> From: "Ben Pfaff" <b...@ovn.org>
> To: "Lance Richardson" <lrich...@redhat.com>
> Cc: d...@openvswitch.org
> Sent: Saturday, 6 May, 2017 12:41:37 AM
> Subject: Re: [ovs-dev] [PATCH 4/6] ovsdb: add support for role-based access controls
> 
> On Mon, May 01, 2017 at 10:13:21AM -0400, Lance Richardson wrote:
> > Add support for ovsdb RBAC (role-based access control). This includes:
> > 
> >    - Support for "RBAC_Role" table. A db schema containing a table
> >      by this name will enable role-based access controls using
> >      this table for RBAC role configuration.
> > 
> >      The "RBAC_Role" table has one row per role, with each row having a
> >      "name" column (role name) and a "permissions" column (map of
> >      table name to UUID of row in separate permission table.) The
> >      permission table has one row per access control configuration,
> >      with the following columns:
> >           "name"          - name of table to which this row applies
> >           "authorization" - set of column names and column:key pairs
> >                             to be compared against client ID to
> >                             determine authorization status
> >           "insert_delete" - boolean, true if insertions and
> >                             authorized deletions are allowed.
> >           "update"        - Set of columns and column:key pairs for
> >                             which authorized updates are allowed.
> >    - Support for a new "role" column in the remote configuration
> >      table.
> >    - Logic for applying the RBAC role and permission tables, in
> >      combination with session role from the remote connection table
> >      and client id, to determine whether operations modifying database
> >      contents should be permitted.
> > 
> > Signed-off-by: Lance Richardson <lrich...@redhat.com>
> 
> This is really nice.  Thank you for investing time in this!  I've had my
> doubts, repeatedly, about the value of access control in OVSDB, but the
> OVN use case has finally convinced me, and I really appreciate the work
> you've done to make it happen.
> 

Thank you very much!

> As a high-level comment, it looks to me like documentation is missing
> for the ways that this affects the schema and the wire protocol.  We try
> to document those kinds of changes, relative to the RFC 7074
> specification, in ovsdb/ovsdb-server.1.in.
> 

OK, I will address that in the next version.

> I'm appending an incremental patch that I suggest folding in.  It is
> mostly little style points I noticed.  I also fixed a few minor bugs I
> noticed, and I added a new --rbac-role option to ovsdb-tool to allow
> users to test without firing up an OVSDB server.
> 

OK, makes sense.

> I fussed with the style on ovsdb_util_read_map_string_uuid_column()
> enough that the bug fix might not be obvious: it assumed that
> column->type.value.u.uuid.refTable is nonnull, even though that might
> not be the case.
> 
> Thanks!
> 
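To make the role/permission structure in the patch summary concrete, here is an added model of the authorization decision (example code written for this thread, not code from the OVS patch). Table and column names in the sample data are constructed; the matching rule (a row is authorized when one of the listed columns, or column:key map entries, equals the client ID) is an assumption about the semantics the summary describes.

```python
# Constructed permission rows, keyed by a stand-in for their row UUID.
PERMISSIONS = {
    "perm-chassis": {
        "name": "Chassis",
        "authorization": ["name"],       # row's "name" must equal the client ID
        "insert_delete": True,
        "update": ["nb_cfg", "external_ids:ovn-bridge-mappings"],
    },
    "perm-port-binding": {
        "name": "Port_Binding",
        "authorization": ["chassis"],
        "insert_delete": False,          # no inserts or deletes at all
        "update": ["chassis"],
    },
}

# Constructed RBAC_Role rows: role name -> map of table name to permission UUID.
ROLES = {
    "ovn-controller": {
        "name": "ovn-controller",
        "permissions": {"Chassis": "perm-chassis",
                        "Port_Binding": "perm-port-binding"},
    },
}


def row_authorized(perm, row, client_id):
    """True if any "authorization" column (or column:key map entry) of the
    row equals the client ID (assumed matching rule)."""
    for spec in perm["authorization"]:
        col, _, key = spec.partition(":")
        value = row.get(col)
        if key:                          # column:key form: look inside a map column
            value = (value or {}).get(key)
        if value == client_id:
            return True
    return False


def check_op(role, table, op, row, client_id, columns=()):
    """Decide whether op ("insert", "delete" or "update") on table is
    permitted for a session with RBAC role `role` and identity client_id.
    columns lists the column names / column:key entries an update touches."""
    perm_id = ROLES.get(role, {}).get("permissions", {}).get(table)
    if perm_id is None:
        return False                     # no permission row for this table: deny
    perm = PERMISSIONS[perm_id]
    if op == "insert":
        return perm["insert_delete"]     # inserts need no row to match against
    if op == "delete":
        return perm["insert_delete"] and row_authorized(perm, row, client_id)
    if op == "update":
        return (row_authorized(perm, row, client_id)
                and all(c in perm["update"] for c in columns))
    return False
```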
_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
