Bug 1472860 - OVN: RBAC for Encap Table
Summary: OVN: RBAC for Encap Table
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openvswitch
Version: 7.4
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 7.5
Assignee: Mark Michelson
QA Contact: qding
URL: https://patchwork.ozlabs.org/patch/79...
Whiteboard:
Depends On:
Blocks:
Reported: 2017-07-19 14:36 UTC by Mark Michelson
Modified: 2018-07-16 15:29 UTC
CC List: 8 users

Fixed In Version: openvswitch-2.8.0-1.el7fdb
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-02-16 13:13:43 UTC
Target Upstream Version:
Embargoed:


Attachments
RBAC Instructions and Reproducer (7.18 KB, text/plain), 2017-10-13 18:55 UTC, Mark Michelson

Description Mark Michelson 2017-07-19 14:36:55 UTC
From the OVN Work Items document:

"This work item aims to minimize the extent to which malicious or buggy software running on an OVN chassis node can disrupt other chassis by modifying the OVN_Southbound database. Using SSL for ovn-controller to SB db communication combined with RBAC addresses much of the problem; however, the OVN_Southbound Encap table is currently not protected by RBAC. Addressing this should be a matter of:

1. Adding a "creating chassis" column to the Encap table.
2. Adding code to ovn-controller to set this column when creating rows in the Encap table.
3. Adding code to set appropriate authorization criteria in the RBAC_Permission table."

Comment 4 Mark Michelson 2017-09-27 15:43:34 UTC
Hi Qijun,

I will let you know as soon as I have a simple scenario for this.

Comment 6 qding 2017-09-28 09:53:39 UTC
(In reply to Mark Michelson from comment #4)
> 
> I will let you know as soon as I have a simple scenario for this.

Thanks a lot

Comment 7 Mark Michelson 2017-10-13 18:55:07 UTC
Created attachment 1338316 [details]
RBAC Instructions and Reproducer

I have uploaded rbac_instructions.txt to this issue. The document consists of three parts:

1) A set of steps to configure OVN to use SSL and enable RBAC for the ovn-controller

2) An explanation of what RBAC is and how it works.

3) A simple reproducer for this particular issue.

If you have any questions or problems, please let me know.

Comment 8 haidong li 2017-11-26 13:58:43 UTC
This issue is verified on the latest version:
[root@dell-per730-21 openvswitch]# ovs-vsctl show
75ed8c65-06dd-4033-af7a-3cd428b05212
    Bridge br-int
        fail_mode: secure
        Port br-int
            Interface br-int
                type: internal
    ovs_version: "2.8.0"
[root@dell-per730-21 openvswitch]# ovn-sbctl show
Chassis controller
    hostname: controller
    Encap geneve
        ip: "127.0.0.1"
        options: {csum="true"}
[root@dell-per730-21 openvswitch]# ovn-sbctl list rbac_role
_uuid               : 8b739b9b-f092-4e19-abc3-a00988312be5
name                : ovn-controller
permissions         : {Chassis=ca5bd3a2-78e1-48a8-a610-6cffffa43a94, Encap=b665d6a7-bae8-4373-bb7e-4183e93ed51f, MAC_Binding=ca18cfe4-dad5-4f0c-8027-9a9bec37fcac, Port_Binding=8a487364-5796-4e56-b0ca-46cd008d0510}
[root@dell-per730-21 openvswitch]# ovn-sbctl list rbac_permission
_uuid               : 8a487364-5796-4e56-b0ca-46cd008d0510
authorization       : [""]
insert_delete       : false
table               : Port_Binding
update              : [chassis]

_uuid               : ca18cfe4-dad5-4f0c-8027-9a9bec37fcac
authorization       : [""]
insert_delete       : true
table               : MAC_Binding
update              : [datapath, ip, logical_port, mac]

_uuid               : ca5bd3a2-78e1-48a8-a610-6cffffa43a94
authorization       : [name]
insert_delete       : true
table               : Chassis
update              : [encaps, external_ids, nb_cfg, vtep_logical_switches]

_uuid               : b665d6a7-bae8-4373-bb7e-4183e93ed51f
authorization       : [chassis_name]
insert_delete       : true
table               : Encap
update              : [ip, options, type]

[root@dell-per730-21 openvswitch]# ovn-sbctl list chassis
_uuid               : 93455306-5778-4ac5-806d-20f78cd9d826
encaps              : [41771175-0838-4905-9c89-beab1af22afa]
external_ids        : {datapath-type="", iface-types="geneve,gre,internal,lisp,patch,stt,system,tap,vxlan", ovn-bridge-mappings=""}
hostname            : controller
name                : controller
nb_cfg              : 0
vtep_logical_switches: []
[root@dell-per730-21 openvswitch]# ovn-sbctl --db=ssl:127.0.0.1:6642 -c /etc/openvswitch/controller-cert.pem -p /etc/openvswitch/controller-privkey.pem -C /etc/openvswitch/pki/switchca/cacert.pem set chassis 93455306-5778-4ac5-806d-20f78cd9d826  external_ids:foo=bar
[root@dell-per730-21 openvswitch]# ovn-sbctl list chassis
_uuid               : 93455306-5778-4ac5-806d-20f78cd9d826
encaps              : [41771175-0838-4905-9c89-beab1af22afa]
external_ids        : {datapath-type="", foo=bar, iface-types="geneve,gre,internal,lisp,patch,stt,system,tap,vxlan", ovn-bridge-mappings=""}
hostname            : controller
name                : controller
nb_cfg              : 0
vtep_logical_switches: []
[root@dell-per730-21 openvswitch]# ovn-sbctl --db=ssl:127.0.0.1:6642 -c /etc/openvswitch/controller-cert.pem -p /etc/openvswitch/controller-privkey.pem -C /etc/openvswitch/pki/switchca/cacert.pem set chassis 93455306-5778-4ac5-806d-20f78cd9d826  hostname=hacker
2017-11-26T13:27:19Z|00002|ovsdb_idl|WARN|transaction error: {"details":"RBAC rules for client \"controller\" role \"ovn-controller\" prohibit modification of table \"Chassis\".","error":"permission error"}
ovn-sbctl: transaction error: {"details":"RBAC rules for client \"controller\" role \"ovn-controller\" prohibit modification of table \"Chassis\".","error":"permission error"}
[root@dell-per730-21 openvswitch]#
[root@dell-per730-21 openvswitch]# ovn-sbctl list encap
_uuid               : 41771175-0838-4905-9c89-beab1af22afa
chassis_name        : controller
ip                  : "127.0.0.1"
options             : {csum="true"}
type                : geneve
[root@dell-per730-21 openvswitch]# ovn-sbctl --db=ssl:127.0.0.1:6642 -c /etc/openvswitch/ovnnb-cert.pem -p /etc/openvswitch/ovnnb-privkey.pem -C /etc/openvswitch/pki/switchca/cacert.pem set encap 41771175-0838-4905-9c89-beab1af22afa  ip=1.2.3.4
2017-11-26T13:56:29Z|00002|ovsdb_idl|WARN|transaction error: {"details":"RBAC rules for client \"ovnnb id:727bfbc6-2d5b-4725-8333-ca94a16864e9\" role \"ovn-controller\" prohibit modification of table \"Encap\".","error":"permission error"}
ovn-sbctl: transaction error: {"details":"RBAC rules for client \"ovnnb id:727bfbc6-2d5b-4725-8333-ca94a16864e9\" role \"ovn-controller\" prohibit modification of table \"Encap\".","error":"permission error"}
[root@dell-per730-21 openvswitch]#
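The following is an added illustration, not code from Open vSwitch or from this bug's attachment. It models how ovsdb-server evaluates the RBAC_Permission rows shown in comment 8 against a client's certificate CN, including the new Encap rule keyed on chassis_name that the description's three-step plan introduces. The rule values are transcribed from the `ovn-sbctl list rbac_permission` output above; the check semantics (an authorization set containing "" authorizes any client, a "column:key" entry matches a map value, inserts are checked against the new row, updates and deletes against the existing row, and a table with no permission row is read-only) are a simplified reading of the real ovsdb/rbac.c and the names `Role`, `check_op`, `allowed` and `RbacDenied` are this example's own. The sample rows are constructed from the chassis and encap listings in comment 8.

```python
"""Toy model of OVSDB RBAC as applied to the OVN Southbound database.

Added example only: NOT Open vSwitch code.  Rule values are copied from the
`ovn-sbctl list rbac_permission` output of the bug report; the evaluation
logic is a simplified reading of ovsdb-server's ovsdb/rbac.c.
"""
from dataclasses import dataclass


class RbacDenied(Exception):
    """Raised with the same wording ovsdb-server uses in its transaction error."""


@dataclass(frozen=True)
class Permission:
    table: str
    authorization: frozenset   # column names or "column:key"; "" means any client
    insert_delete: bool        # may the role insert/delete rows it is authorized for?
    update: frozenset          # columns the role may modify on rows it is authorized for


@dataclass(frozen=True)
class Role:
    name: str
    permissions: dict          # table name -> Permission


# The "ovn-controller" role as populated by ovn-northd in OVS 2.8 (see comment 8).
OVN_CONTROLLER = Role("ovn-controller", {p.table: p for p in (
    Permission("Port_Binding", frozenset({""}), False, frozenset({"chassis"})),
    Permission("MAC_Binding", frozenset({""}), True,
               frozenset({"datapath", "ip", "logical_port", "mac"})),
    Permission("Chassis", frozenset({"name"}), True,
               frozenset({"encaps", "external_ids", "nb_cfg", "vtep_logical_switches"})),
    # The fix for this bug: Encap rows are owned by the chassis named in chassis_name.
    Permission("Encap", frozenset({"chassis_name"}), True,
               frozenset({"ip", "options", "type"})),
)})


def _authorized(perm, row, client_id):
    """True if client_id (the CN of the client's SSL cert) matches one of the
    authorization columns of `row`, or the authorization set contains ""."""
    for entry in perm.authorization:
        if entry == "":
            return True
        column, _, key = entry.partition(":")
        value = row.get(column)
        if key:  # "column:key" form selects a value inside a map column
            value = value.get(key) if isinstance(value, dict) else None
        if value == client_id:
            return True
    return False


def check_op(role, client_id, op, table, row, columns=()):
    """Raise RbacDenied unless `op` ("insert", "delete" or "update") on `table`
    is permitted.  `row` is the row as it will exist after an insert, or as it
    exists before a delete/update; `columns` are the columns an update changes."""
    perm = role.permissions.get(table)
    if perm is None:                       # no permission row: table is read-only
        ok = False
    elif op in ("insert", "delete"):
        ok = perm.insert_delete and _authorized(perm, row, client_id)
    elif op == "update":
        ok = set(columns) <= perm.update and _authorized(perm, row, client_id)
    else:
        raise ValueError(f"unknown op {op!r}")
    if not ok:
        raise RbacDenied(f'RBAC rules for client "{client_id}" role "{role.name}" '
                         f'prohibit modification of table "{table}".')
    return True


def allowed(role, client_id, op, table, row, columns=()):
    """Boolean convenience wrapper around check_op."""
    try:
        return check_op(role, client_id, op, table, row, columns)
    except RbacDenied:
        return False


# Constructed sample rows, modelled on the listings in comment 8.
CHASSIS_ROW = {"name": "controller", "hostname": "controller", "nb_cfg": 0,
               "external_ids": {"datapath-type": "", "ovn-bridge-mappings": ""}}
ENCAP_ROW = {"chassis_name": "controller", "ip": "127.0.0.1",
             "type": "geneve", "options": {"csum": "true"}}

if __name__ == "__main__":
    cases = [
        ("controller", "update", "Chassis", CHASSIS_ROW, ["external_ids"]),
        ("controller", "update", "Chassis", CHASSIS_ROW, ["hostname"]),
        ("ovnnb id:727bfbc6-2d5b-4725-8333-ca94a16864e9", "update", "Encap", ENCAP_ROW, ["ip"]),
        ("controller", "update", "Encap", ENCAP_ROW, ["ip"]),
        # a rogue chassis may create its own Encap rows but not forge another chassis's
        ("hacker", "insert", "Encap", {**ENCAP_ROW, "chassis_name": "hacker"}, ()),
        ("hacker", "insert", "Encap", ENCAP_ROW, ()),
    ]
    for client, op, table, row, cols in cases:
        verdict = "ALLOWED" if allowed(OVN_CONTROLLER, client, op, table, row, cols) else "DENIED"
        print(f"{verdict:8} {client:45} {op:6} {table:12} {list(cols)}")
```

Run it and the first four verdicts match the four `ovn-sbctl set` attempts in comment 8: the controller may change its own Chassis external_ids but not hostname, and a client whose CN does not equal the Encap row's chassis_name cannot rewrite the tunnel IP. The last two cases are the threat the description is about: with chassis_name as the authorization column, a compromised chassis can only add or edit Encap rows that name itself.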

Comment 9 Flavio Leitner 2018-02-16 13:13:43 UTC
Closing resolved bugs.

