@@ -1005,6 +1005,16 @@ jsonrpc_session_get_name(const struct jsonrpc_session *s)
return reconnect_get_name(s->reconnect);
}
+const char *
+jsonrpc_session_get_id(const struct jsonrpc_session *s)
+{
+ if (s->rpc && s->rpc->stream) {
+ return stream_get_peer_id(s->rpc->stream);
+ } else {
+ return NULL;
+ }
+}
+
/* Always takes ownership of 'msg', regardless of success. */
int
jsonrpc_session_send(struct jsonrpc_session *s, struct jsonrpc_msg *msg)
@@ -130,5 +130,7 @@ void jsonrpc_session_set_probe_interval(struct jsonrpc_session *,
int probe_interval);
void jsonrpc_session_set_dscp(struct jsonrpc_session *,
uint8_t dscp);
+const char *jsonrpc_session_get_id(const struct jsonrpc_session *);
+
#endif /* jsonrpc.h */
@@ -167,6 +167,19 @@ ovsdb_internal_error(struct ovsdb_error *inner_error,
return error;
}
+struct ovsdb_error *ovsdb_perm_error(const char *details, ...)
+{
+ struct ovsdb_error *error;
+ va_list args;
+
+ va_start(args, details);
+ error = ovsdb_error_valist("permission error", details, args);
+ va_end(args);
+
+ return error;
+}
+
+
void
ovsdb_error_destroy(struct ovsdb_error *error)
{
@@ -41,6 +41,10 @@ struct ovsdb_error *ovsdb_internal_error(struct ovsdb_error *error,
OVS_PRINTF_FORMAT(4, 5)
OVS_WARN_UNUSED_RESULT;
+struct ovsdb_error *ovsdb_perm_error(const char *details, ...)
+ OVS_PRINTF_FORMAT(1, 2)
+ OVS_WARN_UNUSED_RESULT;
+
/* Returns a pointer to an ovsdb_error that represents an internal error for
* the current file name and line number with MSG as the associated message.
* The caller is responsible for freeing the internal error. */
@@ -24,6 +24,8 @@ ovsdb_libovsdb_la_SOURCES = \
ovsdb/monitor.h \
ovsdb/query.c \
ovsdb/query.h \
+ ovsdb/rbac.c \
+ ovsdb/rbac.h \
ovsdb/replication.c \
ovsdb/replication.h \
ovsdb/row.c \
@@ -32,6 +32,7 @@
#include "table.h"
#include "timeval.h"
#include "transaction.h"
+#include "rbac.h"
struct ovsdb_execution {
struct ovsdb *db;
@@ -39,6 +40,8 @@ struct ovsdb_execution {
struct ovsdb_txn *txn;
struct ovsdb_symbol_table *symtab;
bool durable;
+ const char *role;
+ const char *id;
/* Triggers. */
long long int elapsed_msec;
@@ -97,6 +100,7 @@ lookup_executor(const char *name, bool *read_only)
struct json *
ovsdb_execute(struct ovsdb *db, const struct ovsdb_session *session,
const struct json *params, bool read_only,
+ const char *role, const char *id,
long long int elapsed_msec, long long int *timeout_msec)
{
struct ovsdb_execution x;
@@ -126,6 +130,8 @@ ovsdb_execute(struct ovsdb *db, const struct ovsdb_session *session,
x.txn = ovsdb_txn_create(db);
x.symtab = ovsdb_symbol_table_create();
x.durable = false;
+ x.role = role;
+ x.id = id;
x.elapsed_msec = elapsed_msec;
x.timeout_msec = LLONG_MAX;
results = NULL;
@@ -305,6 +311,12 @@ ovsdb_execute_insert(struct ovsdb_execution *x, struct ovsdb_parser *parser,
return error;
}
+ if (!ovsdb_rbac_insert(x->db, table, x->role, x->id)) {
+ return ovsdb_perm_error("RBAC rules for client \"%s\" role \"%s\" "
+ "prohibit row insertion into table \"%s\".",
+ x->id, x->role, table->schema->name);
+ }
+
if (uuid_name) {
struct ovsdb_symbol *symbol;
@@ -410,6 +422,8 @@ struct update_row_cbdata {
struct ovsdb_txn *txn;
const struct ovsdb_row *row;
const struct ovsdb_column_set *columns;
+ const char *role;
+ const char *id;
};
static bool
@@ -470,7 +484,15 @@ ovsdb_execute_update(struct ovsdb_execution *x, struct ovsdb_parser *parser,
ur.txn = x->txn;
ur.row = row;
ur.columns = &columns;
- ovsdb_query(table, &condition, update_row_cb, &ur);
+ if (ovsdb_rbac_update(x->db, table, &columns, &condition, x->role,
+ x->id)) {
+ ovsdb_query(table, &condition, update_row_cb, &ur);
+ } else {
+ error = ovsdb_perm_error("RBAC rules for client \"%s\" role "
+ "\"%s\" prohibit modification of "
+ "table \"%s\".",
+ x->id, x->role, table->schema->name);
+ }
json_object_put(result, "count", json_integer_create(ur.n_matches));
}
@@ -529,7 +551,15 @@ ovsdb_execute_mutate(struct ovsdb_execution *x, struct ovsdb_parser *parser,
mr.txn = x->txn;
mr.mutations = &mutations;
mr.error = &error;
- ovsdb_query(table, &condition, mutate_row_cb, &mr);
+ if (ovsdb_rbac_mutate(x->db, table, &mutations, &condition, x->role,
+ x->id)) {
+ ovsdb_query(table, &condition, mutate_row_cb, &mr);
+ } else {
