Bug 1472860 - OVN: RBAC for Encap Table
Status: VERIFIED
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openvswitch
Version: 7.4
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 7.5
Assigned To: Mark Michelson
QA Contact: qding
URL: https://patchwork.ozlabs.org/patch/79...
Reported: 2017-07-19 10:36 EDT by Mark Michelson
Modified: 2017-11-26 08:58 EST (History)
Fixed In Version: openvswitch-2.8.0-1.el7fdb
Type: Bug

Attachments
RBAC Instructions and Reproducer (7.18 KB, text/plain)
2017-10-13 14:55 EDT, Mark Michelson
Description Mark Michelson 2017-07-19 10:36:55 EDT
From the OVN Work Items document:

"This work item aims to minimize the extent to which malicious or buggy software running on an OVN chassis node can disrupt other chassis by modifying the OVN_Southbound database. Using SSL for ovn-controller to SB db communication combined with RBAC addresses much of the problem; however, the OVN_Southbound Encap table is currently not protected by RBAC. Addressing this should be a matter of:

1. Adding a “creating chassis” column to the Encap table.
2. Adding code to ovn-controller to set this column when creating rows in the Encap table.
3. Adding code to set appropriate authorization criteria in the RBAC_Permission table."
Comment 4 Mark Michelson 2017-09-27 11:43:34 EDT
Hi Qijun,

I will let you know as soon as I have a simple scenario for this.
Comment 6 qding 2017-09-28 05:53:39 EDT
(In reply to Mark Michelson from comment #4)
> 
> I will let you know as soon as I have a simple scenario for this.

Thanks a lot
Comment 7 Mark Michelson 2017-10-13 14:55 EDT
Created attachment 1338316
RBAC Instructions and Reproducer

I have uploaded rbac_instructions.txt to this issue. The document consists of three parts:

1) A set of steps to configure OVN to use SSL and enable RBAC for the ovn-controller

2) An explanation of what RBAC is and how it works.

3) A simple reproducer for this particular issue.

If you have any questions or problems, please let me know.
Comment 8 haidong li 2017-11-26 08:58:43 EST
This issue is verified on the latest version:
[root@dell-per730-21 openvswitch]# ovs-vsctl show
75ed8c65-06dd-4033-af7a-3cd428b05212
    Bridge br-int
        fail_mode: secure
        Port br-int
            Interface br-int
                type: internal
    ovs_version: "2.8.0"
[root@dell-per730-21 openvswitch]# ovn-sbctl show
Chassis controller
    hostname: controller
    Encap geneve
        ip: "127.0.0.1"
        options: {csum="true"}
[root@dell-per730-21 openvswitch]# ovn-sbctl list rbac_role
_uuid               : 8b739b9b-f092-4e19-abc3-a00988312be5
name                : ovn-controller
permissions         : {Chassis=ca5bd3a2-78e1-48a8-a610-6cffffa43a94, Encap=b665d6a7-bae8-4373-bb7e-4183e93ed51f, MAC_Binding=ca18cfe4-dad5-4f0c-8027-9a9bec37fcac, Port_Binding=8a487364-5796-4e56-b0ca-46cd008d0510}
[root@dell-per730-21 openvswitch]# ovn-sbctl list rbac_permission
_uuid               : 8a487364-5796-4e56-b0ca-46cd008d0510
authorization       : [""]
insert_delete       : false
table               : Port_Binding
update              : [chassis]

_uuid               : ca18cfe4-dad5-4f0c-8027-9a9bec37fcac
authorization       : [""]
insert_delete       : true
table               : MAC_Binding
update              : [datapath, ip, logical_port, mac]

_uuid               : ca5bd3a2-78e1-48a8-a610-6cffffa43a94
authorization       : [name]
insert_delete       : true
table               : Chassis
update              : [encaps, external_ids, nb_cfg, vtep_logical_switches]

_uuid               : b665d6a7-bae8-4373-bb7e-4183e93ed51f
authorization       : [chassis_name]
insert_delete       : true
table               : Encap
update              : [ip, options, type]

[root@dell-per730-21 openvswitch]# ovn-sbctl list chassis
_uuid               : 93455306-5778-4ac5-806d-20f78cd9d826
encaps              : [41771175-0838-4905-9c89-beab1af22afa]
external_ids        : {datapath-type="", iface-types="geneve,gre,internal,lisp,patch,stt,system,tap,vxlan", ovn-bridge-mappings=""}
hostname            : controller
name                : controller
nb_cfg              : 0
vtep_logical_switches: []
[root@dell-per730-21 openvswitch]# ovn-sbctl --db=ssl:127.0.0.1:6642 -c /etc/openvswitch/controller-cert.pem -p /etc/openvswitch/controller-privkey.pem -C /etc/openvswitch/pki/switchca/cacert.pem set chassis 93455306-5778-4ac5-806d-20f78cd9d826  external_ids:foo=bar
[root@dell-per730-21 openvswitch]# ovn-sbctl list chassis
_uuid               : 93455306-5778-4ac5-806d-20f78cd9d826
encaps              : [41771175-0838-4905-9c89-beab1af22afa]
external_ids        : {datapath-type="", foo=bar, iface-types="geneve,gre,internal,lisp,patch,stt,system,tap,vxlan", ovn-bridge-mappings=""}
hostname            : controller
name                : controller
nb_cfg              : 0
vtep_logical_switches: []
[root@dell-per730-21 openvswitch]# ovn-sbctl --db=ssl:127.0.0.1:6642 -c /etc/openvswitch/controller-cert.pem -p /etc/openvswitch/controller-privkey.pem -C /etc/openvswitch/pki/switchca/cacert.pem set chassis 93455306-5778-4ac5-806d-20f78cd9d826  hostname=hacker
2017-11-26T13:27:19Z|00002|ovsdb_idl|WARN|transaction error: {"details":"RBAC rules for client \"controller\" role \"ovn-controller\" prohibit modification of table \"Chassis\".","error":"permission error"}
ovn-sbctl: transaction error: {"details":"RBAC rules for client \"controller\" role \"ovn-controller\" prohibit modification of table \"Chassis\".","error":"permission error"}
[root@dell-per730-21 openvswitch]#
[root@dell-per730-21 openvswitch]# ovn-sbctl list encap
_uuid               : 41771175-0838-4905-9c89-beab1af22afa
chassis_name        : controller
ip                  : "127.0.0.1"
options             : {csum="true"}
type                : geneve
[root@dell-per730-21 openvswitch]# ovn-sbctl --db=ssl:127.0.0.1:6642 -c /etc/openvswitch/ovnnb-cert.pem -p /etc/openvswitch/ovnnb-privkey.pem -C /etc/openvswitch/pki/switchca/cacert.pem set encap 41771175-0838-4905-9c89-beab1af22afa  ip=1.2.3.4
2017-11-26T13:56:29Z|00002|ovsdb_idl|WARN|transaction error: {"details":"RBAC rules for client \"ovnnb id:727bfbc6-2d5b-4725-8333-ca94a16864e9\" role \"ovn-controller\" prohibit modification of table \"Encap\".","error":"permission error"}
ovn-sbctl: transaction error: {"details":"RBAC rules for client \"ovnnb id:727bfbc6-2d5b-4725-8333-ca94a16864e9\" role \"ovn-controller\" prohibit modification of table \"Encap\".","error":"permission error"}
[root@dell-per730-21 openvswitch]#
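The transcript in comment 8 shows the intended end state: the Encap table now carries a chassis_name column, the ovn-controller role's RBAC_Permission row for Encap uses that column as its authorization criterion, and a client whose certificate CN does not match is refused with a "permission error". The following Python script is an added verification aid written for this page; it is not part of this bug's attachment or of the openvswitch project. It parses the `ovn-sbctl list rbac_permission` output exactly as printed above (the sample text is copied from the transcript), and audits the two tables in which a chassis owns rows: the authorization column must be the expected ownership column, and that column must not itself be updatable, otherwise a chassis could re-assign a row to another chassis. The EXPECTED_OWNED mapping, the function names and the "weakened" sample (the authorization set emptied, as a pre-fix Encap table would look) are assumptions made here for illustration.

```python
"""Audit the OVN_Southbound RBAC_Permission rows for the ovn-controller role.

Added example for this bug page; it parses the `ovn-sbctl list
rbac_permission` text format and checks the ownership columns.
"""
import re

# Constructed sample: the four records printed by `ovn-sbctl list
# rbac_permission` in the verification transcript (UUIDs copied from it).
SAMPLE_RBAC_PERMISSION = """\
_uuid               : 8a487364-5796-4e56-b0ca-46cd008d0510
authorization       : [""]
insert_delete       : false
table               : Port_Binding
update              : [chassis]

_uuid               : ca18cfe4-dad5-4f0c-8027-9a9bec37fcac
authorization       : [""]
insert_delete       : true
table               : MAC_Binding
update              : [datapath, ip, logical_port, mac]

_uuid               : ca5bd3a2-78e1-48a8-a610-6cffffa43a94
authorization       : [name]
insert_delete       : true
table               : Chassis
update              : [encaps, external_ids, nb_cfg, vtep_logical_switches]

_uuid               : b665d6a7-bae8-4373-bb7e-4183e93ed51f
authorization       : [chassis_name]
insert_delete       : true
table               : Encap
update              : [ip, options, type]
"""

# Assumed policy (taken from the transcript): tables in which the client's
# certificate CN (the chassis name) must match this column to modify a row.
EXPECTED_OWNED = {"Chassis": "name", "Encap": "chassis_name"}


def _parse_set(value):
    """Turn '[a, b, c]' or '[""]' into a list of bare column names.

    '[""]' (an empty authorization string) means no ownership column, so it
    is returned as an empty list.
    """
    inner = value.strip()[1:-1]
    items = [i.strip().strip('"') for i in inner.split(",")] if inner else []
    return [i for i in items if i != ""]


def parse_rbac_permissions(text):
    """Map table name -> {"authorization": [...], "insert_delete": bool, "update": [...]}."""
    perms = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in record.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        perms[fields["table"]] = {
            "authorization": _parse_set(fields["authorization"]),
            "insert_delete": fields["insert_delete"] == "true",
            "update": _parse_set(fields["update"]),
        }
    return perms


def audit_rbac(text):
    """Return a list of policy findings; an empty list means the policy matches."""
    perms = parse_rbac_permissions(text)
    findings = []
    for table, owner_col in EXPECTED_OWNED.items():
        p = perms.get(table)
        if p is None:
            findings.append(f"{table}: no RBAC_Permission row, table unprotected")
            continue
        if p["authorization"] != [owner_col]:
            findings.append(
                f"{table}: authorization is {p['authorization']}, expected [{owner_col!r}]")
        if owner_col in p["update"]:
            findings.append(
                f"{table}: ownership column {owner_col!r} is updatable, rows can be re-assigned")
    return findings


if __name__ == "__main__":
    print("as verified:", audit_rbac(SAMPLE_RBAC_PERMISSION) or "policy OK")
    # Constructed weakened variant: Encap with no ownership column.
    weakened = SAMPLE_RBAC_PERMISSION.replace("[chassis_name]", '[""]')
    print("weakened:  ", audit_rbac(weakened))
```

Run the script on a live system by piping `ovn-sbctl list rbac_permission` into `audit_rbac` instead of the embedded sample; a non-empty result means the southbound policy differs from the one the fix introduces.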
