ovn: Restrict encap modification to its creating chassis

This patch extends RBAC restrictiveness of the encap table in the ovn southbound database by only allowing modification by the chassis that created the encap. Signed-off-by: Mark Michelson <[email protected]> Reported-by: Lance Richardson <[email protected]> Acked-by: Lance Richardson <[email protected]> Signed-off-by: Russell Bryant <[email protected]>
zhuomingliang · Jul 31, 2017 · af0e972 · af0e972
1 parent 0360ef8
commit af0e972
Show file tree

Hide file tree

Showing 5 changed files with 10 additions and 4 deletions.
diff --git a/ovn/controller/chassis.c b/ovn/controller/chassis.c
@@ -222,6 +222,7 @@ chassis_run(struct controller_ctx *ctx, const char *chassis_id,
         sbrec_encap_set_type(encaps[i], type);
         sbrec_encap_set_ip(encaps[i], encap_ip);
         sbrec_encap_set_options(encaps[i], &options);
+        sbrec_encap_set_chassis_name(encaps[i], chassis_id);
     }
     sbrec_chassis_set_encaps(chassis_rec, encaps, n_encaps);
     free(encaps);

diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c
@@ -6106,7 +6106,7 @@ static const char *rbac_chassis_update[] =
     {"nb_cfg", "external_ids", "encaps", "vtep_logical_switches"};
 
 static const char *rbac_encap_auth[] =
-    {""};
+    {"chassis_name"};
 static const char *rbac_encap_update[] =
     {"type", "options", "ip"};
 

diff --git a/ovn/ovn-sb.ovsschema b/ovn/ovn-sb.ovsschema
@@ -1,7 +1,7 @@
 {
     "name": "OVN_Southbound",
-    "version": "1.14.0",
-    "cksum": "3613553908 13275",
+    "version": "1.15.0",
+    "cksum": "70426956 13327",
     "tables": {
         "SB_Global": {
             "columns": {
@@ -45,7 +45,8 @@
                                      "value": "string",
                                      "min": 0,
                                      "max": "unlimited"}},
-                "ip": {"type": "string"}}},
+                "ip": {"type": "string"},
+                "chassis_name": {"type": "string"}}},
         "Address_Set": {
             "columns": {
                 "name": {"type": "string"},

diff --git a/ovn/ovn-sb.xml b/ovn/ovn-sb.xml
@@ -353,6 +353,9 @@
     <column name="ip">
       The IPv4 address of the encapsulation tunnel endpoint.
     </column>
+    <column name="chassis_name">
+      The name of the chassis that created this encap.
+    </column>
   </table>
 
   <table name="Address_Set" title="Address Sets">

diff --git a/ovn/utilities/ovn-sbctl.c b/ovn/utilities/ovn-sbctl.c
@@ -571,6 +571,7 @@ cmd_chassis_add(struct ctl_context *ctx)
         sbrec_encap_set_type(encaps[i], encap_type);
         sbrec_encap_set_ip(encaps[i], encap_ip);
         sbrec_encap_set_options(encaps[i], &options);
+        sbrec_encap_set_chassis_name(encaps[i], ch_name);
         i++;
     }
     sset_destroy(&encap_set);