+ error = ovsdb_perm_error("RBAC rules for client \"%s\" role "
+ "\"%s\" prohibit mutate operation on "
+ "table \"%s\".",
+ x->id, x->role, table->schema->name);
+ }
json_object_put(result, "count", json_integer_create(mr.n_matches));
}
@@ -579,8 +609,15 @@ ovsdb_execute_delete(struct ovsdb_execution *x, struct ovsdb_parser *parser,
dr.n_matches = 0;
dr.table = table;
dr.txn = x->txn;
- ovsdb_query(table, &condition, delete_row_cb, &dr);
+ if (ovsdb_rbac_delete(x->db, table, &condition, x->role, x->id)) {
+ ovsdb_query(table, &condition, delete_row_cb, &dr);
+ } else {
+ error = ovsdb_perm_error("RBAC rules for client \"%s\" role "
+ "\"%s\" prohibit row deletion from "
+ "table \"%s\".",
+ x->id, x->role, table->schema->name);
+ }
json_object_put(result, "count", json_integer_create(dr.n_matches));
}
@@ -128,6 +128,7 @@ struct ovsdb_jsonrpc_remote {
struct ovs_list sessions; /* List of "struct ovsdb_jsonrpc_session"s. */
uint8_t dscp;
bool read_only;
+ char *role;
};
static struct ovsdb_jsonrpc_remote *ovsdb_jsonrpc_server_add_remote(
@@ -270,6 +271,7 @@ ovsdb_jsonrpc_server_add_remote(struct ovsdb_jsonrpc_server *svr,
ovs_list_init(&remote->sessions);
remote->dscp = options->dscp;
remote->read_only = options->read_only;
+ remote->role = options->role ? xstrdup(options->role) : NULL;
shash_add(&svr->remotes, name, remote);
if (!listener) {
@@ -287,6 +289,7 @@ ovsdb_jsonrpc_server_del_remote(struct shash_node *node)
ovsdb_jsonrpc_session_close_all(remote);
pstream_close(remote->listener);
shash_delete(&remote->server->remotes, node);
+ free(remote->role);
free(remote);
}
@@ -1038,7 +1041,8 @@ ovsdb_jsonrpc_trigger_create(struct ovsdb_jsonrpc_session *s, struct ovsdb *db,
/* Insert into trigger table. */
t = xmalloc(sizeof *t);
ovsdb_trigger_init(&s->up, db, &t->trigger, params, time_msec(),
- s->read_only);
+ s->read_only, s->remote->role,
+ jsonrpc_session_get_id(s->js));
t->id = id;
hmap_insert(&s->triggers, &t->hmap_node, hash);
@@ -37,6 +37,7 @@ struct ovsdb_jsonrpc_options {
int probe_interval; /* Max idle time before probing, in msec. */
bool read_only; /* Only read-only transactions are allowed. */
int dscp; /* Dscp value for manager connections */
+ char *role; /* Role, for role-based access controls */
};
struct ovsdb_jsonrpc_options *
ovsdb_jsonrpc_default_options(const char *target);
@@ -683,7 +683,7 @@ add_manager_options(struct shash *remotes, const struct ovsdb_row *row)
struct ovsdb_jsonrpc_options *options;
long long int max_backoff, probe_interval;
bool read_only;
- const char *target, *dscp_string;
+ const char *target, *dscp_string, *role;
if (!ovsdb_util_read_string_column(row, "target", &target) || !target) {
VLOG_INFO_RL(&rl, "Table `%s' has missing or invalid `target' column",
@@ -702,6 +702,10 @@ add_manager_options(struct shash *remotes, const struct ovsdb_row *row)
if (ovsdb_util_read_bool_column(row, "read_only", &read_only)) {
options->read_only = read_only;
}
+ free(options->role);
+ if (ovsdb_util_read_string_column(row, "role", &role) && role) {
+ options->role = xstrdup(role);
+ }
options->dscp = DSCP_DEFAULT;
dscp_string = ovsdb_util_read_map_string_column(row, "other_config",
@@ -1350,6 +1354,7 @@ parse_options(int *argcp, char **argvp[],
OPT_SYNC_FROM,
OPT_SYNC_EXCLUDE,
OPT_ACTIVE,
+ OPT_RBAC,
VLOG_OPTION_ENUMS,
DAEMON_OPTION_ENUMS,
SSL_OPTION_ENUMS,
@@ -366,7 +366,7 @@ transact(bool read_only, int argc, char *argv[])
check_ovsdb_error(ovsdb_file_open(db_file_name, read_only, &db, NULL));
request = parse_json(transaction);
- result = ovsdb_execute(db, NULL, request, false, 0, NULL);
+ result = ovsdb_execute(db, NULL, request, false, NULL, NULL, 0, NULL);
json_destroy(request);
print_and_free_json(result);
@@ -88,6 +88,44 @@ ovsdb_util_read_map_string_column(const struct ovsdb_row *row,
return atom_value ? atom_value->string : NULL;
}
+/* Read string-uuid key-values from a map. Returns the row associated with
+ * 'key', if found, or NULL */
+const struct ovsdb_row *
+ovsdb_util_read_map_string_uuid_column(const struct ovsdb_row *row,
+ const char *column_name,
+ const char *key)
+{
+ union ovsdb_atom *atom_key = NULL, *atom_value = NULL;
+ const struct ovsdb_table *ref_table;
+ const struct ovsdb_column *column;
+ const struct ovsdb_datum *datum;
