[ovs-dev,ovn] docs: Add note about RBAC and remote ovn-northd connection
diff mbox series

Message ID 20191108105243.3712809-1-numans@ovn.org
State Not Applicable
Headers show
  • [ovs-dev,ovn] docs: Add note about RBAC and remote ovn-northd connection
Related show

Commit Message

Numan Siddique Nov. 8, 2019, 10:52 a.m. UTC
From: Frode Nordahl <frode.nordahl@canonical.com>

Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com>
Acked-by: Aliasgar Ginwala <aginwala@ebay.com>
 .../topics/role-based-access-control.rst      |  7 ++++++
 Documentation/tutorials/ovn-rbac.rst          | 25 +++++++++++++++++++
 2 files changed, 32 insertions(+)


0-day Robot Nov. 8, 2019, 11 a.m. UTC | #1
Bleep bloop.  Greetings Numan Siddique, I am a robot and I have tried out your patch.
Thanks for your contribution.

I encountered some error that I wasn't expecting.  See the details below.

ERROR: Committer Numan Siddique <numans@ovn.org> needs to sign off.
Lines checked: 66, Warnings: 0, Errors: 1

Please check this out.  If you feel there has been an error, please email aconole@redhat.com

0-day Robot

diff mbox series

diff --git a/Documentation/topics/role-based-access-control.rst b/Documentation/topics/role-based-access-control.rst
index 2acd1e88b..e13e2d5dc 100644
--- a/Documentation/topics/role-based-access-control.rst
+++ b/Documentation/topics/role-based-access-control.rst
@@ -82,6 +82,13 @@  command:
    $ ovn-sbctl set-connection role=ovn-controller ssl:
+.. note::
+   There is currently no pre-defined role for ovn-northd. You must configure
+   a separate listener on the OVN southbound database that ovn-northd can
+   connect to if your deployment topology require ovn-northd to connect to a
+   OVN southbound database instance on a remote machine.
 Pre-defined Roles
 This section describes roles that have been defined internally by OVS/OVN.
diff --git a/Documentation/tutorials/ovn-rbac.rst b/Documentation/tutorials/ovn-rbac.rst
index 22b169d6d..fc2de5d5d 100644
--- a/Documentation/tutorials/ovn-rbac.rst
+++ b/Documentation/tutorials/ovn-rbac.rst
@@ -132,3 +132,28 @@  Configuring RBAC
                     /path/to/chassis_2-cert.pem /path/to/cacert.pem
       $ ovs-vsctl set open_vswitch . \
+The OVN central control daemon and RBAC
+The OVN central control daemon (`ovn-northd`) needs full write access to
+the southbound database. When you have one machine hosting the central
+components, `ovn-northd` can talk to the databases through a local unix
+socket, bypassing the `ovn-controller` RBAC configured for the listener
+at port '6642'. However, if you want to deploy multiple machines for
+hosting the central components, `ovn-northd` will require a remote
+connection to all of them.
+1. Configure the southbound database with a second SSL listener on a
+   separate port without RBAC enabled for use by `ovn-northd`.
+   In `machine_3`::
+      $ ovn-sbctl -- --id=@conn_uuid create Connection \
+          target="pssl\:16642" \
+          -- add  SB_Global . connections=@conn_uuid
+   .. note::
+     Care should be taken to restrict access to the above mentioned port
+     so that only trusted machines can connect to it.