[Bug 1917475] Re: RBAC Permissions too strict for Port_Binding table

Camille Rodriguez 1917475 at bugs.launchpad.net
Thu May 6 14:12:04 UTC 2021


To confirm this is the bug, look in /var/log/ovn/ovn-controller.log on the
hypervisors for:

2021-03-02T10:33:35.517Z|35359|ovsdb_idl|WARN|transaction error: {"details":"RBAC rules for client \"juju-eab186-zaza-d26c8c079cc7-11.project.serverstack\" role \"ovn-controller\" prohibit modification of table \"Port_Binding\".","error":"permission error"}
2021-03-02T10:33:35.518Z|35360|main|INFO|OVNSB commit failed, force recompute next time.

To disable RBAC, on an ovn-central unit:

# sudo ovn-sbctl find connection
_uuid               : a3b68994-4376-4506-81eb-e23d15641305
external_ids        : {}
inactivity_probe    : 60000
is_connected        : false
max_backoff         : []
other_config        : {}
read_only           : false
role                : ""
status              : {}
target              : "pssl:16642"

_uuid               : ee53c2b6-ed8b-4b21-9825-a4ecaf2bdc95
external_ids        : {}
inactivity_probe    : 60000
is_connected        : false
max_backoff         : []
other_config        : {}
read_only           : false
role                : ovn-controller
status              : {}
target              : "pssl:6642"

Look for the UUID of the 6642 listener. In this case it is
'ee53c2b6-ed8b-4b21-9825-a4ecaf2bdc95'.

Remove the role to disable RBAC:

# sudo ovn-sbctl set connection ee53c2b6-ed8b-4b21-9825-a4ecaf2bdc95 role=''

Restart the ovn-controller service on the hypervisors.

To re-enable RBAC:

# sudo ovn-sbctl set connection e0cef788-df18-4b1b-a238-e8b79ea51c7c role='ovn-controller'

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to ovn in Ubuntu.
https://bugs.launchpad.net/bugs/1917475

Title:
  RBAC Permissions too strict for Port_Binding table

Status in ovn package in Ubuntu:
  In Progress

Bug description:
  When using OpenStack Ussuri with OVN 20.03 and adding a floating IP
  address to an unbound port, the ovn-controller on the hypervisor
  repeatedly reports:

  2021-03-02T10:33:35.517Z|35359|ovsdb_idl|WARN|transaction error: {"details":"RBAC rules for client \"juju-eab186-zaza-d26c8c079cc7-11.project.serverstack\" role \"ovn-controller\" prohibit modification of table \"Port_Binding\".","error":"permission error"}
  2021-03-02T10:33:35.518Z|35360|main|INFO|OVNSB commit failed, force recompute next time.

  This seems to be because the ovn-controller needs to update the
  virtual_parent attribute of the port binding *2, but that is not
  included in the list of permissions allowed by the ovn-controller role
  *1.

  *1 https://github.com/ovn-org/ovn/blob/aa8ef5588c119fa8615d78288a7db7e3df2d6fbe/northd/ovn-northd.c#L11331-L11332
  *2 https://pastebin.ubuntu.com/p/4CfcxgDgdm/

  Disabling rbac by changing the role to "" and stopping and starting
  the southbound db listener results in the port being immediately
  updated and the floating IP can be accessed.

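As an added example (not part of this bug report or of the OVN project), the POSIX shell helpers below wrap the workaround described above: one extracts the table and role from the RBAC permission error in ovn-controller.log, one picks a field (such as _uuid or role) of the connection record for a given listener target out of the output of ovn-sbctl find connection, and one prints the ovn-sbctl set connection command that clears or restores the role. The function names, the client name in the sample log line and the sample data are constructed for the example; the ovn-sbctl command is only printed, never executed, so the block runs offline.

```shell
#!/bin/sh
# Added example, not from the bug thread or the OVN project: offline helpers
# around the RBAC workaround above. Everything here parses or prints text;
# the ovn-sbctl command is printed, never executed.

# Constructed sample, modelled on the `ovn-sbctl find connection` listing above.
SAMPLE_CONNECTIONS='_uuid               : a3b68994-4376-4506-81eb-e23d15641305
external_ids        : {}
inactivity_probe    : 60000
is_connected        : false
max_backoff         : []
other_config        : {}
read_only           : false
role                : ""
status              : {}
target              : "pssl:16642"

_uuid               : ee53c2b6-ed8b-4b21-9825-a4ecaf2bdc95
external_ids        : {}
inactivity_probe    : 60000
is_connected        : false
max_backoff         : []
other_config        : {}
read_only           : false
role                : ovn-controller
status              : {}
target              : "pssl:6642"'

# Constructed sample log lines, modelled on the ovn-controller.log excerpt
# above; the client name is made up. The JSON quotes are backslash-escaped
# exactly as they appear in the real log.
SAMPLE_LOG='2021-03-02T10:33:35.517Z|35359|ovsdb_idl|WARN|transaction error: {"details":"RBAC rules for client \"chassis-1.example\" role \"ovn-controller\" prohibit modification of table \"Port_Binding\".","error":"permission error"}
2021-03-02T10:33:35.518Z|35360|main|INFO|OVNSB commit failed, force recompute next time.'

# rbac_denials < ovn-controller.log
# Prints "TABLE ROLE" for each "RBAC rules ... prohibit modification" error,
# so a trailing `sort | uniq -c` shows which tables the role is denied on.
rbac_denials() {
    sed -n 's/.*role \\"\([^\\]*\)\\" prohibit modification of table \\"\([^\\]*\)\\".*/\2 \1/p'
}

# sb_connection_field TARGET FIELD < output-of-"ovn-sbctl find connection"
# Prints FIELD (e.g. _uuid or role) of the connection record whose target is
# TARGET (e.g. pssl:6642). Relies on ovn-sbctl printing columns sorted, so
# "target" is the last line of each record and the record is complete by then.
sb_connection_field() {
    awk -v want="\"$1\"" -v field="$2" '
        /^[A-Za-z_]/            { rec[$1] = $3 }      # "key : value" lines
        /^target/ && $3 == want { print rec[field] }  # end of the wanted record
    '
}

# sb_rbac_command off|on UUID
# Prints the ovn-sbctl command that clears the role (RBAC off) or restores
# the ovn-controller role (RBAC on) on the listener with that connection UUID.
sb_rbac_command() {
    case "$1" in
        off) role='' ;;
        on)  role='ovn-controller' ;;
        *)   echo "usage: sb_rbac_command off|on UUID" >&2; return 2 ;;
    esac
    printf "ovn-sbctl set connection %s role='%s'\n" "$2" "$role"
}

# Stand-alone demo against the constructed samples.
printf '%s\n' "$SAMPLE_LOG" | rbac_denials
uuid=$(printf '%s\n' "$SAMPLE_CONNECTIONS" | sb_connection_field pssl:6642 _uuid)
role_now=$(printf '%s\n' "$SAMPLE_CONNECTIONS" | sb_connection_field pssl:6642 role)
echo "pssl:6642 listener is $uuid with role $role_now"
sb_rbac_command off "$uuid"
sb_rbac_command on "$uuid"
```

On a real ovn-central unit, pipe the live output in instead of the samples, for example sudo ovn-sbctl find connection | sb_connection_field pssl:6642 _uuid, and run the printed command by hand. While the role is cleared the 6642 listener no longer enforces the ovn-controller RBAC rules for any chassis that connects to it, so restore the role as soon as the fixed package is installed.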