Open vSwitch RBAC (role-based access control)

OVS uses SSL to authenticate clients connecting to the database, and RBAC (role-based access control) to authorize the operations those clients may perform on an OVS database. RBAC lets the administrator restrict the database operations a client may perform, further strengthening the security already provided by SSL.

In theory, RBAC roles and permissions can be defined for any OVS database, but currently only the OVN southbound database has the tables needed to support RBAC.

Mechanism

RBAC is intended to complement SSL. To enable RBAC, connections to the database must use SSL: certain RBAC permissions are granted based on the common name (CN) in the connecting client's certificate.

RBAC is controlled by two database tables, RBAC_Role and RBAC_Permission. An RBAC_Permission record describes a set of access-control information for one database table.

The RBAC_Permission table contains the following columns:

table
The name of the database table whose permissions this record describes.
insert_delete
Whether insertion and deletion of records are allowed.
update
The list of columns that may be updated.
authorization
A list of column names; for an operation on the table to succeed, the SSL certificate's CN must match the value of one of these columns. An entry may also be a key-value pair, in which case the key is the column name and the value is a key within that column. An empty string allows any client to perform the operation.

The RBAC_Role table contains the following columns:

name
The name of the defined role.
permissions
A list of key-value pairs. The key is the name of a database table and the value is the UUID of the RBAC_Permission record that describes the role's permissions on that table.

Note: all tables not explicitly referenced by an RBAC_Role record are read-only.
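To make the authorization rules above concrete, here is an added example (not ovsdb-server's own code) that models the RBAC_Permission / RBAC_Role check in Python: rows are plain dicts, a map column is a dict, a reference column is assumed to already hold the referenced row's name, and the HYPERVISOR_ROLE values are constructed for illustration rather than taken from the real OVN schema.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    """One RBAC_Permission record (simplified model, not ovsdb-server's code)."""
    table: str              # table the permission applies to
    insert_delete: bool     # may rows be inserted/deleted?
    update: frozenset       # columns the role may update
    authorization: tuple    # "column" or "column:key" entries; "" = any client


def authorized(perm: Permission, row: dict, cn: str) -> bool:
    """True if the client certificate CN matches one authorization entry."""
    for entry in perm.authorization:
        if entry == "":
            return True                       # any client may operate
        if ":" in entry:                      # key-value form: key inside a map column
            column, key = entry.split(":", 1)
            value = row.get(column, {}).get(key)
        else:
            value = row.get(entry)            # plain column; refs assumed resolved to a name
        if value == cn:
            return True
    return False                              # assumption: deny when nothing matches


def allowed(role: dict, cn: str, op: str, table: str, row: dict, changed=()) -> bool:
    """Decide whether client `cn` may perform `op` on `row` of `table` (role: table -> Permission)."""
    perm = role.get(table)
    if perm is None:
        return False                          # unreferenced tables are read-only
    if op in ("insert", "delete"):
        return perm.insert_delete and authorized(perm, row, cn)
    if op == "update":
        # every modified column must be in the update list, and the row must
        # be authorized for this client
        return set(changed) <= perm.update and authorized(perm, row, cn)
    raise ValueError(f"unknown operation {op!r}")


# Constructed role loosely modelled on ovn-controller (illustrative values, not
# the real OVN schema): a hypervisor manages only its own Chassis row and may
# only change the binding of ports already bound to itself.
HYPERVISOR_ROLE = {
    "Chassis": Permission("Chassis", True, frozenset({"nb_cfg", "external_ids"}), ("name",)),
    "Port_Binding": Permission("Port_Binding", False, frozenset({"chassis"}), ("chassis",)),
}
```

A client whose certificate CN is "hv1" can create or update its own Chassis row and rebind ports it already holds, but cannot touch another hypervisor's rows, insert Port_Binding rows, or write to any table the role does not reference.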

To enable RBAC, specify the role name as an argument to the set-connection command for the database. For example, to enable the "ovn-controller" role on the OVN southbound database, use the following command:

   $ ovn-sbctl set-connection role=ovn-controller ssl:192.168.0.1:6642

Predefined roles

This section describes the roles defined within OVS/OVN.

ovn-controller

The ovn-controller role is assigned to the OVN southbound database and is used by the ovn-controller daemons running on hypervisors. ovn-controller connects to the OVN southbound database mainly to read information, but in some cases it also needs to write. The ovn-controller role is designed to allow ovn-controllers to write only to the sensible locations in the southbound database, so that if an intruder takes over a hypervisor running ovn-controller, it is harder to compromise the entire overlay network.

It is strongly recommended to set the ovn-controller role on the OVN southbound database to enhance security.

Source: blog.csdn.net/sinat_20184565/article/details/94408696