > > + <p> > > + <code>Authorization</code>: disabled (all clients are considered > > + to be authorized). > > + </p> > > + <p> > > + <code>Insert/Delete</code>: row insertion/deletion are permitted. > > + </p> > > + <p> > > + <code>Update</code>: The columns <code>address</code>, > > + <code>chassis</code>, <code>datapath</code>, and > > + <code>ports</code> may be modified by ovn-controller. > > + </p> > > + </dd> > > </dl> > > > > <p> > > -- > > 2.30.0 > > > > _______________________________________________ > > dev mailing list > > dev@openvswitch.org > > https://mail.openvswitch.org/mailman/listinfo/ovs-dev > > > > -- > Frode Nordahl > _______________________________________________ > dev mailing list > dev@openvswitch.org > https://mail.openvswitch.org/mailman/listinfo/ovs-dev >
diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index b2b5f6a1b..39d798782 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -13009,6 +13009,10 @@ static const char *rbac_svc_monitor_auth[] = {""}; static const char *rbac_svc_monitor_auth_update[] = {"status"}; +static const char *rbac_igmp_group_auth[] = + {""}; +static const char *rbac_igmp_group_update[] = + {"address", "chassis", "datapath", "ports"}; static struct rbac_perm_cfg { const char *table; @@ -13067,6 +13071,14 @@ static struct rbac_perm_cfg { .update = rbac_svc_monitor_auth_update, .n_update = ARRAY_SIZE(rbac_svc_monitor_auth_update), .row = NULL + },{ + .table = "IGMP_Group", + .auth = rbac_igmp_group_auth, + .n_auth = ARRAY_SIZE(rbac_igmp_group_auth), + .insdel = true, + .update = rbac_igmp_group_update, + .n_update = ARRAY_SIZE(rbac_igmp_group_update), + .row = NULL },{ .table = NULL, .auth = NULL, diff --git a/ovn-architecture.7.xml b/ovn-architecture.7.xml index e5c9f9549..0eef9b739 100644 --- a/ovn-architecture.7.xml +++ b/ovn-architecture.7.xml @@ -2597,6 +2597,22 @@ modified by ovn-controller. </p> </dd> + + <dt><code>IGMP_Group</code></dt> + <dd> + <p> + <code>Authorization</code>: disabled (all clients are considered + to be authorized). + </p> + <p> + <code>Insert/Delete</code>: row insertion/deletion are permitted. + </p> + <p> + <code>Update</code>: The columns <code>address</code>, + <code>chassis</code>, <code>datapath</code>, and + <code>ports</code> may be modified by ovn-controller. + </p> + </dd> </dl> <p>
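Review bot: In the first northd/ovn-northd.c hunk, rbac_igmp_group_update makes "chassis" and "datapath" updatable alongside "address" and "ports", which is wider than the commit message's stated need to register new entries. If ovn-controller only sets chassis and datapath when it creates a row, leave them out of the update list so that an existing row cannot be reassigned to another chassis or datapath. If they do have to be writable, a one-line comment above the array saying why would help the next reader.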
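Review bot: The new IGMP_Group entry in rbac_perm_cfg (second northd/ovn-northd.c hunk) combines .auth = rbac_igmp_group_auth, which is {""} and is documented in this same patch as "all clients are considered to be authorized", with .insdel = true, so any client may insert, modify or delete any row, including rows registered by a different chassis. The table has a chassis column; please say in the commit message or in a comment whether scoping on it was considered and why it is not used. Separately, the diffstat touches only northd/ovn-northd.c and ovn-architecture.7.xml, so nothing exercises RBAC together with IGMP snooping; a test for that combination would keep this from regressing.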
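Review bot: In the ovn-architecture.7.xml hunk, the Insert/Delete paragraph says "row insertion/deletion are permitted" without naming who is permitted, while the Update paragraph names ovn-controller and the Authorization paragraph says all clients are authorized. Suggest wording the three paragraphs consistently (for example "row insertion and deletion are permitted") and adding a sentence that ovn-controller writes to this table when IGMP snooping is enabled, as the commit message explains, so the reason for the open authorization is recorded in the documentation.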
If RBAC and IGMP snooping are enabled, ovn-controllers need to
be able to register new entries to table IGMP_Group as requests
are detected.

For that, ovn-controllers need to have read/write access to
IGMP_Group table.

Signed-off-by: Pedro Guimaraes <pedro.guimaraes@canonical.com>
Reported-at: https://github.com/ovn-org/ovn/issues/77
---
 northd/ovn-northd.c    | 12 ++++++++++++
 ovn-architecture.7.xml | 16 ++++++++++++++++
 2 files changed, 28 insertions(+)