RBAC Permissions too strict for Chassis_Private table
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Ubuntu Cloud Archive | Fix Released | Undecided | Unassigned | |
| Wallaby | Fix Released | Undecided | Unassigned | |
| ovn (Ubuntu) | Fix Released | High | Unassigned | |
| Focal | Fix Released | Undecided | Unassigned | |
| Hirsute | Fix Released | High | Unassigned | |
| Impish | Fix Released | High | Unassigned | |
Bug Description
[Impact]
The OpenStack metadata service will not work after upgrade to Hirsute.
[Test Plan]
Execute the gate tests for the neutron-
[Regression Potential]
The patch has already been available in the upstream branch-20.12 and has been released in our Focal packages as part of the 20.03.2 point release update for some time.
[Original Bug Description]
After the introduction of the Chassis_Private table in OVN 20.09, CMSes expect data plane daemons to be able to write to the external_ids column.
However, the current RBAC permissions do not allow this. Running with this patch for ovn-northd fixes the problem:
diff --git a/northd/
index 27df6a379.
--- a/northd/
+++ b/northd/
@@ -12951,7 +12951,7 @@ static const char *rbac_chassis_
static const char *rbac_chassis_
{"name"};
static const char *rbac_chassis_
- {"nb_cfg", "nb_cfg_timestamp", "chassis"};
+ {"nb_cfg", "nb_cfg_timestamp", "chassis", "external_ids"};
static const char *rbac_encap_auth[] =
{"
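Review bot: the `+` line widens the update-column list of the `rbac_chassis_` array for Chassis_Private from three narrowly purposed columns to also include `external_ids`, a free-form key/value map, but the hunk carries no comment saying which writer needs it; add a one-line comment at that array noting that CMS data plane daemons (here the OpenStack metadata service named in the Impact section) store state in `external_ids`, so a later reader does not trim the list back. The neighbouring authorization list `{"name"};` is what keeps this grant limited to the chassis' own row rather than every Chassis_Private row, so that dependency is worth stating in the same comment.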
For completeness I will include output from an OpenStack neutron-
```
2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.
2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.
2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.
2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.
2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.
2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.
2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.
2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.
2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.
2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.
2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.
2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.
2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.
2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.
2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.
2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.
2021-01-25 08:06:51.333 1763580 ERROR ovsdbapp.
2021-01-25 08:06:51.334 1763580 CRITICAL neutron [-] Unhandled error: RuntimeError: OVSDB Error: {"details":"RBAC rules for client \"ps5-ra4-n2.maas\" role \"ovn-controller\" prohibit modification of table \"Chassis_
2021-01-25 08:06:51.334 1763580 ERROR neutron Traceback (most recent call last):
2021-01-25 08:06:51.334 1763580 ERROR neutron File "/usr/bin/
2021-01-25 08:06:51.334 1763580 ERROR neutron sys.exit(main())
2021-01-25 08:06:51.334 1763580 ERROR neutron File "/usr/lib/
2021-01-25 08:06:51.334 1763580 ERROR neutron metadata_
2021-01-25 08:06:51.334 1763580 ERROR neutron File "/usr/lib/
2021-01-25 08:06:51.334 1763580 ERROR neutron agt.start()
2021-01-25 08:06:51.334 1763580 ERROR neutron File "/usr/lib/
2021-01-25 08:06:51.334 1763580 ERROR neutron self.register_
2021-01-25 08:06:51.334 1763580 ERROR neutron File "/usr/lib/
2021-01-25 08:06:51.334 1763580 ERROR neutron self.sb_
2021-01-25 08:06:51.334 1763580 ERROR neutron File "/usr/lib/
2021-01-25 08:06:51.334 1763580 ERROR neutron t.add(self)
2021-01-25 08:06:51.334 1763580 ERROR neutron File "/usr/lib/
2021-01-25 08:06:51.334 1763580 ERROR neutron next(self.gen)
2021-01-25 08:06:51.334 1763580 ERROR neutron File "/usr/lib/
2021-01-25 08:06:51.334 1763580 ERROR neutron del self._nested_
2021-01-25 08:06:51.334 1763580 ERROR neutron File "/usr/lib/
2021-01-25 08:06:51.334 1763580 ERROR neutron self.result = self.commit()
2021-01-25 08:06:51.334 1763580 ERROR neutron File "/usr/lib/
2021-01-25 08:06:51.334 1763580 ERROR neutron raise result.ex
2021-01-25 08:06:51.334 1763580 ERROR neutron File "/usr/lib/
2021-01-25 08:06:51.334 1763580 ERROR neutron txn.results.
2021-01-25 08:06:51.334 1763580 ERROR neutron File "/usr/lib/
2021-01-25 08:06:51.334 1763580 ERROR neutron raise RuntimeError(msg)
2021-01-25 08:06:51.334 1763580 ERROR neutron RuntimeError: OVSDB Error: {"details":"RBAC rules for client \"ps5-ra4-n2.maas\" role \"ovn-controller\" prohibit modification of table \"Chassis_
2021-01-25 08:06:51.334 1763580 ERROR neutron
2021-01-25 08:06:51.375 1763595 INFO oslo_service.
2021-01-25 08:06:51.375 1763594 INFO oslo_service.
2021-01-25 08:06:51.375 1763595 INFO eventlet.
2021-01-25 08:06:51.376 1763594 INFO eventlet.
```
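The following is an added illustration, not code from OVN, ovsdb-server or the reporter: a simplified model of how an OVSDB RBAC_Permission row gates a client's transaction, with the Chassis_Private column lists taken from the hunk above in their before and after form. The `RbacPermission` type, the `check_update` function and the sample rows are assumptions made for the example; the chassis name `ps5-ra4-n2.maas` is the one shown in the log. It shows why the metadata service's write to `external_ids` is rejected before the patch and accepted after it, and that the `name` authorization column still stops a chassis from modifying another chassis' row.

```python
# Added illustration (not OVN's or ovsdb-server's code): a simplified model of how
# an OVSDB RBAC_Permission gates a client's transaction, used to show why the
# ovn-controller role's write to Chassis_Private.external_ids was rejected before
# the patch and is accepted after it, while other chassis' rows stay protected.
from dataclasses import dataclass


@dataclass(frozen=True)
class RbacPermission:
    """One RBAC_Permission row: the table, the columns that identify the client's own
    rows (authorization), and the columns the role may update on those rows."""
    table: str
    authorization: tuple        # e.g. ("name",): row["name"] must equal the client ID
    update: frozenset           # columns the role is allowed to modify
    insert_delete: bool = False


def check_update(perms, client_id, table, row, changed_columns):
    """Return (allowed, reason) for a client modifying `changed_columns` of `row`.

    Assumed (simplified) semantics: the role needs a permission for the table; if
    the permission names authorization columns, one of them must hold the client's
    own identity (for ovn-controller, the chassis name); and every changed column
    must be in the permission's update set.
    """
    perm = next((p for p in perms if p.table == table), None)
    if perm is None:
        return False, f"role has no RBAC_Permission for table {table!r}"
    if perm.authorization and not any(row.get(col) == client_id for col in perm.authorization):
        return False, f"row is not owned by client {client_id!r}"
    denied = sorted(set(changed_columns) - perm.update)
    if denied:
        return False, f"columns {denied} are not in the update list for {table!r}"
    return True, "allowed"


# Chassis_Private rule for the ovn-controller role; column lists copied from the
# hunk in the bug description, before and after adding "external_ids".
CHASSIS_PRIVATE_BEFORE = RbacPermission(
    table="Chassis_Private",
    authorization=("name",),
    update=frozenset({"nb_cfg", "nb_cfg_timestamp", "chassis"}),
)
CHASSIS_PRIVATE_AFTER = RbacPermission(
    table="Chassis_Private",
    authorization=("name",),
    update=frozenset({"nb_cfg", "nb_cfg_timestamp", "chassis", "external_ids"}),
)

# Constructed Chassis_Private rows: one for the chassis named in the log above,
# one for some other chassis (hypothetical name).
OWN_ROW = {"name": "ps5-ra4-n2.maas", "external_ids": {}}
OTHER_ROW = {"name": "other-chassis.example", "external_ids": {}}


def metadata_agent_write(perm, client_id, row):
    """Model the metadata service's transaction: a write to external_ids of `row`."""
    return check_update([perm], client_id, "Chassis_Private", row, ["external_ids"])


if __name__ == "__main__":
    for label, perm in (("before patch", CHASSIS_PRIVATE_BEFORE),
                        ("after patch", CHASSIS_PRIVATE_AFTER)):
        print(label, "own row:", metadata_agent_write(perm, "ps5-ra4-n2.maas", OWN_ROW))
        print(label, "other chassis row:", metadata_agent_write(perm, "ps5-ra4-n2.maas", OTHER_ROW))
```

The design point worth noticing is that the fix widens only the update set, not the authorization set: the per-row ownership check is what keeps a broader column grant from becoming a cross-chassis write path.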
Related branches
- James Page: Pending requested
- Ubuntu Server Developers: Pending requested
- Diff: 237 lines (+205/-0), 5 files modified
  - debian/changelog (+12/-0)
  - debian/patches/lp-1913024-northd-Add-Chassis_Private-external_ids-column-to-RB.patch (+42/-0)
  - debian/patches/lp-1914988-Add-IGMP_Group-to-ovn-controller-RBAC.patch (+100/-0)
  - debian/patches/lp-1917475-northd-Amend-RBAC-rules-for-Port_Binding-table.patch (+48/-0)
  - debian/patches/series (+3/-0)
Changed in ovn (Ubuntu):
- status: New → Triaged
- importance: Undecided → High

Changed in ovn (Ubuntu):
- status: Triaged → Fix Committed

Changed in ovn (Ubuntu Impish):
- status: Fix Committed → Fix Released

Changed in ovn (Ubuntu Hirsute):
- status: New → Triaged

Changed in ovn (Ubuntu Focal):
- status: New → Fix Released

Changed in ovn (Ubuntu Hirsute):
- importance: Undecided → High
- description: updated

Changed in cloud-archive:
- status: New → Fix Released
- status: Fix Released → Fix Committed