Message ID | 1599497925-2680-1-git-send-email-dceara@redhat.com |
---|---|
State | Accepted |
Series | [ovs-dev] ovn-northd: Fix chassis/chassis_private RBAC. |
On Mon, Sep 7, 2020 at 10:29 PM Dumitru Ceara <dceara@redhat.com> wrote:
> Steps to reproduce the issue:
>
> $ make sandbox
> $ ovs-vsctl set open . external_ids:system-id=new-chassis
>
> Fixes: 94a32fca2d2b ("chassis: Fix the way encaps are updated for a
> chassis record.")
> Fixes: 5344f24ecb1a ("ovn-controller: Refactor chassis.c to abstract the
> string parsing")
> Signed-off-by: Dumitru Ceara <dceara@redhat.com>
>

Hi Dumitru,

I applied this patch to master. Earlier after running "make sandbox",
ovn-controller was not able to create a chassis row. This is fixed now.

However after applying, I just noticed that when I run the below 2
commands, the second one fails:

ovs-vsctl set open . external_ids:system-id=ch-1
ovs-vsctl set open . external_ids:system-id=ch-2

***
2020-09-08T07:50:20.385Z|00022|ovsdb_idl|WARN|transaction error: {"details":"RBAC rules for client \"chassis-1\" role \"ovn-controller\" prohibit modification of table \"Encap\".","error":"permission error"}
2020-09-08T07:50:32.260Z|00023|ovsdb_idl|WARN|transaction error: {"details":"RBAC rules for client \"chassis-1\" role \"ovn-controller\" prohibit modification of table \"Chassis\".","error":"permission error"}
***

Thanks
Numan

> ---
> northd/ovn-northd.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
> index 3de7161..6927934 100644
> --- a/northd/ovn-northd.c
> +++ b/northd/ovn-northd.c
> @@ -12034,17 +12034,17 @@ static const char *rbac_chassis_auth[] = > {"name"}; > static const char *rbac_chassis_update[] = > {"nb_cfg", "external_ids", "encaps", "vtep_logical_switches", > - "other_config"}; > + "other_config", "name"}; > > static const char *rbac_chassis_private_auth[] = > {"name"}; > static const char *rbac_chassis_private_update[] = > - {"nb_cfg", "chassis"}; > + {"nb_cfg", "chassis", "name"}; > > static const char *rbac_encap_auth[] = > {"chassis_name"}; > static const char *rbac_encap_update[] = > - {"type", "options", "ip"}; > + {"type", "options", "ip", "chassis_name"}; > > static const char *rbac_port_binding_auth[] = > {""}; > -- > 1.8.3.1 > > _______________________________________________ > dev mailing list > dev@openvswitch.org > https://mail.openvswitch.org/mailman/listinfo/ovs-dev > >
On 9/8/20 9:53 AM, Numan Siddique wrote:
>
>
> On Mon, Sep 7, 2020 at 10:29 PM Dumitru Ceara <dceara@redhat.com> wrote:
>
>     Steps to reproduce the issue:
>
>     $ make sandbox
>     $ ovs-vsctl set open . external_ids:system-id=new-chassis
>
>     Fixes: 94a32fca2d2b ("chassis: Fix the way encaps are updated for a
>     chassis record.")
>     Fixes: 5344f24ecb1a ("ovn-controller: Refactor chassis.c to abstract
>     the string parsing")
>     Signed-off-by: Dumitru Ceara <dceara@redhat.com>
>
>
> Hi Dumitru,
>
> I applied this patch to master. Earlier after running "make sandbox",
> ovn-controller was not able to create a chassis row. This is fixed now.
>
> However after applying, I just noticed that when I run the below 2
> commands, the second one fails
>
> ovs-vsctl set open . external_ids:system-id=ch-1
> ovs-vsctl set open . external_ids:system-id=ch-2
>
> ***
> 2020-09-08T07:50:20.385Z|00022|ovsdb_idl|WARN|transaction error:
> {"details":"RBAC rules for client \"chassis-1\" role \"ovn-controller\"
> prohibit modification of table \"Encap\".","error":"permission error"}
> 2020-09-08T07:50:32.260Z|00023|ovsdb_idl|WARN|transaction error:
> {"details":"RBAC rules for client \"chassis-1\" role \"ovn-controller\"
> prohibit modification of table \"Chassis\".","error":"permission error"}
> ***
>
> Thanks
> Numan
>

Hi Numan,

As pointed out by Han on the other thread, changing system-id will not
work out of the box with RBAC enabled. The user will have to change SSL
certificates to match the new chassis-id. Old Chassis/Chassis_private
records will have to be manually deleted.

I'm not sure how we could fix this.

Regards,
Dumitru
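A small model of the RBAC check that the permission arrays in this patch configure, added here as an example (not OVS/OVN code): it assumes the rule that a table's authorization column must equal the client's certificate name and that every changed column must be in the update set, and replays the two situations from this thread: ovn-controller creating its own Chassis row, and a client whose certificate still says chassis-1 writing rows for ch-2. The table name Chassis_Private, the sample row contents and the "ovn-controller" role string in the error are taken from the page or constructed.

```python
# Simplified model of the OVSDB RBAC check applied to the permission
# arrays in this patch. Added example, not OVS/OVN code; the semantics
# of ovsdb-server's rbac.c are assumed as described in check().
from dataclasses import dataclass

@dataclass(frozen=True)
class Perm:
    auth: frozenset    # column whose value must equal the client's ID
    update: frozenset  # columns the "ovn-controller" role may write

def perm(auth, update):
    return Perm(frozenset(auth), frozenset(update))

# The "-" side of the hunk: the authorization columns are not writable.
BEFORE = {
    "Chassis": perm({"name"}, {"nb_cfg", "external_ids", "encaps",
                               "vtep_logical_switches", "other_config"}),
    "Chassis_Private": perm({"name"}, {"nb_cfg", "chassis"}),
    "Encap": perm({"chassis_name"}, {"type", "options", "ip"}),
}
# The "+" side: each table's authorization column joins its update set.
AFTER = {t: Perm(p.auth, p.update | p.auth) for t, p in BEFORE.items()}

def check(perms, table, client_id, old_row, new_row):
    """Return None if the write is allowed, else an ovsdb-style error.

    old_row is {} for an insert. Assumed rules: the authorization column
    must equal client_id in the existing row and in the result (so a
    client can neither touch nor take over another chassis's row), and
    every column whose value changes must be in the update set.
    """
    p = perms[table]
    deny = (f'RBAC rules for client "{client_id}" role "ovn-controller" '
            f'prohibit modification of table "{table}".')
    for row in (old_row, new_row):
        if row and not any(row.get(c) == client_id for c in p.auth):
            return deny
    changed = {c for c in new_row if new_row[c] != old_row.get(c)}
    return None if changed <= p.update else deny

def controller_creates_chassis(perms, client_id="chassis-1"):
    """ovn-controller inserting its own Chassis row (constructed sample)."""
    return check(perms, "Chassis", client_id, {},
                 {"name": client_id, "nb_cfg": 0, "encaps": ["encap-uuid"]})

def controller_after_system_id_change(perms):
    """Certificate still says chassis-1, but system-id was set to ch-2."""
    return check(perms, "Encap", "chassis-1", {},
                 {"chassis_name": "ch-2", "type": "geneve", "ip": "192.0.2.1"})
```

With BEFORE the insert is refused because "name" is written but not writable; with AFTER it passes, while the ch-2 rows are still refused because the certificate name no longer matches, which is the situation Dumitru describes.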
diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index 3de7161..6927934 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -12034,17 +12034,17 @@ static const char *rbac_chassis_auth[] = {"name"}; static const char *rbac_chassis_update[] = {"nb_cfg", "external_ids", "encaps", "vtep_logical_switches", - "other_config"}; + "other_config", "name"}; static const char *rbac_chassis_private_auth[] = {"name"}; static const char *rbac_chassis_private_update[] = - {"nb_cfg", "chassis"}; + {"nb_cfg", "chassis", "name"}; static const char *rbac_encap_auth[] = {"chassis_name"}; static const char *rbac_encap_update[] = - {"type", "options", "ip"}; + {"type", "options", "ip", "chassis_name"}; static const char *rbac_port_binding_auth[] = {""};
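Review bot: each of the three changed arrays adds the table's own authorization column ("name" for Chassis and Chassis_private, "chassis_name" for Encap) to the set of columns the ovn-controller role may write, and nothing in the file explains why; a one-line comment above rbac_chassis_update saying that the controller has to be able to write these columns when it creates its own rows (the failure in the reproduction steps) would stop a later reader from "cleaning up" the duplication between the *_auth and *_update lists. It would also be worth stating there that the row still has to match the client's certificate name, which is what rejects the second system-id change reported in this thread.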
Steps to reproduce the issue:

$ make sandbox
$ ovs-vsctl set open . external_ids:system-id=new-chassis

Fixes: 94a32fca2d2b ("chassis: Fix the way encaps are updated for a chassis record.")
Fixes: 5344f24ecb1a ("ovn-controller: Refactor chassis.c to abstract the string parsing")
Signed-off-by: Dumitru Ceara <dceara@redhat.com>
---
 northd/ovn-northd.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)