Role-Based Access Controls for the Soutbound DB
In order to provide additional security against the possibility
of an OVN chassis becoming compromised in such a way as to allow
rogue software to make arbitrary modifications to the southbound
database state and thus disrupt the OVN network, role-based
access controls (see ovsdb-server(1) for additional details) are
provided for the southbound database.
The implementation of role-based access controls (RBAC) requires
the addition of two tables to an OVSDB schema: the RBAC_Role
table, which is indexed by role name and maps the the names of
the various tables that may be modifiable for a given role to
individual rows in a permissions table containing detailed
permission information for that role, and the permission table
itself which consists of rows containing the following
information:
Table Name
The name of the associated table. This column
exists primarily as an aid for humans reading the
contents of this table.
Auth Criteria
A set of strings containing the names of columns
(or column:key pairs for columns containing
string:string maps). The contents of at least one
of the columns or column:key values in a row to be
modified, inserted, or deleted must be equal to the
ID of the client attempting to act on the row in
order for the authorization check to pass. If the
authorization criteria is empty, authorization
checking is disabled and all clients for the role
will be treated as authorized.
Insert/Delete
Row insertion/deletion permission; boolean value
indicating whether insertion and deletion of rows
is allowed for the associated table. If true,
insertion and deletion of rows is allowed for
authorized clients.
Updatable Columns
A set of strings containing the names of columns or
column:key pairs that may be updated or mutated by
authorized clients. Modifications to columns within
a row are only permitted when the authorization
check for the client passes and all columns to be
modified are included in this set of modifiable
columns.
RBAC configuration for the OVN southbound database is maintained
by ovn-northd. With RBAC enabled, modifications are only
permitted for the Chassis
, Encap
, Port_Binding
, and MAC_Binding
tables, and are resstricted as follows:
Chassis
Authorization
: client ID must match the chassis
name.
Insert/Delete
: authorized row insertion and
deletion are permitted.
Update
: The columns nb_cfg
, external_ids
, encaps
,
and vtep_logical_switches
may be modified when
authorized.
Encap Authorization
: client ID must match the chassis
name.
Insert/Delete
: row insertion and row deletion are
permitted.
Update
: The columns type
, options
, and ip
can be
modified.
Port_Binding
Authorization
: disabled (all clients are considered
authorized. A future enhancement may add columns
(or keys to external_ids
) in order to control which
chassis are allowed to bind each port.
Insert/Delete
: row insertion/deletion are not
permitted (ovn-northd maintains rows in this table.
Update
: Only modifications to the chassis
column
are permitted.
MAC_Binding
Authorization
: disabled (all clients are considered
to be authorized).
Insert/Delete
: row insertion/deletion are
permitted.
Update
: The columns logical_port
, ip
, mac
, and
datapath
may be modified by ovn-controller.
Enabling RBAC for ovn-controller connections to the southbound
database requires the following steps:
1. Creating SSL certificates for each chassis with the
certificate CN field set to the chassis name (e.g. for
a chassis with external-ids:system-id=chassis-1
, via
the command "ovs-pki -u req+sign chassis-1 switch
").
2. Configuring each ovn-controller to use SSL when
connecting to the southbound database (e.g. via
"ovs-vsctl set open .
external-ids:ovn-remote=ssl:x.x.x.x:6642
").
3. Configuring a southbound database SSL remote with
"ovn-controller" role (e.g. via "ovn-sbctl
set-connection role=ovn-controller pssl:6642
").
Encrypt Tunnel Traffic with IPsec
OVN tunnel traffic goes through physical routers and switches.
These physical devices could be untrusted (devices in public
network) or might be compromised. Enabling encryption to the
tunnel traffic can prevent the traffic data from being monitored
and manipulated.
The tunnel traffic is encrypted with IPsec. The CMS sets the
ipsec
column in the northbound NB_Global
table to enable or
disable IPsec encrytion. If ipsec
is true, all OVN tunnels will
be encrypted. If ipsec
is false, no OVN tunnels will be
encrypted.
When CMS updates the ipsec
column in the northbound NB_Global
table, ovn-northd
copies the value to the ipsec
column in the
southbound SB_Global
table. ovn-controller
in each chassis
monitors the southbound database and sets the options of the OVS
tunnel interface accordingly. OVS tunnel interface options are
monitored by the ovs-monitor-ipsec
daemon which configures IKE
daemon to set up IPsec connections.
Chassis authenticates each other by using certificate. The
authentication succeeds if the other end in tunnel presents a
certificate signed by a trusted CA and the common name (CN)
matches the expected chassis name. The SSL certificates used in
role-based access controls (RBAC) can be used in IPsec. Or use
ovs-pki
to create different certificates. The certificate is
required to be x.509 version 3, and with CN field and
subjectAltName field being set to the chassis name.
The CA certificate, chassis certificate and private key are
required to be installed in each chassis before enabling IPsec.
Please see ovs-vswitchd.conf.db(5) for setting up CA based IPsec
authentication.