RBAC Permissions too strict for Port_Binding table

Bug #1917475 reported by Liam Young on 2021-03-02
Affects: ovn (Ubuntu); Importance: High; Assigned to: Frode Nordahl

Bug Description

When using Openstack Ussuri with OVN 20.03 and adding a floating IP address to an unbound port the ovn-controller on the hypervisor repeatedly reports:

2021-03-02T10:33:35.517Z|35359|ovsdb_idl|WARN|transaction error: {"details":"RBAC rules for client \"juju-eab186-zaza-d26c8c079cc7-11.project.serverstack\" role \"ovn-controller\" prohibit modification of table \"Port_Binding\".","error":"permission error"}
2021-03-02T10:33:35.518Z|35360|main|INFO|OVNSB commit failed, force recompute next time.

This seems to be because the ovn-controller needs to update the virtual_parent attribute of the port binding *2 but that is not included in the list of permissions allowed by the ovn-controller role *1.

*1 https://github.com/ovn-org/ovn/blob/aa8ef5588c119fa8615d78288a7db7e3df2d6fbe/northd/ovn-northd.c#L11331-L11332
*2 https://pastebin.ubuntu.com/p/4CfcxgDgdm/

Disabling rbac by changing the role to "" and stopping and starting the southbound db listener results in the port being immediately updated and the floating IP can be accessed.

Frode Nordahl (fnordahl) on 2021-03-02
description: updated
Changed in ovn (Ubuntu):
status: New → In Progress
importance: Undecided → High
assignee: nobody → Frode Nordahl (fnordahl)
Frode Nordahl (fnordahl) wrote :

Fixes have been applied upstream for all versions of OVN and we are awaiting upstream to cut point releases to get these and other updates into Ubuntu. We are also working on extending the upstream tests to encompass testing with RBAC by default.

While waiting for that I have picked the relevant fixes into a package provided through a PPA [0].

0: https://launchpad.net/~fnordahl/+archive/ubuntu/lp1917475

Camille Rodriguez (camille.rodriguez) wrote :

To confirm this is the bug, in /var/log/ovn/ovn-controller.log on the hypervisors look for:

2021-03-02T10:33:35.517Z|35359|ovsdb_idl|WARN|transaction error: {"details":"RBAC rules for client \"juju-eab186-zaza-d26c8c079cc7-11.project.serverstack\" role \"ovn-controller\" prohibit modification of table \"Port_Binding\".","error":"permission error"}
2021-03-02T10:33:35.518Z|35360|main|INFO|OVNSB commit failed, force recompute next time.

To disable rbac, on an ovn-central unit:

# sudo ovn-sbctl find connection
_uuid : a3b68994-4376-4506-81eb-e23d15641305
external_ids : {}
inactivity_probe : 60000
is_connected : false
max_backoff : []
other_config : {}
read_only : false
role : ""
status : {}
target : "pssl:16642"

_uuid : ee53c2b6-ed8b-4b21-9825-a4ecaf2bdc95
external_ids : {}
inactivity_probe : 60000
is_connected : false
max_backoff : []
other_config : {}
read_only : false
role : ovn-controller
status : {}
target : "pssl:6642"

Look for the 6642 listener's uuid. In this case 'ee53c2b6-ed8b-4b21-9825-a4ecaf2bdc95'

Remove the role to disable rbac:

# sudo ovn-sbctl set connection ee53c2b6-ed8b-4b21-9825-a4ecaf2bdc95 role=''

Restart the ovn-controller service on the hypervisors.

To re-enable rbac:

# sudo ovn-sbctl set connection e0cef788-df18-4b1b-a238-e8b79ea51c7c role='ovn-controller'
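
Added example (not part of the bug report or of OVN): a small Python helper that pulls the client, role and table out of the ovsdb_idl RBAC permission errors quoted above, and that parses `ovn-sbctl find connection` output to list every listener whose role is empty, so an operator applying the workaround can verify that RBAC was put back on the ovn-controller listener afterwards. The log lines and connection records below are constructed samples modelled on the output in this report.

```python
import json
import re

# Constructed samples, modelled on the output quoted in this bug report.
LOG_LINES = [
    '2021-03-02T10:33:35.517Z|35359|ovsdb_idl|WARN|transaction error: '
    '{"details":"RBAC rules for client \\"juju-eab186-zaza-d26c8c079cc7-11'
    '.project.serverstack\\" role \\"ovn-controller\\" prohibit modification '
    'of table \\"Port_Binding\\".","error":"permission error"}',
    '2021-03-02T10:33:35.518Z|35360|main|INFO|OVNSB commit failed, force recompute next time.',
]
CONNECTIONS = """\
_uuid : a3b68994-4376-4506-81eb-e23d15641305
role : ""
target : "pssl:16642"

_uuid : ee53c2b6-ed8b-4b21-9825-a4ecaf2bdc95
role : ovn-controller
target : "pssl:6642"
"""
RBAC_RE = re.compile(
    r'RBAC rules for client "(?P<client>[^"]+)" role "(?P<role>[^"]+)" '
    r'prohibit modification of table "(?P<table>[^"]+)"'
)


def parse_rbac_denials(lines):
    """Extract client/role/table from ovsdb_idl RBAC permission errors."""
    denials = []
    for line in lines:
        _, sep, payload = line.partition("transaction error: ")
        if not sep:
            continue  # not a transaction error line (e.g. the INFO line)
        try:
            err = json.loads(payload)  # the error is logged as a JSON object
        except json.JSONDecodeError:
            continue
        denials.extend(m.groupdict() for m in RBAC_RE.finditer(err.get("details", "")))
    return denials


def parse_connections(text):
    """Parse `ovn-sbctl find connection` output into one dict per record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines())
        records.append({k.strip(): v.strip().strip('"') for k, _, v in pairs})
    return records


def rbac_disabled_listeners(records):
    """Targets whose role is empty, i.e. listeners serving clients without RBAC."""
    return [r["target"] for r in records if r.get("role", "") == ""]
```

Feed `parse_connections` the live output of `ovn-sbctl find connection` after re-enabling RBAC and confirm that `pssl:6642` is no longer returned by `rbac_disabled_listeners`.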

Frode Nordahl (fnordahl) wrote :

Thank you for adding the extended detail, Camille!

I would like to note that the fix for this is now in -proposed on Focal and is just around the corner to be promoted to -updates. The SRU can be tracked in bug 1924981.

Giuseppe Petralia (peppepetra) wrote :

I can confirm that on Bionic upgrading to 20.03.2-0ubuntu0.20.04.1~cloud0 fixed this issue.
