From patchwork Tue Jan 30 21:08:05 2024
X-Patchwork-Submitter: Mark Michelson
X-Patchwork-Id: 1893112
From: Mark Michelson
To: dev@openvswitch.org
Date: Tue, 30 Jan 2024 16:08:05 -0500
Message-ID: <20240130210810.548338-3-mmichels@redhat.com>
In-Reply-To: <20240130210810.548338-1-mmichels@redhat.com>
References: <20240130210810.548338-1-mmichels@redhat.com>
Subject: [ovs-dev] [PATCH ovn v2 3/3] rbac: Only allow relevant chassis to update BFD.

This adds a new "chassis_name" column to the BFD table. ovn-northd sets this to the logical port's chassis name when creating the BFD record. RBAC has been updated so that chassis may only update their own records.

Signed-off-by: Mark Michelson
Acked-by: Ales Musil
---
v1 -> v2:
* Rebased on current main
---
 northd/northd.c | 9 ++++++++-
 northd/ovn-northd.c | 2 +-
 ovn-sb.ovsschema | 7 ++++---
 ovn-sb.xml | 4 ++++
 4 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/northd/northd.c b/northd/northd.c index 2a2fab231..51622c302 100644 --- a/northd/northd.c +++ b/northd/northd.c 
@@ -10912,6 +10912,7 @@ build_bfd_table(struct ovsdb_idl_txn *ovnsb_txn, nbrec_bfd_set_status(nb_bt, "admin_down"); } + struct ovn_port *op = ovn_port_find(lr_ports, nb_bt->logical_port); bfd_e = bfd_port_lookup(&sb_only, nb_bt->logical_port, nb_bt->dst_ip); if (!bfd_e) { int udp_src = bfd_get_unused_port(bfd_src_ports); @@ -10925,6 +10926,9 @@ build_bfd_table(struct ovsdb_idl_txn *ovnsb_txn, sbrec_bfd_set_disc(sb_bt, 1 + random_uint32()); sbrec_bfd_set_src_port(sb_bt, udp_src); sbrec_bfd_set_status(sb_bt, nb_bt->status); + if (op && op->sb && op->sb->chassis) { + sbrec_bfd_set_chassis_name(sb_bt, op->sb->chassis->name); + } int min_tx = nb_bt->n_min_tx ? nb_bt->min_tx[0] : BFD_DEF_MINTX; sbrec_bfd_set_min_tx(sb_bt, min_tx); @@ -10943,6 +10947,10 @@ build_bfd_table(struct ovsdb_idl_txn *ovnsb_txn, } } build_bfd_update_sb_conf(nb_bt, bfd_e->sb_bt); + if (op && op->sb && op->sb->chassis && + strcmp(op->sb->chassis->name, sb_bt->chassis_name)) { + sbrec_bfd_set_chassis_name(sb_bt, op->sb->chassis->name); + } hmap_remove(&sb_only, &bfd_e->hmap_node); bfd_e->ref = false; @@ -10951,7 +10959,6 @@ build_bfd_table(struct ovsdb_idl_txn *ovnsb_txn, hmap_insert(bfd_connections, &bfd_e->hmap_node, hash); } - struct ovn_port *op = ovn_port_find(lr_ports, nb_bt->logical_port); if (op) { op->has_bfd = true; } diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index 90a6d62b1..fdd5939e5 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -122,7 +122,7 @@ static const char *rbac_igmp_group_auth[] = static const char *rbac_igmp_group_update[] = {"address", "chassis", "datapath", "ports"}; static const char *rbac_bfd_auth[] = - {""}; + {"chassis_name"}; static const char *rbac_bfd_update[] = {"status"}; diff --git a/ovn-sb.ovsschema b/ovn-sb.ovsschema index b42f18b04..84ae09515 100644 --- a/ovn-sb.ovsschema +++ b/ovn-sb.ovsschema 
@@ -1,7 +1,7 @@ { "name": "OVN_Southbound", - "version": "20.32.0", - "cksum": "1262133774 31276", + "version": "20.33.0", + "cksum": "4076371179 31328", "tables": { "SB_Global": { "columns": { @@ -578,7 +578,8 @@ "min": 0, "max": "unlimited"}}, "options": { "type": {"key": "string", "value": "string", - "min": 0, "max": "unlimited"}}}, + "min": 0, "max": "unlimited"}}, + "chassis_name": {"type": "string"}}, "indexes": [["logical_port", "dst_ip", "src_port", "disc"]], "isRoot": true}, "FDB": { diff --git a/ovn-sb.xml b/ovn-sb.xml index 2de7228e7..1b18a27a0 100644 --- a/ovn-sb.xml +++ b/ovn-sb.xml @@ -4989,6 +4989,10 @@ tcp.flags = RST; receiving system in Asynchronous mode. + + The name of the chassis where the logical port is bound. + + Reserved for future use.
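
Review bot: In the northd/northd.c hunk at @@ -10943, the added check reads and writes `sb_bt`, while the line directly above it operates on `bfd_e->sb_bt`, the row returned by bfd_port_lookup(). This code runs where bfd_e is non-NULL, so unless sb_bt is guaranteed to point at that same row here, the strcmp() compares against sb_bt->chassis_name from a different or unset record; use bfd_e->sb_bt in both the comparison and the sbrec_bfd_set_chassis_name() call. The same condition also never resets chassis_name once op->sb->chassis becomes NULL, so a chassis that no longer hosts the port keeps matching the RBAC authorization column; consider clearing the column in that case.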
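
Review bot: In the northd/ovn-northd.c hunk, rbac_bfd_auth now names chassis_name, but both northd.c hunks set that column only when `op && op->sb && op->sb->chassis` holds, so a BFD row for a port that is not bound yet keeps the schema default value. Please state in the commit message or a comment which client, if any, may update status on such a row and at what point northd fills the value in. The diffstat touches no test file; a test in which one chassis attempts to update the status of a BFD row owned by another chassis would pin the intended restriction.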
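
Review bot: In the ovn-sb.ovsschema hunk at @@ -578, "chassis_name": {"type": "string"} declares a mandatory column, so every row northd does not populate carries an empty string rather than an absent value. If "no owning chassis" is a state the RBAC check has to handle, an optional column ("min": 0, "max": 1) would make it explicit; otherwise document that the empty string means the row is not yet attributed to a chassis.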
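
Review bot: In the ovn-sb.xml hunk at @@ -4989, the new column text says only that the value is the chassis where the logical port is bound. It should also say that ovn-northd maintains the column, that RBAC uses it to decide which chassis may update the row, and what an empty value means for that decision.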