RBAC Permissions too strict for Port_Binding table
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ubuntu Cloud Archive | Fix Released | Undecided | Unassigned |
Wallaby | Fix Released | Undecided | Unassigned |
ovn (Ubuntu) | Fix Released | High | Unassigned |
Focal | Fix Released | High | Unassigned |
Groovy | Fix Released | High | Unassigned |
Hirsute | Fix Released | High | Frode Nordahl |
Impish | Fix Released | High | Unassigned |
Bug Description
[Impact]
The OpenStack Octavia service will not work after upgrade to Hirsute.
[Test Plan]
Execute the gate tests for the octavia charm, which perform a full cloud deployment and confirm successful creation and operation of a load balancer.
[Regression Potential]
The patch has already been available in the upstream branch-20.12 and has been released in our Focal packages as part of the 20.03.2 point release update for some time.
[Original Bug Description]
When using OpenStack Ussuri with OVN 20.03 and adding a floating IP address to an unbound port, the ovn-controller on the hypervisor repeatedly reports:
2021-03-
2021-03-
This seems to be because the ovn-controller needs to update the virtual_parent attribute of the port binding *2, but that is not included in the list of permissions allowed by the ovn-controller role *1.
*1 https:/
*2 https:/
Disabling rbac by changing the role to "" and stopping and starting the southbound db listener results in the port being immediately updated and the floating IP can be accessed.
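Added example (not part of the original report and not OVN's own code): a small audit that decodes RBAC_Permission rows and reports which columns of an attempted update the role cannot write, which avoids having to disable RBAC to confirm the diagnosis. The JSON shape, the `chassis` column and the before/after column lists are constructed assumptions; only `virtual_parent` and the Port_Binding table come from the report.

```python
import json

# Constructed samples shaped like `ovn-sbctl --format=json list RBAC_Permission`
# output (assumed shape; column lists are illustrative, not OVN's real ones).
# RFC 7047 encodes a one-element set as a bare atom, larger sets as ["set", [...]].
HEADINGS = ["table", "authorization", "insert_delete", "update"]
BEFORE = json.dumps({"headings": HEADINGS, "data": [
    ["Port_Binding", "", False, "chassis"]]})
AFTER = json.dumps({"headings": HEADINGS, "data": [
    ["Port_Binding", "", False, ["set", ["chassis", "virtual_parent"]]]]})


def ovsdb_set(value):
    """Decode an RFC 7047 <set> into a Python set."""
    if isinstance(value, list) and len(value) == 2 and value[0] == "set":
        return set(value[1])
    return {value}  # bare atom: exactly one element


def load_permissions(text):
    """Map table name -> set of columns the role may update."""
    doc = json.loads(text)
    perms = {}
    for row in doc["data"]:
        rec = dict(zip(doc["headings"], row))
        perms[rec["table"]] = ovsdb_set(rec["update"])
    return perms


def denied_columns(perms, table, columns):
    """Columns of an attempted update the role may not write.

    Modelled rule: a table without a permission row allows no updates, and
    one denied column is enough for the server to reject the transaction.
    """
    return sorted(set(columns) - perms.get(table, set()))


if __name__ == "__main__":
    # virtual_parent is from the report; chassis is an assumed companion column.
    attempted = ["chassis", "virtual_parent"]
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        denied = denied_columns(load_permissions(sample), "Port_Binding", attempted)
        print(label, "denied:", denied or "none")
```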
Related branches
- James Page: Pending requested
- Ubuntu Server Developers: Pending requested
- Diff: 237 lines (+205/-0), 5 files modified
debian/changelog (+12/-0)
debian/patches/lp-1913024-northd-Add-Chassis_Private-external_ids-column-to-RB.patch (+42/-0)
debian/patches/lp-1914988-Add-IGMP_Group-to-ovn-controller-RBAC.patch (+100/-0)
debian/patches/lp-1917475-northd-Amend-RBAC-rules-for-Port_Binding-table.patch (+48/-0)
debian/patches/series (+3/-0)
description: | updated |
Changed in ovn (Ubuntu): | |
status: | New → In Progress |
importance: | Undecided → High |
assignee: | nobody → Frode Nordahl (fnordahl) |
Changed in ovn (Ubuntu): | |
status: | In Progress → Fix Committed |
Changed in ovn (Ubuntu Hirsute): | |
status: | New → In Progress |
Changed in ovn (Ubuntu Groovy): | |
status: | New → Fix Released |
Changed in ovn (Ubuntu Focal): | |
status: | New → Fix Released |
Changed in ovn (Ubuntu Impish): | |
assignee: | Frode Nordahl (fnordahl) → nobody |
Changed in ovn (Ubuntu Hirsute): | |
assignee: | nobody → Frode Nordahl (fnordahl) |
Changed in ovn (Ubuntu Impish): | |
status: | Fix Committed → Fix Released |
description: | updated |
Changed in cloud-archive: | |
status: | New → Fix Released |
status: | Fix Released → Fix Committed |
Changed in cloud-archive: | |
status: | Fix Committed → Fix Released |
Changed in ovn (Ubuntu Focal): | |
importance: | Undecided → High |
Changed in ovn (Ubuntu Groovy): | |
importance: | Undecided → High |
Changed in ovn (Ubuntu Hirsute): | |
importance: | Undecided → High |
https://patchwork.ozlabs.org/project/ovn/list/?series=232350