This series implements role-based access control infrastructure for
ovsdb-server, and uses that infrastructure to apply role-based access
controls to the OVN_Southbound database. This implementation follows
the outline discussed at:

     https://mail.openvswitch.org/pipermail/ovs-dev/2017-March/329801.html

With this series applied, enabling role-based ACLs is a matter of:

    - Configuring southbound ovsdb-server and ovn-controller to use SSL,
      configuring an ovn-controller "role" for SSL connections via e.g.:
         ovn-sbctl set-connection role=ovn-controller pssl:6642
    - Using unique certificates for each ovn-controller with a unique
      CN for each chassis, generated e.g. via:
         ovs-pki -B 1024 req+sign chassis1 switch
         ovs-pki -B 1024 req+sign chassis2 switch
         ovs-pki -B 1024 req+sign chassis3 switch
    - Starting the southbound ovsdb-server with the "--rbac" command-line
      option:
         --rbac=db:OVN_Southbound,RBAC_Role
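The enforcement the series enables, as an added illustration that is not code from the series or from ovsdb-server: a Python model in which a connection's identity is the CN of its client certificate, the role configured on the listener selects per-table permissions, and a write is allowed only when the permission covers the operation and, where an authorization column is set, that column equals the peer id. The role/permission layout, table names and sample rows are constructed assumptions, not the schema the series adds.

```python
"""Toy model of per-connection RBAC checks in an ovsdb-server-like server.
Illustration only; not the series' code. The permission layout below is an
assumption made for this example."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass
class Permission:
    insert_delete: bool               # may rows be inserted or deleted?
    update: FrozenSet[str]            # columns this role may update
    authorization: Optional[str]      # column that must equal the peer id


@dataclass
class Connection:
    peer_id: str            # CN taken from the client's SSL certificate
    role: Optional[str]     # role set on the listener, e.g. "ovn-controller"


# role -> table -> permission (constructed sample data)
ROLES: Dict[str, Dict[str, Permission]] = {
    "ovn-controller": {
        "Chassis": Permission(True, frozenset({"encaps", "nb_cfg"}), "name"),
        "Port_Binding": Permission(False, frozenset({"chassis"}), None),
    }
}


def authorize(conn: Connection, table: str, op: str, row: dict,
              columns=()) -> bool:
    """Return True if conn may perform op ('insert', 'delete' or 'update',
    touching the given columns) on row of table. A connection with no role
    is unrestricted: RBAC applies only to listeners configured with role=."""
    if conn.role is None:
        return True
    perm = ROLES.get(conn.role, {}).get(table)
    if perm is None:
        return False                      # no permission row: deny by default
    if op in ("insert", "delete"):
        if not perm.insert_delete:
            return False
    elif op == "update":
        if not set(columns) <= perm.update:
            return False                  # touches a column outside the allow-list
    else:
        return False
    if perm.authorization is not None:    # row must belong to this peer
        return row.get(perm.authorization) == conn.peer_id
    return True
```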

This series is posted as RFC mainly to solicit high-level feedback about
the approach, although feedback about implementation details would also
be welcome. Outstanding work items:

    - Unit test for authorization from map.
    - Update man page for ovsdb-server --rbac option.
    - Add security section to ovn-architecture document to describe how
      SSL and RBAC can be applied.
    - Add section to ovn-northd man page describing how northd configures
      RBAC for the southbound db.
    - Evaluate other methods for enabling RBAC enforcement in ovsdb-server,
      see https://mail.openvswitch.org/pipermail/ovs-dev/2017-April/330718.html
    - Add "chassis" column to OVN southbound Encap table to allow more
      effective RBAC.


Lance Richardson (5):
  stream: store stream peer id with stream state
  ovsdb: refactor utility functions into separate file
  ovsdb: add support for role-based access controls
  ovn: add rbac tables to ovn southbound schema
  ovn-sbctl: support setting rbac role for remote connections

 lib/jsonrpc.c             |  10 ++
 lib/jsonrpc.h             |   2 +
 lib/ovsdb-error.c         |  13 ++
 lib/ovsdb-error.h         |   4 +
 lib/stream-provider.h     |   1 +
 lib/stream-ssl.c          |  51 ++++++
 lib/stream.c              |  16 ++
 lib/stream.h              |   3 +
 ovn/northd/ovn-northd.c   | 190 ++++++++++++++++++++
 ovn/ovn-sb.ovsschema      |  28 ++-
 ovn/ovn-sb.xml            |  39 ++++
 ovn/utilities/ovn-sbctl.c |  12 +-
 ovsdb/automake.mk         |   6 +-
 ovsdb/execution.c         |  41 ++++-
 ovsdb/jsonrpc-server.c    |   6 +-
 ovsdb/jsonrpc-server.h    |   1 +
 ovsdb/mutation.c          |   2 +
 ovsdb/mutation.h          |   5 +-
 ovsdb/ovsdb-server.c      | 247 ++++++++-----------------
 ovsdb/ovsdb-tool.c        |   2 +-
 ovsdb/ovsdb-util.c        | 235 ++++++++++++++++++++++++
 ovsdb/ovsdb-util.h        |  51 ++++++
 ovsdb/ovsdb.h             |   1 +
 ovsdb/rbac.c              | 449 ++++++++++++++++++++++++++++++++++++++++++++++
 ovsdb/rbac.h              |  36 ++++
 ovsdb/trigger.c           |   8 +-
 ovsdb/trigger.h           |   5 +-
 tests/automake.mk         |   1 +
 tests/ovsdb-rbac.at       | 253 ++++++++++++++++++++++++++
 tests/ovsdb.at            |   1 +
 tests/test-ovsdb.c        |   5 +-
 31 files changed, 1533 insertions(+), 191 deletions(-)
 create mode 100644 ovsdb/ovsdb-util.c
 create mode 100644 ovsdb/ovsdb-util.h
 create mode 100644 ovsdb/rbac.c
 create mode 100644 ovsdb/rbac.h
 create mode 100644 tests/ovsdb-rbac.at

-- 
2.7.4
