Thanks Frode for covering that. Added minor comments to your PR and you can send a formal patch.
On Thu, Nov 7, 2019 at 2:00 PM Frode Nordahl <frode.nord...@canonical.com> wrote:
> fwiw; I proposed this small note earlier this evening:
> https://github.com/ovn-org/ovn/pull/25
>
> On Thu, 7 Nov 2019 at 21:47, Ben Pfaff <b...@ovn.org> wrote:
>> Sure, anything helps.
>>
>> On Thu, Nov 07, 2019 at 12:27:44PM -0800, aginwala wrote:
>> > Hi Ben:
>> >
>> > It seems the RBAC doc
>> > http://docs.openvswitch.org/en/stable/tutorials/ovn-rbac/#configuring-rbac
>> > only talks about chassis and does not mention northd. I can submit a patch to
>> > update that as a todo for northd and mention the workaround until we add
>> > formal support. Is that ok?
>> >
>> > On Thu, Nov 7, 2019 at 12:14 PM Ben Pfaff <b...@ovn.org> wrote:
>> > > Have we documented this? Should we?
>> > >
>> > > On Thu, Nov 07, 2019 at 10:20:22AM -0800, aginwala wrote:
>> > > > Hi:
>> > > >
>> > > > It is a known fact and has been discussed before. We use the same
>> > > > workaround as you mentioned. Alternatively, you can also set role="" and it
>> > > > will work for both northd and ovn-controller instead of separate listeners,
>> > > > which is also a security loop-hole. In short, some work is needed here
>> > > > to handle rbac for northd.
>> > > >
>> > > > On Thu, Nov 7, 2019 at 9:47 AM Frode Nordahl <frode.nord...@canonical.com> wrote:
>> > > > > Hello all,
>> > > > >
>> > > > > TL;DR; When enabling the `ovn-controller` role on the SB DB `ovsdb-server`
>> > > > > listener, `ovn-northd` no longer has the necessary access to do its job
>> > > > > when you are unable to use the local unix socket for its connection to the
>> > > > > database.
>> > > > >
>> > > > > AFAICT there is no northd-specific or admin type role available, have I
>> > > > > missed something?
>> > > > >
>> > > > > I have worked around the issue by enabling a separate listener on a
>> > > > > different port on the Southbound ovsdb-servers so that `ovn-northd` can
>> > > > > connect to that.
>> > > > >
>> > > > > I have an OVN deployment with central components spread across three
>> > > > > machines; there is an instance of the Northbound and Southbound
>> > > > > `ovsdb-server` on each of them which are clustered, and there is also an
>> > > > > instance of `ovn-northd` on each of them.
>> > > > >
>> > > > > The deployment is TLS-enabled and I have enabled RBAC.
>> > > > >
>> > > > > Since the DBs are clustered I have no control of which machine will be the
>> > > > > leader, and it may be that one machine has the leader for the Northbound DB
>> > > > > and a different machine has the leader of the Southbound DB.
>> > > > >
>> > > > > Because of this ovn-northd is unable to talk to the databases through a
>> > > > > local unix socket and must use a TLS-enabled connection to the DBs, and
>> > > > > herein lies the problem.
>> > > > >
>> > > > > I peeked at the RBAC implementation, and it appears to me that the
>> > > > > permission system is tied to having specific columns in each table that
>> > > > > map to the name of the client that wants permission. On the surface this
>> > > > > appears to not fit with `ovn-northd`'s needs as I would think it would need
>> > > > > full access to all tables, perhaps based on a centrally managed set of
>> > > > > hostnames.
>> > > > >
>> > > > > --
>> > > > > Frode Nordahl
>> > > > >
>> > > > > _______________________________________________
>> > > > > discuss mailing list
>> > > > > disc...@openvswitch.org
>> > > > > https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
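The two workarounds discussed in the thread (a separate unrestricted listener on another port for `ovn-northd`, or a single listener with `role=""`) both leave a Southbound listener that grants full access to whoever can reach it, so an operator may want to audit the SB `Connection` table for that. The script below is an added example, not code from the thread or from the OVN project. It parses output in the shape of `ovn-sbctl --format=json --columns=target,role,read_only list Connection` (both sample tables, including the `16642` port, are constructed) and reports network listeners whose role is empty; the severity levels and the note that such a listener should be reachable only from the `ovn-northd` hosts are this example's own assumptions, not recommendations from the thread.

```python
"""Audit the OVN Southbound Connection table for the RBAC gap discussed in the
thread: a listener without a role gives any connecting client full SB access.
Added example; not code from the thread or from the OVN project."""
import json

# Constructed sample in the shape of
#   ovn-sbctl --format=json --columns=target,role,read_only list Connection
# It mirrors Frode's workaround: an RBAC listener for chassis on 6642 plus a
# separate unrestricted listener for ovn-northd. The second port is made up.
SPLIT_LISTENERS = json.dumps({
    "headings": ["target", "role", "read_only"],
    "data": [
        ["pssl:6642", "ovn-controller", False],
        ["pssl:16642", "", False],
    ],
})

# Constructed sample of the other shortcut from the thread: one listener with
# role="" shared by ovn-controller and ovn-northd.
SHARED_LISTENER = json.dumps({
    "headings": ["target", "role", "read_only"],
    "data": [["pssl:6642", "", False]],
})

# Passive network targets; punix: sockets are only reachable locally.
NETWORK_SCHEMES = ("pssl:", "ptcp:")


def parse_connections(json_text):
    """Map each data row onto the column headings of ovsdb's JSON table output."""
    doc = json.loads(json_text)
    return [dict(zip(doc["headings"], row)) for row in doc["data"]]


def is_network_listener(target):
    """True for targets other hosts can connect to."""
    return target.startswith(NETWORK_SCHEMES)


def audit_connections(rows):
    """Return (severity, message) findings for the given Connection rows.
    The severity scale is this example's assumption, not defined by OVN."""
    findings = []
    network = [r for r in rows if is_network_listener(r["target"])]
    chassis = [r for r in network if r["role"] == "ovn-controller"]
    unrestricted = [r for r in network if r["role"] == ""]

    if network and not chassis:
        findings.append(("high", "no network listener carries role=ovn-controller; "
                                 "chassis connect with full write access"))
    for r in unrestricted:
        scheme = r["target"].split(":", 1)[0]
        if r.get("read_only"):
            level = "low"      # unrestricted, but clients cannot write
        elif scheme == "ptcp":
            level = "high"     # no TLS, so no client identity at all
        else:
            level = "medium"   # TLS-authenticated, but any accepted cert gets full access
        findings.append((level, f'{r["target"]} has role="": every client that '
                                "reaches it gets full SB access, so only the "
                                "ovn-northd hosts should be able to connect"))
    if len(network) == 1 and unrestricted:
        findings.append(("high", "a single unrestricted listener serves both "
                                 "ovn-controller and ovn-northd (the role=\"\" "
                                 "shortcut described in the thread)"))
    return findings


if __name__ == "__main__":
    for name, sample in (("split", SPLIT_LISTENERS), ("shared", SHARED_LISTENER)):
        print(name)
        for level, msg in audit_connections(parse_connections(sample)):
            print(f"  [{level}] {msg}")
```

Run against a live cluster, the JSON would come from `ovn-sbctl` on each Southbound server; the split layout yields one medium finding (the northd listener), while the shared layout yields the missing-role and single-listener findings as well.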