[Bug 1913024] Re: RBAC Permissions too strict for Chassis_Private table

Corey Bryant 1913024 at bugs.launchpad.net
Wed Nov 3 12:32:02 UTC 2021


This bug was fixed in the package ovn - 20.12.0-0ubuntu3~cloud0
---------------

 ovn (20.12.0-0ubuntu3~cloud0) focal-wallaby; urgency=medium
 .
   * New update for the Ubuntu Cloud Archive.
 .
 ovn (20.12.0-0ubuntu3) hirsute; urgency=medium
 .
   * Add RBAC rules for IGMP_Group table (LP: #1914988):
     - d/p/lp-1914988-Add-IGMP_Group-to-ovn-controller-RBAC.patch
     - d/p/lp-1914988-northd-Add-missing-RBAC-rules-for-FDB-table.patch
     - d/p/lp-1914988-northd-Amend-Chassis-RBAC-rules.patch
     - d/p/lp-1914988-northd-Add-Controller_Event-RBAC-rules.patch
     - d/p/lp-1914988-tests-Amend-release-stale-port-binding-test-for-RBAC.patch
     - d/p/lp-1914988-tests-Use-ovn_start-in-tests-ovn-controller.at.patch
     - d/p/lp-1914988-tests-Make-certificate-generation-extendable.patch
     - d/p/lp-1914988-tests-Test-with-SSL-and-RBAC-for-controller-by-defau.patch
   * d/p/lp-1943266-physical-do-not-forward-traffic-from-localport-to-a-.patch:
     Do not forward traffic from localport to localnet ports (LP: #1943266).
   * d/p/lp-1913024-northd-Add-Chassis_Private-external_ids-column-to-RB.patch
     Update RBAC rules for Chassis_Private table (LP: #1913024).
   * d/p/lp-1917475-northd-Amend-RBAC-rules-for-Port_Binding-table.patch
     Update RBAC rules for Port_Binding table (LP: #1917475).


** Changed in: cloud-archive/wallaby
       Status: Fix Committed => Fix Released

https://bugs.launchpad.net/bugs/1913024

Title:
  RBAC Permissions too strict for Chassis_Private table

Status in Ubuntu Cloud Archive:
  Fix Released
Status in Ubuntu Cloud Archive wallaby series:
  Fix Released
Status in ovn package in Ubuntu:
  Fix Released
Status in ovn source package in Focal:
  Fix Released
Status in ovn source package in Hirsute:
  Fix Released
Status in ovn source package in Impish:
  Fix Released

Bug description:
  [Impact]
  The OpenStack metadata service will not work after upgrade to Hirsute.

  [Test Plan]
  Execute the gate tests for the neutron-api-plugin-ovn charm, which performs a full cloud deployment and confirms two instances can spawn, get metadata and communicate with each other.

  [Regression Potential]
  The patch has already been available in the upstream branch-20.12 and has been released in our Focal packages as part of the 20.03.2 point release update for some time.

  [Original Bug Description]
  After introduction of the Chassis_Private table in OVN 20.09, CMSes do expect data plane daemons to be able to write to the external_ids column.

  However, the current RBAC permissions do not allow for this. Running with this patch for ovn-northd fixes the problem:
  diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
  index 27df6a379..d332721cd 100644
  --- a/northd/ovn-northd.c
  +++ b/northd/ovn-northd.c
  @@ -12951,7 +12951,7 @@ static const char *rbac_chassis_update[] =
   static const char *rbac_chassis_private_auth[] =
       {"name"};
   static const char *rbac_chassis_private_update[] =
  -    {"nb_cfg", "nb_cfg_timestamp", "chassis"};
  +    {"nb_cfg", "nb_cfg_timestamp", "chassis", "external_ids"};

   static const char *rbac_encap_auth[] =
       {"chassis_name"};
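
Review bot: the "external_ids" entry added to rbac_chassis_private_update opens a whole free-form column to the role rather than specific keys, and the hunk carries no comment saying which client needs it. A one-line comment above the array naming the consumer would help later audits of this list. Row scoping still rests on rbac_chassis_private_auth ({"name"}), so a test that runs a controller-role client with RBAC enabled and writes external_ids on its own Chassis_Private row and on another chassis' row would confirm both the fix and that the wider grant stays per-row.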

  For completeness I will include output from an OpenStack neutron-ovn-metadata-agent daemon when running without the fix:
  2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command Traceback (most recent call last):
  2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command   File "/usr/lib/python3/dist-packages/ovsdbapp/backend/ovs_idl/command.py", line 40, in execute
  2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command     t.add(self)
  2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command   File "/usr/lib/python3.8/contextlib.py", line 120, in __exit__
  2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command     next(self.gen)
  2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command   File "/usr/lib/python3/dist-packages/ovsdbapp/api.py", line 119, in transaction
  2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command     del self._nested_txns_map[cur_thread_id]
  2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command   File "/usr/lib/python3/dist-packages/ovsdbapp/api.py", line 69, in __exit__
  2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command     self.result = self.commit()
  2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command   File "/usr/lib/python3/dist-packages/ovsdbapp/backend/ovs_idl/transaction.py", line 62, in commit
  2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command     raise result.ex
  2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command   File "/usr/lib/python3/dist-packages/ovsdbapp/backend/ovs_idl/connection.py", line 122, in run
  2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command     txn.results.put(txn.do_commit())
  2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command   File "/usr/lib/python3/dist-packages/ovsdbapp/backend/ovs_idl/transaction.py", line 118, in do_commit
  2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command     raise RuntimeError(msg)
  2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command RuntimeError: OVSDB Error: {"details":"RBAC rules for client \"ps5-ra4-n2.maas\" role \"ovn-controller\" prohibit modification of table \"Chassis_Private\".","error":"permission error"}
  2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.backend.ovs_idl.command
  2021-01-25 08:06:51.334 1763580 CRITICAL neutron [-] Unhandled error: RuntimeError: OVSDB Error: {"details":"RBAC rules for client \"ps5-ra4-n2.maas\" role \"ovn-controller\" prohibit modification of table \"Chassis_Private\".","error":"permission error"}
  2021-01-25 08:06:51.334 1763580 ERROR neutron Traceback (most recent call last):
  2021-01-25 08:06:51.334 1763580 ERROR neutron   File "/usr/bin/neutron-ovn-metadata-agent", line 10, in <module>
  2021-01-25 08:06:51.334 1763580 ERROR neutron     sys.exit(main())
  2021-01-25 08:06:51.334 1763580 ERROR neutron   File "/usr/lib/python3/dist-packages/neutron/cmd/eventlet/agents/ovn_metadata.py", line 17, in main
  2021-01-25 08:06:51.334 1763580 ERROR neutron     metadata_agent.main()
  2021-01-25 08:06:51.334 1763580 ERROR neutron   File "/usr/lib/python3/dist-packages/neutron/agent/ovn/metadata_agent.py", line 39, in main
  2021-01-25 08:06:51.334 1763580 ERROR neutron     agt.start()
  2021-01-25 08:06:51.334 1763580 ERROR neutron   File "/usr/lib/python3/dist-packages/neutron/agent/ovn/metadata/agent.py", line 229, in start
  2021-01-25 08:06:51.334 1763580 ERROR neutron     self.register_metadata_agent()
  2021-01-25 08:06:51.334 1763580 ERROR neutron   File "/usr/lib/python3/dist-packages/neutron/agent/ovn/metadata/agent.py", line 239, in register_metadata_agent
  2021-01-25 08:06:51.334 1763580 ERROR neutron     self.sb_idl.db_add(table, self.chassis, 'external_ids',
  2021-01-25 08:06:51.334 1763580 ERROR neutron   File "/usr/lib/python3/dist-packages/ovsdbapp/backend/ovs_idl/command.py", line 40, in execute
  2021-01-25 08:06:51.334 1763580 ERROR neutron     t.add(self)
  2021-01-25 08:06:51.334 1763580 ERROR neutron   File "/usr/lib/python3.8/contextlib.py", line 120, in __exit__
  2021-01-25 08:06:51.334 1763580 ERROR neutron     next(self.gen)
  2021-01-25 08:06:51.334 1763580 ERROR neutron   File "/usr/lib/python3/dist-packages/ovsdbapp/api.py", line 119, in transaction
  2021-01-25 08:06:51.334 1763580 ERROR neutron     del self._nested_txns_map[cur_thread_id]
  2021-01-25 08:06:51.334 1763580 ERROR neutron   File "/usr/lib/python3/dist-packages/ovsdbapp/api.py", line 69, in __exit__
  2021-01-25 08:06:51.334 1763580 ERROR neutron     self.result = self.commit()
  2021-01-25 08:06:51.334 1763580 ERROR neutron   File "/usr/lib/python3/dist-packages/ovsdbapp/backend/ovs_idl/transaction.py", line 62, in commit
  2021-01-25 08:06:51.334 1763580 ERROR neutron     raise result.ex
  2021-01-25 08:06:51.334 1763580 ERROR neutron   File "/usr/lib/python3/dist-packages/ovsdbapp/backend/ovs_idl/connection.py", line 122, in run
  2021-01-25 08:06:51.334 1763580 ERROR neutron     txn.results.put(txn.do_commit())
  2021-01-25 08:06:51.334 1763580 ERROR neutron   File "/usr/lib/python3/dist-packages/ovsdbapp/backend/ovs_idl/transaction.py", line 118, in do_commit
  2021-01-25 08:06:51.334 1763580 ERROR neutron     raise RuntimeError(msg)
  2021-01-25 08:06:51.334 1763580 ERROR neutron RuntimeError: OVSDB Error: {"details":"RBAC rules for client \"ps5-ra4-n2.maas\" role \"ovn-controller\" prohibit modification of table \"Chassis_Private\".","error":"permission error"}
  2021-01-25 08:06:51.334 1763580 ERROR neutron
  2021-01-25 08:06:51.375 1763595 INFO oslo_service.service [-] Parent process has died unexpectedly, exiting
  2021-01-25 08:06:51.375 1763594 INFO oslo_service.service [-] Parent process has died unexpectedly, exiting
  2021-01-25 08:06:51.375 1763595 INFO eventlet.wsgi.server [-] (1763595) wsgi exited, is_accepting=True
  2021-01-25 08:06:51.376 1763594 INFO eventlet.wsgi.server [-] (1763594) wsgi exited, is_accepting=True
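
The patch in the description changes one column list in the RBAC permission for Chassis_Private. The following added example (not code from OVN or Open vSwitch, and not part of the bug report) models the update check in simplified form to show what the extra column permits and what stays denied. It assumes row ownership is an exact match between the client id and an authorization column, and it uses a constructed second row named other-chassis.

```c
/* Added example: simplified model of the OVSDB RBAC update check. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct perm {                       /* permission row for one (role, table) */
    const char *const *auth;   size_t n_auth;   /* columns naming the row owner */
    const char *const *update; size_t n_update; /* columns the role may modify */
};
struct cell { const char *column, *value; };

/* Column lists copied from the patch (Chassis_Private, role ovn-controller). */
static const char *auth_cols[]  = {"name"};
static const char *update_old[] = {"nb_cfg", "nb_cfg_timestamp", "chassis"};
static const char *update_new[] = {"nb_cfg", "nb_cfg_timestamp", "chassis", "external_ids"};
static const struct perm before_fix = {auth_cols, 1, update_old, 3};
static const struct perm after_fix  = {auth_cols, 1, update_new, 4};

/* Constructed rows and change sets; "other-chassis" is a made-up name. */
#define CLIENT "ps5-ra4-n2.maas"    /* client id as it appears in the log */
static const struct cell own_row[]   = {{"name", CLIENT}};
static const struct cell other_row[] = {{"name", "other-chassis"}};
static const char *mod_ext[] = {"external_ids"}, *mod_name[] = {"name"};

static bool in_list(const char *const *list, size_t n, const char *s) {
    for (size_t i = 0; i < n; i++) if (!strcmp(list[i], s)) return true;
    return false;
}

/* Allow only if an auth column of the row equals the client id (row
 * ownership) and every modified column is in the update list. */
static bool may_update(const struct perm *p, const char *client, const struct cell *row,
                       size_t n_row, const char *const *mod, size_t n_mod) {
    bool owner = false;
    for (size_t i = 0; i < n_row; i++)
        if (in_list(p->auth, p->n_auth, row[i].column) && !strcmp(row[i].value, client))
            owner = true;
    for (size_t i = 0; i < n_mod; i++)
        if (!in_list(p->update, p->n_update, mod[i])) return false;
    return owner;
}

int main(void) {
    printf("before=%d after=%d other_row=%d name_col=%d\n",
           may_update(&before_fix, CLIENT, own_row, 1, mod_ext, 1),
           may_update(&after_fix, CLIENT, own_row, 1, mod_ext, 1),
           may_update(&after_fix, CLIENT, other_row, 1, mod_ext, 1),
           may_update(&after_fix, CLIENT, own_row, 1, mod_name, 1));
}
```

The first case corresponds to the permission error in the log; the last two show that the wider list still denies writes to another chassis' row and to columns outside the list.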
