Message ID | 20221206145206.4113681-1-frode.nordahl@canonical.com |
---|---|
State | Accepted |
Series | [ovs-dev,v2] northd: Add missing RBAC rules for BFD table. |

Context | Check | Description |
---|---|---|
ovsrobot/apply-robot | success | apply and check: success |
ovsrobot/github-robot-_Build_and_Test | success | github build: passed |
ovsrobot/github-robot-_ovn-kubernetes | success | github build: passed |

On 12/6/22 15:52, Frode Nordahl wrote:
> If an OVN deployment has OVN RBAC enabled for the southbound
> database, enabling BFD would lead to permission errors.
>
> The data in the entries in the BFD table do not belong to any
> given chassis and no column can provide authentication, but the
> rules still need to be there for successful operation.
>
> Fixes: 117203584d98 ("controller: introduce BFD tx path in ovn-controller.")
> Reported-at: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1995771
> Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com>
> ---

Looks good to me, thanks!

Acked-by: Dumitru Ceara <dceara@redhat.com>

On Tue, Dec 6, 2022 at 9:56 AM Dumitru Ceara <dceara@redhat.com> wrote:
>
> On 12/6/22 15:52, Frode Nordahl wrote:
> > If an OVN deployment has OVN RBAC enabled for the southbound
> > database, enabling BFD would lead to permission errors.
> >
> > The data in the entries in the BFD table do not belong to any
> > given chassis and no column can provide authentication, but the
> > rules still need to be there for successful operation.
> >
> > Fixes: 117203584d98 ("controller: introduce BFD tx path in ovn-controller.")
> > Reported-at: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1995771
> > Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com>
> > ---
>
> Looks good to me, thanks!
>
> Acked-by: Dumitru Ceara <dceara@redhat.com>

Thanks, applied to main and branch-22.12.
I'll backport until 22.03 soon.

Thanks
Numan

diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index 965353cd7..82d2874d6 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -125,6 +125,10 @@ static const char *rbac_igmp_group_auth[] = {""}; static const char *rbac_igmp_group_update[] = {"address", "chassis", "datapath", "ports"}; +static const char *rbac_bfd_auth[] = + {""}; +static const char *rbac_bfd_update[] = + {"status"}; static struct rbac_perm_cfg { const char *table; @@ -207,6 +211,14 @@ static struct rbac_perm_cfg { .update = rbac_igmp_group_update, .n_update = ARRAY_SIZE(rbac_igmp_group_update), .row = NULL + },{ + .table = "BFD", + .auth = rbac_bfd_auth, + .n_auth = ARRAY_SIZE(rbac_bfd_auth), + .insdel = false, + .update = rbac_bfd_update, + .n_update = ARRAY_SIZE(rbac_bfd_update), + .row = NULL },{ .table = NULL, .auth = NULL,
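
Review bot: `rbac_bfd_auth` is `{""}` in the first hunk, so the new `status` update permission is not bound to any chassis column, and nothing in the code says why. The commit message explains that BFD rows do not belong to a given chassis and no column can provide authentication; a short comment above `rbac_bfd_auth` carrying that reasoning would keep a later reader from treating the empty auth list as an oversight, and would signal that `rbac_bfd_update` should stay as narrow as `{"status"}`.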
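
Review bot: The new `.table = "BFD"` entry in the second hunk comes without a test: the diffstat lists only northd/ovn-northd.c, so nothing exercises BFD with RBAC enabled on the southbound database, which is the case the commit message says produced permission errors. Consider adding a test that enables RBAC and BFD together and checks that the status update succeeds, and that confirms `.insdel = false` with `"status"` as the only updatable column covers everything the controller writes to this table.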

If an OVN deployment has OVN RBAC enabled for the southbound
database, enabling BFD would lead to permission errors.

The data in the entries in the BFD table do not belong to any
given chassis and no column can provide authentication, but the
rules still need to be there for successful operation.

Fixes: 117203584d98 ("controller: introduce BFD tx path in ovn-controller.")
Reported-at: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1995771
Signed-off-by: Frode Nordahl <frode.nordahl@canonical.com>
---
 northd/ovn-northd.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)