[Bug 1917475] Re: RBAC Permissions too strict for Port_Binding table
Dariusz Smigiel
1917475 at bugs.launchpad.net
Mon Aug 30 16:34:40 UTC 2021
I had exactly the same issue right now on Focal with 20.03.2-0ubuntu0.20.04.1.
3 of 6 ovn-controller nodes were reported as "XXX". After restarting all of the failing ones, only 2 of 3 reconnected without issues.
The last ovn-controller was still having problems. The only thing which worked was a workaround from #4.
ubuntu@compute-server-6:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.2 LTS
Release: 20.04
Codename: focal
ubuntu@compute-server-6:~$ sudo apt-cache policy ovn-common
ovn-common:
  Installed: 20.03.2-0ubuntu0.20.04.1
  Candidate: 20.03.2-0ubuntu0.20.04.1
  Version table:
 *** 20.03.2-0ubuntu0.20.04.1 500
        500 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     20.03.0-0ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to ovn in Ubuntu.
https://bugs.launchpad.net/bugs/1917475
Title:
RBAC Permissions too strict for Port_Binding table
Status in ovn package in Ubuntu:
Fix Committed
Status in ovn source package in Focal:
Fix Released
Status in ovn source package in Groovy:
Fix Released
Status in ovn source package in Hirsute:
In Progress
Status in ovn source package in Impish:
Fix Committed
Bug description:
When using OpenStack Ussuri with OVN 20.03 and adding a floating IP
address to an unbound port, the ovn-controller on the hypervisor
repeatedly reports:
2021-03-02T10:33:35.517Z|35359|ovsdb_idl|WARN|transaction error: {"details":"RBAC rules for client \"juju-eab186-zaza-d26c8c079cc7-11.project.serverstack\" role \"ovn-controller\" prohibit modification of table \"Port_Binding\".","error":"permission error"}
2021-03-02T10:33:35.518Z|35360|main|INFO|OVNSB commit failed, force recompute next time.
This seems to be because the ovn-controller needs to update the
virtual_parent attribute of the port binding *2 but that is not
included in the list of permissions allowed by the ovn-controller role
*1.
*1 https://github.com/ovn-org/ovn/blob/aa8ef5588c119fa8615d78288a7db7e3df2d6fbe/northd/ovn-northd.c#L11331-L11332
*2 https://pastebin.ubuntu.com/p/4CfcxgDgdm/
Disabling RBAC by changing the role to "" and stopping and starting
the southbound db listener results in the port being immediately
updated and the floating IP can be accessed.
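Added example, not part of the original bug report and not OVN project code: a Python parser that scans ovn-controller log text for the RBAC denial quoted above and reports which client, role and table were involved, so affected hypervisors can be found from their logs. The sample log is constructed from the two lines in the report plus one made-up unrelated error, and the function names are hypothetical.

```python
import json
import re
from collections import Counter

# Constructed sample: the two log lines from the report plus one made-up,
# unrelated transaction error that must not be counted.
SAMPLE_LOG = r'''2021-03-02T10:33:35.517Z|35359|ovsdb_idl|WARN|transaction error: {"details":"RBAC rules for client \"juju-eab186-zaza-d26c8c079cc7-11.project.serverstack\" role \"ovn-controller\" prohibit modification of table \"Port_Binding\".","error":"permission error"}
2021-03-02T10:33:35.518Z|35360|main|INFO|OVNSB commit failed, force recompute next time.
2021-03-02T10:33:36.001Z|35361|ovsdb_idl|WARN|transaction error: {"details":"constructed unrelated failure","error":"constraint violation"}
'''

PREFIX = "transaction error: "
DETAILS_RE = re.compile(
    r'RBAC rules for client "(?P<client>[^"]+)" role "(?P<role>[^"]*)" '
    r'prohibit (?P<action>.+?) of table "(?P<table>[^"]+)"'
)

def parse_rbac_denials(text):
    """Return one dict per RBAC denial found in ovn-controller log text."""
    denials = []
    for line in text.splitlines():
        # Log layout as seen in the report: timestamp|sequence|module|level|message
        parts = line.split("|", 4)
        if len(parts) != 5:
            continue
        timestamp, _seq, module, _level, message = parts
        if module != "ovsdb_idl" or not message.startswith(PREFIX):
            continue
        try:
            err = json.loads(message[len(PREFIX):])
        except json.JSONDecodeError:
            continue  # truncated or non-JSON payload
        if not isinstance(err, dict) or err.get("error") != "permission error":
            continue
        match = DETAILS_RE.search(str(err.get("details", "")))
        if match:
            denials.append({"timestamp": timestamp, **match.groupdict()})
    return denials

def summarize(denials):
    """Count denials per (client, role, table) so repeated retries collapse."""
    return Counter((d["client"], d["role"], d["table"]) for d in denials)

if __name__ == "__main__":
    for (client, role, table), n in summarize(parse_rbac_denials(SAMPLE_LOG)).items():
        print(f"{n}x role={role} table={table} client={client}")
```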