On Thu, Nov 7, 2019 at 7:20 PM aginwala <aginw...@asu.edu> wrote:
> Hi:
>
> It is a known fact and has been discussed before. We use the same
> workaround as you mentioned. Alternatively, you can also set role="" and it
> will work for both northd and ovn-controller instead of separate listeners,
> which is also a security loophole. In short, some work is needed here
> to handle rbac for northd.
>
Thank you for your prompt response, and for confirming that it is a known gap and that the approach is a reasonable one.

Albeit not a solution, securing the separate port with external means such as firewall rules that only allow connections from the machines hosting ovn-northd will at least make it a bit more secure.

Apologies for any duplicate questions or discussions. I made an honest attempt to find the information by searching the mailing list archive and existing documentation.

--
Frode Nordahl

> On Thu, Nov 7, 2019 at 9:47 AM Frode Nordahl <frode.nord...@canonical.com>
> wrote:
>
>> Hello all,
>>
>> TL;DR: When enabling the `ovn-controller` role on the SB DB
>> `ovsdb-server` listener, `ovn-northd` no longer has the necessary access to
>> do its job when you are unable to use the local unix socket for its
>> connection to the database.
>>
>> AFAICT there is no northd-specific or admin type role available; have I
>> missed something?
>>
>> I have worked around the issue by enabling a separate listener on a
>> different port on the Southbound ovsdb-servers so that `ovn-northd` can
>> connect to that.
>>
>>
>> I have an OVN deployment with central components spread across three
>> machines. There is an instance of the Northbound and Southbound
>> `ovsdb-server` on each of them, which are clustered, and there is also an
>> instance of `ovn-northd` on each of them.
>>
>> The deployment is TLS-enabled and I have enabled RBAC.
>>
>> Since the DBs are clustered I have no control of which machine will be
>> the leader, and it may be that one machine has the leader for the
>> Northbound DB and a different machine has the leader of the Southbound DB.
>>
>> Because of this ovn-northd is unable to talk to the databases through a
>> local unix socket and must use a TLS-enabled connection to the DBs, and
>> herein lies the problem.
>>
>>
>> I peeked at the RBAC implementation, and it appears to me that the
>> permission system is tied to having specific columns in each table that
>> map to the name of the client that wants permission. On the surface this
>> appears not to fit with `ovn-northd`'s needs, as I would think it would need
>> full access to all tables, perhaps based on a centrally managed set of
>> hostnames.
>>
>> --
>> Frode Nordahl
>>
>> _______________________________________________
>> discuss mailing list
>> disc...@openvswitch.org
>> https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
>>
>
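The workaround discussed in this thread (a second Southbound listener that ovn-northd can use, locked down with host firewall rules so that only the northd machines can reach it), written up as a reviewable POSIX shell script. This is an added example, not code from the thread or from the OVN project. It assumes: the existing role=ovn-controller listener on 6642 stays as it is; the extra listener is added with `ovsdb-server --remote=pssl:PORT`, which carries no RBAC role because roles live only in the Connection table's `role` column; the port 16642, the 192.0.2.x addresses, the certificate paths under /etc/ovn and the hosts list are placeholders to be replaced.

```shell
#!/bin/sh
# Added example (not from the thread or OVN): second SB listener for
# ovn-northd, restricted by iptables to the hosts that run ovn-northd.
# Everything is printed for review; nothing is applied unless APPLY=1.
set -eu

NORTHD_PORT=16642                                 # assumed: unrestricted SB port
NORTHD_HOSTS="192.0.2.11 192.0.2.12 192.0.2.13"   # constructed: hosts running ovn-northd
PKI_DIR=/etc/ovn                                  # assumed: where the SB certs live

# Emit the firewall rules for the northd-only port: allow-list every northd
# host, then a default deny. Order matters because iptables matches in order,
# so the DROP rule must be appended last.
northd_port_rules() {
    port=$1
    shift
    for host in "$@"; do
        printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$host"
    done
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Count ACCEPT rules in a rule set read from stdin (sanity check that every
# northd host received an allow entry). grep -c prints 0 on no match but
# exits 1, hence the || true.
count_accept_rules() {
    grep -c -- '-j ACCEPT' || true
}

# Extra arguments for the Southbound ovsdb-server: a TLS listener on the
# northd-only port. Command-line remotes have no RBAC role, so ovn-northd
# gets full access through this one while 6642 keeps role=ovn-controller.
sb_server_extra_args() {
    printf '%s\n' "--remote=pssl:$NORTHD_PORT --private-key=$PKI_DIR/sb-privkey.pem --certificate=$PKI_DIR/sb-cert.pem --ca-cert=$PKI_DIR/cacert.pem"
}

# ovn-northd's --ovnsb-db argument: every SB cluster member on the northd-only
# port, so northd follows the leader wherever it lands.
northd_sb_db_arg() {
    set -- $NORTHD_HOSTS
    out=""
    for host in "$@"; do
        out="${out:+$out,}ssl:$host:$NORTHD_PORT"
    done
    printf '%s\n' "--ovnsb-db=$out"
}

echo "# extra arguments for the SB ovsdb-server:"
sb_server_extra_args
echo "# argument for ovn-northd:"
northd_sb_db_arg
echo "# host firewall rules for port $NORTHD_PORT:"
northd_port_rules "$NORTHD_PORT" $NORTHD_HOSTS
if [ "${APPLY:-0}" = 1 ]; then
    # Apply the firewall rules; the ovsdb-server/ovn-northd arguments still
    # need to go into the service configuration your distribution uses.
    northd_port_rules "$NORTHD_PORT" $NORTHD_HOSTS | sh -e
fi
```

Run it without `APPLY` to see the generated listener arguments, the ovn-northd connection string and the rule set; the firewall rules only constrain the extra port, so the role=ovn-controller listener on 6642 is unaffected. As the thread notes, this narrows exposure of the unrestricted listener rather than giving ovn-northd a proper role of its own.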