+ size_t i;
+
+ column = ovsdb_table_schema_get_column(row->table->schema, column_name);
+ if (!column ||
+ column->type.key.type != OVSDB_TYPE_STRING ||
+ column->type.value.type != OVSDB_TYPE_UUID) {
+ return NULL;
+ }
+
+ datum = &row->fields[column->index];
+
+ for (i = 0; i < datum->n; i++) {
+ atom_key = &datum->keys[i];
+ if (!strcmp(atom_key->string, key)) {
+ atom_value = &datum->values[i];
+ break;
+ }
+ }
+
+ if (!atom_value) {
+ return NULL;
+ }
+ ref_table = column->type.value.u.uuid.refTable;
+ return ovsdb_table_get_row(ref_table, &atom_value->uuid);
+}
+
+
const union ovsdb_atom *
ovsdb_util_read_column(const struct ovsdb_row *row, const char *column_name,
enum ovsdb_atomic_type type)
@@ -25,6 +25,10 @@ struct ovsdb_datum *ovsdb_util_get_datum(struct ovsdb_row *row,
const char *ovsdb_util_read_map_string_column(const struct ovsdb_row *row,
const char *column_name,
const char *key);
+const struct ovsdb_row *ovsdb_util_read_map_string_uuid_column(
+ const struct ovsdb_row *r,
+ const char *column_name,
+ const char *key);
const union ovsdb_atom *ovsdb_util_read_column(const struct ovsdb_row *row,
const char *column_name,
enum ovsdb_atomic_type type);
@@ -351,6 +351,9 @@ ovsdb_create(struct ovsdb_schema *schema)
}
}
+ /* Use RBAC roles table if present. */
+ db->rbac_role = ovsdb_get_table(db, "RBAC_Role");
+
return db;
}
@@ -62,6 +62,8 @@ struct ovsdb {
/* Triggers. */
struct ovs_list triggers; /* Contains "struct ovsdb_trigger"s. */
bool run_triggers;
+
+ struct ovsdb_table *rbac_role;
};
struct ovsdb *ovsdb_create(struct ovsdb_schema *);
@@ -73,6 +75,7 @@ struct ovsdb_table *ovsdb_get_table(const struct ovsdb *, const char *);
struct json *ovsdb_execute(struct ovsdb *, const struct ovsdb_session *,
const struct json *params, bool read_only,
+ const char *role, const char *id,
long long int elapsed_msec,
long long int *timeout_msec);
new file mode 100644
@@ -0,0 +1,443 @@
+/*
+ * Copyright (c) 2017 Red Hat, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <config.h>
+#include <limits.h>
+
+#include "column.h"
+#include "condition.h"
+#include "file.h"
+#include "mutation.h"
+#include "ovsdb-data.h"
+#include "ovsdb-error.h"
+#include "ovsdb-parser.h"
+#include "ovsdb.h"
+#include "query.h"
+#include "row.h"
+#include "server.h"
+#include "table.h"
+#include "timeval.h"
+#include "transaction.h"
+#include "ovsdb-util.h"
+#include "condition.h"
+#include "rbac.h"
+#include "openvswitch/vlog.h"
+
+VLOG_DEFINE_THIS_MODULE(ovsdb_rbac);
+
+static const struct ovsdb_row *
+ovsdb_find_row_by_string_key(const struct ovsdb_table *table,
+ const char *column_name,
+ const char *key)
+{
+ const struct ovsdb_column *column;
+ const struct ovsdb_row *row;
+
+ column = ovsdb_table_schema_get_column(table->schema, column_name);
+
+ if (column) {
+ HMAP_FOR_EACH (row, hmap_node, &table->rows) {
+ const struct ovsdb_datum *datum;
+ size_t i;
+
+ datum = &row->fields[column->index];
+ for (i = 0; i < datum->n; i++) {
+ if (datum->keys[i].string[0] &&
+ !strcmp(key, datum->keys[i].string)) {
+ return row;
+ }
+ }
+ }
+ }
+ return NULL;
+}
+
+static const struct ovsdb_row *
+ovsdb_rbac_lookup_perms(const struct ovsdb *db, const char *role,
+ const char *table)
+{
+ static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 1);
+ const struct ovsdb_row *role_row, *perm_row;
+ const struct ovsdb_column *column;
+
+ /* Lookup role in roles table */
+ role_row = ovsdb_find_row_by_string_key(db->rbac_role, "name", role);
+ if (!role_row) {
+ VLOG_INFO_RL(&rl, "rbac: role \"%s\" not found in rbac roles table",
+ role);
+ return NULL;
+ }
+
+ /* Find row in permissions column for table from "permissions" column */
+ column = ovsdb_table_schema_get_column(role_row->table->schema,
+ "permissions");
+ if (!column) {
+ VLOG_INFO_RL(&rl, "rbac: \"permissions\" column not present in rbac "
+ "roles table");
+ return NULL;
+ }
+ perm_row = ovsdb_util_read_map_string_uuid_column(role_row, "permissions",
+ table);
+
+ return perm_row;
+}
+
+static bool
+ovsdb_rbac_authorized(const struct ovsdb_row *perms,
+ const char *id,
+ const struct ovsdb_row *row)
+{
+ static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 1);
+ const struct ovsdb_datum *datum;
+ size_t i;
+
