On Thu, Nov 7, 2019 at 11:20 PM aginwala <aginw...@asu.edu> wrote:
> Thanks Frode for covering that. Added minor comments to your PR and you can
> send formal patch.

Thank you for the review Aliasgar, formal patch sent and it has already been merged [0][1]. Cheers!

0: https://patchwork.ozlabs.org/patch/1191671/
1: https://github.com/ovn-org/ovn/commit/e60f2f2d074d992ecfa6d9fc905e98a408e2d85e

--
Frode Nordahl

>
> On Thu, Nov 7, 2019 at 2:00 PM Frode Nordahl <frode.nord...@canonical.com> wrote:
>>
>> fwiw; I proposed this small note earlier this evening:
>> https://github.com/ovn-org/ovn/pull/25
>>
>> On Thu, 7 Nov 2019 at 21:47, Ben Pfaff <b...@ovn.org> wrote:
>>>
>>> Sure, anything helps.
>>>
>>> On Thu, Nov 07, 2019 at 12:27:44PM -0800, aginwala wrote:
>>> > Hi Ben:
>>> >
>>> > It seems RBAC doc
>>> > http://docs.openvswitch.org/en/stable/tutorials/ovn-rbac/#configuring-rbac
>>> > only talks about chassis and not mentioning about northd. I can submit a patch to
>>> > update that as a todo for northd and mention the workaround until we add
>>> > formal support. Is that ok?
>>> >
>>> > On Thu, Nov 7, 2019 at 12:14 PM Ben Pfaff <b...@ovn.org> wrote:
>>> >
>>> > > Have we documented this? Should we?
>>> > >
>>> > > On Thu, Nov 07, 2019 at 10:20:22AM -0800, aginwala wrote:
>>> > > > Hi:
>>> > > >
>>> > > > It is a known fact and has been discussed before. We use the same
>>> > > > workaround as you mentioned. Alternatively, you can also set role=""
>>> > > > and it will work for both northd and ovn-controller instead of separate
>>> > > > listeners, which is also a security loophole. In short, some work is needed here
>>> > > > to handle rbac for northd.
>>> > > >
>>> > > > On Thu, Nov 7, 2019 at 9:47 AM Frode Nordahl <frode.nord...@canonical.com> wrote:
>>> > > >
>>> > > > > Hello all,
>>> > > > >
>>> > > > > TL;DR; When enabling the `ovn-controller` role on the SB DB `ovsdb-server`
>>> > > > > listener, `ovn-northd` no longer has the necessary access to do its job
>>> > > > > when you are unable to use the local unix socket for its connection to the
>>> > > > > database.
>>> > > > >
>>> > > > > AFAICT there is no northd-specific or admin type role available, have I
>>> > > > > missed something?
>>> > > > >
>>> > > > > I have worked around the issue by enabling a separate listener on a
>>> > > > > different port on the Southbound ovsdb-servers so that `ovn-northd` can
>>> > > > > connect to that.
>>> > > > >
>>> > > > > I have an OVN deployment with central components spread across three
>>> > > > > machines, there is an instance of the Northbound and Southbound
>>> > > > > `ovsdb-server` on each of them which are clustered, and there is also an
>>> > > > > instance of `ovn-northd` on each of them.
>>> > > > >
>>> > > > > The deployment is TLS-enabled and I have enabled RBAC.
>>> > > > >
>>> > > > > Since the DBs are clustered I have no control of which machine will be the
>>> > > > > leader, and it may be that one machine has the leader for the Northbound DB
>>> > > > > and a different machine has the leader of the Southbound DB.
>>> > > > >
>>> > > > > Because of this ovn-northd is unable to talk to the databases through a
>>> > > > > local unix socket and must use a TLS-enabled connection to the DBs, and
>>> > > > > herein lies the problem.
>>> > > > >
>>> > > > > I peeked at the RBAC implementation, and it appears to me that the
>>> > > > > permission system is tied to having specific columns in each table that
>>> > > > > map to the name of the client that wants permission. On the surface this
>>> > > > > appears to not fit with `ovn-northd`'s needs as I would think it would need
>>> > > > > full access to all tables perhaps based on a centrally managed set of
>>> > > > > hostnames.
>>> > > > >
>>> > > > > --
>>> > > > > Frode Nordahl
>>> > > > >
>>> > > > > _______________________________________________
>>> > > > > discuss mailing list
>>> > > > > disc...@openvswitch.org
>>> > > > > https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
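To make Frode's observation concrete (permissions are tied to a column in each row matching the connecting client's identity, so a role built for chassis gives `ovn-northd` nothing useful, while a listener with no role gives every client everything), here is a small Python model of how an OVSDB role check of that shape decides a write. This is an added example written for this page, not OVS/OVN code: the `Permission` dataclass, `ROLES`, `check`, `scenarios` and the `LISTENER_ROLE` port map are hypothetical names, and the tables, permission sets and rows are constructed approximations of the mechanism rather than OVN's actual RBAC_Permission entries.

```python
"""Toy model of an OVSDB-style RBAC check (constructed for illustration).

The modelled rule set: a role grants, per table, a set of "authorization"
columns whose value must equal the client's TLS certificate CN (an empty
string in that set authorizes any client), an insert/delete flag, and the
set of columns the client may update. Reads are not restricted.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    authorization: frozenset  # row columns that must equal the client CN; "" = anyone
    insert_delete: bool       # may the client insert or delete rows in this table?
    update: frozenset         # columns the client may modify


# Constructed role: a chassis may only touch rows that name itself, and gets
# nothing at all on tables it is not listed for (e.g. Logical_Flow).
ROLES = {
    "ovn-controller": {
        "Chassis": Permission(frozenset({"name"}), True,
                              frozenset({"nb_cfg", "external_ids", "encaps"})),
        "Encap": Permission(frozenset({"chassis_name"}), True,
                            frozenset({"type", "options", "ip"})),
        "Port_Binding": Permission(frozenset({""}), False, frozenset({"chassis"})),
    },
}

# Constructed listener map mirroring the workaround in the thread: the normal
# SB port carries the chassis role, a second port carries no role at all.
LISTENER_ROLE = {6642: "ovn-controller", 16642: ""}


def authorized(perm, row, client_cn):
    """True if an authorization column of this row names the client ("" allows all)."""
    if "" in perm.authorization:
        return True
    return any(row.get(col) == client_cn for col in perm.authorization)


def check(role, client_cn, table, op, row, columns=()):
    """Decide one operation; returns (allowed, reason)."""
    if op == "select":
        return True, "reads are not subject to RBAC"
    if role == "":
        return True, "listener has no role: RBAC is not applied"
    perm = ROLES.get(role, {}).get(table)
    if perm is None:
        return False, f"role {role!r} grants nothing on {table}"
    if not authorized(perm, row, client_cn):
        return False, f"{client_cn!r} matches no authorization column {sorted(perm.authorization)} in {table}"
    if op in ("insert", "delete"):
        return (True, "ok") if perm.insert_delete else (False, f"insert/delete not permitted on {table}")
    if op == "update":
        bad = [c for c in columns if c not in perm.update]
        return (False, f"columns {bad} not updatable on {table}") if bad else (True, "ok")
    return False, f"unknown op {op!r}"


# Constructed sample rows.
CHASSIS_1 = {"name": "chassis-1", "nb_cfg": 3}
CHASSIS_2 = {"name": "chassis-2", "nb_cfg": 3}
PORT_BINDING = {"logical_port": "lp-1", "chassis": None}
LFLOW = {"logical_datapath": "dp-1", "priority": 100}


def scenarios():
    """Run the cases discussed in the thread; returns name -> allowed."""
    ctl = LISTENER_ROLE[6642]       # chassis and northd on the RBAC-enabled listener
    open_port = LISTENER_ROLE[16642]  # the role-less second listener
    return {
        "chassis updates its own Chassis row": check(ctl, "chassis-1", "Chassis", "update", CHASSIS_1, ["nb_cfg"])[0],
        "chassis updates another Chassis row": check(ctl, "chassis-1", "Chassis", "update", CHASSIS_2, ["nb_cfg"])[0],
        "chassis claims a Port_Binding (auth '')": check(ctl, "chassis-1", "Port_Binding", "update", PORT_BINDING, ["chassis"])[0],
        "chassis deletes a Port_Binding": check(ctl, "chassis-1", "Port_Binding", "delete", PORT_BINDING)[0],
        "northd inserts Logical_Flow on the role listener": check(ctl, "northd-host-1", "Logical_Flow", "insert", LFLOW)[0],
        "northd inserts Logical_Flow on the role-less listener": check(open_port, "northd-host-1", "Logical_Flow", "insert", LFLOW)[0],
        "chassis deletes Logical_Flow on the role-less listener": check(open_port, "chassis-1", "Logical_Flow", "delete", LFLOW)[0],
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {name}")
```

The last two cases are the thread's two points in one picture: northd only gets through on the listener that applies no role, and on that same listener any client holding a certificate the server trusts gets identical write access, which is why a role-less listener shared with chassis is the loophole aginwala describes and why the workaround keeps it on a separate port whose reachability must be controlled by other means.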