From patchwork Fri Dec 2 16:21:45 2022
X-Patchwork-Submitter: Frode Nordahl
X-Patchwork-Id: 1711481
From: Frode Nordahl
To: dev@openvswitch.org
Date: Fri, 2 Dec 2022 17:21:45 +0100
Message-Id: <20221202162145.1870691-1-frode.nordahl@canonical.com>
X-Mailer: git-send-email 2.37.2
Subject: [ovs-dev] [PATCH ovn] northd: Add missing RBAC rules for BFD table.

If an OVN deployment has OVN RBAC enabled for the southbound database,
enabling BFD would lead to permission errors.

The data in the entries in the BFD table do not belong to any given
chassis and no column can provide authentication, but the rules still
need to be there for successful operation.

Fixes: 117203584d98 ("controller: introduce BFD tx path in ovn-controller.")
Reported-at: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1995771
Signed-off-by: Frode Nordahl
---
 northd/ovn-northd.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index 965353cd7..89d8c7172 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -125,6 +125,11 @@ static const char *rbac_igmp_group_auth[] = {""}; static const char *rbac_igmp_group_update[] = {"address", "chassis", "datapath", "ports"}; +static const char *rbac_bfd_auth[] = + {""}; +static const char *rbac_bfd_update[] = + {"src_port", "disc", "logical_port", "dst_ip", "min_tx", "min_rx", + "detect_mult", "status", "external_ids", "options"}; static struct rbac_perm_cfg { const char *table; @@ -207,6 +212,14 @@ static struct rbac_perm_cfg { .update = rbac_igmp_group_update, .n_update = ARRAY_SIZE(rbac_igmp_group_update), .row = NULL + },{ + .table = "BFD", + .auth = rbac_bfd_auth, + .n_auth = ARRAY_SIZE(rbac_bfd_auth), + .insdel = true, + .update = rbac_bfd_update, + .n_update = ARRAY_SIZE(rbac_bfd_update), + .row = NULL },{ .table = NULL, .auth = NULL,
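
Review bot: In the first hunk (@@ -125,6 +125,11 @@), rbac_bfd_auth is {""} while rbac_bfd_update opens ten columns for update, among them "dst_ip", "min_tx", "min_rx" and "detect_mult", so no column ties an update to the chassis that makes it. The reason for the empty auth entry is stated only in the commit message; a short comment above rbac_bfd_auth saying that BFD rows do not belong to any given chassis would keep that rationale next to the code. If ovn-controller only needs to write some of these columns, listing just that subset in rbac_bfd_update would narrow what a client holding the role can change.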
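
Review bot: In the second hunk (@@ -207,6 +212,14 @@), .insdel = true on the new "BFD" entry, together with the empty rbac_bfd_auth and .row = NULL, permits inserting and deleting BFD rows with no per-chassis check. Please confirm that ovn-controller has to insert or delete rows in this table, and set .insdel = false if it only updates existing ones. The diffstat shows northd/ovn-northd.c as the only file changed, so a test that enables BFD with southbound RBAC turned on would be worth adding to cover the permission errors this patch fixes.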