Bug 1809662
| Summary: | [RFE] OVN improve ACL add shortcut commands | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux Fast Datapath | Reporter: | Tim Rozet <trozet> |
| Component: | ovn2.13 | Assignee: | OVN Team <ovnteam> |
| Status: | CLOSED WONTFIX | QA Contact: | Ehsan Elahi <eelahi> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | RHEL 8.0 | CC: | ctrautma, jishi, mmichels, ralongi, rkhan, tredaelli |
| Target Milestone: | --- | Keywords: | FutureFeature |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-10-05 20:52:34 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
This can be closed since OCP uses libovsdb instead of ovn-nbctl. Tim confirmed this with me. |
Description of problem: With the current implementation of acl-add: [--type={switch | port-group}] [--log] [--meter=meter] [--severity=severity] [--name=name] [--may-exist] acl-add entity direction priority match verdict We are only able to add an ACL to a single entity. It would be nice to be able to apply an ACL to multiple entities at once. Otherwise acl-add has to be run multiple times, resulting in multiple ACLs. Additionally, if acl-add is used for an ACL that may already exist using "--may-exist", but the entity specified does not the have the ACL, the ACL will not be added (expected), but it will also not add the ACL to the entity. This results in no mechanism to be able to set the ACL to one or more entities, without direct database interaction. The real issue is that the acl-add command is doing 2 actions, creating an acl and associating it. I think a solution is to introduce separate commands to handle these issues, and eventually deprecate acl-add current behavior. We can create two commands to handle each action: 1) modify acl-add as follows: acl-add --acl-only (allows adding an acl without an entity) acl-add entities (replace entity with csv of one or more entities) 2) entity association commands: acl-set-entities (sets an existing ACL to one or more entities) acl-add-entities (adds one or more entities to an existing ACL) acl-del-entities acl-get-entities