Linux Manual Guide




ovn-architecture(7)

Open Virtual Network architecture


Security

Role-Based Access Controls for the Southbound DB
       In order to provide additional security against the possibility of an OVN chassis becoming compromised in such a way as to allow rogue software to make arbitrary modifications to the southbound database state and thus disrupt the OVN network, role-based access controls (see ovsdb-server(1) for additional details) are provided for the southbound database.

The implementation of role-based access controls (RBAC) requires the addition of two tables to an OVSDB schema: the RBAC_Role table, which is indexed by role name and maps the names of the various tables that may be modifiable for a given role to individual rows in a permissions table containing detailed permission information for that role, and the permission table itself, which consists of rows containing the following information:

       Table Name
              The name of the associated table. This column exists primarily as an aid for humans reading the contents of this table.

       Auth Criteria
              A set of strings containing the names of columns (or column:key pairs for columns containing string:string maps). The contents of at least one of the columns or column:key values in a row to be modified, inserted, or deleted must be equal to the ID of the client attempting to act on the row in order for the authorization check to pass. If the authorization criteria are empty, authorization checking is disabled and all clients for the role are treated as authorized.

       Insert/Delete
              Row insertion/deletion permission; a boolean value indicating whether insertion and deletion of rows is allowed for the associated table. If true, insertion and deletion of rows is allowed for authorized clients.

       Updatable Columns
              A set of strings containing the names of columns or column:key pairs that may be updated or mutated by authorized clients. Modifications to columns within a row are only permitted when the authorization check for the client passes and all columns to be modified are included in this set of modifiable columns.

RBAC configuration for the OVN southbound database is maintained by ovn-northd. With RBAC enabled, modifications are only permitted for the Chassis, Encap, Port_Binding, and MAC_Binding tables, and are restricted as follows:

       Chassis
              Authorization: client ID must match the chassis name.

              Insert/Delete: authorized row insertion and deletion are permitted.

              Update: The columns nb_cfg, external_ids, encaps, and vtep_logical_switches may be modified when authorized.

       Encap
              Authorization: client ID must match the chassis name.

              Insert/Delete: row insertion and row deletion are permitted.

              Update: The columns type, options, and ip can be modified.

       Port_Binding
              Authorization: disabled (all clients are considered authorized). A future enhancement may add columns (or keys to external_ids) in order to control which chassis are allowed to bind each port.

              Insert/Delete: row insertion/deletion are not permitted (ovn-northd maintains rows in this table).

              Update: Only modifications to the chassis column are permitted.

       MAC_Binding
              Authorization: disabled (all clients are considered to be authorized).

              Insert/Delete: row insertion/deletion are permitted.

              Update: The columns logical_port, ip, mac, and datapath may be modified by ovn-controller.
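As an added illustration (not OVN's own code), the following Python models the permission check described above and applies it to the ovn-controller role listed for the southbound database. The column names used for the "chassis name" criteria (Chassis.name and Encap.chassis_name) are an assumption of this example; the man page says only that the client ID must match the chassis name.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Permission:
    """One row of the RBAC permissions table described above."""
    table: str
    authorization: frozenset  # column names or "column:key"; an empty set disables the auth check
    insert_delete: bool       # may authorized clients insert/delete rows of this table?
    update: frozenset         # columns (or "column:key") authorized clients may modify

# The "ovn-controller" role as ovn-northd maintains it for the southbound DB (content from this page).
# Assumption of this example: the "chassis name" criteria are the Chassis.name and Encap.chassis_name columns.
OVN_CONTROLLER_ROLE = {
    "Chassis": Permission("Chassis", frozenset({"name"}), True,
                          frozenset({"nb_cfg", "external_ids", "encaps", "vtep_logical_switches"})),
    "Encap": Permission("Encap", frozenset({"chassis_name"}), True, frozenset({"type", "options", "ip"})),
    "Port_Binding": Permission("Port_Binding", frozenset(), False, frozenset({"chassis"})),
    "MAC_Binding": Permission("MAC_Binding", frozenset(), True,
                              frozenset({"logical_port", "ip", "mac", "datapath"})),
}

def authorized(perm, row, client_id):
    """Auth criteria: at least one listed column (or key of a string:string map column) equals the client ID."""
    if not perm.authorization:
        return True  # empty criteria: checking disabled, every client of the role is authorized
    for crit in perm.authorization:
        col, _, key = crit.partition(":")
        value = row.get(col)
        if key:  # "column:key" form addresses a single entry of a map column
            value = value.get(key) if isinstance(value, dict) else None
        if value == client_id:
            return True
    return False

def check_op(client_id, table, op, row, columns=(), role=OVN_CONTROLLER_ROLE):
    """Decide whether client_id may insert/delete/update one row; returns (allowed, reason)."""
    perm = role.get(table)
    if perm is None:
        return False, f"{table} is not modifiable for this role"
    if not authorized(perm, row, client_id):
        return False, f"{client_id} does not satisfy the auth criteria for {table}"
    if op in ("insert", "delete"):
        return (True, "ok") if perm.insert_delete else (False, f"{op} not permitted on {table}")
    if op == "update":
        denied = set(columns) - perm.update
        return (True, "ok") if not denied else (False, f"not updatable in {table}: {sorted(denied)}")
    return False, f"unknown operation {op}"

if __name__ == "__main__":
    print(check_op("chassis-1", "Chassis", "update", {"name": "chassis-2"}, ["nb_cfg"]))
```

Running the checks makes the limitation the text notes visible: with authorization disabled on Port_Binding, any client holding a valid ovn-controller certificate passes the check for the chassis column of any port row.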

Enabling RBAC for ovn-controller connections to the southbound database requires the following steps:

1. Creating SSL certificates for each chassis with the certificate CN field set to the chassis name (e.g. for a chassis with external-ids:system-id=chassis-1, via the command "ovs-pki -u req+sign chassis-1 switch").

2. Configuring each ovn-controller to use SSL when connecting to the southbound database (e.g. via "ovs-vsctl set open . external-ids:ovn-remote=ssl:x.x.x.x:6642").

3. Configuring a southbound database SSL remote with "ovn-controller" role (e.g. via "ovn-sbctl set-connection role=ovn-controller pssl:6642").

Encrypt Tunnel Traffic with IPsec
       OVN tunnel traffic goes through physical routers and switches. These physical devices could be untrusted (devices in a public network) or might be compromised. Enabling encryption of the tunnel traffic can prevent the traffic data from being monitored and manipulated.

The tunnel traffic is encrypted with IPsec. The CMS sets the ipsec column in the northbound NB_Global table to enable or disable IPsec encryption. If ipsec is true, all OVN tunnels will be encrypted. If ipsec is false, no OVN tunnels will be encrypted.

When the CMS updates the ipsec column in the northbound NB_Global table, ovn-northd copies the value to the ipsec column in the southbound SB_Global table. ovn-controller in each chassis monitors the southbound database and sets the options of the OVS tunnel interface accordingly. OVS tunnel interface options are monitored by the ovs-monitor-ipsec daemon, which configures the IKE daemon to set up IPsec connections.

Chassis authenticate each other using certificates. The authentication succeeds if the other end of the tunnel presents a certificate signed by a trusted CA and the common name (CN) matches the expected chassis name. The SSL certificates used for role-based access controls (RBAC) can also be used for IPsec; alternatively, ovs-pki can be used to create separate certificates. The certificate must be X.509 version 3, with both the CN field and the subjectAltName field set to the chassis name.

The CA certificate, chassis certificate and private key are required to be installed in each chassis before enabling IPsec. Please see ovs-vswitchd.conf.db(5) for setting up CA based IPsec authentication.