+ datum = ovsdb_util_get_datum(CONST_CAST(struct ovsdb_row *, perms),
+ "authorization",
+ OVSDB_TYPE_STRING, OVSDB_TYPE_VOID, UINT_MAX);
+
+ if (!datum) {
+ VLOG_INFO_RL(&rl, "rbac: error reading authorization column");
+ return false;
+ }
+
+ for (i = 0; i < datum->n; i++) {
+ char *name = datum->keys[i].string;
+ const char *value = NULL;
+ bool is_map;
+
+ if (name[0] == '\0') {
+ /* empty string means all are authorized */
+ return true;
+ }
+
+ is_map = strchr(name, ':') != NULL;
+
+ if (is_map) {
+ char *tmp = xstrdup(name);
+ char *col_name, *key, *save_ptr = NULL;
+ col_name = strtok_r(name, ":", &save_ptr);
+ key = strtok_r(NULL, ":", &save_ptr);
+
+ if (col_name && key) {
+ value = ovsdb_util_read_map_string_column(row, col_name, key);
+ }
+ free(tmp);
+ } else {
+ ovsdb_util_read_string_column(row, name, &value);
+ }
+ if (value && !strcmp(value, id)) {
+ return true;
+ }
+ }
+
+ return false;
+}
+
+bool
+ovsdb_rbac_insert(const struct ovsdb *db, const struct ovsdb_table *table,
+ const char *role, const char *id)
+{
+ const struct ovsdb_table_schema *ts = table->schema;
+ const struct ovsdb_row *perms;
+ bool insdel;
+
+ if (!db->rbac_role || !role || *role == '\0') {
+ return true;
+ }
+
+ if (!id) {
+ goto denied;
+ }
+
+ perms = ovsdb_rbac_lookup_perms(db, role, ts->name);
+
+ if (!perms) {
+ goto denied;
+ }
+
+ if (!ovsdb_util_read_bool_column(perms, "insert_delete", &insdel)) {
+ return false;
+ }
+
+ if (insdel) {
+ return true;
+ }
+
+denied:
+ return false;
+}
+
+struct rbac_delete_cbdata {
+ const struct ovsdb_table *table;
+ const struct ovsdb_row *perms;
+ const char *role;
+ const char *id;
+ bool permitted;
+};
+
+static bool
+rbac_delete_cb(const struct ovsdb_row *row, void *rd_)
+{
+ struct rbac_delete_cbdata *rd = rd_;
+ bool insdel;
+
+ if (!ovsdb_rbac_authorized(rd->perms, rd->id, row)) {
+ goto denied;
+ }
+
+ if (!ovsdb_util_read_bool_column(rd->perms, "insert_delete", &insdel)) {
+ goto denied;
+ }
+
+ if (!insdel) {
+ goto denied;
+ }
+ return true;
+
+denied:
+ rd->permitted = false;
+ return false;
+}
+
+bool
+ovsdb_rbac_delete(const struct ovsdb *db, struct ovsdb_table *table,
+ struct ovsdb_condition *condition,
+ const char *role, const char *id)
+{
+ const struct ovsdb_table_schema *ts = table->schema;
+ const struct ovsdb_row *perms;
+ struct rbac_delete_cbdata rd;
+
+ if (!db->rbac_role || !role || *role == '\0') {
+ return true;
+ }
+ if (!id) {
+ goto denied;
+ }
+
+ perms = ovsdb_rbac_lookup_perms(db, role, ts->name);
+
+ if (!perms) {
+ goto denied;
+ }
+
+ rd.permitted = true;
+ rd.perms = perms;
+ rd.table = table;
+ rd.role = role;
+ rd.id = id;
+
+ ovsdb_query(table, condition, rbac_delete_cb, &rd);
+
+ if (rd.permitted) {
+ return true;
+ }
+
+denied:
+ return false;
+}
+
+struct rbac_update_cbdata {
+ const struct ovsdb_table *table;
+ const struct ovsdb_column_set *columns; /* columns to be modified */
+ const struct ovsdb_datum *modifiable; /* modifiable column names */
+ const struct ovsdb_row *perms;
+ const char *role;
+ const char *id;
+ bool permitted;
+};
+
+static bool
+rbac_column_modification_permitted(const struct ovsdb_column *column,
+ const struct ovsdb_datum *modifiable)
+{
+ size_t i;
+
+ for (i = 0; i < modifiable->n; i++) {
+ char *name = modifiable->keys[i].string;
+
+ if (!strcmp(name, column->name)) {
+ return true;
+ }
+ }
+ return false;
+}
+
+static bool
+rbac_update_cb(const struct ovsdb_row *row, void *ru_)
+{
+ struct rbac_update_cbdata *ru = ru_;
+ size_t i;
+
+ if (!ovsdb_rbac_authorized(ru->perms, ru->id, row)) {
+ goto denied;
+ }
+
+ for (i = 0; i < ru->columns->n_columns; i++) {
+ const struct ovsdb_column *column = ru->columns->columns[i];
+
+ if (!rbac_column_modification_permitted(column, ru->modifiable)) {
+ goto denied;
+ }
+ }
+ return true;
+
+denied:
+ ru->permitted = false;
+ return false;
+}
+
+bool
+ovsdb_rbac_update(const struct ovsdb *db,
+ struct ovsdb_table *table,
+ struct ovsdb_column_set *columns,
+ struct ovsdb_condition *condition,
+ const char *role, const char *id)
+{
+ static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 1);
+ const struct ovsdb_table_schema *ts = table->schema;
+ const struct ovsdb_datum *datum;
+ const struct ovsdb_row *perms;
