From patchwork Fri Jan 19 21:33:28 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Michelson X-Patchwork-Id: 1888675 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=Ut9Vgpg4; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=2605:bc80:3010::138; helo=smtp1.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=patchwork.ozlabs.org) Received: from smtp1.osuosl.org (smtp1.osuosl.org [IPv6:2605:bc80:3010::138]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4TGtCb05WLz1yWl for ; Sat, 20 Jan 2024 08:33:46 +1100 (AEDT) Received: from localhost (localhost [127.0.0.1]) by smtp1.osuosl.org (Postfix) with ESMTP id EC82683F3A; Fri, 19 Jan 2024 21:33:43 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org EC82683F3A Authentication-Results: smtp1.osuosl.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=Ut9Vgpg4 X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp1.osuosl.org ([127.0.0.1]) by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EjY0OgqiHnAE; Fri, 19 Jan 2024 21:33:42 +0000 (UTC) Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [140.211.9.56]) by smtp1.osuosl.org (Postfix) with ESMTPS id 6ED548264C; Fri, 19 Jan 2024 21:33:41 +0000 (UTC) DKIM-Filter: OpenDKIM Filter 
v2.11.0 smtp1.osuosl.org 6ED548264C Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id 4186EC0DD6; Fri, 19 Jan 2024 21:33:39 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@lists.linuxfoundation.org Received: from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137]) by lists.linuxfoundation.org (Postfix) with ESMTP id 8FDE6C0037 for ; Fri, 19 Jan 2024 21:33:37 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp4.osuosl.org (Postfix) with ESMTP id 5E9FA42191 for ; Fri, 19 Jan 2024 21:33:37 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 5E9FA42191 Authentication-Results: smtp4.osuosl.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=Ut9Vgpg4 X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp4.osuosl.org ([127.0.0.1]) by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2d9YdBR3c6nU for ; Fri, 19 Jan 2024 21:33:36 +0000 (UTC) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by smtp4.osuosl.org (Postfix) with ESMTPS id E61734218B for ; Fri, 19 Jan 2024 21:33:35 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org E61734218B DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1705700014; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=Z2yPorA1yFQnA6w/AE5292GgvgGl7exY5UcibpOrlSQ=; b=Ut9Vgpg4eesbd2OXIs+OaGWCSwM7b9ye8i1L35i/1EOMb0qTzd05evjTtHBZWnRf1CHb/8 U+olLTwLVbmQkW86ttZ4UkHFpXu3iopzvQGawz9oS5eWcPzMrCJheeTorj7kFq/3vVhpz2 ZBpdvmad8jzqbLSn62ZyeOjuLqcw4U4= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS 
(version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-441-_zdzvkAMMNqfGf9lWkpjFQ-1; Fri, 19 Jan 2024 16:33:32 -0500 X-MC-Unique: _zdzvkAMMNqfGf9lWkpjFQ-1 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.rdu2.redhat.com [10.11.54.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id A6FE2101A526 for ; Fri, 19 Jan 2024 21:33:32 +0000 (UTC) Received: from localhost.redhat.com (unknown [10.22.50.17]) by smtp.corp.redhat.com (Postfix) with ESMTP id 25C1C40D1B60 for ; Fri, 19 Jan 2024 21:33:32 +0000 (UTC) From: Mark Michelson To: dev@openvswitch.org Date: Fri, 19 Jan 2024 16:33:28 -0500 Message-Id: <20240119213331.454896-1-mmichels@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.2 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Subject: [ovs-dev] [PATCH ovn 1/4] rbac: MAC_Bindings can only be updated by the inserting chassis. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" With this change, a chassis may only update MAC Binding records that it has created. We achieve this by adding a "chassis_name" column to the MAC_Binding table, and having the chassis insert its name into this column when creating a new MAC_Binding. The "chassis_name" is now part of the rbac_auth structure for the MAC_Binding table. --- controller/pinctrl.c | 51 ++++++++++++++++++++++++++++++++------------ northd/ovn-northd.c | 2 +- ovn-sb.ovsschema | 7 +++--- ovn-sb.xml | 3 +++ 4 files changed, 45 insertions(+), 18 deletions(-) diff --git a/controller/pinctrl.c b/controller/pinctrl.c index 4992eab08..a00cdceea 100644 --- a/controller/pinctrl.c +++ b/controller/pinctrl.c 
@@ -180,6 +180,7 @@ struct pinctrl { bool mac_binding_can_timestamp; bool fdb_can_timestamp; bool dns_supports_ovn_owned; + bool mac_binding_has_chassis_name; }; static struct pinctrl pinctrl; @@ -204,7 +205,8 @@ static void run_put_mac_bindings( struct ovsdb_idl_txn *ovnsb_idl_txn, struct ovsdb_idl_index *sbrec_datapath_binding_by_key, struct ovsdb_idl_index *sbrec_port_binding_by_key, - struct ovsdb_idl_index *sbrec_mac_binding_by_lport_ip) + struct ovsdb_idl_index *sbrec_mac_binding_by_lport_ip, + const struct sbrec_chassis *chassis) OVS_REQUIRES(pinctrl_mutex); static void wait_put_mac_bindings(struct ovsdb_idl_txn *ovnsb_idl_txn); static void send_mac_binding_buffered_pkts(struct rconn *swconn) @@ -3591,6 +3593,13 @@ pinctrl_update(const struct ovsdb_idl *idl, const char *br_int_name) notify_pinctrl_handler(); } + bool mac_binding_has_chassis_name = + sbrec_server_has_mac_binding_table_col_chassis_name(idl); + if (mac_binding_has_chassis_name != pinctrl.mac_binding_has_chassis_name) { + pinctrl.mac_binding_has_chassis_name = mac_binding_has_chassis_name; + notify_pinctrl_handler(); + } + ovs_mutex_unlock(&pinctrl_mutex); } @@ -3621,7 +3630,8 @@ pinctrl_run(struct ovsdb_idl_txn *ovnsb_idl_txn, ovs_mutex_lock(&pinctrl_mutex); run_put_mac_bindings(ovnsb_idl_txn, sbrec_datapath_binding_by_key, sbrec_port_binding_by_key, - sbrec_mac_binding_by_lport_ip); + sbrec_mac_binding_by_lport_ip, + chassis); run_put_vport_bindings(ovnsb_idl_txn, sbrec_datapath_binding_by_key, sbrec_port_binding_by_key, chassis); send_garp_rarp_prepare(ovnsb_idl_txn, sbrec_port_binding_by_datapath, @@ -4285,7 +4295,8 @@ mac_binding_add_to_sb(struct ovsdb_idl_txn *ovnsb_idl_txn, const char *logical_port, const struct sbrec_datapath_binding *dp, struct eth_addr ea, const char *ip, - bool update_only) + bool update_only, + const struct sbrec_chassis *chassis) { /* Convert ethernet argument to string form for database. */ char mac_string[ETH_ADDR_STRLEN + 1]; 
@@ -4302,6 +4313,9 @@ mac_binding_add_to_sb(struct ovsdb_idl_txn *ovnsb_idl_txn, sbrec_mac_binding_set_logical_port(b, logical_port); sbrec_mac_binding_set_ip(b, ip); sbrec_mac_binding_set_datapath(b, dp); + if (pinctrl.mac_binding_has_chassis_name) { + sbrec_mac_binding_set_chassis_name(b, chassis->name); + } } if (strcmp(b->mac, mac_string)) { @@ -4323,7 +4337,8 @@ send_garp_locally(struct ovsdb_idl_txn *ovnsb_idl_txn, struct ovsdb_idl_index *sbrec_mac_binding_by_lport_ip, const struct hmap *local_datapaths, const struct sbrec_port_binding *in_pb, - struct eth_addr ea, ovs_be32 ip) + struct eth_addr ea, ovs_be32 ip, + const struct sbrec_chassis *chassis) { if (!ovnsb_idl_txn) { return; @@ -4351,7 +4366,7 @@ send_garp_locally(struct ovsdb_idl_txn *ovnsb_idl_txn, ip_format_masked(ip, OVS_BE32_MAX, &ip_s); mac_binding_add_to_sb(ovnsb_idl_txn, sbrec_mac_binding_by_lport_ip, remote->logical_port, remote->datapath, - ea, ds_cstr(&ip_s), update_only); + ea, ds_cstr(&ip_s), update_only, chassis); ds_destroy(&ip_s); } } @@ -4361,7 +4376,8 @@ run_put_mac_binding(struct ovsdb_idl_txn *ovnsb_idl_txn, struct ovsdb_idl_index *sbrec_datapath_binding_by_key, struct ovsdb_idl_index *sbrec_port_binding_by_key, struct ovsdb_idl_index *sbrec_mac_binding_by_lport_ip, - const struct mac_binding *mb) + const struct mac_binding *mb, + const struct sbrec_chassis *chassis) { /* Convert logical datapath and logical port key into lport. */ const struct sbrec_port_binding *pb = lport_lookup_by_key( @@ -4384,7 +4400,7 @@ run_put_mac_binding(struct ovsdb_idl_txn *ovnsb_idl_txn, ipv6_format_mapped(&mb->ip, &ip_s); mac_binding_add_to_sb(ovnsb_idl_txn, sbrec_mac_binding_by_lport_ip, pb->logical_port, pb->datapath, mb->mac, - ds_cstr(&ip_s), false); + ds_cstr(&ip_s), false, chassis); ds_destroy(&ip_s); } 
@@ -4394,7 +4410,8 @@ static void run_put_mac_bindings(struct ovsdb_idl_txn *ovnsb_idl_txn, struct ovsdb_idl_index *sbrec_datapath_binding_by_key, struct ovsdb_idl_index *sbrec_port_binding_by_key, - struct ovsdb_idl_index *sbrec_mac_binding_by_lport_ip) + struct ovsdb_idl_index *sbrec_mac_binding_by_lport_ip, + const struct sbrec_chassis *chassis) OVS_REQUIRES(pinctrl_mutex) { if (!ovnsb_idl_txn) { @@ -4409,7 +4426,8 @@ run_put_mac_bindings(struct ovsdb_idl_txn *ovnsb_idl_txn, run_put_mac_binding(ovnsb_idl_txn, sbrec_datapath_binding_by_key, sbrec_port_binding_by_key, - sbrec_mac_binding_by_lport_ip, mb); + sbrec_mac_binding_by_lport_ip, mb, + chassis); ovn_mac_binding_remove(mb, &put_mac_bindings); } } @@ -4552,7 +4570,8 @@ send_garp_rarp_update(struct ovsdb_idl_txn *ovnsb_idl_txn, const struct sbrec_port_binding *binding_rec, struct shash *nat_addresses, long long int garp_max_timeout, - bool garp_continuous) + bool garp_continuous, + const struct sbrec_chassis *chassis) { volatile struct garp_rarp_data *garp_rarp = NULL; @@ -4592,7 +4611,8 @@ send_garp_rarp_update(struct ovsdb_idl_txn *ovnsb_idl_txn, send_garp_locally(ovnsb_idl_txn, sbrec_mac_binding_by_lport_ip, local_datapaths, binding_rec, laddrs->ea, - laddrs->ipv4_addrs[i].addr); + laddrs->ipv4_addrs[i].addr, + chassis); } free(name); @@ -4661,7 +4681,8 @@ send_garp_rarp_update(struct ovsdb_idl_txn *ovnsb_idl_txn, binding_rec->tunnel_key); if (ip) { send_garp_locally(ovnsb_idl_txn, sbrec_mac_binding_by_lport_ip, - local_datapaths, binding_rec, laddrs.ea, ip); + local_datapaths, binding_rec, laddrs.ea, ip, + chassis); } destroy_lport_addresses(&laddrs); @@ -6080,7 +6101,8 @@ send_garp_rarp_prepare(struct ovsdb_idl_txn *ovnsb_idl_txn, send_garp_rarp_update(ovnsb_idl_txn, sbrec_mac_binding_by_lport_ip, local_datapaths, pb, &nat_addresses, - garp_max_timeout, garp_continuous); + garp_max_timeout, garp_continuous, + chassis); } } 
@@ -6092,7 +6114,8 @@ send_garp_rarp_prepare(struct ovsdb_idl_txn *ovnsb_idl_txn, if (pb) { send_garp_rarp_update(ovnsb_idl_txn, sbrec_mac_binding_by_lport_ip, local_datapaths, pb, &nat_addresses, - garp_max_timeout, garp_continuous); + garp_max_timeout, garp_continuous, + chassis); } } diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index f3868068d..f51dbecb4 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -109,7 +109,7 @@ static const char *rbac_port_binding_update[] = "options"}; static const char *rbac_mac_binding_auth[] = - {""}; + {"chassis_name"}; static const char *rbac_mac_binding_update[] = {"logical_port", "ip", "mac", "datapath", "timestamp"}; diff --git a/ovn-sb.ovsschema b/ovn-sb.ovsschema index 72e230b75..9cf91c8f7 100644 --- a/ovn-sb.ovsschema +++ b/ovn-sb.ovsschema @@ -1,7 +1,7 @@ { "name": "OVN_Southbound", - "version": "20.30.0", - "cksum": "2972392849 31172", + "version": "20.31.0", + "cksum": "3395536250 31224", "tables": { "SB_Global": { "columns": { @@ -286,7 +286,8 @@ "mac": {"type": "string"}, "timestamp": {"type": {"key": "integer"}}, "datapath": {"type": {"key": {"type": "uuid", - "refTable": "Datapath_Binding"}}}}, + "refTable": "Datapath_Binding"}}}, + "chassis_name": {"type": "string"}}, "indexes": [["logical_port", "ip"]], "isRoot": true}, "DHCP_Options": { diff --git a/ovn-sb.xml b/ovn-sb.xml index e393f92b3..411074083 100644 --- a/ovn-sb.xml +++ b/ovn-sb.xml 
@@ -3925,6 +3925,9 @@ tcp.flags = RST; The logical datapath to which the logical port belongs. + + The name of the chassis that inserted this record. + From patchwork Fri Jan 19 21:33:29 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Michelson X-Patchwork-Id: 1888674 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=ZeWcrW77; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=2605:bc80:3010::133; helo=smtp2.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=patchwork.ozlabs.org) Received: from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4TGtCY1Zzcz1yWl for ; Sat, 20 Jan 2024 08:33:43 +1100 (AEDT) Received: from localhost (localhost [127.0.0.1]) by smtp2.osuosl.org (Postfix) with ESMTP id 0D8094395F; Fri, 19 Jan 2024 21:33:41 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp2.osuosl.org 0D8094395F Authentication-Results: smtp2.osuosl.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=ZeWcrW77 X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp2.osuosl.org ([127.0.0.1]) by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hK4l6Ac5fUjy; Fri, 19 Jan 2024 21:33:39 +0000 (UTC) Received: from lists.linuxfoundation.org 
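Review bot: in mac_binding_add_to_sb the new `sbrec_mac_binding_set_chassis_name(b, chassis->name);` is placed in the branch that creates a row, ahead of the `if (strcmp(b->mac, mac_string))` update path, so an existing row keeps the name of whichever chassis first inserted it. With `rbac_mac_binding_auth` now `{"chassis_name"}`, a different chassis that later has to refresh the same (logical_port, ip) row, for example the chassis that takes over a gateway port and learns a new MAC for it, will have its `mac` update refused by ovsdb-server, and because "chassis_name" is not in `rbac_mac_binding_update` it cannot take ownership of the row either. Either handle the ownership change on the update path or state in the commit message how such a row is expected to be replaced.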
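Review bot: the `mac_binding_has_chassis_name` check in pinctrl_update lets a new ovn-controller run against an old schema, but the opposite direction is not addressed: every MAC_Binding row that exists when the schema is upgraded, and every row an old ovn-controller inserts afterwards, has an empty chassis_name, and once northd installs `{"chassis_name"}` as the auth column no chassis certificate CN matches the empty string, so those rows can no longer be updated by anyone. The commit message should say whether that is acceptable (e.g. the rows age out and are re-inserted) or whether something populates chassis_name for pre-existing rows. The diffstat also shows no NEWS entry and no test; an RBAC test that has a second chassis attempt the update would pin the intended behaviour down.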
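Review bot: the ovn-sb.xml description of the new column, "The name of the chassis that inserted this record.", does not say why the column exists. Since the value has to equal the inserting chassis's certificate common name for the RBAC rule to work, and since the column is otherwise unused by ovn-controller and ovn-northd in this patch, the text should state that it is used for RBAC only and is expected to match the Chassis record's name; the IGMP_Group description added in patch 3 already says "used for RBAC purposes only", and the two should read alike.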
From: Mark Michelson To: dev@openvswitch.org Date: Fri, 19 Jan 2024 16:33:29 -0500 Message-Id: <20240119213331.454896-2-mmichels@redhat.com> In-Reply-To: <20240119213331.454896-1-mmichels@redhat.com> References: <20240119213331.454896-1-mmichels@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.2 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Subject: [ovs-dev] [PATCH ovn 2/4] rbac: Only allow relevant chassis to update service monitors. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" Service monitors already had the restriction that chassis could not insert or delete records. However, there was nothing restricting chassis from updating records for service monitors that are relevant to other chassis. This change adds a new "chassis_name" column to the Service_Monitor table. ovn-northd will set this column to the chassis on which the relevant logical port is bound. This way, only that particular chassis can update the status of the service monitor. --- northd/northd.c | 19 +++++++++++++++++-- northd/ovn-northd.c | 2 +- ovn-sb.ovsschema | 5 +++-- ovn-sb.xml | 4 ++++ 4 files changed, 25 insertions(+), 5 deletions(-) diff --git a/northd/northd.c b/northd/northd.c index 952f8200d..9821fcef5 100644 --- a/northd/northd.c +++ b/northd/northd.c 
@@ -3841,13 +3841,19 @@ static struct service_monitor_info * create_or_get_service_mon(struct ovsdb_idl_txn *ovnsb_txn, struct hmap *monitor_map, const char *ip, const char *logical_port, - uint16_t service_port, const char *protocol) + uint16_t service_port, const char *protocol, + const char *chassis_name) { struct service_monitor_info *mon_info = get_service_mon(monitor_map, ip, logical_port, service_port, protocol); if (mon_info) { + if (chassis_name && strcmp(mon_info->sbrec_mon->chassis_name, + chassis_name)) { + sbrec_service_monitor_set_chassis_name(mon_info->sbrec_mon, + chassis_name); + } return mon_info; } @@ -3862,6 +3868,9 @@ create_or_get_service_mon(struct ovsdb_idl_txn *ovnsb_txn, sbrec_service_monitor_set_port(sbrec_mon, service_port); sbrec_service_monitor_set_logical_port(sbrec_mon, logical_port); sbrec_service_monitor_set_protocol(sbrec_mon, protocol); + if (chassis_name) { + sbrec_service_monitor_set_chassis_name(sbrec_mon, chassis_name); + } mon_info = xzalloc(sizeof *mon_info); mon_info->sbrec_mon = sbrec_mon; hmap_insert(monitor_map, &mon_info->hmap_node, hash); @@ -3904,12 +3913,18 @@ ovn_lb_svc_create(struct ovsdb_idl_txn *ovnsb_txn, protocol = "tcp"; } + const char *chassis_name = NULL; + if (op->sb && op->sb->chassis) { + chassis_name = op->sb->chassis->name; + } + struct service_monitor_info *mon_info = create_or_get_service_mon(ovnsb_txn, monitor_map, backend->ip_str, backend_nb->logical_port, backend->port, - protocol); + protocol, + chassis_name); ovs_assert(mon_info); sbrec_service_monitor_set_options( mon_info->sbrec_mon, &lb_vip_nb->lb_health_check->options); diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index f51dbecb4..ef580b561 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c 
@@ -114,7 +114,7 @@ static const char *rbac_mac_binding_update[] = {"logical_port", "ip", "mac", "datapath", "timestamp"}; static const char *rbac_svc_monitor_auth[] = - {""}; + {"chassis_name"}; static const char *rbac_svc_monitor_auth_update[] = {"status"}; static const char *rbac_igmp_group_auth[] = diff --git a/ovn-sb.ovsschema b/ovn-sb.ovsschema index 9cf91c8f7..563d1a215 100644 --- a/ovn-sb.ovsschema +++ b/ovn-sb.ovsschema @@ -1,7 +1,7 @@ { "name": "OVN_Southbound", - "version": "20.31.0", - "cksum": "3395536250 31224", + "version": "20.32.0", + "cksum": "482767101 31276", "tables": { "SB_Global": { "columns": { @@ -510,6 +510,7 @@ "logical_port": {"type": "string"}, "src_mac": {"type": "string"}, "src_ip": {"type": "string"}, + "chassis_name": {"type": "string"}, "status": { "type": {"key": {"type": "string", "enum": ["set", ["online", "offline", "error"]]}, diff --git a/ovn-sb.xml b/ovn-sb.xml index 411074083..046913201 100644 --- a/ovn-sb.xml +++ b/ovn-sb.xml 
@@ -4818,6 +4818,10 @@ tcp.flags = RST; Source IPv4 address to use in the service monitor packet. + + The name of the chassis where the logical port is bound. + + The interval, in seconds, between service monitor checks. From patchwork Fri Jan 19 21:33:30 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mark Michelson X-Patchwork-Id: 1888676 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (1024-bit key; unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=FUyJ7vJj; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=140.211.166.138; helo=smtp1.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=patchwork.ozlabs.org) Received: from smtp1.osuosl.org (smtp1.osuosl.org [140.211.166.138]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4TGtCf57Kvz1yWl for ; Sat, 20 Jan 2024 08:33:50 +1100 (AEDT) Received: from localhost (localhost [127.0.0.1]) by smtp1.osuosl.org (Postfix) with ESMTP id 6837E8455A; Fri, 19 Jan 2024 21:33:45 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 6837E8455A Authentication-Results: smtp1.osuosl.org; dkim=fail reason="signature verification failed" (1024-bit key) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256 header.s=mimecast20190719 header.b=FUyJ7vJj X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp1.osuosl.org ([127.0.0.1]) by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rk_QsQlqRAmn; Fri, 19 Jan 2024 21:33:44 +0000 
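Review bot: in the existing-record branch of create_or_get_service_mon the `if (chassis_name && strcmp(...))` guard makes a NULL chassis_name a no-op, and ovn_lb_svc_create passes NULL whenever `op->sb->chassis` is NULL. So when a backend's logical port becomes unbound, or moves and is briefly unbound, the Service_Monitor row keeps the previous chassis's name and that chassis stays authorised to write `status` for a backend it no longer hosts, which is the kind of stale writer this patch is meant to close off. If that is not intended, clear the column in that case, e.g. `sbrec_service_monitor_set_chassis_name(mon_info->sbrec_mon, chassis_name ? chassis_name : "");` without the NULL guard, so the row has no authorised writer until the port is bound again; if it is intended (to avoid status flapping during a move), say so in the commit message.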
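Review bot: the ovn-sb.xml text "The name of the chassis where the logical port is bound." should also say that the column is maintained by ovn-northd, is used for RBAC only, and is empty while the port is unbound, so that readers do not mistake it for a second binding column. Note that a never-bound backend gets a row with chassis_name "" (the `if (chassis_name)` guard in the insert path skips the set and a string column defaults to the empty string), which means no chassis can report `status` for it until northd next sees a binding; that is fine, but worth a sentence in the commit message.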
From: Mark Michelson To: dev@openvswitch.org Date: Fri, 19 Jan 2024 16:33:30 -0500 Message-Id: <20240119213331.454896-3-mmichels@redhat.com> In-Reply-To: <20240119213331.454896-1-mmichels@redhat.com> References: <20240119213331.454896-1-mmichels@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.4.1 on 10.11.54.2 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Subject: [ovs-dev] [PATCH ovn 3/4] rbac: Restrict IGMP_Group updates to relevant chassis. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" RBAC did not restrict which chassis could update IGMP_Groups. With this change, we add a new "chassis_name" column to IGMP_Group. This may seem odd since there is already a "chassis" column in IGMP_Group. But RBAC specifically works by string matching based on the certificate common name. Therefore, we need to have a chassis_name string column instead of a chassis UUID column. --- controller/ip-mcast.c | 20 ++++++++++++++------ controller/ip-mcast.h | 6 ++++-- controller/pinctrl.c | 16 +++++++++++++--- northd/ovn-northd.c | 2 +- ovn-sb.ovsschema | 7 ++++--- ovn-sb.xml | 5 +++++ 6 files changed, 41 insertions(+), 15 deletions(-) diff --git a/controller/ip-mcast.c b/controller/ip-mcast.c index a870fb29e..6150cece0 100644 --- a/controller/ip-mcast.c +++ b/controller/ip-mcast.c @@ -38,7 +38,8 @@ static struct sbrec_igmp_group * igmp_group_create_(struct ovsdb_idl_txn *idl_txn, const char *addr_str, const struct sbrec_datapath_binding *datapath, - const struct sbrec_chassis *chassis); + const struct sbrec_chassis *chassis, + bool igmp_group_has_chassis_name); struct ovsdb_idl_index * igmp_group_index_create(struct ovsdb_idl *idl) 
@@ -86,7 +87,8 @@ struct sbrec_igmp_group * igmp_group_create(struct ovsdb_idl_txn *idl_txn, const struct in6_addr *address, const struct sbrec_datapath_binding *datapath, - const struct sbrec_chassis *chassis) + const struct sbrec_chassis *chassis, + bool igmp_group_has_chassis_name) { char addr_str[INET6_ADDRSTRLEN]; @@ -94,16 +96,18 @@ igmp_group_create(struct ovsdb_idl_txn *idl_txn, return NULL; } - return igmp_group_create_(idl_txn, addr_str, datapath, chassis); + return igmp_group_create_(idl_txn, addr_str, datapath, chassis, + igmp_group_has_chassis_name); } struct sbrec_igmp_group * igmp_mrouter_create(struct ovsdb_idl_txn *idl_txn, const struct sbrec_datapath_binding *datapath, - const struct sbrec_chassis *chassis) + const struct sbrec_chassis *chassis, + bool igmp_group_has_chassis_name) { return igmp_group_create_(idl_txn, OVN_IGMP_GROUP_MROUTERS, datapath, - chassis); + chassis, igmp_group_has_chassis_name); } void @@ -249,13 +253,17 @@ static struct sbrec_igmp_group * igmp_group_create_(struct ovsdb_idl_txn *idl_txn, const char *addr_str, const struct sbrec_datapath_binding *datapath, - const struct sbrec_chassis *chassis) + const struct sbrec_chassis *chassis, + bool igmp_group_has_chassis_name) { struct sbrec_igmp_group *g = sbrec_igmp_group_insert(idl_txn); sbrec_igmp_group_set_address(g, addr_str); sbrec_igmp_group_set_datapath(g, datapath); sbrec_igmp_group_set_chassis(g, chassis); + if (igmp_group_has_chassis_name) { + sbrec_igmp_group_set_chassis_name(g, chassis->name); + } return g; } diff --git a/controller/ip-mcast.h b/controller/ip-mcast.h index 326f39db1..a2d531097 100644 --- a/controller/ip-mcast.h +++ b/controller/ip-mcast.h 
@@ -39,11 +39,13 @@ struct sbrec_igmp_group *igmp_group_create( struct ovsdb_idl_txn *idl_txn, const struct in6_addr *address, const struct sbrec_datapath_binding *datapath, - const struct sbrec_chassis *chassis); + const struct sbrec_chassis *chassis, + bool igmp_group_has_chassis_name); struct sbrec_igmp_group *igmp_mrouter_create( struct ovsdb_idl_txn *idl_txn, const struct sbrec_datapath_binding *datapath, - const struct sbrec_chassis *chassis); + const struct sbrec_chassis *chassis, + bool igmp_group_has_chassis_name); void igmp_group_update_ports(const struct sbrec_igmp_group *g, struct ovsdb_idl_index *datapaths, diff --git a/controller/pinctrl.c b/controller/pinctrl.c index a00cdceea..1e3df02af 100644 --- a/controller/pinctrl.c +++ b/controller/pinctrl.c @@ -181,6 +181,7 @@ struct pinctrl { bool fdb_can_timestamp; bool dns_supports_ovn_owned; bool mac_binding_has_chassis_name; + bool igmp_group_has_chassis_name; }; static struct pinctrl pinctrl; @@ -3600,6 +3601,13 @@ pinctrl_update(const struct ovsdb_idl *idl, const char *br_int_name) notify_pinctrl_handler(); } + bool igmp_group_has_chassis_name = + sbrec_server_has_igmp_group_table_col_chassis_name(idl); + if (igmp_group_has_chassis_name != pinctrl.igmp_group_has_chassis_name) { + pinctrl.igmp_group_has_chassis_name = igmp_group_has_chassis_name; + notify_pinctrl_handler(); + } + ovs_mutex_unlock(&pinctrl_mutex); } @@ -5417,8 +5425,9 @@ ip_mcast_sync(struct ovsdb_idl_txn *ovnsb_idl_txn, sbrec_igmp = igmp_group_lookup(sbrec_igmp_groups, &mc_group->addr, local_dp->datapath, chassis); if (!sbrec_igmp) { - sbrec_igmp = igmp_group_create(ovnsb_idl_txn, &mc_group->addr, - local_dp->datapath, chassis); + sbrec_igmp = igmp_group_create( + ovnsb_idl_txn, &mc_group->addr, local_dp->datapath, + chassis, pinctrl.igmp_group_has_chassis_name); } igmp_group_update_ports(sbrec_igmp, sbrec_datapath_binding_by_key, 
@@ -5433,7 +5442,8 @@ ip_mcast_sync(struct ovsdb_idl_txn *ovnsb_idl_txn, if (!sbrec_ip_mrouter) { sbrec_ip_mrouter = igmp_mrouter_create(ovnsb_idl_txn, local_dp->datapath, - chassis); + chassis, + pinctrl.igmp_group_has_chassis_name); } igmp_mrouter_update_ports(sbrec_ip_mrouter, sbrec_datapath_binding_by_key, diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index ef580b561..8f70d5241 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -118,7 +118,7 @@ static const char *rbac_svc_monitor_auth[] = static const char *rbac_svc_monitor_auth_update[] = {"status"}; static const char *rbac_igmp_group_auth[] = - {""}; + {"chassis_name"}; static const char *rbac_igmp_group_update[] = {"address", "chassis", "datapath", "ports"}; static const char *rbac_bfd_auth[] = diff --git a/ovn-sb.ovsschema b/ovn-sb.ovsschema index 563d1a215..0e601f4e3 100644 --- a/ovn-sb.ovsschema +++ b/ovn-sb.ovsschema @@ -1,7 +1,7 @@ { "name": "OVN_Southbound", - "version": "20.32.0", - "cksum": "482767101 31276", + "version": "20.33.0", + "cksum": "3042447672 31328", "tables": { "SB_Global": { "columns": { @@ -494,7 +494,8 @@ "ports": {"type": {"key": {"type": "uuid", "refTable": "Port_Binding", "refType": "weak"}, - "min": 0, "max": "unlimited"}}}, + "min": 0, "max": "unlimited"}}, + "chassis_name": {"type": "string"}}, "indexes": [["address", "datapath", "chassis"]], "isRoot": true}, "Service_Monitor": { diff --git a/ovn-sb.xml b/ovn-sb.xml index 046913201..833e53114 100644 --- a/ovn-sb.xml +++ b/ovn-sb.xml @@ -4770,6 +4770,11 @@ tcp.flags = RST; The destination port bindings for this IGMP group. + + + The chassis that inserted this record. This column is used for RBAC + purposes only. +
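Review bot: in igmp_group_create_ (controller/ip-mcast.c) the new `sbrec_igmp_group_set_chassis_name(g, chassis->name)` dereferences `chassis` unconditionally, while the existing `sbrec_igmp_group_set_chassis(g, chassis)` on the line above tolerates a NULL pointer. If every caller in ip_mcast_sync guarantees a non-NULL local chassis record, make that explicit with an `ovs_assert(chassis)` at the top of the function; otherwise guard the new call with `chassis &&` so a missing chassis record cannot crash ovn-controller.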
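Review bot: the northd/ovn-northd.c hunk switches rbac_igmp_group_auth from {""} to {"chassis_name"} unconditionally, but chassis_name is only written on the create path in ip_mcast_sync, and only once pinctrl.igmp_group_has_chassis_name is true. Two cases look unhandled: IGMP_Group rows that already exist in the Southbound database when ovn-northd is upgraded keep an empty chassis_name, so with the new authorization column their owning chassis can no longer update their ports column or delete them; and an ovn-controller that has not yet been upgraded inserts rows without chassis_name, which RBAC will then reject. Consider having the controller set chassis_name on rows returned by igmp_group_lookup that lack it, or document the required upgrade order and that stale IGMP_Group rows may need to be cleared by an administrator.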
From patchwork Fri Jan 19 21:33:31 2024
X-Patchwork-Submitter: Mark Michelson
X-Patchwork-Id: 1888677
From: Mark Michelson
To: dev@openvswitch.org
Date: Fri, 19 Jan 2024 16:33:31 -0500
Message-Id: <20240119213331.454896-4-mmichels@redhat.com>
In-Reply-To: <20240119213331.454896-1-mmichels@redhat.com>
References: <20240119213331.454896-1-mmichels@redhat.com>
Subject: [ovs-dev] [PATCH ovn 4/4] rbac: Only allow relevant chassis to update BFD.

This adds a new "chassis_name" column to the BFD table. ovn-northd sets this to the logical port's chassis name when creating the BFD record. RBAC has been updated so that chassis may only update their own records.
---
 northd/northd.c     | 9 ++++++++-
 northd/ovn-northd.c | 2 +-
 ovn-sb.ovsschema    | 5 +++--
 ovn-sb.xml          | 4 ++++
 4 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/northd/northd.c b/northd/northd.c
index 9821fcef5..793fc13f5 100644
--- a/northd/northd.c
+++ b/northd/northd.c
@@ -10808,6 +10808,7 @@ build_bfd_table(struct ovsdb_idl_txn *ovnsb_txn, nbrec_bfd_set_status(nb_bt, "admin_down"); } + struct ovn_port *op = ovn_port_find(lr_ports, nb_bt->logical_port); bfd_e = bfd_port_lookup(&sb_only, nb_bt->logical_port, nb_bt->dst_ip); if (!bfd_e) { int udp_src = bfd_get_unused_port(bfd_src_ports); @@ -10821,6 +10822,9 @@ build_bfd_table(struct ovsdb_idl_txn *ovnsb_txn, sbrec_bfd_set_disc(sb_bt, 1 + random_uint32()); sbrec_bfd_set_src_port(sb_bt, udp_src); sbrec_bfd_set_status(sb_bt, nb_bt->status); + if (op && op->sb && op->sb->chassis) { + sbrec_bfd_set_chassis_name(sb_bt, op->sb->chassis->name); + } int min_tx = nb_bt->n_min_tx ? nb_bt->min_tx[0] : BFD_DEF_MINTX; sbrec_bfd_set_min_tx(sb_bt, min_tx); @@ -10839,6 +10843,10 @@ build_bfd_table(struct ovsdb_idl_txn *ovnsb_txn, } } build_bfd_update_sb_conf(nb_bt, bfd_e->sb_bt); + if (op && op->sb && op->sb->chassis && + strcmp(op->sb->chassis->name, sb_bt->chassis_name)) { + sbrec_bfd_set_chassis_name(sb_bt, op->sb->chassis->name); + } hmap_remove(&sb_only, &bfd_e->hmap_node); bfd_e->ref = false; @@ -10847,7 +10855,6 @@ build_bfd_table(struct ovsdb_idl_txn *ovnsb_txn, hmap_insert(bfd_connections, &bfd_e->hmap_node, hash); } - struct ovn_port *op = ovn_port_find(lr_ports, nb_bt->logical_port); if (op) { op->has_bfd = true; } diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index 8f70d5241..c11744b3f 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -122,7 +122,7 @@ static const char *rbac_igmp_group_auth[] = static const char *rbac_igmp_group_update[] = {"address", "chassis", "datapath", "ports"}; static const char *rbac_bfd_auth[] = - {""}; + {"chassis_name"}; static const char *rbac_bfd_update[] = {"status"}; diff --git a/ovn-sb.ovsschema b/ovn-sb.ovsschema index 0e601f4e3..26c9ae75f 100644 --- a/ovn-sb.ovsschema +++ b/ovn-sb.ovsschema 
@@ -1,7 +1,7 @@ { "name": "OVN_Southbound", "version": "20.33.0", - "cksum": "3042447672 31328", + "cksum": "4078434013 31380", "tables": { "SB_Global": { "columns": { @@ -579,7 +579,8 @@ "min": 0, "max": "unlimited"}}, "options": { "type": {"key": "string", "value": "string", - "min": 0, "max": "unlimited"}}}, + "min": 0, "max": "unlimited"}}, + "chassis_name": {"type": "string"}}, "indexes": [["logical_port", "dst_ip", "src_port", "disc"]], "isRoot": true}, "FDB": { diff --git a/ovn-sb.xml b/ovn-sb.xml index 833e53114..629c78095 100644 --- a/ovn-sb.xml +++ b/ovn-sb.xml @@ -4992,6 +4992,10 @@ tcp.flags = RST; receiving system in Asynchronous mode. + + The name of the chassis where the logical port is bound. + + Reserved for future use.
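Review bot: in the second northd/northd.c hunk (the update path of build_bfd_table) the row being refreshed is `bfd_e->sb_bt`, as the preceding `build_bfd_update_sb_conf(nb_bt, bfd_e->sb_bt);` shows, yet the new block reads `sb_bt->chassis_name` and calls `sbrec_bfd_set_chassis_name(sb_bt, ...)`. Nothing in this branch assigns `sb_bt` to the looked-up row, so the comparison and the write go to whatever `sb_bt` last pointed at (a row inserted on the create path of an earlier iteration, or the last row of the SB scan). Use `bfd_e->sb_bt` in both the strcmp and the set call.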
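Review bot: both northd/northd.c hunks only write chassis_name when `op->sb->chassis` is set; when the logical port becomes unbound (chassis NULL) or the port disappears, the previous name stays in the column, and since rbac_bfd_auth is now {"chassis_name"} that former chassis keeps authority to update the BFD row's status. Clear the column (set it to "") in the else case so that authorization follows the current binding, and state in the ovn-sb.xml description that the column is empty while the port is unbound.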
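Review bot: ovn-sb.ovsschema stays at version 20.33.0 while adding a second new column; only the cksum changes, and 20.33.0 was already consumed by the IGMP_Group chassis_name column in patch 3/4 (bumped from 20.32.0 there). If the two patches can be applied or backported independently, give this one its own version bump so a schema version check can distinguish a database with only the IGMP_Group column from one with both.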