rbac: Only allow relevant chassis to update BFD.

This adds a new "chassis_name" column to the BFD table. ovn-northd sets this to the logical port's chassis name when creating the BFD record. RBAC has been updated so that chassis may only update their own records. Signed-off-by: Mark Michelson <mmichels@redhat.com> Acked-by: Ales Musil <amusil@redhat.com> Signed-off-by: Mark Michelson <mmichels@redhat.com>
ovn-org · Feb 2, 2024 · 4885e33 · 4885e33
1 parent bfac19d
commit 4885e33
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 5 deletions.
diff --git a/northd/northd.c b/northd/northd.c
@@ -10933,6 +10933,7 @@ build_bfd_table(struct ovsdb_idl_txn *ovnsb_txn,
             nbrec_bfd_set_status(nb_bt, "admin_down");
         }
 
+        struct ovn_port *op = ovn_port_find(lr_ports, nb_bt->logical_port);
         bfd_e = bfd_port_lookup(&sb_only, nb_bt->logical_port, nb_bt->dst_ip);
         if (!bfd_e) {
             int udp_src = bfd_get_unused_port(bfd_src_ports);
@@ -10946,6 +10947,9 @@ build_bfd_table(struct ovsdb_idl_txn *ovnsb_txn,
             sbrec_bfd_set_disc(sb_bt, 1 + random_uint32());
             sbrec_bfd_set_src_port(sb_bt, udp_src);
             sbrec_bfd_set_status(sb_bt, nb_bt->status);
+            if (op && op->sb && op->sb->chassis) {
+                sbrec_bfd_set_chassis_name(sb_bt, op->sb->chassis->name);
+            }
 
             int min_tx = nb_bt->n_min_tx ? nb_bt->min_tx[0] : BFD_DEF_MINTX;
             sbrec_bfd_set_min_tx(sb_bt, min_tx);
@@ -10964,6 +10968,10 @@ build_bfd_table(struct ovsdb_idl_txn *ovnsb_txn,
                 }
             }
             build_bfd_update_sb_conf(nb_bt, bfd_e->sb_bt);
+            if (op && op->sb && op->sb->chassis &&
+                strcmp(op->sb->chassis->name, sb_bt->chassis_name)) {
+                sbrec_bfd_set_chassis_name(sb_bt, op->sb->chassis->name);
+            }
 
             hmap_remove(&sb_only, &bfd_e->hmap_node);
             bfd_e->ref = false;
@@ -10972,7 +10980,6 @@ build_bfd_table(struct ovsdb_idl_txn *ovnsb_txn,
             hmap_insert(bfd_connections, &bfd_e->hmap_node, hash);
         }
 
-        struct ovn_port *op = ovn_port_find(lr_ports, nb_bt->logical_port);
         if (op) {
             op->has_bfd = true;
         }

diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
@@ -122,7 +122,7 @@ static const char *rbac_igmp_group_auth[] =
 static const char *rbac_igmp_group_update[] =
     {"address", "chassis", "datapath", "ports"};
 static const char *rbac_bfd_auth[] =
-    {""};
+    {"chassis_name"};
 static const char *rbac_bfd_update[] =
     {"status"};
 

diff --git a/ovn-sb.ovsschema b/ovn-sb.ovsschema
@@ -1,7 +1,7 @@
 {
     "name": "OVN_Southbound",
-    "version": "20.32.0",
-    "cksum": "1262133774 31276",
+    "version": "20.33.0",
+    "cksum": "4076371179 31328",
     "tables": {
         "SB_Global": {
             "columns": {
@@ -578,7 +578,8 @@
                              "min": 0, "max": "unlimited"}},
                 "options": {
                     "type": {"key": "string", "value": "string",
-                             "min": 0, "max": "unlimited"}}},
+                             "min": 0, "max": "unlimited"}},
+                "chassis_name": {"type": "string"}},
             "indexes": [["logical_port", "dst_ip", "src_port", "disc"]],
             "isRoot": true},
         "FDB": {

diff --git a/ovn-sb.xml b/ovn-sb.xml
@@ -4989,6 +4989,10 @@ tcp.flags = RST;
         receiving system in Asynchronous mode.
       </column>
 
+      <column name="chassis_name">
+        The name of the chassis where the logical port is bound.
+      </column>
+
       <column name="options">
         Reserved for future use.
       </column>