+ struct rbac_update_cbdata ru;
+
+ if (!db->rbac_role || !role || *role == '\0') {
+ return true;
+ }
+ if (!id) {
+ goto denied;
+ }
+
+ perms = ovsdb_rbac_lookup_perms(db, role, ts->name);
+
+ if (!perms) {
+ goto denied;
+ }
+
+ datum = ovsdb_util_get_datum(CONST_CAST(struct ovsdb_row *, perms),
+ "update",
+ OVSDB_TYPE_STRING, OVSDB_TYPE_VOID, UINT_MAX);
+
+ if (!datum) {
+ VLOG_INFO_RL(&rl, "ovsdb_rbac_update: could not read \"update\" "
+ "column");
+ goto denied;
+ }
+
+ ru.table = table;
+ ru.columns = columns;
+ ru.role = role;
+ ru.id = id;
+ ru.perms = perms;
+ ru.modifiable = datum;
+ ru.permitted = true;
+
+ ovsdb_query(table, condition, rbac_update_cb, &ru);
+
+ if (ru.permitted) {
+ return true;
+ }
+
+denied:
+ return false;
+}
+
+struct rbac_mutate_cbdata {
+ const struct ovsdb_table *table;
+ const struct ovsdb_mutation_set *mutations; /* columns to be mutated */
+ const struct ovsdb_datum *modifiable; /* modifiable column names */
+ const struct ovsdb_row *perms;
+ const char *role;
+ const char *id;
+ bool permitted;
+};
+
+static bool
+rbac_mutate_cb(const struct ovsdb_row *row, void *rm_)
+{
+ struct rbac_mutate_cbdata *rm = rm_;
+ size_t i;
+
+ if (!ovsdb_rbac_authorized(rm->perms, rm->id, row)) {
+ goto denied;
+ }
+
+ for (i = 0; i < rm->mutations->n_mutations; i++) {
+ const struct ovsdb_column *column = rm->mutations->mutations[i].column;
+
+ if (!rbac_column_modification_permitted(column, rm->modifiable)) {
+ goto denied;
+ }
+ }
+
+ return true;
+
+denied:
+ rm->permitted = false;
+ return false;
+}
+
+bool
+ovsdb_rbac_mutate(const struct ovsdb *db,
+ struct ovsdb_table *table,
+ struct ovsdb_mutation_set *mutations,
+ struct ovsdb_condition *condition,
+ const char *role, const char *id)
+{
+ static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 1);
+ const struct ovsdb_table_schema *ts = table->schema;
+ const struct ovsdb_datum *datum;
+ const struct ovsdb_row *perms;
+ struct rbac_mutate_cbdata rm;
+
+ if (!db->rbac_role || !role || *role == '\0') {
+ return true;
+ }
+ if (!id) {
+ goto denied;
+ }
+
+ perms = ovsdb_rbac_lookup_perms(db, role, ts->name);
+
+ if (!perms) {
+ goto denied;
+ }
+
+ datum = ovsdb_util_get_datum(CONST_CAST(struct ovsdb_row *, perms),
+ "update",
+ OVSDB_TYPE_STRING, OVSDB_TYPE_VOID, UINT_MAX);
+
+ if (!datum) {
+ VLOG_INFO_RL(&rl, "ovsdb_rbac_mutate: could not read \"update\" "
+ "column");
+ goto denied;
+ }
+
+ rm.table = table;
+ rm.mutations = mutations;
+ rm.role = role;
+ rm.id = id;
+ rm.perms = perms;
+ rm.modifiable = datum;
+ rm.permitted = true;
+
+ ovsdb_query(table, condition, rbac_mutate_cb, &rm);
+
+ if (rm.permitted) {
+ return true;
+ }
+
+denied:
+ return false;
+}
new file mode 100644
@@ -0,0 +1,38 @@
+/*
+ * Copyright (c) 2017 Red Hat, Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef OVSDB_RBAC_H
+#define OVSDB_RBAC_H 1
+struct ovsdb_mutation_set;
+
+bool ovsdb_rbac_insert(const struct ovsdb *,
+ const struct ovsdb_table *,
+ const char *, const char *);
+bool ovsdb_rbac_delete(const struct ovsdb *,
+ struct ovsdb_table *table,
+ struct ovsdb_condition *condition,
+ const char *role, const char *id);
+bool ovsdb_rbac_update(const struct ovsdb *,
+ struct ovsdb_table *table,
+ struct ovsdb_column_set *columns,
+ struct ovsdb_condition *condition,
+ const char *role, const char *id);
+bool ovsdb_rbac_mutate(const struct ovsdb *,
+ struct ovsdb_table *table,
+ struct ovsdb_mutation_set *mutations,
+ struct ovsdb_condition *condition,
+ const char *role, const char *id);
+#endif /* ovsdb/rbac.h */
@@ -32,7 +32,8 @@ void
ovsdb_trigger_init(struct ovsdb_session *session, struct ovsdb *db,
struct ovsdb_trigger *trigger,
struct json *request, long long int now,
- bool read_only)
+ bool read_only, const char *role,
+ const char *id)
{
trigger->session = session;
trigger->db = db;
@@ -42,6 +43,8 @@ ovsdb_trigger_init(struct ovsdb_session *session, struct ovsdb *db,
trigger->created = now;
trigger->timeout_msec = LLONG_MAX;
trigger->read_only = read_only;
+ trigger->role = role ? xstrdup(role): NULL;
+ trigger->id = id ? xstrdup(id): NULL;
ovsdb_trigger_try(trigger, now);
}
@@ -51,6 +54,8 @@ ovsdb_trigger_destroy(struct ovsdb_trigger *trigger)
ovs_list_remove(&trigger->node);
json_destroy(trigger->request);
json_destroy(trigger->result);
+ free(trigger->role);
+ free(trigger->id);
}
bool
@@ -114,6 +119,7 @@ ovsdb_trigger_try(struct ovsdb_trigger *t, long long int now)
{
t->result = ovsdb_execute(t->db, t->session,
t->request, t->read_only,
+ t->role, t->id,
now - t->created, &t->timeout_msec);
if (t->result) {
ovsdb_trigger_complete(t);
@@ -30,12 +30,15 @@ struct ovsdb_trigger {
long long int created; /* Time created. */
long long int timeout_msec; /* Max wait duration. */
bool read_only; /* Database is in read only mode. */
+ char *role; /* Role, for role-based access controls. */
+ char *id; /* ID, for role-based access controls. */
};
void ovsdb_trigger_init(struct ovsdb_session *, struct ovsdb *,
struct ovsdb_trigger *,
struct json *request, long long int now,
- bool read_only);
+ bool read_only, const char *role,
+ const char *id);
void ovsdb_trigger_destroy(struct ovsdb_trigger *);
bool ovsdb_trigger_is_complete(const struct ovsdb_trigger *);
@@ -82,6 +82,7 @@ TESTSUITE_AT = \
tests/ovsdb-monitor.at \
tests/ovsdb-idl.at \
tests/ovsdb-lock.at \
+ tests/ovsdb-rbac.at \
tests/ovs-vsctl.at \
tests/ovs-xapi-sync.at \
tests/stp.at \
new file mode 100644
@@ -0,0 +1,252 @@
+AT_BANNER([OVSDB -- ovsdb-server rbac])
+
+AT_SETUP([ovsdb-server/rbac 2])
+AT_KEYWORDS([ovsdb server rbac])
+AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
+
+RBAC_PKIDIR="$(pwd)"
+RBAC_PKI="sh $abs_top_srcdir/utilities/ovs-pki.in --dir=$RBAC_PKIDIR/pki --log=$RBAC_PKIDIR/rbac-pki.log"
+$RBAC_PKI -B 1024 init
+$RBAC_PKI -B 1024 req+sign ovsdb-server switch
+$RBAC_PKI -B 1024 -u req+sign client-1 switch
+$RBAC_PKI -B 1024 -u req+sign client-2 switch
+
+AT_DATA([schema],
+ [[{"name": "mydb",
+ "tables": {
+ "Root": {
+ "columns": {
+ "connections": {
+ "type": {
+ "key": {"type": "uuid", "refTable": "Connection"},
+ "min": 0,
+ "max": "unlimited"}}},
+ "isRoot": true},
+ "Connection": {
+ "columns": {
+ "target": {
+ "type": "string"},
+ "role": {
+ "type": "string"}}},
+ "RBAC_Role": {
+ "columns": {
+ "name": {"type": "string"},
+ "permissions": {
+ "type": {"key": {"type": "string"},
+ "value": {"type": "uuid",
+ "refTable": "RBAC_Permission",
+ "refType": "weak"},
+ "min": 0, "max": "unlimited"}}},
+ "isRoot": true},
+ "RBAC_Permission": {
+ "columns": {
+ "table": {"type": "string"},
+ "authorization": {"type": {"key": "string",
+ "min": 0,
+ "max": "unlimited"}},
+ "insert_delete": {"type": "boolean"},
+ "update" : {"type": {"key": "string",
+ "min": 0,
+ "max": "unlimited"}}},
+ "isRoot": true},
+ "fixed_colors": {
+ "columns": {
+ "name": {"type": "string"},
+ "value": {"type": "integer"}},
+ "indexes": [["name"]],
+ "isRoot": true},
+ "user_colors": {
+ "columns": {
+ "creator": {"type": "string"},
+ "name": {"type": "string"},
+ "value": {"type": "integer"}},
+ "indexes": [["name"]],
+ "isRoot": true}
+ },
+ "version": "5.1.3",
+ "cksum": "12345678 9"
+}
+]])
+
+AT_CHECK([ovsdb-tool create db schema], [0], [ignore], [ignore])
+AT_CHECK(
+ [[ovsdb-tool transact db \
+ '["mydb",
+ {"op": "insert",
+ "table": "Root",
+ "row": {
+ "connections": ["set", [["named-uuid", "x"]]]}},
+ {"op": "insert",
+ "table": "Connection",
+ "uuid-name": "x",
+ "row": {"target": "pssl:0:127.0.0.1",
+ "role": "testrole"}},
+ {"op": "insert",
+ "table": "fixed_colors",
+ "row": {"name": "red",
+ "value": '16711680'}},
+ {"op": "insert",
+ "table": "RBAC_Role",
+ "row": {"name": "testrole",
+ "permissions": ["map", [["user_colors", ["named-uuid", "y"]]]]}},
+ {"op": "insert",
+ "table": "RBAC_Permission",
+ "uuid-name": "y",
+ "row": {"authorization": "creator",
+ "insert_delete": true,
+ "table": "fixed_colors",
+ "update": ["set", ["name", "value"]]}}
+]']], [0], [ignore], [ignore])
+
+AT_CHECK([ovsdb-server --log-file --detach --no-chdir --pidfile --remote=db:mydb,Root,connections \
+ --private-key=$RBAC_PKIDIR/ovsdb-server-privkey.pem \
+ --certificate=$RBAC_PKIDIR/ovsdb-server-cert.pem \
+ --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
+ db], [0], [ignore], [ignore])
+PARSE_LISTENING_PORT([ovsdb-server.log], [SSL_PORT])
+
+# Test 1:
+# Attempt to insert a row into the "fixed_colors" table. This should
+# fail as there are no permissions for role "testrole" for this table.
+AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
+ --private-key=$RBAC_PKIDIR/client-1-privkey.pem \
+ --certificate=$RBAC_PKIDIR/client-1-cert.pem \
+ --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
+ ['["mydb",
+ {"op": "insert",
+ "table": "fixed_colors",
+ "row": {"name": "chartreuse", "value": '8388352'}}
+ ]']], [0], [stdout], [ignore])
+cat stdout >> output
+AT_CHECK([${PERL} $srcdir/uuidfilt.pl stdout], [0], [[[{"details":"RBAC rules for client \"client-1\" role \"testrole\" prohibit row insertion into table \"fixed_colors\".","error":"permission error"}]]
+], [ignore])
+
+# Test 2:
+# Attempt to insert a row into the "user_colors" table. This should
+# succeed since role "testrole" has permissions for this table that
+# allow row insertion.
+AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
+ --private-key=$RBAC_PKIDIR/client-1-privkey.pem \
+ --certificate=$RBAC_PKIDIR/client-1-cert.pem \
+ --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
+ ['["mydb",
+ {"op": "insert",
+ "table": "user_colors",
+ "row": {"creator": "client-1", "name": "chartreuse", "value": '8388352'}}
+ ]']], [0], [stdout], [ignore])
+cat stdout >> output
+AT_CHECK([${PERL} $srcdir/uuidfilt.pl stdout], [0], [[[{"uuid":["uuid","<0>"]}]]
+], [ignore])
+
+# Test 3:
+# Attempt to update a column in the "user_colors" table. This should
+# succeed since role "testrole" has permissions for this table that
+# allow update of the "value" column when ID is equal to the value in
+# the "creator" column.
+AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
+ --private-key=$RBAC_PKIDIR/client-1-privkey.pem \
+ --certificate=$RBAC_PKIDIR/client-1-cert.pem \
+ --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
+ ['["mydb",
+ {"op": "update",
+ "table": "user_colors",
+ "where": [["name", "==", "chartreuse"]],
+ "row": {"value": '8388353'}}
+ ]']], [0], [stdout], [ignore])
+cat stdout >> output
+AT_CHECK([${PERL} $srcdir/uuidfilt.pl stdout], [0], [[[{"count":1}]]
+], [ignore])
+
+# Test 4:
+# Attempt to update a column in the "user_colors" table. Same as
+# previous test, but with a different client ID. This should fail
+# the RBAC authorization test because "client-2" does not match the
+# "creator" column for this row.
+AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
+ --private-key=$RBAC_PKIDIR/client-2-privkey.pem \
+ --certificate=$RBAC_PKIDIR/client-2-cert.pem \
+ --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
+ ['["mydb",
+ {"op": "update",
+ "table": "user_colors",
+ "where": [["name", "==", "chartreuse"]],
+ "row": {"value": '8388354'}}
+ ]']], [0], [stdout], [ignore])
+cat stdout >> output
+AT_CHECK([${PERL} $srcdir/uuidfilt.pl stdout], [0], [[[{"details":"RBAC rules for client \"client-2\" role \"testrole\" prohibit modification of table \"user_colors\".","error":"permission error"}]]
+], [ignore])
+
+# Test 5:
+# Attempt to mutate a column in the "user_colors" table. This should
+# succeed since role "testrole" has permissions for this table that
+# allow update of the "value" column when ID is equal to the value in
+# the "creator" column.
+AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
+ --private-key=$RBAC_PKIDIR/client-1-privkey.pem \
+ --certificate=$RBAC_PKIDIR/client-1-cert.pem \
+ --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
+ ['["mydb",
+ {"op": "mutate",
+ "table": "user_colors",
+ "where": [["name", "==", "chartreuse"]],
+ "mutations": [["value", "+=", '10']]}
+ ]']], [0], [stdout], [ignore])
+cat stdout >> output
+AT_CHECK([${PERL} $srcdir/uuidfilt.pl stdout], [0], [[[{"count":1}]]
+], [ignore])
+
+# Test 6:
+# Attempt to mutate a column in the "user_colors" table. Same as
+# previous test, but with a different client ID. This should fail
+# the RBAC authorization test because "client-2" does not match the
+# "creator" column for this row.
+AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
+ --private-key=$RBAC_PKIDIR/client-2-privkey.pem \
+ --certificate=$RBAC_PKIDIR/client-2-cert.pem \
+ --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
+ ['["mydb",
+ {"op": "mutate",
+ "table": "user_colors",
+ "where": [["name", "==", "chartreuse"]],
+ "mutations": [["value", "+=", '10']]}
+ ]']], [0], [stdout], [ignore])
+cat stdout >> output
+AT_CHECK([${PERL} $srcdir/uuidfilt.pl stdout], [0], [[[{"details":"RBAC rules for client \"client-2\" role \"testrole\" prohibit mutate operation on table \"user_colors\".","error":"permission error"}]]
+], [ignore])
+
+# Test 7:
+# Attempt to delete a row from the "user_colors" table. This should fail
+# the RBAC authorization test because "client-2" does not match the
+# "creator" column for this row.
+AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
+ --private-key=$RBAC_PKIDIR/client-2-privkey.pem \
+ --certificate=$RBAC_PKIDIR/client-2-cert.pem \
+ --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
+ ['["mydb",
+ {"op": "delete",
+ "table": "user_colors",
+ "where": [["name", "==", "chartreuse"]]}
+ ]']], [0], [stdout], [ignore])
+cat stdout >> output
+AT_CHECK([${PERL} $srcdir/uuidfilt.pl stdout], [0], [[[{"details":"RBAC rules for client \"client-2\" role \"testrole\" prohibit row deletion from table \"user_colors\".","error":"permission error"}]]
+], [ignore])
+
+# Test 8:
+# Attempt to delete a row from the "user_colors" table. This should pass
+# the RBAC authorization test because "client-1" does matches the
+# "creator" column for this row.
+AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
+ --private-key=$RBAC_PKIDIR/client-1-privkey.pem \
+ --certificate=$RBAC_PKIDIR/client-1-cert.pem \
+ --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
+ ['["mydb",
+ {"op": "delete",
+ "table": "user_colors",
+ "where": [["name", "==", "chartreuse"]]}
+ ]']], [0], [stdout], [ignore])
+cat stdout >> output
+AT_CHECK([${PERL} $srcdir/uuidfilt.pl stdout], [0], [[[{"count":1}]]
+], [ignore])
+
+OVSDB_SERVER_SHUTDOWN
+AT_CLEANUP
@@ -148,3 +148,4 @@ m4_include([tests/ovsdb-server.at])
m4_include([tests/ovsdb-monitor.at])
m4_include([tests/ovsdb-idl.at])
m4_include([tests/ovsdb-lock.at])
+m4_include([tests/ovsdb-rbac.at])
@@ -1435,7 +1435,7 @@ do_execute__(struct ovs_cmdl_context *ctx, bool ro)
char *s;
params = parse_json(ctx->argv[i]);
- result = ovsdb_execute(db, NULL, params, ro, 0, NULL);
+ result = ovsdb_execute(db, NULL, params, ro, NULL, NULL, 0, NULL);
s = json_to_string(result, JSSF_SORT);
printf("%s\n", s);
free(s);
@@ -1513,7 +1513,8 @@ do_trigger(struct ovs_cmdl_context *ctx)
json_destroy(params);
} else {
struct test_trigger *t = xmalloc(sizeof *t);
- ovsdb_trigger_init(&session, db, &t->trigger, params, now, false);
+ ovsdb_trigger_init(&session, db, &t->trigger, params, now, false,
+ NULL, NULL);
t->number = number++;
if (ovsdb_trigger_is_complete(&t->trigger)) {
do_trigger_dump(t, now, "immediate");
Add suport for ovsdb RBAC (role-based access control). This includes: - Support for "RBAC_Role" table, db containing a table by this name will enable role-based access controls and use this table for RBAC role configuration. This table has one row per role, with each row having a "name" column (role name) and a "permissions" column (map of table name to UUID of row in separate permission table.) The permission table has one row per access control configuration, with columns: "name" - name of table to which this row applies "authorization" - set of column names and column:key pairs to be compared against client ID to determine authorization status "insert_delete" - boolean, true if insertions and authorized deletions are allowed. "update" - Set of columns and column:key pairs for which authorized updates are allowed. - Support for a new "role" column in the remote configuration table. - Logic for applying the RBAC role and permission tables, in combination with session role and client id, to determine whether operations modifying database contents should be permitted. Signed-off-by: Lance Richardson <lrichard@redhat.com> --- v2: - Added ovsdb_perm_error() to format permission error strings. - Re-implemented RBAC enforcing code to apply RBAC rules to entire delete/update/mutate operation before applying any changes to avoid partial updates. - Implemented basic unit tests for RBAC enforcement. v3: Eliminated "--rbac=" command-line option to ovsdb-server. Now the table named "RBAC_Role" (if present) will be used as the RBAC role table. lib/jsonrpc.c | 10 ++ lib/jsonrpc.h | 2 + lib/ovsdb-error.c | 13 ++ lib/ovsdb-error.h | 4 + ovsdb/automake.mk | 2 + ovsdb/execution.c | 43 ++++- ovsdb/jsonrpc-server.c | 6 +- ovsdb/jsonrpc-server.h | 1 + ovsdb/ovsdb-server.c | 7 +- ovsdb/ovsdb-tool.c | 2 +- ovsdb/ovsdb-util.c | 38 +++++ ovsdb/ovsdb-util.h | 4 + ovsdb/ovsdb.c | 3 + ovsdb/ovsdb.h | 3 + ovsdb/rbac.c | 443 +++++++++++++++++++++++++++++++++++++++++++++++++ ovsdb/rbac.h | 38 +++++ ovsdb/trigger.c | 8 +- ovsdb/trigger.h | 5 +- tests/automake.mk | 1 + tests/ovsdb-rbac.at | 252 ++++++++++++++++++++++++++++ tests/ovsdb.at | 1 + tests/test-ovsdb.c | 5 +- 22 files changed, 881 insertions(+), 10 deletions(-) create mode 100644 ovsdb/rbac.c create mode 100644 ovsdb/rbac.h create mode 100644 tests/ovsdb-rbac.at