On Thu, Oct 30, 2025 at 9:25 AM Dumitru Ceara <[email protected]> wrote:
> On 10/29/25 1:30 PM, Ales Musil via dev wrote:
> > When RBAC was enabled ovn-controller wasn't able to create any
> > Learned_Route rows due to missing RBAC configuration. Add the
> > configuration to allow ovn-controller insertion and update inside
> > Learned_Route table.
> >
> > Fixes: 866a5014ae45 ("controller: Support learning routes.")
> > Signed-off-by: Ales Musil <[email protected]>
> > ---
>
> Hi Ales,
>
> Thanks for the patch!
>
Hi Dumitru,
thank you for the review.
>
> > northd/ovn-northd.c | 13 +++++++++++++
> > 1 file changed, 13 insertions(+)
> >
> > diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
> > index c9d88dd22..9e5adb60f 100644
> > --- a/northd/ovn-northd.c
> > +++ b/northd/ovn-northd.c
> > @@ -128,6 +128,11 @@ static const char *rbac_bfd_auth[] =
> > static const char *rbac_bfd_update[] =
> > {"status"};
> >
> > +static const char *rbac_learned_route_auth[] =
> > + {""};
> > +static const char *rbac_learned_route_update[] =
> > + {"datapath", "logical_port", "ip_prefix", "nexthop"};
>
> In hindsight this might have been an unfortunate schema design decision
> when we chose to add "external_ids" to the SB.Learned_Route table.
>
> Do we want to allow ovn-controller to also update external_ids? If I
> understand correctly it would anyway be allowed to create entries with
> external_ids set after this patch.
>
At the moment ovn-controller doesn't write into external_ids,
the question is if it ever will. But I guess it makes sense
to allow it too. I'll add it in v2.
> > +
> > static struct rbac_perm_cfg {
> > const char *table;
> > const char **auth;
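Review bot: rbac_learned_route_auth is set to {""} with no comment explaining the choice. In RBAC_Permission a zero-length authorization string means every client is treated as authorized, so together with the ".insdel = true" in the table entry further down, any chassis could modify or delete Learned_Route rows created by another chassis. If that is intended, say so in a comment above the array or in the commit message; otherwise name the column that identifies the owning chassis here.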
> > @@ -217,6 +222,14 @@ static struct rbac_perm_cfg {
> > .update = rbac_bfd_update,
> > .n_update = ARRAY_SIZE(rbac_bfd_update),
> > .row = NULL
> > + },{
> > + .table = "Learned_Route",
> > + .auth = rbac_learned_route_auth,
> > + .n_auth = ARRAY_SIZE(rbac_learned_route_auth),
> > + .insdel = true,
> > + .update = rbac_learned_route_update,
> > + .n_update = ARRAY_SIZE(rbac_learned_route_update),
> > + .row = NULL
> > },{
> > .table = NULL,
> > .auth = NULL,
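Review bot: the diffstat lists only northd/ovn-northd.c, so the new "Learned_Route" entry lands without a test. Since the failure only showed up with RBAC enabled, add a test that runs ovn-controller against an RBAC-enabled southbound database and checks that a Learned_Route row can be inserted and that the columns in rbac_learned_route_update can be updated, so a missing permission entry is caught next time.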
>
> Regards,
> Dumitru
>
>
Regards,
Ales
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev