From patchwork Fri Nov 8 05:51:37 2019
X-Patchwork-Submitter: Frode Nordahl
X-Patchwork-Id: 1191671
From: Frode Nordahl
Date: Fri, 8 Nov 2019 06:51:37 +0100
To: ovs-dev@openvswitch.org
Subject: [ovs-dev] [PATCH ovn] docs: Add note about RBAC and remote ovn-northd connection

Signed-off-by: Frode Nordahl
Acked-by: Aliasgar Ginwala
Submitted-at: https://github.com/ovn-org/ovn/pull/25
---
 .../topics/role-based-access-control.rst |  7 ++++++
 Documentation/tutorials/ovn-rbac.rst     | 25 +++++++++++++++++++
 2 files changed, 32 insertions(+)

-- 
2.20.1
diff --git a/Documentation/topics/role-based-access-control.rst b/Documentation/topics/role-based-access-control.rst index 2acd1e88b..e13e2d5dc 100644 --- a/Documentation/topics/role-based-access-control.rst +++ b/Documentation/topics/role-based-access-control.rst @@ -82,6 +82,13 @@ command: $ ovn-sbctl set-connection role=ovn-controller ssl:192.168.0.1:6642 +.. note:: + + There is currently no pre-defined role for ovn-northd. You must configure + a separate listener on the OVN southbound database that ovn-northd can + connect to if your deployment topology require ovn-northd to connect to a + OVN southbound database instance on a remote machine. + Pre-defined Roles ----------------- This section describes roles that have been defined internally by OVS/OVN. diff --git a/Documentation/tutorials/ovn-rbac.rst b/Documentation/tutorials/ovn-rbac.rst index 22b169d6d..fc2de5d5d 100644 --- a/Documentation/tutorials/ovn-rbac.rst +++ b/Documentation/tutorials/ovn-rbac.rst 
@@ -132,3 +132,28 @@ Configuring RBAC /path/to/chassis_2-cert.pem /path/to/cacert.pem $ ovs-vsctl set open_vswitch . \ external_ids:ovn-remote=ssl:machine_3-ip:6642 + +The OVN central control daemon and RBAC +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The OVN central control daemon (`ovn-northd`) needs full write access to +the southbound database. When you have one machine hosting the central +components, `ovn-northd` can talk to the databases through a local unix +socket, bypassing the `ovn-controller` RBAC configured for the listener +at port '6642'. However, if you want to deploy multiple machines for +hosting the central components, `ovn-northd` will require a remote +connection to all of them. + +1. Configure the southbound database with a second SSL listener on a + separate port without RBAC enabled for use by `ovn-northd`. + + In `machine_3`:: + + $ ovn-sbctl -- --id=@conn_uuid create Connection \ + target="pssl\:16642" \ + -- add SB_Global . connections=@conn_uuid + + .. note:: + + Care should be taken to restrict access to the above mentioned port + so that only trusted machines can connect to it.
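Review bot: the note added to role-based-access-control.rst after the `ovn-sbctl set-connection role=ovn-controller ssl:192.168.0.1:6642` example never says what the "separate listener" costs in security terms, and its wording is off ("if your deployment topology require ovn-northd to connect to a OVN southbound database" should read "requires" and "an OVN"). Suggest stating that the extra listener carries no role, so any client that can reach it gets unrestricted write access to the southbound database, and that reachability must therefore be limited to the machines running ovn-northd. A cross-reference to the tutorial section this same patch adds to ovn-rbac.rst would let readers find the actual configuration steps.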
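Review bot: the procedure added to ovn-rbac.rst stops after step 1; the list opens with "1. Configure the southbound database with a second SSL listener on a separate port" but never shows the step that points `ovn-northd` at that port (`ssl:machine_3-ip:16642`, in the same form as the `external_ids:ovn-remote=ssl:machine_3-ip:6642` setting in the context lines above), so either add that step or drop the numbering. The closing note is also too vague for the risk it describes: the listener created with `target="pssl\:16642"` has no role attached, and nothing in the hunk stops a chassis holding the `chassis_2-cert.pem` configured earlier in this tutorial from connecting to it, which would let a compromised chassis escape the `role=ovn-controller` restrictions applied on port 6642. Say explicitly that the port must be firewalled so that only the hosts running `ovn-northd` can reach it, instead of "Care should be taken". Minor: '6642' is set in single quotes while the surrounding literals use backticks.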