[Bug 1917475] Re: RBAC Permissions too strict for Port_Binding table

Frode Nordahl 1917475 at bugs.launchpad.net
Thu Jul 15 07:52:13 UTC 2021


** Changed in: ovn (Ubuntu)
       Status: In Progress => Fix Committed

** Also affects: ovn (Ubuntu Groovy)
   Importance: Undecided
       Status: New

** Also affects: ovn (Ubuntu Hirsute)
   Importance: Undecided
       Status: New

** Also affects: ovn (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: ovn (Ubuntu Impish)
   Importance: High
     Assignee: Frode Nordahl (fnordahl)
       Status: Fix Committed

** Changed in: ovn (Ubuntu Hirsute)
       Status: New => In Progress

** Changed in: ovn (Ubuntu Groovy)
       Status: New => Fix Released

** Changed in: ovn (Ubuntu Focal)
       Status: New => Fix Released

** Changed in: ovn (Ubuntu Impish)
     Assignee: Frode Nordahl (fnordahl) => (unassigned)

** Changed in: ovn (Ubuntu Hirsute)
     Assignee: (unassigned) => Frode Nordahl (fnordahl)

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to ovn in Ubuntu.
https://bugs.launchpad.net/bugs/1917475

Title:
  RBAC Permissions too strict for Port_Binding table

Status in ovn package in Ubuntu:
  Fix Committed
Status in ovn source package in Focal:
  Fix Released
Status in ovn source package in Groovy:
  Fix Released
Status in ovn source package in Hirsute:
  In Progress
Status in ovn source package in Impish:
  Fix Committed

Bug description:
  When using OpenStack Ussuri with OVN 20.03 and adding a floating IP
  address to an unbound port, the ovn-controller on the hypervisor
  repeatedly reports:

  2021-03-02T10:33:35.517Z|35359|ovsdb_idl|WARN|transaction error: {"details":"RBAC rules for client \"juju-eab186-zaza-d26c8c079cc7-11.project.serverstack\" role \"ovn-controller\" prohibit modification of table \"Port_Binding\".","error":"permission error"}
  2021-03-02T10:33:35.518Z|35360|main|INFO|OVNSB commit failed, force recompute next time.

  This seems to be because the ovn-controller needs to update the
  virtual_parent attribute of the port binding *2 but that is not
  included in the list of permissions allowed by the ovn-controller role
  *1

  *1 https://github.com/ovn-org/ovn/blob/aa8ef5588c119fa8615d78288a7db7e3df2d6fbe/northd/ovn-northd.c#L11331-L11332
  *2 https://pastebin.ubuntu.com/p/4CfcxgDgdm/

  Disabling RBAC by changing the role to "" and stopping and starting
  the southbound db listener results in the port being immediately
  updated and the floating IP can be accessed.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1917475/+subscriptions
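
A log-triage sketch for the permission error quoted in the bug description, added here as an example and not part of the original report or of OVN: it parses ovn-controller log lines in the format shown above and counts RBAC denials per client, role, table and operation, so a role that is missing a column permission can be spotted without disabling RBAC. The function names and the sample lines (with a placeholder host name) are constructed for illustration.

```python
import json
import re
from collections import Counter

# ovn-controller log layout: timestamp|sequence|module|level|message
VLOG = re.compile(r'^([^|]+)\|(\d+)\|([^|]+)\|([A-Z]+)\|(.*)$')
# Wording of the "details" string in the permission error quoted in the report.
DETAILS = re.compile(r'RBAC rules for client "([^"]+)" role "([^"]+)" '
                     r'prohibit (.+?) of table "([^"]+)"')
PREFIX = 'transaction error: '

def parse_rbac_denial(line):
    """Return a dict describing an ovsdb_idl RBAC denial, or None."""
    m = VLOG.match(line.strip())
    if not m or m.group(3) != 'ovsdb_idl' or not m.group(5).startswith(PREFIX):
        return None
    try:
        err = json.loads(m.group(5)[len(PREFIX):])
    except json.JSONDecodeError:
        return None  # truncated or corrupted log line
    if not isinstance(err, dict) or err.get('error') != 'permission error':
        return None
    d = DETAILS.search(str(err.get('details', '')))
    if not d:
        return None
    client, role, op, table = d.groups()
    return {'ts': m.group(1), 'client': client, 'role': role, 'op': op, 'table': table}

def summarize(lines):
    """Count denials per (client, role, table, operation)."""
    hits = filter(None, map(parse_rbac_denial, lines))
    return Counter((h['client'], h['role'], h['table'], h['op']) for h in hits)

# Constructed sample in the format from the report; host name is a placeholder.
DENIED = ('{"details":"RBAC rules for client \\"compute-1.example\\" role '
          '\\"ovn-controller\\" prohibit modification of table '
          '\\"Port_Binding\\".","error":"permission error"}')
SAMPLE = [
    '2021-03-02T10:33:35.517Z|35359|ovsdb_idl|WARN|transaction error: ' + DENIED,
    '2021-03-02T10:33:35.518Z|35360|main|INFO|OVNSB commit failed, force recompute next time.',
    '2021-03-02T10:33:36.520Z|35361|ovsdb_idl|WARN|transaction error: ' + DENIED,
    '2021-03-02T10:33:37.000Z|35362|ovsdb_idl|WARN|transaction error: {"details":"trunc',
]

if __name__ == '__main__':
    for key, n in summarize(SAMPLE).items():
        print(n, *key)
```
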