Message ID | cc031153a958e05e8406dacd5a64eddfdeb700e5.1614945892.git.frode.nordahl@canonical.com |
---|---|
State | Accepted |
Series | Fix missing RBAC rules and enable testing |
On Fri, Mar 5, 2021 at 5:49 PM Frode Nordahl <frode.nordahl@canonical.com> wrote: > > This patch summarizes a series of fixes to the C northd for missing > or out of date RBAC rules and updates the DDlog version of Northd > accordingly. > > Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com> Hi Frode, Thanks for the patch series. I applied the patches 1 to 5 of this series to master and backported 1-4 patches to branch-21.03. I have also backported some of the patches down to 20.03. I need to apply a couple of patches down to the 20.03 branch. I will do that in some time. For the patches 6-9, I have not looked at them yet. I'd appreciate it if others want to review them. Thanks Numan > --- > northd/ovn_northd.dl | 24 ++++++++++++++++++++++-- > 1 file changed, 22 insertions(+), 2 deletions(-) > > diff --git a/northd/ovn_northd.dl b/northd/ovn_northd.dl > index 4482cffc0..8bc6dd9f6 100644 > --- a/northd/ovn_northd.dl > +++ b/northd/ovn_northd.dl > @@ -1257,7 +1257,8 @@ sb::Out_RBAC_Permission ( > .authorization = set_singleton("name"), > .insert_delete = true, > .update = ["nb_cfg", "external_ids", "encaps", > - "vtep_logical_switches", "other_config"].to_set() > + "vtep_logical_switches", "other_config", > + "transport_zones"].to_set() > ). > > sb::Out_RBAC_Permission ( > @@ -1281,7 +1282,7 @@ sb::Out_RBAC_Permission ( > .table = "Port_Binding", > .authorization = set_singleton(""), > .insert_delete = false, > - .update = ["chassis", "up"].to_set() > + .update = ["chassis", "encap", "up", "virtual_parent"].to_set() > ). > > sb::Out_RBAC_Permission ( 
> @@ -1308,6 +1309,23 @@ sb::Out_RBAC_Permission ( > .update = ["address", "chassis", "datapath", "ports"].to_set() > ). > > +sb::Out_RBAC_Permission ( > + ._uuid = 128'h2e5cbf3d_26f6_4f8a_9926_d6f77f61654f, > + .table = "Controller_Event", > + .authorization = set_singleton(""), > + .insert_delete = true, > + .update = ["chassis", "event_info", "event_type", > + "seq_num"].to_set() > +). > + > +sb::Out_RBAC_Permission ( > + ._uuid = 128'hb70964fc_322f_4ae5_aee4_ff6afadcc126, > + .table = "FDB", > + .authorization = set_singleton(""), > + .insert_delete = true, > + .update = ["dp_key", "mac", "port_key"].to_set() > +). > + > /* > * RBAC_Role: fixed > */ > @@ -1317,7 +1335,9 @@ sb::Out_RBAC_Role ( > .permissions = [ > "Chassis" -> 128'h7df3749a_1754_4a78_afa4_3abf526fe510, > "Chassis_Private" -> 128'h07e623f7_137c_4a11_9084_3b3f89cb4a54, > + "Controller_Event" -> 128'h2e5cbf3d_26f6_4f8a_9926_d6f77f61654f, > "Encap" -> 128'h94bec860_431e_4d95_82e7_3b75d8997241, > + "FDB" -> 128'hb70964fc_322f_4ae5_aee4_ff6afadcc126, > "Port_Binding" -> 128'hd8ceff1a_2b11_48bd_802f_4a991aa4e908, > "MAC_Binding" -> 128'h6ffdc696_8bfb_4d82_b620_a00d39270b2f, > "Service_Monitor"-> 128'h39231c7e_4bf1_41d0_ada4_1d8a319c0da3] > -- > 2.30.0 > > _______________________________________________ > dev mailing list > dev@openvswitch.org > https://mail.openvswitch.org/mailman/listinfo/ovs-dev >
diff --git a/northd/ovn_northd.dl b/northd/ovn_northd.dl index 4482cffc0..8bc6dd9f6 100644 --- a/northd/ovn_northd.dl +++ b/northd/ovn_northd.dl @@ -1257,7 +1257,8 @@ sb::Out_RBAC_Permission ( .authorization = set_singleton("name"), .insert_delete = true, .update = ["nb_cfg", "external_ids", "encaps", - "vtep_logical_switches", "other_config"].to_set() + "vtep_logical_switches", "other_config", + "transport_zones"].to_set() ). sb::Out_RBAC_Permission ( @@ -1281,7 +1282,7 @@ sb::Out_RBAC_Permission ( .table = "Port_Binding", .authorization = set_singleton(""), .insert_delete = false, - .update = ["chassis", "up"].to_set() + .update = ["chassis", "encap", "up", "virtual_parent"].to_set() ). sb::Out_RBAC_Permission ( @@ -1308,6 +1309,23 @@ sb::Out_RBAC_Permission ( .update = ["address", "chassis", "datapath", "ports"].to_set() ). +sb::Out_RBAC_Permission ( + ._uuid = 128'h2e5cbf3d_26f6_4f8a_9926_d6f77f61654f, + .table = "Controller_Event", + .authorization = set_singleton(""), + .insert_delete = true, + .update = ["chassis", "event_info", "event_type", + "seq_num"].to_set() +). + +sb::Out_RBAC_Permission ( + ._uuid = 128'hb70964fc_322f_4ae5_aee4_ff6afadcc126, + .table = "FDB", + .authorization = set_singleton(""), + .insert_delete = true, + .update = ["dp_key", "mac", "port_key"].to_set() +). + /* * RBAC_Role: fixed */ @@ -1317,7 +1335,9 @@ sb::Out_RBAC_Role ( .permissions = [ "Chassis" -> 128'h7df3749a_1754_4a78_afa4_3abf526fe510, "Chassis_Private" -> 128'h07e623f7_137c_4a11_9084_3b3f89cb4a54, + "Controller_Event" -> 128'h2e5cbf3d_26f6_4f8a_9926_d6f77f61654f, "Encap" -> 128'h94bec860_431e_4d95_82e7_3b75d8997241, + "FDB" -> 128'hb70964fc_322f_4ae5_aee4_ff6afadcc126, "Port_Binding" -> 128'hd8ceff1a_2b11_48bd_802f_4a991aa4e908, "MAC_Binding" -> 128'h6ffdc696_8bfb_4d82_b620_a00d39270b2f, "Service_Monitor"-> 128'h39231c7e_4bf1_41d0_ada4_1d8a319c0da3]
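Review bot: In the Port_Binding hunk (@@ -1281) the update set gains "encap" and "virtual_parent" while `.authorization = set_singleton("")` is unchanged, and an empty authorization string means OVSDB RBAC performs no per-row ownership comparison, so every client holding this role can now modify those two columns on any Port_Binding row, not only rows bound to its own chassis. If this is deliberate parity with the C northd, say so in a short comment above the record and state why row-level authorization cannot be used for this table, so the wider write surface is a documented decision rather than an implicit one.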
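Review bot: The two records added in the @@ -1308 hunk, for Controller_Event and FDB, pair `.insert_delete = true` with `.authorization = set_singleton("")`, which lets any client in the role insert and delete rows in those tables with no ownership check, and neither record has a comment explaining why that is acceptable. Please add a comment to each record stating which component is expected to write these rows and why no authorization column applies. The commit message would also be easier to audit if it listed the tables and columns being opened up instead of only saying it "summarizes a series of fixes".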
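Review bot: In the RBAC_Role hunk (@@ -1317) the permission UUIDs for "Controller_Event" and "FDB" are typed a second time as literals in the `.permissions` map; they do match the `._uuid` values of the records added earlier in this patch, but nothing visible ties the two places together, so a later one-character slip would be easy to make and hard to catch in review. Since the series is titled "Fix missing RBAC rules and enable testing", it would be worth confirming that one of the test patches checks that every table named in this map resolves to an existing RBAC_Permission row with the expected update columns.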
This patch summarizes a series of fixes to the C northd for missing or out of date RBAC rules and updates the DDlog version of Northd accordingly. Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com> --- northd/ovn_northd.dl | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-)