[Bug 1914988] Re: IGMP Snooping does not work with RBAC enabled ovn-controllers

Frode Nordahl 1914988 at bugs.launchpad.net
Thu Sep 23 07:55:08 UTC 2021 

I somehow convinced myself we got this patch into the upstream 20.03.2
point release, and evidently that is not the case.  I want to offer my
apologies for any confusion and time wasted as a result of that.

As for Hirsute, there are some patches that are in Focal / Groovy but
still pending for the Hirsute OVN package.  This is unfortunate and the
reason for that is that we upstreamed the patches we carried in our
packages to the 20.03, 20.06, 20.09 and 20.12 branches, but only got
point releases cut for 20.03 and 20.06, and not 20.12.

I will pick the remaining patches for Hirsute and correct that as part
of the SRU process for this bug.

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to ovn in Ubuntu.
https://bugs.launchpad.net/bugs/1914988

Title:
  IGMP Snooping does not work with RBAC enabled ovn-controllers

Status in Ubuntu Cloud Archive:
  New
Status in Ubuntu Cloud Archive ussuri series:
  New
Status in ovn package in Ubuntu:
  Fix Released
Status in ovn source package in Focal:
  Confirmed
Status in ovn source package in Hirsute:
  Triaged
Status in ovn source package in Impish:
  Fix Released

Bug description:
  Hi,

  I've tested this on both 20.03 and 20.06.

  Looking into ovn-architecture.xml: https://github.com/ovn-org/ovn/blob/master/ovn-architecture.7.xml#L2530
  It states that once RBAC is enabled, ovn-controllers will have access to some of the tables and that is hardcoded within OVN.

  That means once RBAC is enabled, IGMP_Group table is out of reach for
  ovn-controllers and will cause the following issue:

  2021-02-06T17:17:40.916Z|00028|ovsdb_idl|WARN|transaction error:
  {"details":"RBAC rules for client "REDACTED" role "ovn-controller"
  prohibit row insertion into table "IGMP_Group".","error":"permission
  error"}

  Reported on upstream repo: https://github.com/ovn-org/ovn/issues/77

  Proposed patch:
  https://github.com/phvalguima/ovn/commit/3419d9946c51b413f816ceb82372677e4afdbe9d

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1914988/+subscriptions

More information about the Ubuntu-openstack-bugs mailing list