Hi,

It seems that I see a regression in the claim-port functionality in my OVN 
installation between v20.06.2 and the latest branch-20.06 (78174ea) on a cluster 
with RBAC enabled.

On v20.06.2 ovn-controller successfully claims port:

# ovn-controller --version
ovn-controller 20.06.2
Open vSwitch Library 2.13.0
OpenFlow versions 0x6:0x6


2020-12-02T18:25:28.787Z|00011|binding|INFO|Claiming lport eni-35AFCD00 for this chassis.
2020-12-02T18:25:28.787Z|00012|binding|INFO|eni-35AFCD00: Claiming 0a:00:35:af:cd:00 192.168.0.5
2020-12-02T18:25:28.787Z|00013|binding|INFO|Claiming lport eni-3E9901E0 for this chassis.
2020-12-02T18:25:28.787Z|00014|binding|INFO|eni-3E9901E0: Claiming 0a:00:3e:99:01:e0 192.168.0.4


Transaction request:

2020-12-02T18:50:36.128Z|01605|jsonrpc|DBG|ssl:X.X.X.X:6642: send request, method="transact", params=["OVN_Southbound",{"where":[["_uuid","==",["uuid","4e9bd54c-f083-45cd-93d3-a65f4d20d688"]]],"row":{"chassis":["uuid","9d414bfc-da12-487e-80a0-5c1f2a98a05a"]},"op":"update","table":"Port_Binding"}], id=310

# ovn-sbctl show | grep 04540082-b5b5-4ab5-9901-03ed445c772d -A 9
Chassis "04540082-b5b5-4ab5-9901-03ed445c772d"
    hostname: host.local
    Encap vxlan
        ip: "Y.Y.Y.Y"
        options: {csum="true"}
    Encap stt
        ip: "Y.Y.Y.Y"
        options: {csum="true"}
    Port_Binding eni-3E9901E0
    Port_Binding eni-35AFCD00


Then I update OVN (it doesn't matter whether only ovn-controller or the full OVN 
installation is updated):

# ovn-controller --version
ovn-controller 20.06.3
Open vSwitch Library 2.13.0
OpenFlow versions 0x6:0x6

ovn-controller is unable to claim lport:

2020-12-02T18:53:35.309Z|00043|binding|INFO|Claiming lport eni-3E9901E0 for this chassis.
2020-12-02T18:53:35.309Z|00044|binding|INFO|eni-3E9901E0: Claiming 0a:00:3e:99:01:e0 192.168.0.4
2020-12-02T18:53:35.309Z|00045|binding|INFO|Claiming lport eni-DB28C420 for this chassis.
2020-12-02T18:53:35.309Z|00046|binding|INFO|eni-DB28C420: Claiming 0a:00:db:28:c4:20 192.168.0.6
2020-12-02T18:53:35.309Z|00047|binding|INFO|Claiming lport eni-35AFCD00 for this chassis.
2020-12-02T18:53:35.309Z|00048|binding|INFO|eni-35AFCD00: Claiming 0a:00:35:af:cd:00 192.168.0.5
2020-12-02T18:53:35.345Z|00049|ovsdb_idl|WARN|transaction error: {"details":"RBAC rules for client \"04540082-b5b5-4ab5-9901-03ed445c772d\" role \"ovn-controller\" prohibit modification of table \"Encap\".","error":"permission error"}
2020-12-02T18:53:35.345Z|00050|main|INFO|OVNSB commit failed, force recompute next time.


Transaction request (compared to the previous version, Encap table modifications 
have been added):

2020-12-02T18:57:33.661Z|20500|jsonrpc|DBG|ssl:X.X.X.X:6642: send request, method="transact", params=["OVN_Southbound",{"where":[["_uuid","==",["uuid","9a397740-4072-4853-9b75-9cc120fe4b34"]]],"row":{"chassis":["uuid","e1436af9-4a15-4480-937e-7584e64033a3"]},"op":"update","table":"Port_Binding"},{"where":[["_uuid","==",["uuid","7ec10f55-c89a-4fd3-a2ab-8ac22f845c85"]]],"row":{"chassis_name":"04540082-b5b5-4ab5-9901-03ed445c772d"},"op":"update","table":"Encap"},{"where":[["_uuid","==",["uuid","256d47ca-ef69-4d75-b967-7ab19bd413a7"]]],"row":{"chassis_name":"04540082-b5b5-4ab5-9901-03ed445c772d"},"op":"update","table":"Encap"},{"where":[["_uuid","==",["uuid","34856b67-7f15-44d3-8071-e20ae0f6029f"]]],"row":{"chassis":["uuid","e1436af9-4a15-4480-937e-7584e64033a3"]},"op":"update","table":"Port_Binding"}], id=113


I've configured RBAC following these instructions: 
https://docs.ovn.org/en/latest/tutorials/ovn-rbac.html

Some RBAC-related parameters:

# ovn-sbctl list connection
_uuid               : 4940feb2-c4ae-47d9-ade7-6f25c26a2a71
external_ids        : {}
inactivity_probe    : []
is_connected        : false
max_backoff         : []
other_config        : {}
read_only           : false
role                : ""
status              : {}
target              : "pssl:16642"

_uuid               : ed9366ef-e352-4210-998f-655f648d638d
external_ids        : {}
inactivity_probe    : []
is_connected        : false
max_backoff         : []
other_config        : {}
read_only           : false
role                : ovn-controller
status              : {}
target              : "pssl:6642"
# ovn-sbctl list rbac_role
_uuid               : 91e9fee1-4aff-4d94-93bf-d4c5119a0dd2
name                : ovn-controller
permissions         : {Chassis=4a0070bf-1327-4c4d-a7be-83cf91fa1e42, 
Encap=91da95b4-4eaf-4659-b803-789c72ea3fad, 
MAC_Binding=660466ef-f0f0-4e58-8be1-a6d16a640ef9, 
Port_Binding=046836f0-caf1-4d22-88b3-a1d9562d2b58, 
Service_Monitor=dabca251-6c8e-4953-8769-88f687285a60}
# ovn-sbctl list rbac_permission
_uuid               : 91da95b4-4eaf-4659-b803-789c72ea3fad
authorization       : [chassis_name]
insert_delete       : true
table               : Encap
update              : [ip, options, type]

_uuid               : 046836f0-caf1-4d22-88b3-a1d9562d2b58
authorization       : [""]
insert_delete       : false
table               : Port_Binding
update              : [chassis]

_uuid               : dabca251-6c8e-4953-8769-88f687285a60
authorization       : [""]
insert_delete       : false
table               : Service_Monitor
update              : [status]

_uuid               : 660466ef-f0f0-4e58-8be1-a6d16a640ef9
authorization       : [""]
insert_delete       : true
table               : MAC_Binding
update              : [datapath, ip, logical_port, mac]

_uuid               : 4a0070bf-1327-4c4d-a7be-83cf91fa1e42
authorization       : [name]
insert_delete       : true
table               : Chassis
update              : [encaps, external_ids, nb_cfg, other_config, 
vtep_logical_switches]


# ovs-vsctl get open . external-ids:system-id
"04540082-b5b5-4ab5-9901-03ed445c772d"
# ovs-vsctl get-ssl
Private key: /var/lib/openvswitch/pki/host/04540082-b5b5-4ab5-9901-03ed445c772d-privkey.pem
Certificate: /var/lib/openvswitch/pki/host/04540082-b5b5-4ab5-9901-03ed445c772d-cert.pem
CA Certificate: /var/lib/openvswitch/pki/host/cacert.pem
Bootstrap: false
# openssl x509 -noout -subject -in /var/lib/openvswitch/pki/host/04540082-b5b5-4ab5-9901-03ed445c772d-cert.pem
subject= /C=US/ST=CA/O=Open vSwitch/OU=Open vSwitch certifier/CN=04540082-b5b5-4ab5-9901-03ed445c772d

# ovn-sbctl list chassis 04540082-b5b5-4ab5-9901-03ed445c772d
_uuid               : e1436af9-4a15-4480-937e-7584e64033a3
encaps              : [256d47ca-ef69-4d75-b967-7ab19bd413a7, 
7ec10f55-c89a-4fd3-a2ab-8ac22f845c85]
external_ids        : {datapath-type="", 
iface-types="erspan,geneve,gre,internal,ip6erspan,ip6gre,lisp,patch,stt,system,tap,vxlan",
 is-interconn="false", ovn-bridge-mappings="", ovn-chassis-mac-mappings="", 
ovn-cms-options="", ovn-monitor-all="false"}
hostname            : host.local
name                : "04540082-b5b5-4ab5-9901-03ed445c772d"
nb_cfg              : 0
other_config        : {datapath-type="", 
iface-types="erspan,geneve,gre,internal,ip6erspan,ip6gre,lisp,patch,stt,system,tap,vxlan",
 is-interconn="false", ovn-bridge-mappings="", ovn-chassis-mac-mappings="", 
ovn-cms-options="", ovn-monitor-all="false"}
transport_zones     : []
vtep_logical_switches: []

# ovn-sbctl list encap 256d47ca-ef69-4d75-b967-7ab19bd413a7
_uuid               : 256d47ca-ef69-4d75-b967-7ab19bd413a7
chassis_name        : "04540082-b5b5-4ab5-9901-03ed445c772d"
ip                  : "Y.Y.Y.Y"
options             : {csum="true"}
type                : stt
# ovn-sbctl list encap 7ec10f55-c89a-4fd3-a2ab-8ac22f845c85
_uuid               : 7ec10f55-c89a-4fd3-a2ab-8ac22f845c85
chassis_name        : "04540082-b5b5-4ab5-9901-03ed445c772d"
ip                  : "Y.Y.Y.Y"
options             : {csum="true"}
type                : vxlan

Can anybody point me to what could be going wrong?
Am I missing something?


Regards,

Vladislav Odintsov
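The failing request above can be replayed against the quoted RBAC_Permission rows to see which check rejects it. This is an added example, not ovsdb-server's code and not from the report: a simplified model of how an RBAC_Permission row gates the "update" ops of a transact request (real ovsdb-server also covers insert/delete and the post-update row), with the permission rows, client CN and Encap row ownership taken from the mail and the row snapshot constructed.

```python
# Added example, not ovsdb-server's code: a simplified model of how an
# RBAC_Permission row gates the "update" ops of a transact request, replayed
# over the two requests quoted in the report. Only the update path is modeled.
# Constructed from the `ovn-sbctl list rbac_permission` output in the mail.
PERMISSIONS = {
    "Encap": {"authorization": ["chassis_name"], "update": ["ip", "options", "type"]},
    "Port_Binding": {"authorization": [""], "update": ["chassis"]},
}
CLIENT_CN = "04540082-b5b5-4ab5-9901-03ed445c772d"  # CN of the chassis cert
# Constructed snapshot of the Encap rows the failing request targets.
ROWS = {
    "7ec10f55-c89a-4fd3-a2ab-8ac22f845c85": {"chassis_name": CLIENT_CN},
    "256d47ca-ef69-4d75-b967-7ab19bd413a7": {"chassis_name": CLIENT_CN},
}

def check_update(op, client_cn, rows=ROWS, perms=PERMISSIONS):
    """Return None if the update op is allowed, else the rejection reason."""
    perm = perms.get(op["table"])
    if perm is None:
        return f'no permission row for table "{op["table"]}"'
    # Every column the op writes must be listed in the permission's "update".
    for col in op["row"]:
        if col not in perm["update"]:
            return f'modification of column "{col}" in table "{op["table"]}" prohibited'
    # authorization [""] means any client; otherwise the named column of the
    # existing row must equal the client's certificate CN.
    auth_col = perm["authorization"][0]
    if auth_col:
        uuid = op["where"][0][2][1]
        if rows.get(uuid, {}).get(auth_col) != client_cn:
            return f'row {uuid} is not owned by client "{client_cn}"'
    return None

def check_transaction(ops, client_cn):
    """First rejection reason among the update ops, or None if all pass."""
    for op in ops:
        if op["op"] == "update":
            reason = check_update(op, client_cn)
            if reason:
                return reason
    return None

# The 20.06.2 request, and the first two ops of the 20.06.3 request.
TXN_20_06_2 = [{"where": [["_uuid", "==", ["uuid", "4e9bd54c-f083-45cd-93d3-a65f4d20d688"]]],
                "row": {"chassis": ["uuid", "9d414bfc-da12-487e-80a0-5c1f2a98a05a"]},
                "op": "update", "table": "Port_Binding"}]
TXN_20_06_3 = TXN_20_06_2 + [
    {"where": [["_uuid", "==", ["uuid", "7ec10f55-c89a-4fd3-a2ab-8ac22f845c85"]]],
     "row": {"chassis_name": CLIENT_CN}, "op": "update", "table": "Encap"}]
```

The Encap op fails the column check, not the ownership check: the row already belongs to this chassis, but chassis_name is not in the permission's update list, which matches the "prohibit modification of table Encap" error in the log.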

_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev