
[ovs-dev] Add IGMP_Group to ovn-controller RBAC

Message ID 20210211095546.6DFBF87364@whitealder.osuosl.org
State Accepted

Commit Message

Pedro Guimaraes Feb. 7, 2021, 3:07 p.m. UTC
If RBAC and IGMP snooping are enabled, ovn-controllers need to
be able to register new entries to table IGMP_Group as requests
are detected.

For that, ovn-controllers need to have read/write access to the
IGMP_Group table.

Signed-off-by: Pedro Guimaraes <pedro.guimaraes@canonical.com>
Reported-at: https://github.com/ovn-org/ovn/issues/77
---
 northd/ovn-northd.c    | 12 ++++++++++++
 ovn-architecture.7.xml | 16 ++++++++++++++++
 2 files changed, 28 insertions(+)

Comments

Frode Nordahl Feb. 11, 2021, 11:29 a.m. UTC | #1
Thank you Pedro,

We built a test package [0] with this patch and received confirmation
it solved the problem.

Acked-by: Frode Nordahl <frode.nordahl@canonical.com>

0: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988


On Thu, Feb 11, 2021 at 10:55 AM Pedro Guimaraes
<pedro.guimaraes@canonical.com> wrote:
>
> If RBAC and IGMP snooping are enabled, ovn-controllers need to
> be able to register new entries to table IGMP_Group as requests
> are detected.
>
> For that, ovn-controllers need to have read/write access to
> IGMP_Group table.
>
> Signed-off-by: Pedro Guimaraes <pedro.guimaraes@canonical.com>
> Reported-at: https://github.com/ovn-org/ovn/issues/77
> ---
>  northd/ovn-northd.c    | 12 ++++++++++++
>  ovn-architecture.7.xml | 16 ++++++++++++++++
>  2 files changed, 28 insertions(+)
>
> diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
> index b2b5f6a1b..39d798782 100644
> --- a/northd/ovn-northd.c
> +++ b/northd/ovn-northd.c
> @@ -13009,6 +13009,10 @@ static const char *rbac_svc_monitor_auth[] =
>      {""};
>  static const char *rbac_svc_monitor_auth_update[] =
>      {"status"};
> +static const char *rbac_igmp_group_auth[] =
> +    {""};
> +static const char *rbac_igmp_group_update[] =
> +    {"address", "chassis", "datapath", "ports"};
>
>  static struct rbac_perm_cfg {
>      const char *table;
> @@ -13067,6 +13071,14 @@ static struct rbac_perm_cfg {
>          .update = rbac_svc_monitor_auth_update,
>          .n_update = ARRAY_SIZE(rbac_svc_monitor_auth_update),
>          .row = NULL
> +    },{
> +        .table = "IGMP_Group",
> +        .auth = rbac_igmp_group_auth,
> +        .n_auth = ARRAY_SIZE(rbac_igmp_group_auth),
> +        .insdel = true,
> +        .update = rbac_igmp_group_update,
> +        .n_update = ARRAY_SIZE(rbac_igmp_group_update),
> +        .row = NULL
>      },{
>          .table = NULL,
>          .auth = NULL,
> diff --git a/ovn-architecture.7.xml b/ovn-architecture.7.xml
> index e5c9f9549..0eef9b739 100644
> --- a/ovn-architecture.7.xml
> +++ b/ovn-architecture.7.xml
> @@ -2597,6 +2597,22 @@
>          modified by ovn-controller.
>        </p>
>      </dd>
> +
> +    <dt><code>IGMP_Group</code></dt>
> +    <dd>
> +      <p>
> +        <code>Authorization</code>: disabled (all clients are considered
> +        to be authorized).
> +      </p>
> +      <p>
> +        <code>Insert/Delete</code>: row insertion/deletion are permitted.
> +      </p>
> +      <p>
> +        <code>Update</code>: The columns <code>address</code>,
> +        <code>chassis</code>, <code>datapath</code>, and
> +        <code>ports</code> may be modified by ovn-controller.
> +      </p>
> +    </dd>
>    </dl>
>
>    <p>
> --
> 2.30.0
>
> _______________________________________________
> dev mailing list
> dev@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev



--
Frode Nordahl
Numan Siddique Feb. 12, 2021, 8:51 a.m. UTC | #2
On Thu, Feb 11, 2021 at 4:59 PM Frode Nordahl
<frode.nordahl@canonical.com> wrote:
>
> Thank you Pedro,
>
> We built a test package [0] with this patch and received confirmation
> it solved the problem.
>
> Acked-by: Frode Nordahl <frode.nordahl@canonical.com>


Thanks for the patch. I applied this patch to master.

Numan

>
> 0: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988
>
>
> On Thu, Feb 11, 2021 at 10:55 AM Pedro Guimaraes
> <pedro.guimaraes@canonical.com> wrote:
> >
> > If RBAC and IGMP snooping are enabled, ovn-controllers need to
> > be able to register new entries to table IGMP_Group as requests
> > are detected.
> >
> > For that, ovn-controllers need to have read/write access to
> > IGMP_Group table.
> >
> > Signed-off-by: Pedro Guimaraes <pedro.guimaraes@canonical.com>
> > Reported-at: https://github.com/ovn-org/ovn/issues/77
> > ---
> >  northd/ovn-northd.c    | 12 ++++++++++++
> >  ovn-architecture.7.xml | 16 ++++++++++++++++
> >  2 files changed, 28 insertions(+)
> >
> > diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
> > index b2b5f6a1b..39d798782 100644
> > --- a/northd/ovn-northd.c
> > +++ b/northd/ovn-northd.c
> > @@ -13009,6 +13009,10 @@ static const char *rbac_svc_monitor_auth[] =
> >      {""};
> >  static const char *rbac_svc_monitor_auth_update[] =
> >      {"status"};
> > +static const char *rbac_igmp_group_auth[] =
> > +    {""};
> > +static const char *rbac_igmp_group_update[] =
> > +    {"address", "chassis", "datapath", "ports"};
> >
> >  static struct rbac_perm_cfg {
> >      const char *table;
> > @@ -13067,6 +13071,14 @@ static struct rbac_perm_cfg {
> >          .update = rbac_svc_monitor_auth_update,
> >          .n_update = ARRAY_SIZE(rbac_svc_monitor_auth_update),
> >          .row = NULL
> > +    },{
> > +        .table = "IGMP_Group",
> > +        .auth = rbac_igmp_group_auth,
> > +        .n_auth = ARRAY_SIZE(rbac_igmp_group_auth),
> > +        .insdel = true,
> > +        .update = rbac_igmp_group_update,
> > +        .n_update = ARRAY_SIZE(rbac_igmp_group_update),
> > +        .row = NULL
> >      },{
> >          .table = NULL,
> >          .auth = NULL,
> > diff --git a/ovn-architecture.7.xml b/ovn-architecture.7.xml
> > index e5c9f9549..0eef9b739 100644
> > --- a/ovn-architecture.7.xml
> > +++ b/ovn-architecture.7.xml
> > @@ -2597,6 +2597,22 @@
> >          modified by ovn-controller.
> >        </p>
> >      </dd>
> > +
> > +    <dt><code>IGMP_Group</code></dt>
> > +    <dd>
> > +      <p>
> > +        <code>Authorization</code>: disabled (all clients are considered
> > +        to be authorized).
> > +      </p>
> > +      <p>
> > +        <code>Insert/Delete</code>: row insertion/deletion are permitted.
> > +      </p>
> > +      <p>
> > +        <code>Update</code>: The columns <code>address</code>,
> > +        <code>chassis</code>, <code>datapath</code>, and
> > +        <code>ports</code> may be modified by ovn-controller.
> > +      </p>
> > +    </dd>
> >    </dl>
> >
> >    <p>
> > --
> > 2.30.0
> >
> > _______________________________________________
> > dev mailing list
> > dev@openvswitch.org
> > https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>
>
>
> --
> Frode Nordahl
> _______________________________________________
> dev mailing list
> dev@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>

Patch

diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
index b2b5f6a1b..39d798782 100644
--- a/northd/ovn-northd.c
+++ b/northd/ovn-northd.c
@@ -13009,6 +13009,10 @@  static const char *rbac_svc_monitor_auth[] =
     {""};
 static const char *rbac_svc_monitor_auth_update[] =
     {"status"};
+static const char *rbac_igmp_group_auth[] =
+    {""};
+static const char *rbac_igmp_group_update[] =
+    {"address", "chassis", "datapath", "ports"};
 
 static struct rbac_perm_cfg {
     const char *table;
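Review bot: `rbac_igmp_group_auth[] = {""}` disables row-level authorization for IGMP_Group, so together with `.insdel = true` and the writable `chassis` column in the second hunk (`@@ -13067,6 +13071,14`) any client holding the ovn-controller role may create, delete or re-point IGMP_Group rows that belong to other chassis; the RBAC entry bounds which table and columns a controller may write, not which rows. This mirrors the neighbouring `rbac_svc_monitor_auth[] = {""}` entry and is presumably deliberate because a reference-typed `chassis` column cannot be matched against the client's identity the way `Chassis.name` can, but nothing in the hunk records that reasoning. A short comment above the array, e.g. `/* No row-level authorization: any ovn-controller may write any IGMP_Group row, since the chassis column is a reference rather than the client ID. */`, would make the accepted trust boundary explicit for the next reader. The `rbac_igmp_group_update` column list should also stay in step with the IGMP_Group description added to ovn-architecture.7.xml in this same patch.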
@@ -13067,6 +13071,14 @@  static struct rbac_perm_cfg {
         .update = rbac_svc_monitor_auth_update,
         .n_update = ARRAY_SIZE(rbac_svc_monitor_auth_update),
         .row = NULL
+    },{
+        .table = "IGMP_Group",
+        .auth = rbac_igmp_group_auth,
+        .n_auth = ARRAY_SIZE(rbac_igmp_group_auth),
+        .insdel = true,
+        .update = rbac_igmp_group_update,
+        .n_update = ARRAY_SIZE(rbac_igmp_group_update),
+        .row = NULL
     },{
         .table = NULL,
         .auth = NULL,
diff --git a/ovn-architecture.7.xml b/ovn-architecture.7.xml
index e5c9f9549..0eef9b739 100644
--- a/ovn-architecture.7.xml
+++ b/ovn-architecture.7.xml
@@ -2597,6 +2597,22 @@ 
         modified by ovn-controller.
       </p>
     </dd>
+
+    <dt><code>IGMP_Group</code></dt>
+    <dd>
+      <p>
+        <code>Authorization</code>: disabled (all clients are considered
+        to be authorized).
+      </p>
+      <p>
+        <code>Insert/Delete</code>: row insertion/deletion are permitted.
+      </p>
+      <p>
+        <code>Update</code>: The columns <code>address</code>,
+        <code>chassis</code>, <code>datapath</code>, and
+        <code>ports</code> may be modified by ovn-controller.
+      </p>
+    </dd>
   </dl>
 
   <p>