From patchwork Tue Dec 6 14:52:06 2022
X-Patchwork-Submitter: Frode Nordahl
X-Patchwork-Id: 1712777
From: Frode Nordahl
To: dev@openvswitch.org
Date: Tue, 6 Dec 2022 15:52:06 +0100
Message-Id: <20221206145206.4113681-1-frode.nordahl@canonical.com>
Subject: [ovs-dev] [PATCH ovn v2] northd: Add missing RBAC rules for BFD table.

If an OVN deployment has OVN RBAC enabled for the southbound database, enabling BFD would lead to permission errors.

The data in the entries in the BFD table do not belong to any given chassis and no column can provide authentication, but the rules still need to be there for successful operation.

Fixes: 117203584d98 ("controller: introduce BFD tx path in ovn-controller.")
Reported-at: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1995771
Signed-off-by: Frode Nordahl Acked-by: Dumitru Ceara --- northd/ovn-northd.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index 965353cd7..82d2874d6 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -125,6 +125,10 @@ static const char *rbac_igmp_group_auth[] = {""}; static const char *rbac_igmp_group_update[] = {"address", "chassis", "datapath", "ports"}; +static const char *rbac_bfd_auth[] = + {""}; +static const char *rbac_bfd_update[] = + {"status"}; static struct rbac_perm_cfg { const char *table; @@ -207,6 +211,14 @@ static struct rbac_perm_cfg { .update = rbac_igmp_group_update, .n_update = ARRAY_SIZE(rbac_igmp_group_update), .row = NULL + },{ + .table = "BFD", + .auth = rbac_bfd_auth, + .n_auth = ARRAY_SIZE(rbac_bfd_auth), + .insdel = false, + .update = rbac_bfd_update, + .n_update = ARRAY_SIZE(rbac_bfd_update), + .row = NULL },{ .table = NULL, .auth = NULL,
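
Review bot: In the first hunk (@@ -125,6 +125,10 @@), rbac_bfd_auth is set to {""} with no comment saying why. The commit message explains that no BFD column can provide authentication, so the permission does not tie a row to the chassis that writes it, and that reasoning belongs next to the definition rather than only in the commit log. Suggest a short comment above rbac_bfd_auth stating that the empty authorization column is deliberate and that rbac_bfd_update is kept to "status" alone for that reason, so a later change that widens the update list gets reviewed with the missing ownership check in mind.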
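
Review bot: The new BFD entry in the second hunk (@@ -207,6 +211,14 @@) has no test: the diffstat shows only northd/ovn-northd.c changed. Suggest adding a test that runs with southbound RBAC enabled and checks that the permission error from the bug report is gone when status is updated on a BFD row, and that insert and delete (.insdel = false) and updates to columns other than "status" are still refused.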