[ovs-dev,RFC,v2,0/5] role-based access controls for ovsdb-server, ovn-sb

Submitted by Lance Richardson on April 13, 2017, 3:37 p.m.

Details

Message ID 1787784822.14606329.1492097874478.JavaMail.zimbra@redhat.com
State Superseded

Commit Message

Lance Richardson April 13, 2017, 3:37 p.m.
> From: "Lance Richardson" <lrichard@redhat.com>
> To: dev@openvswitch.org, blp@ovn.org, russell@ovn.org, "mickeys dev" <mickeys.dev@gmail.com>
> Sent: Thursday, 13 April, 2017 11:00:21 AM
> Subject: [ovs-dev] [RFC v2 0/5] role-based access controls for ovsdb-server, ovn-sb
> 
> This series implements role-based access control infrastructure for
> ovsdb-server, and uses that infrastructure to apply role-based access
> controls to the OVN_Southbound database. This implementation follows
> the outline discussed at:
> 
>      https://mail.openvswitch.org/pipermail/ovs-dev/2017-March/329801.html
> 
> With this series applied, enabling role-based ACLs is a matter of:
> 
>     - Configuring southbound ovsdb-server and ovn-controller to use SSL,
>       configuring an ovn-controller "role" for SSL connections via e.g.:
>          ovn-sbctl set-connection role=ovn-controller pssl:6642
>     - Using unique certificates for each ovn-controller with a unique
>       CN for each chassis, generated e.g. via:
>          ovs-pki -B 1024 req+sign chassis1 switch
>          ovs-pki -B 1024 req+sign chassis2 switch
>          ovs-pki -B 1024 req+sign chassis3 switch
>     - Starting the southbound ovsdb-server with the "--rbac" command-line
>       option:
>          --rbac=db:OVN_Southbound,RBAC_Role
> 

Here are the local modifications I've been using to exercise ovn with
rbac enabled in the sandbox environment:


diff --git a/tutorial/ovs-sandbox b/tutorial/ovs-sandbox                                                                                  
index 3da1c48..04f46c6 100755
--- a/tutorial/ovs-sandbox
+++ b/tutorial/ovs-sandbox
@@ -337,7 +337,7 @@  if $ovn; then
         $OVS_PKI -B 1024 init
         $OVS_PKI -B 1024 req+sign ovnsb switch
         $OVS_PKI -B 1024 req+sign ovnnb switch
-        $OVS_PKI -B 1024 req+sign ovn-controller switch
+        $OVS_PKI -B 1024 req+sign chassis-1 switch
     fi
 fi
 rungdb $gdb_ovsdb $gdb_ovsdb_ex ovsdb-server --detach --no-chdir --pidfile -vconsole:off --log-file \
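Review bot: the literal chassis name `chassis-1` introduced on the `req+sign` line is repeated verbatim further down in this patch (the `external-ids:system-id` value and the `-privkey.pem`/`-cert.pem` paths in `OVN_CTRLR_PKI`), and the cover letter makes the per-chassis certificate CN the thing that identifies an ovn-controller under RBAC, so all three copies must agree. Suggest defining it once in the SSL setup, e.g. `chassis=chassis-1` followed by `$OVS_PKI -B 1024 req+sign $chassis switch`, and using `$chassis` in the other two places so they cannot drift apart.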
@@ -351,7 +351,7 @@  if $ovn; then
         --certificate=db:OVN_Northbound,SSL,certificate \
         --ca-cert=db:OVN_Northbound,SSL,ca_cert \
         --remote=punix:"$sandbox"/ovnnb_db.sock $ovsdb_nb_server_args
-    rungdb $gdb_ovsdb $gdb_ovsdb_ex ovsdb-server --detach --no-chdir \
+    rungdb $gdb_ovsdb $gdb_ovsdb_ex ovsdb-server --detach --no-chdir --rbac=db:OVN_Southbound,RBAC_Role \
         --pidfile="$sandbox"/ovnsb_db.pid -vconsole:off \
         --log-file="$sandbox"/ovnsb_db.log \
         --remote=db:OVN_Southbound,SB_Global,connections \
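Review bot: `--rbac=db:OVN_Southbound,RBAC_Role` is tacked onto the already long `rungdb ... ovsdb-server --detach --no-chdir` line, while every other option of this invocation (and of the northbound one just above) sits on its own backslash-continued line; move it to a line of its own, e.g. directly after `--log-file="$sandbox"/ovnsb_db.log \`, for consistency. Also worth a short comment: the option is now passed unconditionally, whereas the matching `set-connection role=ovn-controller` only happens in the SSL branch later in the script, so a reader has to work out for themselves whether `--rbac` is intended to be a no-op for the unix-socket case.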
@@ -395,7 +395,7 @@  if $ovn; then
     ovn-nbctl init
     ovn-sbctl init
 
-    ovs-vsctl set open . external-ids:system-id=56b18105-5706-46ef-80c4-ff20979ab068
+    ovs-vsctl set open . external-ids:system-id=chassis-1
     ovs-vsctl set open . external-ids:hostname=sandbox
     ovs-vsctl set open . external-ids:ovn-encap-type=geneve
     ovs-vsctl set open . external-ids:ovn-encap-ip=127.0.0.1
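Review bot: the change from a fixed UUID to `chassis-1` for `external-ids:system-id` carries no comment explaining why; since this value now has to match the name used for the chassis certificate (`req+sign chassis-1 switch`) for the certificate's CN to identify this chassis under RBAC, a one-line comment such as `# must match the CN of the chassis certificate when RBAC is enabled` would stop a later cleanup from putting a random UUID back.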
@@ -404,9 +404,9 @@  if $ovn; then
         ovn-nbctl set-ssl $sandbox/ovnnb-privkey.pem  $sandbox/ovnnb-cert.pem $sandbox/pki/switchca/cacert.pem
         ovn-nbctl set-connection pssl:6641
         ovn-sbctl set-ssl $sandbox/ovnsb-privkey.pem  $sandbox/ovnsb-cert.pem $sandbox/pki/switchca/cacert.pem
-        ovn-sbctl set-connection pssl:6642
+        ovn-sbctl set-connection role=ovn-controller pssl:6642
         ovs-vsctl set open . external-ids:ovn-remote=ssl:127.0.0.1:6642
-        OVN_CTRLR_PKI="-p $sandbox/ovn-controller-privkey.pem -c $sandbox/ovn-controller-cert.pem -C $sandbox/pki/switchca/cacert.pem"
+        OVN_CTRLR_PKI="-p $sandbox/chassis-1-privkey.pem -c $sandbox/chassis-1-cert.pem -C $sandbox/pki/switchca/cacert.pem"
     else
         ovs-vsctl set open . external-ids:ovn-remote=unix:"$sandbox"/ovnsb_db.sock
         OVN_CTRLR_PKI=""
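Review bot: the role name `ovn-controller` in `ovn-sbctl set-connection role=ovn-controller pssl:6642` has to name a row in the `RBAC_Role` table that `--rbac=db:OVN_Southbound,RBAC_Role` refers to, but nothing in the sandbox script creates or checks that row, so this hunk should either carry a comment saying where that role is defined or verify it exists before starting ovn-controller. The `OVN_CTRLR_PKI` line also hard-codes `chassis-1` again rather than reusing the name passed to `req+sign`; deriving both from one variable would keep the key/cert paths aligned with the certificate that was actually generated.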