Bug 1885670

Summary: [RFE] Improving Northbound Database Port-Group Table's functional behavior
Product: Red Hat Enterprise Linux Fast Datapath
Reporter: Anil Vishnoi <avishnoi>
Component: OVN
Assignee: OVN Team <ovnteam>
Status: NEW ---
QA Contact: Jianlin Shi <jishi>
Severity: medium
Priority: medium
Version: RHEL 8.0
CC: ctrautma, dceara, i.maximets, mmichels, nusiddiq, trozet
Target Milestone: ---
Target Release: ---
Hardware: All
OS: All
Doc Type: If docs needed, set a value
Story Points: ---
Type: Bug
Regression: ---

Description Anil Vishnoi 2020-10-06 16:48:46 UTC
Description of problem:
Currently Port-Group is used in multiple contexts:
(1) as a match criteria for an ACL
(2) applying ACLs to a set of logical switches (not to specific ports of the logical switches).

This creates a bit of confusion about its functional behavior, specifically for scenario (2) above, where the port group is used to determine the logical switch where the ACL needs to be specified. Please see the BZ (https://bugzilla.redhat.com/show_bug.cgi?id=1885668) for more details about it.

Had a good discussion over IRC on this with Dumitru, Ilya and Numan in this regard. Just want to share a few thoughts on improving this functional behavior based on the discussion, to see if that makes sense.

If we do the following enhancements in the OVN NB DB, it might make things more intuitive and simple:
(1) Remove support for the inport=@portgroup match from the ACL match.
(2) Port-Group will only be used to apply an ACL to specific ports. So if an ACL is associated with a port group, northd can generate logical flows that contain the inport match.
(3) Define Logical-Switch-Groups, to apply ACLs at the logical-switch level.

Given that inport won't be allowed in an ACL, users need to explicitly define whether they want to apply the ACL to a specific port/set of ports or apply it at the logical-switch level.

Thoughts?

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
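As an added illustration (not part of the bug report or of OVN's code), the following Python model contrasts the two behaviors discussed above: today an ACL stored in a port group is installed on every logical switch that has a member port and applies to the whole switch unless the match itself says inport == @pg, while under the proposal northd would always prepend an inport match built from the switch-local members. Switch, port and port-group names are constructed sample data, and the functions are a hypothetical simplification of northd's ACL handling.

```python
# Added example: a small model of how ACLs attached to a port group end up as
# per-switch flows, contrasting the current behaviour with the proposal above.
# Switch/port/port-group names are constructed sample data; the functions are
# a hypothetical simplification of northd's ACL handling, not OVN code.

# Logical switches and their ports (constructed).
SWITCHES = {"ls1": ["lsp1", "lsp2"], "ls2": ["lsp3", "lsp4"]}
# One port group spanning both switches (constructed).
PORT_GROUPS = {"pg1": ["lsp1", "lsp3"]}


def switches_for_port_group(pg):
    """Switches that contain at least one member port of `pg`."""
    members = set(PORT_GROUPS[pg])
    return sorted(ls for ls, ports in SWITCHES.items() if members & set(ports))


def local_members(pg, ls):
    """Member ports of `pg` that live on switch `ls`."""
    return [p for p in SWITCHES[ls] if p in PORT_GROUPS[pg]]


def generate_flows(pg, acl_match, mode):
    """Return {switch: flow match} for an ACL stored in port group `pg`.

    "current":  the match is installed as-is on every switch that has a
                member port; only an explicit 'inport == @pg' limits it.
    "proposed": 'inport == @pg' is rejected in the ACL match and northd
                prepends an inport match built from the switch-local members,
                so the ACL can only ever apply to those ports.
    """
    if mode == "proposed" and f"@{pg}" in acl_match:
        raise ValueError("inport == @portgroup is not allowed in ACL match")
    flows = {}
    for ls in switches_for_port_group(pg):
        if mode == "current":
            flows[ls] = acl_match
        else:
            ports = ", ".join(f'"{p}"' for p in local_members(pg, ls))
            flows[ls] = f"inport == {{{ports}}} && ({acl_match})"
    return flows


def affected_ports(pg, acl_match, mode):
    """Which ports on each switch the generated flow really applies to."""
    result = {}
    for ls in switches_for_port_group(pg):
        if mode == "proposed" or f"inport == @{pg}" in acl_match:
            result[ls] = local_members(pg, ls)
        else:
            result[ls] = list(SWITCHES[ls])  # whole switch, not just members
    return result
```

Running affected_ports() with the same match in "current" and "proposed" mode shows the difference the report is about: the current form silently covers lsp2 and lsp4, which are not in pg1 at all.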