[Bug 1917475] Re: RBAC Permissions too strict for Port_Binding table

Dariusz Smigiel 1917475 at bugs.launchpad.net
Mon Aug 30 16:34:40 UTC 2021


I had exactly the same issue right now on Focal with 20.03.2-0ubuntu0.20.04.1
3 of 6 ovn-controller nodes were reported as "XXX". After restarting all of failing ones, only 2 of 3 reconnected without issues.
The last one ovn-controller was still having problems. The only thing which worked was a workaround from #4


ubuntu at compute-server-6:~$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 20.04.2 LTS
Release:	20.04
Codename:	focal
ubuntu at compute-server-6:~$ sudo apt-cache policy ovn-common
ovn-common:
  Installed: 20.03.2-0ubuntu0.20.04.1
  Candidate: 20.03.2-0ubuntu0.20.04.1
  Version table:
 *** 20.03.2-0ubuntu0.20.04.1 500
        500 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     20.03.0-0ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to ovn in Ubuntu.
https://bugs.launchpad.net/bugs/1917475

Title:
  RBAC Permissions too strict for Port_Binding table

Status in ovn package in Ubuntu:
  Fix Committed
Status in ovn source package in Focal:
  Fix Released
Status in ovn source package in Groovy:
  Fix Released
Status in ovn source package in Hirsute:
  In Progress
Status in ovn source package in Impish:
  Fix Committed

Bug description:
  When using Openstack Ussuri with OVN 20.03 and adding a floating IP
  address to a unbound port the ovn-controller on the hypervisor
  repeatedly reports:

  2021-03-02T10:33:35.517Z|35359|ovsdb_idl|WARN|transaction error: {"details":"RBAC rules for client \"juju-eab186-zaza-d26c8c079cc7-11.project.serverstack\" role \"ovn-controller\" prohibit modification of table \"Port_Binding\".","error":"permission error"}
  2021-03-02T10:33:35.518Z|35360|main|INFO|OVNSB commit failed, force recompute next time.

  The seams to be because the ovn-controller needs to update the
  virtual_parent attribute of the port binding *2 but that is not
  included in the list of permissions allowed by the ovn-controller role
  *1

  *1 https://github.com/ovn-org/ovn/blob/aa8ef5588c119fa8615d78288a7db7e3df2d6fbe/northd/ovn-northd.c#L11331-L11332
  *2 https://pastebin.ubuntu.com/p/4CfcxgDgdm/

  Disabling rbac by changing the role to "" and stopping and starting
  the southbound db listener results in the port being immediately
  updated and the floating IP can be accessed.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1917475/+subscriptions




More information about the Ubuntu-openstack-bugs mailing list