| author | Lance Richardson <lrichard@redhat.com> | 2017-05-31 19:04:32 -0400 |
|---|---|---|
| committer | Ben Pfaff <blp@ovn.org> | 2017-06-08 13:58:27 -0700 |
| commit | d6db7b3cc4bcf908e3016924f4e782d4740f804f (patch) | |
| tree | 5983cb720c17549ba2163047240cbb7f54db9d00 /ovsdb/ovsdb-tool.1.in | |
| parent | 8155ab7e632f3c457117ad5206b4b28f01a04dcd (diff) | |
| download | openvswitch-d6db7b3cc4bcf908e3016924f4e782d4740f804f.tar.gz | |
ovsdb: add support for role-based access controls
Add support for ovsdb RBAC (role-based access control). This includes:

- Support for "RBAC_Role" table. A db schema containing a table
  by this name will enable role-based access controls using
  this table for RBAC role configuration.

  The "RBAC_Role" table has one row per role, with each row having a
  "name" column (role name) and a "permissions" column (map of
  table name to UUID of row in separate permission table.) The
  permission table has one row per access control configuration,
  with the following columns:

      "name" - name of table to which this row applies
      "authorization" - set of column names and column:key pairs
                        to be compared against client ID to
                        determine authorization status
      "insert_delete" - boolean, true if insertions and
                        authorized deletions are allowed.
      "update" - Set of columns and column:key pairs for
                 which authorized updates are allowed.

- Support for a new "role" column in the remote configuration
  table.
- Logic for applying the RBAC role and permission tables, in
  combination with session role from the remote connection table
  and client id, to determine whether operations modifying database
  contents should be permitted.
- Support for specifying RBAC role string as a command-line option
  to ovsdb-tool (Ben Pfaff).
Signed-off-by: Lance Richardson <lrichard@redhat.com>
Co-authored-by: Ben Pfaff <blp@ovn.org>
Signed-off-by: Ben Pfaff <blp@ovn.org>
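The permission check that the commit message describes (role, permission row, client ID, and the operation being attempted), written out as an added example; this is not Open vSwitch code and it does not reproduce ovsdb-server's implementation. It models a role as a map from table name to permission row, and each permission row with the "authorization", "insert_delete" and "update" columns named above. The function names, the dict-based row representation, the rule that an empty authorization set authorizes every client, the requirement that an inserted row authorize the inserting client, the "superuser" bypass, and the sample "node" role are all assumptions made for this example.

```python
"""Model of the OVSDB RBAC decision the commit message describes.

Added example, not Open vSwitch code. A role maps table names to permission
rows; each row carries "authorization" (column names or column:key pairs
compared with the client ID), "insert_delete" (boolean) and "update"
(columns or column:key pairs that may be changed). Names, row format,
the empty-authorization rule and the sample role are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Mapping, Optional

SUPERUSER_ROLE = "superuser"   # the default role per the ovsdb-tool patch


@dataclass(frozen=True)
class Permission:
    name: str                      # table this permission row applies to
    authorization: FrozenSet[str]  # column names or "column:key" pairs
    insert_delete: bool            # insertions and authorized deletions allowed
    update: FrozenSet[str]         # columns / "column:key" pairs that may change


Role = Dict[str, Permission]   # the "permissions" map: table name -> permission row
Row = Mapping[str, object]     # column name -> value; map columns are dicts


def _matches(row: Row, entry: str, client_id: str) -> bool:
    """True if one authorization entry selects this client for this row."""
    column, sep, key = entry.partition(":")
    value = row.get(column)
    if sep:   # "column:key": compare the value stored under key in a map column
        return isinstance(value, dict) and value.get(key) == client_id
    return value == client_id


def is_authorized(perm: Permission, row: Row, client_id: str) -> bool:
    """Row-level check: some authorization entry must match the client ID.
    Assumption of this model: an empty set means every client is authorized."""
    if not perm.authorization:
        return True
    return any(_matches(row, e, client_id) for e in perm.authorization)


def _lookup(roles: Dict[str, Role], role: str, table: str) -> Optional[Permission]:
    """Unknown role, or a table with no permission row, yields None (deny)."""
    return roles.get(role, {}).get(table)


def may_insert(roles, role, table, row, client_id) -> bool:
    """Insert needs insert_delete; this model also requires the new row to
    authorize the inserting client (assumption), so a client cannot create a
    row it could not later delete or update."""
    if role == SUPERUSER_ROLE:   # assumption: superuser bypasses all checks
        return True
    perm = _lookup(roles, role, table)
    return bool(perm and perm.insert_delete and is_authorized(perm, row, client_id))


def may_delete(roles, role, table, row, client_id) -> bool:
    """Delete needs insert_delete and a row that authorizes the client."""
    if role == SUPERUSER_ROLE:
        return True
    perm = _lookup(roles, role, table)
    return bool(perm and perm.insert_delete and is_authorized(perm, row, client_id))


def may_update(roles, role, table, row, column, client_id, key=None) -> bool:
    """Update of `column` (or of the map entry column:key) on an existing row."""
    if role == SUPERUSER_ROLE:
        return True
    perm = _lookup(roles, role, table)
    if not perm or not is_authorized(perm, row, client_id):
        return False
    # A bare column name in "update" permits any change to that column;
    # "column:key" permits changing only that key of a map column.
    if column in perm.update:
        return True
    return key is not None and f"{column}:{key}" in perm.update


# Constructed sample role (not from any real schema): clients holding the
# "node" role identify themselves with the Chassis.name they own.
ROLES: Dict[str, Role] = {
    "node": {
        "Chassis": Permission(
            name="Chassis",
            authorization=frozenset({"name"}),
            insert_delete=True,
            update=frozenset({"encaps", "external_ids:bridge-mappings"}),
        ),
        "Port_Binding": Permission(
            name="Port_Binding",
            authorization=frozenset(),   # any client is authorized ...
            insert_delete=False,         # ... but none may create or delete rows
            update=frozenset({"chassis"}),
        ),
    },
}

if __name__ == "__main__":
    hv1 = {"name": "hv1", "encaps": ["geneve"], "external_ids": {"bridge-mappings": "br-ex"}}
    print(may_update(ROLES, "node", "Chassis", hv1, "encaps", "hv1"))   # own row: True
    print(may_update(ROLES, "node", "Chassis", hv1, "encaps", "hv2"))   # other's row: False
```

Two things the sample makes visible that the column descriptions alone do not: an `update` entry of the form `column:key` confines a client to one key of a map column, while a bare column name opens the whole column; and a permission row with an empty `authorization` set (the `Port_Binding` entry here) lets any client holding the role modify any row of that table, so that shape of row deserves review whenever it appears in a schema.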
Diffstat (limited to 'ovsdb/ovsdb-tool.1.in')
-rw-r--r-- | ovsdb/ovsdb-tool.1.in | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/ovsdb/ovsdb-tool.1.in b/ovsdb/ovsdb-tool.1.in index d01531e56..8c799f4cc 100644 --- a/ovsdb/ovsdb-tool.1.in +++ b/ovsdb/ovsdb-tool.1.in @@ -131,7 +131,7 @@ will print a blank line. . .SS "Other Commands" . -.IP "\fBquery\fI db transaction\fR" +.IP "[\fB\-\-rbac\-role=\fIrole\fR] \fBquery\fI db transaction\fR" Opens \fIdb\fR, executes \fItransaction\fR on it, and prints the results. The \fItransaction\fR must be a JSON array in the format of the \fBparams\fR array for the JSON-RPC \fBtransact\fR method, as @@ -142,8 +142,11 @@ safely run concurrently with other database activity, including \fBovsdb\-server\fR and other database writers. The \fItransaction\fR may specify database modifications, but these will have no effect on \fIdb\fR. +.IP +By default, the transaction is executed using the ``superuser'' RBAC +role. Use \fB\-\-rbac\-role\fR to specify a different role. . -.IP "\fBtransact\fI db transaction\fR" +.IP "[\fR\-\-rbac\-role=\fIrole\fR] \fBtransact\fI db transaction\fR" Opens \fIdb\fR, executes \fItransaction\fR on it, prints the results, and commits any changes to \fIdb\fR. The \fItransaction\fR must be a JSON array in the format of the \fBparams\fR array for the JSON-RPC @@ -154,6 +157,9 @@ command will fail if the database is opened for writing by any other process, including \fBovsdb\-server\fR(1). Use \fBovsdb\-client\fR(1), instead, to write to a database that is served by \fBovsdb\-server\fR(1). +.IP +By default, the transaction is executed using the ``superuser'' RBAC +role. Use \fB\-\-rbac\-role\fR to specify a different role. . .IP "\fBshow\-log\fI db\fR" Prints a summary of the records in \fIdb\fR's log, including the time |
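Review bot: in the second hunk the new `transact` heading starts the option with `\fR` (`.IP "[\fR\-\-rbac\-role=\fIrole\fR] \fBtransact\fI db transaction\fR"`), while the `query` heading in the first hunk uses `\fB` (`.IP "[\fB\-\-rbac\-role=\fIrole\fR] \fBquery\fI db transaction\fR"`), so the option name renders in roman for one command and bold for the other; change `[\fR\-\-rbac\-role=` to `[\fB\-\-rbac\-role=` so the two entries match.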
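Review bot: the paragraph added in the third hunk repeats the one added for `query` verbatim and, like it, only names the default; for `transact`, which commits changes, readers choosing a role need to know what happens when the selected role does not permit one of the transaction's modifications, and where the role and permission tables (the `RBAC_Role` table and the `role` column of the remote configuration table named in the commit message) are documented. One sentence on the denial behaviour plus a `\fB...\fR` cross-reference to that documentation would cover both entries.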