[Bug 1914988] Re: IGMP Snooping does not work with RBAC enabled ovn-controllers

[Frode Nordahl]

** Also affects: ovn (Ubuntu Hirsute)
   Importance: Undecided
       Status: New

** Also affects: ovn (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: ovn (Ubuntu Impish)
   Importance: Undecided
       Status: Fix Committed

** Changed in: ovn (Ubuntu Focal)
       Status: New => Fix Released

** Changed in: ovn (Ubuntu Hirsute)
       Status: New => Triaged

** Changed in: ovn (Ubuntu Hirsute)
   Importance: Undecided => High

** Changed in: ovn (Ubuntu Impish)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to ovn in Ubuntu.
https://bugs.launchpad.net/bugs/1914988

Title:
  IGMP Snooping does not work with RBAC enabled ovn-controllers

Status in ovn package in Ubuntu:
  Fix Released
Status in ovn source package in Focal:
  Fix Released
Status in ovn source package in Hirsute:
  Triaged
Status in ovn source package in Impish:
  Fix Released

Bug description:
  Hi,

  I've tested this on both 20.03 and 20.06.

  Looking into ovn-architecture.xml: https://github.com/ovn-org/ovn/blob/master/ovn-architecture.7.xml#L2530
  It states that once RBAC is enabled, ovn-controllers will have access to some of the tables and that is hardcoded within OVN.

  That means once RBAC is enabled, IGMP_Group table is out of reach for
  ovn-controllers and will cause the following issue:

  2021-02-06T17:17:40.916Z|00028|ovsdb_idl|WARN|transaction error:
  {"details":"RBAC rules for client "REDACTED" role "ovn-controller"
  prohibit row insertion into table "IGMP_Group".","error":"permission
  error"}

  Reported on upstream repo: https://github.com/ovn-org/ovn/issues/77

  Proposed patch:
  https://github.com/phvalguima/ovn/commit/3419d9946c51b413f816ceb82372677e4afdbe9d

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1914988/+subscriptions