[Bug 1917475] Re: RBAC Permissions too strict for Port_Binding table

Thu, 23 Sep 2021 02:41:04 -0700 

** Description changed:

- When using Openstack Ussuri with OVN 20.03 and adding a floating IP
- address to a unbound port the ovn-controller on the hypervisor
- repeatedly reports:
+ [Impact]
+ The OpenStack Octavia service will not work after upgrade to Hirsute.
+ 
+ [Test Plan]
+ Execute the gate tests for the octavia charm, which performs a full cloud 
deployment and confirms successful creation and operation of load balancer.
+ 
+ [Regression Potential]
+ The patch has already been available in the upstream branch-20.12 and has 
been released in our Focal packages as part of the 20.03.2 point release update 
for some time.
+ 
+ [Original Bug Description]
+ When using Openstack Ussuri with OVN 20.03 and adding a floating IP address 
to a unbound port the ovn-controller on the hypervisor repeatedly reports:
  
  2021-03-02T10:33:35.517Z|35359|ovsdb_idl|WARN|transaction error: 
{"details":"RBAC rules for client 
\"juju-eab186-zaza-d26c8c079cc7-11.project.serverstack\" role 
\"ovn-controller\" prohibit modification of table 
\"Port_Binding\".","error":"permission error"}
  2021-03-02T10:33:35.518Z|35360|main|INFO|OVNSB commit failed, force recompute 
next time.
  
  The seams to be because the ovn-controller needs to update the
  virtual_parent attribute of the port binding *2 but that is not included
  in the list of permissions allowed by the ovn-controller role *1
  
  *1 
https://github.com/ovn-org/ovn/blob/aa8ef5588c119fa8615d78288a7db7e3df2d6fbe/northd/ovn-northd.c#L11331-L11332
  *2 https://pastebin.ubuntu.com/p/4CfcxgDgdm/
  
  Disabling rbac by changing the role to "" and stopping and starting the
  southbound db listener results in the port being immediately updated and
  the floating IP can be accessed.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1917475

Title:
  RBAC Permissions too strict for Port_Binding table

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1917475/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to