[Bug 1913024] [NEW] RBAC Permissions too strict for Chassis_Private table
Frode Nordahl
1913024 at bugs.launchpad.net
Mon Jan 25 08:22:35 UTC 2021
Public bug reported:
After introduction of the Chassis_Private table in OVN 20.09, CMS'es do
expect data plane daemons to be able to write to the external_ids
column.
However the current RBAC permissions do not allow for this. Running with this patch for ovn-northd fixes the problem:
diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
index 27df6a379..d332721cd 100644
--- a/northd/ovn-northd.c
+++ b/northd/ovn-northd.c
@@ -12951,7 +12951,7 @@ static const char *rbac_chassis_update[] =
static const char *rbac_chassis_private_auth[] =
{"name"};
static const char *rbac_chassis_private_update[] =
- {"nb_cfg", "nb_cfg_timestamp", "chassis"};
+ {"nb_cfg", "nb_cfg_timestamp", "chassis", "external_ids"};
static const char *rbac_encap_auth[] =
{"chassis_name"};
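Review bot: the "external_ids" entry added to rbac_chassis_private_update widens what the ovn-controller role may write, and nothing in the hunk records why. external_ids is a free-form map, so with rbac_chassis_private_auth still {"name"} each chassis can now set arbitrary keys in its own Chassis_Private row. Add a comment naming the consumer that needs this column, and a test confirming that a chassis still cannot modify another chassis's row or the "name" column.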
For completeness I will include output from an OpenStack neutron-ovn-metadata-agent daemon when running without the fix:
2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command Traceback (most recent call last):
2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command File "/usr/lib/python3/dist-packages/ovsdbapp/backend/ovs_idl/command.py", line 40, in execute
2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command t.add(self)
2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command File "/usr/lib/python3.8/contextlib.py", line 120, in __exit__
2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command next(self.gen)
2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command File "/usr/lib/python3/dist-packages/ovsdbapp/api.py", line 119, in transaction
2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command del self._nested_txns_map[cur_thread_id]
2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command File "/usr/lib/python3/dist-packages/ovsdbapp/api.py", line 69, in __exit__
2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command self.result = self.commit()
2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command File "/usr/lib/python3/dist-packages/ovsdbapp/backend/ovs_idl/transaction.py", line 62, in commit
2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command raise result.ex
2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command File "/usr/lib/python3/dist-packages/ovsdbapp/backend/ovs_idl/connection.py", line 122, in run
2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command txn.results.put(txn.do_commit())
2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command File "/usr/lib/python3/dist-packages/ovsdbapp/backend/ovs_idl/transaction.py", line 118, in do_commit
2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command raise RuntimeError(msg)
2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command RuntimeError: OVSDB Error: {"details":"RBAC rules for client \"ps5-ra4-n2.maas\" role \"ovn-controller\" prohibit modification of table \"Chassis_Private\".","error":"permission error"}
2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command
2021-01-25 08:06:51.334 1763580 CRITICAL neutron [-] Unhandled error: RuntimeError: OVSDB Error: {"details":"RBAC rules for client \"ps5-ra4-n2.maas\" role \"ovn-controller\" prohibit modification of table \"Chassis_Private\".","error":"permission error"}
2021-01-25 08:06:51.334 1763580 ERROR neutron Traceback (most recent call last):
2021-01-25 08:06:51.334 1763580 ERROR neutron File "/usr/bin/neutron-ovn-metadata-agent", line 10, in <module>
2021-01-25 08:06:51.334 1763580 ERROR neutron sys.exit(main())
2021-01-25 08:06:51.334 1763580 ERROR neutron File "/usr/lib/python3/dist-packages/neutron/cmd/eventlet/agents/ovn_metadata.py", line 17, in main
2021-01-25 08:06:51.334 1763580 ERROR neutron metadata_agent.main()
2021-01-25 08:06:51.334 1763580 ERROR neutron File "/usr/lib/python3/dist-packages/neutron/agent/ovn/metadata_agent.py", line 39, in main
2021-01-25 08:06:51.334 1763580 ERROR neutron agt.start()
2021-01-25 08:06:51.334 1763580 ERROR neutron File "/usr/lib/python3/dist-packages/neutron/agent/ovn/metadata/agent.py", line 229, in start
2021-01-25 08:06:51.334 1763580 ERROR neutron self.register_metadata_agent()
2021-01-25 08:06:51.334 1763580 ERROR neutron File "/usr/lib/python3/dist-packages/neutron/agent/ovn/metadata/agent.py", line 239, in register_metadata_agent
2021-01-25 08:06:51.334 1763580 ERROR neutron self.sb_idl.db_add(table, self.chassis, 'external_ids',
2021-01-25 08:06:51.334 1763580 ERROR neutron File "/usr/lib/python3/dist-packages/ovsdbapp/backend/ovs_idl/command.py", line 40, in execute
2021-01-25 08:06:51.334 1763580 ERROR neutron t.add(self)
2021-01-25 08:06:51.334 1763580 ERROR neutron File "/usr/lib/python3.8/contextlib.py", line 120, in __exit__
2021-01-25 08:06:51.334 1763580 ERROR neutron next(self.gen)
2021-01-25 08:06:51.334 1763580 ERROR neutron File "/usr/lib/python3/dist-packages/ovsdbapp/api.py", line 119, in transaction
2021-01-25 08:06:51.334 1763580 ERROR neutron del self._nested_txns_map[cur_thread_id]
2021-01-25 08:06:51.334 1763580 ERROR neutron File "/usr/lib/python3/dist-packages/ovsdbapp/api.py", line 69, in __exit__
2021-01-25 08:06:51.334 1763580 ERROR neutron self.result = self.commit()
2021-01-25 08:06:51.334 1763580 ERROR neutron File "/usr/lib/python3/dist-packages/ovsdbapp/backend/ovs_idl/transaction.py", line 62, in commit
2021-01-25 08:06:51.334 1763580 ERROR neutron raise result.ex
2021-01-25 08:06:51.334 1763580 ERROR neutron File "/usr/lib/python3/dist-packages/ovsdbapp/backend/ovs_idl/connection.py", line 122, in run
2021-01-25 08:06:51.334 1763580 ERROR neutron txn.results.put(txn.do_commit())
2021-01-25 08:06:51.334 1763580 ERROR neutron File "/usr/lib/python3/dist-packages/ovsdbapp/backend/ovs_idl/transaction.py", line 118, in do_commit
2021-01-25 08:06:51.334 1763580 ERROR neutron raise RuntimeError(msg)
2021-01-25 08:06:51.334 1763580 ERROR neutron RuntimeError: OVSDB Error: {"details":"RBAC rules for client \"ps5-ra4-n2.maas\" role \"ovn-controller\" prohibit modification of table \"Chassis_Private\".","error":"permission error"}
2021-01-25 08:06:51.334 1763580 ERROR neutron
2021-01-25 08:06:51.375 1763595 INFO oslo_service.service [-] Parent process has died unexpectedly, exiting
2021-01-25 08:06:51.375 1763594 INFO oslo_service.service [-] Parent process has died unexpectedly, exiting
2021-01-25 08:06:51.375 1763595 INFO eventlet.wsgi.server [-] (1763595) wsgi exited, is_accepting=True
2021-01-25 08:06:51.376 1763594 INFO eventlet.wsgi.server [-] (1763594) wsgi exited, is_accepting=True
** Affects: ovn (Ubuntu)
Importance: Undecided
Status: New
** Tags: ps5
https://bugs.launchpad.net/bugs/1913024
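An added illustration, not part of the original report and not OVN or ovsdb-server code: a simplified Python model of the RBAC update check, using the column lists from the diff above, that shows which writes the change opens up and which stay denied. The row contents, the second chassis name and the function names are constructed for the example; column:key pairs and wildcard authorization entries are not modeled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TablePermission:
    table: str
    authorization: tuple  # columns whose value must equal the client ID
    update: tuple         # columns the role may modify


# Column lists copied from the diff in the report.
AUTH = ("name",)
BEFORE = TablePermission("Chassis_Private", AUTH,
                         ("nb_cfg", "nb_cfg_timestamp", "chassis"))
AFTER = TablePermission("Chassis_Private", AUTH,
                        ("nb_cfg", "nb_cfg_timestamp", "chassis",
                         "external_ids"))


def check_update(perm, role, client_id, row, columns):
    """Return None when the update is allowed, else a denial message."""
    # Row-level check: the client must be named in an authorization column.
    owns_row = any(row.get(col) == client_id for col in perm.authorization)
    # Column-level check: every modified column must be in the update list.
    columns_ok = set(columns) <= set(perm.update)
    if owns_row and columns_ok:
        return None
    return ('RBAC rules for client "%s" role "%s" prohibit modification '
            'of table "%s".' % (client_id, role, perm.table))


def scenarios():
    role, me = "ovn-controller", "ps5-ra4-n2.maas"  # values from the log
    own = {"name": me}                               # constructed row
    other = {"name": "other-chassis.example"}        # constructed row
    return {
        "before, own row, external_ids":
            check_update(BEFORE, role, me, own, ["external_ids"]),
        "after, own row, external_ids":
            check_update(AFTER, role, me, own, ["external_ids"]),
        "after, other row, external_ids":
            check_update(AFTER, role, me, other, ["external_ids"]),
        "after, own row, name":
            check_update(AFTER, role, me, own, ["name"]),
    }


if __name__ == "__main__":
    for case, denial in scenarios().items():
        print("%-32s %s" % (case, denial or "allowed"))
```

Only the first case reproduces the denial seen in the log; the last two show that the row-ownership and column restrictions remain in force with the patched list.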