Red Hat Bugzilla – Bug 1472860
OVN: RBAC for Encap Table
Last modified: 2017-08-21 05:37:10 EDT
From the OVN Work Items document:
"This work item aims to minimize the extent to which malicious or buggy software running on an OVN chassis node can disrupt other chassis by modifying the OVN_Southbound database. Using SSL for ovn-controller to SB db communication combined along with RBAC addresses much of the problem, however the OVN_Southbound Encap table is currently not protected by RBAC. Addressing this should be a matter of:
1. Adding a “creating chassis” column to the Encap table.
2. Adding code to ovn-controller to set this column when creating rows in the Encap
3. Adding code to set appropriate authorization criteria in the RBAC_Permission table."
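
An added example, not taken from the bug report or the OVN code base: a simplified Python model of the per-row RBAC check that the three steps above would enable, shown with an unprotected permission beside a protected one. The column name `creating_chassis`, the permission values, the client IDs and the sample row are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Permission:
    table: str
    authorization: tuple  # columns whose value must equal the client ID
    insert_delete: bool   # may the role insert/delete rows at all?
    update: tuple         # columns the role may modify

# Constructed permission rows. "creating_chassis" is a hypothetical name for
# the column the work item calls "creating chassis".
UNPROTECTED = Permission("Encap", ("",), True, ("type", "options", "ip"))
PROTECTED = Permission("Encap", ("creating_chassis",), True,
                       ("type", "options", "ip"))

def authorized(perm, client_id, row):
    # Assumption: an empty-string entry authorizes any client; otherwise one
    # of the named columns in the row must hold the client's ID.
    return any(c == "" or row.get(c) == client_id for c in perm.authorization)

def allowed(perm, client_id, op, row, changed=()):
    """True if client_id (e.g. the SSL certificate CN) may run op on row."""
    if op in ("insert", "delete"):
        return perm.insert_delete and authorized(perm, client_id, row)
    if op == "update":
        # The client must own the existing row and touch only permitted
        # columns, so it cannot rewrite creating_chassis to reassign a row.
        return authorized(perm, client_id, row) and set(changed) <= set(perm.update)
    return False

# Constructed sample row created by chassis-1.
ENCAP_ROW = {"type": "geneve", "ip": "192.0.2.11", "options": {},
             "creating_chassis": "chassis-1"}

def demo():
    return {
        "unprotected_foreign_delete": allowed(UNPROTECTED, "chassis-2", "delete", ENCAP_ROW),
        "protected_foreign_delete": allowed(PROTECTED, "chassis-2", "delete", ENCAP_ROW),
        "protected_foreign_update": allowed(PROTECTED, "chassis-2", "update", ENCAP_ROW, ["ip"]),
        "protected_owner_update": allowed(PROTECTED, "chassis-1", "update", ENCAP_ROW, ["ip"]),
        "protected_owner_reassign": allowed(PROTECTED, "chassis-1", "update", ENCAP_ROW, ["creating_chassis"]),
        "protected_spoofed_insert": allowed(PROTECTED, "chassis-2", "insert", ENCAP_ROW),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Leaving the ownership column out of the `update` set is what keeps a chassis from handing its row to, or claiming a row from, another chassis.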