author: Lance Richardson <lrichard@redhat.com> 2017-05-31 19:04:32 -0400
committer: Ben Pfaff <blp@ovn.org> 2017-06-08 13:58:27 -0700
commit: d6db7b3cc4bcf908e3016924f4e782d4740f804f (patch)
tree: 5983cb720c17549ba2163047240cbb7f54db9d00 /NEWS
parent: 8155ab7e632f3c457117ad5206b4b28f01a04dcd (diff)
ovsdb: add support for role-based access controls

Add support for ovsdb RBAC (role-based access control). This includes:

  - Support for "RBAC_Role" table. A db schema containing a table
    by this name will enable role-based access controls using
    this table for RBAC role configuration.

    The "RBAC_Role" table has one row per role, with each row having a
    "name" column (role name) and a "permissions" column (map of
    table name to UUID of row in separate permission table.) The
    permission table has one row per access control configuration,
    with the following columns:
      "name"          - name of table to which this row applies
      "authorization" - set of column names and column:key pairs
                        to be compared against client ID to
                        determine authorization status
      "insert_delete" - boolean, true if insertions and
                        authorized deletions are allowed.
      "update"        - Set of columns and column:key pairs for
                        which authorized updates are allowed.
  - Support for a new "role" column in the remote configuration
    table.
  - Logic for applying the RBAC role and permission tables, in
    combination with session role from the remote connection table
    and client id, to determine whether operations modifying database
    contents should be permitted.
  - Support for specifying RBAC role string as a command-line option
    to ovsdb-tool (Ben Pfaff).

Signed-off-by: Lance Richardson <lrichard@redhat.com>
Co-authored-by: Ben Pfaff <blp@ovn.org>
Signed-off-by: Ben Pfaff <blp@ovn.org>

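The role and permission lookup described in the commit message, modelled as an added example; this is not code from the commit or from Open vSwitch. The table name "Host_Record", its columns, the role "agent" and all function names are constructed for illustration, and the deny-by-default behaviour and the authorization check on every operation are assumptions of this sketch.

```python
# Simplified model of the check described in the commit message; not OVS code.
# Assumptions: rows are dicts, map columns are nested dicts, the UUID reference
# from RBAC_Role.permissions is flattened into a nested dict, every operation
# requires authorization, and a missing role or permission row means "deny".

ROLES = {  # constructed sample: role name -> {table name -> permission row}
    "agent": {
        "Host_Record": {
            "name": "Host_Record",
            "authorization": ["owner", "external_ids:client"],
            "insert_delete": True,
            "update": ["status", "external_ids:note"],
        },
    },
}

def lookup(row, spec):
    """Resolve a "column" or "column:key" spec against a row."""
    column, _, key = spec.partition(":")
    value = row.get(column)
    if key:
        return value.get(key) if isinstance(value, dict) else None
    return value

def authorized(perm, row, client_id):
    """True if any "authorization" entry of the row equals the client ID."""
    # A missing client ID must never match a missing column value.
    return client_id is not None and any(
        lookup(row, spec) == client_id for spec in perm["authorization"])

def update_allowed(perm, spec):
    """A changed "column" or "column:key" must be listed in "update"."""
    return spec in perm["update"] or spec.partition(":")[0] in perm["update"]

def permitted(roles, role, client_id, op, table, row, changed=()):
    """Decide whether op ("insert", "delete" or "update") may proceed."""
    perm = roles.get(role, {}).get(table)
    if perm is None or not authorized(perm, row, client_id):
        return False
    if op in ("insert", "delete"):
        return bool(perm["insert_delete"])
    if op == "update":
        return bool(changed) and all(update_allowed(perm, c) for c in changed)
    return False
```
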
Diffstat (limited to 'NEWS')
-rw-r--r-- NEWS 2
1 files changed, 2 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index 82004c845..2517b9063 100644
--- a/NEWS
+++ b/NEWS
@@ -38,6 +38,8 @@ Post-v2.7.0
abbreviated to 4 hex digits.
* "ovn-sbctl lflow-list" can now print OpenFlow flows that correspond
to logical flows.
+ - OVSDB:
+ * New support for role-based access control (see ovsdb-server(1)).
- Add the command 'ovs-appctl stp/show' (see ovs-vswitchd(8)).
- OpenFlow:
* All features required by OpenFlow 1.4 are now implemented, so
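Review bot: The added entry "* New support for role-based access control (see ovsdb-server(1))." points readers only at ovsdb-server(1), while the commit message says RBAC is switched on by a schema that contains an "RBAC_Role" table and that the change also adds a "role" column to the remote configuration table and a role option to ovsdb-tool. Because the feature is activated by the schema rather than by anything named in this entry, consider mentioning the "RBAC_Role" table and the new "role" column here and referencing the ovsdb-tool documentation as well, so an operator reading NEWS can tell what turns access control on for a given remote. This diff is limited to NEWS, so whether ovsdb-server(1) was updated in the same commit cannot be confirmed from the lines shown.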