Public bug reported:

When using Openstack Ussuri with OVN 20.03 and adding a floating IP
address to a port the ovn-controller on the hypervisor repeatedly
reports:

2021-03-02T10:33:35.517Z|35359|ovsdb_idl|WARN|transaction error: 
{"details":"RBAC rules for client 
\"juju-eab186-zaza-d26c8c079cc7-11.project.serverstack\" role 
\"ovn-controller\" prohibit modification of table 
\"Port_Binding\".","error":"permission error"}
2021-03-02T10:33:35.518Z|35360|main|INFO|OVNSB commit failed, force recompute 
next time.

The seams to be because the ovn-controller needs to update the
virtual_parent attribute of the port binding *2 but that is not included
in the list of permissions allowed by the ovn-controller role *1


*1 
https://github.com/ovn-org/ovn/blob/aa8ef5588c119fa8615d78288a7db7e3df2d6fbe/northd/ovn-northd.c#L11331-L11332
*2 https://pastebin.ubuntu.com/p/4CfcxgDgdm/

Disabling rbac by changing the role to "" and stopping and starting the
southbound db listener results in the port being immediately updated and
the floating IP can be accessed.

** Affects: ovn (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1917475

Title:
  RBAC Permissions too strict for Port_Binding table

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1917475/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to