Hello,

I set up a similar scenario using the OVS sandbox. I started the OVN sandbox and then issued the command:

ovn-sbctl --id=@test97c983e4 --db=ssl:127.0.0.1:6642 --private-key=sandbox/chassis-1-privkey.pem --certificate=sandbox/chassis-1-cert.pem --ca-cert=sandbox/pki/switchca/cacert.pem create encap chassis_name='1234' ip='1234' options:csum="true" type="geneve"

It's the same command you used but with the db IP address filled in and the certificate files changed to the ones installed by the sandbox. This is what I see:

2018-09-13T19:05:50Z|00002|sbctl|WARN|row id "@test97c983e4" was created but no reference to it was inserted, so it will not actually appear in the database
2018-09-13T19:05:50Z|00003|ovsdb_idl|WARN|transaction error: {"details":"RBAC rules for client \"chassis-1\" role \"ovn-controller\" prohibit row insertion into table \"Encap\".","error":"permission error"}

It starts the same as what you see but then also has a permission error on the Encap table.

I think your issue is that you used "ssl" in your `ovn-sbctl set-connection` command instead of "pssl". Try using

ovn-sbctl set-connection role=ovn-controller pssl:6642

or

ovn-sbctl set-connection role=ovn-controller pssl:6642:[central_node_ip]

Note that with pssl, you put the port before the IP address. If you leave out the IP address, then OVN binds to the wildcard address.

Aside from that, double-check the output of `ovn-sbctl list connection` and ensure that the connection has what you expect. Ensure that the "role" column is actually set to "ovn-controller".

Also, double-check the client certificate you are using. The way RBAC works is that it looks at the CN field on the client certificate and sets that as the ID of the stream. The RBAC-permission Encap table says to make sure that the chassis-name in the Encap record matches the ID of the stream. So if you are creating the Encap using a client certificate with CN set to "1234" then it will succeed.

Hopefully one of the above recommendations will fix the problem.
Mark!
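
The decision Mark describes above (the client certificate's CN becomes the stream ID, and the `authorization` column of each rbac-permission row names the column that must equal that ID) can be modelled with the four default permission rows quoted later in this thread. The following is an added example written for this page; it is not OVS/OVN code and is a model of the check, not ovsdb-server's implementation. The role contents are the ones shown in the thread; the client IDs `chassis-1`, `chassis-2` and the sample rows are constructed. Map-column entries of the form `column:key` are handled as described in the OVS RBAC documentation.

```python
"""Model of the OVN southbound RBAC decision discussed in this thread.

Constructed example. The client ID is the CN of the client certificate,
which ovsdb-server uses as the stream ID. A row is authorized for a client
when any entry in the permission's "authorization" set is "" (any client) or
names a column whose value equals the client ID. Inserts and deletes also
need insert_delete=true; updates may only touch columns in "update".
"""
from dataclasses import dataclass
from typing import Dict, Optional

ROLE_NAME = "ovn-controller"


@dataclass(frozen=True)
class Permission:
    table: str
    authorization: frozenset  # column names or "column:key"; "" matches any client
    insert_delete: bool
    update: frozenset         # columns the client may modify


def perm(table, authorization, insert_delete, update):
    return Permission(table, frozenset(authorization), insert_delete, frozenset(update))


# The default "ovn-controller" role, as printed by `ovn-sbctl list rbac-permission`.
OVN_CONTROLLER_ROLE: Dict[str, Permission] = {p.table: p for p in [
    perm("Port_Binding", [""], False, ["chassis"]),
    perm("Encap", ["chassis_name"], True, ["ip", "options", "type"]),
    perm("Chassis", ["name"], True,
         ["encaps", "external_ids", "nb_cfg", "vtep_logical_switches"]),
    perm("MAC_Binding", [""], True, ["datapath", "ip", "logical_port", "mac"]),
]}


def row_authorized(p: Permission, client_id: str, row: dict) -> bool:
    """True if the client ID (certificate CN) satisfies the authorization column."""
    for entry in p.authorization:
        if entry == "":
            return True
        if ":" in entry:                      # map column: "column:key"
            column, key = entry.split(":", 1)
            value = row.get(column, {})
            if isinstance(value, dict) and value.get(key) == client_id:
                return True
        elif row.get(entry) == client_id:
            return True
    return False


def rbac_check(client_id: str, table: str, op: str, row: dict,
               new_values: Optional[dict] = None,
               role: Dict[str, Permission] = OVN_CONTROLLER_ROLE) -> Optional[str]:
    """Return None if the operation is permitted, else a permission-error string.

    `row` is the row being inserted, deleted, or (for update) the existing row;
    `new_values` holds the proposed column values for an update.
    """
    p = role.get(table)
    if p is None:   # tables with no permission row are off limits to the role
        return (f'RBAC rules for client "{client_id}" role "{ROLE_NAME}" '
                f'prohibit access to table "{table}".')
    if op in ("insert", "delete"):
        if not p.insert_delete or not row_authorized(p, client_id, row):
            verb = "row insertion into" if op == "insert" else "row deletion from"
            return (f'RBAC rules for client "{client_id}" role "{ROLE_NAME}" '
                    f'prohibit {verb} table "{table}".')
        return None
    if op == "update":
        changed = {c for c, v in (new_values or {}).items() if row.get(c) != v}
        if not changed:
            return None
        if not changed <= p.update or not row_authorized(p, client_id, row):
            return (f'RBAC rules for client "{client_id}" role "{ROLE_NAME}" '
                    f'prohibit modification of column(s) {sorted(changed)} '
                    f'in table "{table}".')
        return None
    raise ValueError(f"unknown operation {op!r}")


if __name__ == "__main__":
    encap = {"chassis_name": "1234", "ip": "1234", "type": "geneve"}
    # The thread's test: client CN "chassis-1" inserting an Encap for chassis "1234".
    print(rbac_check("chassis-1", "Encap", "insert", encap))
    # Same insert from a certificate whose CN is "1234" passes.
    print(rbac_check("1234", "Encap", "insert", encap))
```

To see which stream ID a given certificate will produce, inspect its subject with `openssl x509 -noout -subject -in <cert.pem>`; the CN there is the value that must match `chassis_name` (Encap) or `name` (Chassis) for the insert to be accepted.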

On 09/11/2018 09:52 PM, Feng, Zhenhua wrote:
Hi

This is my first question here, so please kindly let me know if I need to add any information to make the question actually answerable. : )

Basically, I have a working OVN test environment with one central node (where nb and sb db runs) and 2 hypervisor nodes (ovn-controllers).  SSL has already been enabled for connection to south bound db. Hypervisors connect to sb db via SSL.

To enable rbac on the south bound connection I've issued the following command on the central node:

ovn-sbctl set-connection role=ovn-controller ssl:[central_node_ip]:6642


The role, permission and connection tables look as follows:

# ovn-sbctl list rbac-role
_uuid               : cfba4fb4-2073-4639-8da4-f43e3336583d
name                : ovn-controller
permissions         : {Chassis=6b444b75-a3dd-4482-8399-91db41eacbe8, Encap=4e57bd31-f326-4c52-9814-963e92cd39cd, MAC_Binding=e8c3f556-2f98-4b15-b40a-5a444903902a, Port_Binding=9adcc428-8910-4e49-bff5-a82ec1dad586}

# ovn-sbctl list rbac-permission
_uuid               : 9adcc428-8910-4e49-bff5-a82ec1dad586
authorization       : [""]
insert_delete       : false
table               : Port_Binding
update              : [chassis]

_uuid               : 4e57bd31-f326-4c52-9814-963e92cd39cd
authorization       : [chassis_name]
insert_delete       : true
table               : Encap
update              : [ip, options, type]

_uuid               : 6b444b75-a3dd-4482-8399-91db41eacbe8
authorization       : [name]
insert_delete       : true
table               : Chassis
update              : [encaps, external_ids, nb_cfg, vtep_logical_switches]

_uuid               : e8c3f556-2f98-4b15-b40a-5a444903902a
authorization       : [""]
insert_delete       : true
table               : MAC_Binding
update              : [datapath, ip, logical_port, mac]

Both the role and permission table come with OVN by default.

I tested the following scenario for rbac:

Add one more row in the encap table with a random chassis_name "1234" from one of the hypervisors. (The command issued and results are as below.) I'm expecting the command to fail because of the rbac permission on the encap table, which authorizes based on chassis_name. But from the output, it appears to have succeeded.

# ovn-sbctl --id=@test97c983e4 --db=ssl:[central_node_ip]:6642 --private-key=/etc/openvswitch/ovn-controller-privkey.pem --certificate=/etc/openvswitch/ovn-controller-cert.pem --ca-cert=/etc/openvswitch/cacert.pem create encap chassis_name='1234' ip='1234' options:csum="true" type="geneve"

2018-09-11T21:58:27Z|00002|sbctl|WARN|row id "@test97c983e4" was created but no reference to it was inserted, so it will not actually appear in the database

I can't find many documents that actually show how to set up and test rbac for ovn other than the official doc

http://docs.openvswitch.org/en/latest/topics/role-based-access-control/

Can someone help to tell what's going on here?

Have I configured rbac wrong, or used the wrong test parameters?

Thank you very much!

Zhenhua



_______________________________________________
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
