From patchwork Thu Apr 13 15:37:54 2017
X-Patchwork-Submitter: Lance Richardson
X-Patchwork-Id: 750496
Date: Thu, 13 Apr 2017 11:37:54 -0400 (EDT)
From: Lance Richardson
To: dev@openvswitch.org, blp@ovn.org, russell@ovn.org, mickeys dev
Message-ID: <1787784822.14606329.1492097874478.JavaMail.zimbra@redhat.com>
In-Reply-To: <20170413150026.394-1-lrichard@redhat.com>
Subject: Re: [ovs-dev] [RFC v2 0/5] role-based access controls for ovsdb-server, ovn-sb
> From: "Lance Richardson"
> To: dev@openvswitch.org, blp@ovn.org, russell@ovn.org, "mickeys dev"
> Sent: Thursday, 13 April, 2017 11:00:21 AM
> Subject: [ovs-dev] [RFC v2 0/5] role-based access controls for ovsdb-server, ovn-sb
>
> This series implements role-based access control infrastructure for
> ovsdb-server, and uses that infrastructure to apply role-based access
> controls to the OVN_Southbound database. This implementation follows
> the outline discussed at:
>
> https://mail.openvswitch.org/pipermail/ovs-dev/2017-March/329801.html
>
> With this series applied, enabling role-based ACLs is a matter of:
>
> - Configuring southbound ovsdb-server and ovn-controller to use SSL,
> configuring an ovn-controller "role" for SSL connections via e.g.:
> ovn-sbctl set-connection role=ovn-controller pssl:6642
> - Using unique certificates for each ovn-controller with a unique
> CN for each chassis, generated e.g. via:
> ovs-pki -B 1024 req+sign chassis1 switch
> ovs-pki -B 1024 req+sign chassis2 switch
> ovs-pki -B 1024 req+sign chassis3 switch
> - Starting the southbound ovsdb-server with the "--rbac" command-line
> option:
> --rbac=db:OVN_Southbound,RBAC_Role

Here are the local modifications I've been using to exercise ovn with rbac enabled in the sandbox environment:

diff --git a/tutorial/ovs-sandbox b/tutorial/ovs-sandbox index 3da1c48..04f46c6 100755 --- a/tutorial/ovs-sandbox +++ b/tutorial/ovs-sandbox @@ -337,7 +337,7 @@ if $ovn; then $OVS_PKI -B 1024 init $OVS_PKI -B 1024 req+sign ovnsb switch $OVS_PKI -B 1024 req+sign ovnnb switch - $OVS_PKI -B 1024 req+sign ovn-controller switch + $OVS_PKI -B 1024 req+sign chassis-1 switch fi fi rungdb $gdb_ovsdb $gdb_ovsdb_ex ovsdb-server --detach --no-chdir --pidfile -vconsole:off --log-file \ 
@@ -351,7 +351,7 @@ if $ovn; then --certificate=db:OVN_Northbound,SSL,certificate \ --ca-cert=db:OVN_Northbound,SSL,ca_cert \ --remote=punix:"$sandbox"/ovnnb_db.sock $ovsdb_nb_server_args - rungdb $gdb_ovsdb $gdb_ovsdb_ex ovsdb-server --detach --no-chdir \ + rungdb $gdb_ovsdb $gdb_ovsdb_ex ovsdb-server --detach --no-chdir --rbac=db:OVN_Southbound,RBAC_Role \ --pidfile="$sandbox"/ovnsb_db.pid -vconsole:off \ --log-file="$sandbox"/ovnsb_db.log \ --remote=db:OVN_Southbound,SB_Global,connections \ @@ -395,7 +395,7 @@ if $ovn; then ovn-nbctl init ovn-sbctl init - ovs-vsctl set open . external-ids:system-id=56b18105-5706-46ef-80c4-ff20979ab068 + ovs-vsctl set open . external-ids:system-id=chassis-1 ovs-vsctl set open . external-ids:hostname=sandbox ovs-vsctl set open . external-ids:ovn-encap-type=geneve ovs-vsctl set open . external-ids:ovn-encap-ip=127.0.0.1 @@ -404,9 +404,9 @@ if $ovn; then ovn-nbctl set-ssl $sandbox/ovnnb-privkey.pem $sandbox/ovnnb-cert.pem $sandbox/pki/switchca/cacert.pem ovn-nbctl set-connection pssl:6641 ovn-sbctl set-ssl $sandbox/ovnsb-privkey.pem $sandbox/ovnsb-cert.pem $sandbox/pki/switchca/cacert.pem - ovn-sbctl set-connection pssl:6642 + ovn-sbctl set-connection role=ovn-controller pssl:6642 ovs-vsctl set open . external-ids:ovn-remote=ssl:127.0.0.1:6642 - OVN_CTRLR_PKI="-p $sandbox/ovn-controller-privkey.pem -c $sandbox/ovn-controller-cert.pem -C $sandbox/pki/switchca/cacert.pem" + OVN_CTRLR_PKI="-p $sandbox/chassis-1-privkey.pem -c $sandbox/chassis-1-cert.pem -C $sandbox/pki/switchca/cacert.pem" else ovs-vsctl set open . external-ids:ovn-remote=unix:"$sandbox"/ovnsb_db.sock OVN_CTRLR_PKI=""
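Review bot: In the @@ -337 hunk the name passed to `$OVS_PKI -B 1024 req+sign chassis-1 switch` becomes the certificate CN that the new role-based checks key on, and the same literal reappears as the system-id in the @@ -395 hunk and in the `OVN_CTRLR_PKI` paths in the @@ -404 hunk, but nothing in the script records that dependency; a one-line comment above this call saying that the CN must match the chassis system-id set further down would keep the next reader from renaming one without the other. The `-B 1024` key size is inherited from the surrounding `init`/`req+sign` lines and is acceptable for a throwaway sandbox, but since this tutorial script is what people copy from, a short note that production chassis certificates should use a longer key belongs here.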
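Review bot: In the @@ -351 hunk `--rbac=db:OVN_Southbound,RBAC_Role` is appended to the `ovsdb-server --detach --no-chdir` line ahead of the `\` continuation, making it the only option in that invocation that does not sit on its own continued line; move it to a line of its own, next to `--remote=db:OVN_Southbound,SB_Global,connections \`, so the southbound command stays readable and the fact that the northbound ovsdb-server in the same script deliberately gets no `--rbac` is easy to see when comparing the two.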
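Review bot: In the @@ -395 hunk the system-id changes from a fixed UUID to the literal `chassis-1`, which is the third place this string is spelled out by hand (certificate generation in @@ -337, `OVN_CTRLR_PKI` in @@ -404); define it once, e.g. `chassis=chassis-1`, and reference `$chassis` in all three hunks, otherwise a later edit to any one of them silently breaks the match between certificate CN and chassis name that the role relies on, and the symptom will be a controller that authenticates over SSL yet is not treated as the chassis it claims to be.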
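Review bot: In the @@ -404 hunk `ovn-sbctl set-connection role=ovn-controller pssl:6642` attaches the role to the whole pssl:6642 listener, so every client that reaches the southbound database over that port, not only ovn-controller, is confined to the ovn-controller role; a comment next to this line stating that ovn-northd and ovn-sbctl must keep using a connection without that role (such as the local unix socket) would document the assumption the sandbox now depends on. Separately, the `OVN_CTRLR_PKI` line repeats `chassis-1` twice in the `-p` and `-c` paths; deriving both from the same variable as the `req+sign` call avoids a mismatch between the key and certificate files.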
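A defender-side check for the coupling the patch above relies on, written as an added example (not part of the patch or of Open vSwitch): it confirms that a chassis certificate's CN equals the name ovn-controller will publish as external-ids:system-id. It assumes openssl is installed and uses a self-signed certificate as a stand-in for ovs-pki output.

```shell
#!/bin/sh
# Added example, not OVS code: verify that a chassis certificate's CN
# matches the chassis system-id, the binding the per-connection role
# in the patch depends on. Assumes the openssl CLI is available.
set -e

# Print the subject CN of a PEM certificate (RFC2253 form avoids the
# "CN = name" spacing that differs between openssl versions).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Return 0 when the certificate CN equals the given system-id, 1 otherwise.
cn_matches_system_id() {
    cert="$1"
    system_id="$2"
    cn=$(cert_cn "$cert")
    if [ "$cn" = "$system_id" ]; then
        echo "ok: $cert CN '$cn' matches system-id"
        return 0
    fi
    echo "MISMATCH: $cert CN '$cn' but system-id is '$system_id'" >&2
    return 1
}

# Constructed stand-in for "ovs-pki -B 1024 req+sign <name> switch":
# a self-signed certificate whose CN is the chassis name, written as
# <dir>/<name>-privkey.pem and <dir>/<name>-cert.pem like ovs-pki does.
make_chassis_cert() {
    name="$1"
    dir="${2:-.}"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$name" \
        -keyout "$dir/$name-privkey.pem" -out "$dir/$name-cert.pem" \
        >/dev/null 2>&1
}
```

Run `cn_matches_system_id "$sandbox/chassis-1-cert.pem" "$(ovs-vsctl get open . external-ids:system-id | tr -d '"')"` on a real chassis to catch a renamed certificate before the role rejects the controller.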