OVN Role-Based Access Control (RBAC) Tutorial
This document provides a step-by-step guide for setting up role-based access
control (RBAC) in OVN. In OVN, hypervisors (chassis) read and write the
southbound database to do configuration. Without restricting each hypervisor's
access to the southbound database, a compromised hypervisor could disrupt the
entire OVN deployment by corrupting the database. RBAC ensures that each
hypervisor can only modify its own data and thus improves the security of OVN.
More details about the RBAC design can be found in
This document assumes OVN is installed in your system and runs normally.
Generating Certificates and Keys
In an OVN RBAC deployment, ovn-controller connects to the southbound database over an SSL connection. The southbound database uses a CA-signed certificate to authenticate ovn-controller.
Suppose there are three machines in your deployment. machine_1 runs chassis_1 and has IP address machine_1-ip. machine_2 runs chassis_2 and has IP address machine_2-ip. machine_3 hosts the southbound database and has IP address machine_3-ip. machine_3 also hosts the public key infrastructure (PKI).
$ ovs-pki init
Generate southbound database’s certificate request. Sign the certificate request with the CA key.
$ ovs-pki req -u sbdb
$ ovs-pki sign sbdb switch
Generate chassis certificate requests. Copy the certificate requests to machine_3.
$ ovs-pki req -u chassis_1
$ scp chassis_1-req.pem \
    machine_3@machine_3-ip:/path/to/chassis_1-req.pem
$ ovs-pki req -u chassis_2
$ scp chassis_2-req.pem \
    machine_3@machine_3-ip:/path/to/chassis_2-req.pem
Note: chassis_1 must be the same string as external_ids:system-id in the Open_vSwitch table (the chassis name) of machine_1. The same applies to chassis_2.
Sign the chassis certificate requests with the CA key. Copy chassis_1’s signed certificate and the CA certificate to machine_1. Copy chassis_2’s signed certificate and the CA certificate to machine_2.
$ ovs-pki sign chassis_1 switch
$ ovs-pki sign chassis_2 switch
$ scp chassis_1-cert.pem \
    machine_1@machine_1-ip:/path/to/chassis_1-cert.pem
$ scp /var/lib/openvswitch/pki/switchca/cacert.pem \
    machine_1@machine_1-ip:/path/to/cacert.pem
$ scp chassis_2-cert.pem \
    machine_2@machine_2-ip:/path/to/chassis_2-cert.pem
$ scp /var/lib/openvswitch/pki/switchca/cacert.pem \
    machine_2@machine_2-ip:/path/to/cacert.pem
Set the certificate, private key, and CA certificate for the southbound database. Configure the southbound database to listen for SSL connections and to enforce role-based access control on that listener.
$ ovn-sbctl set-ssl /path/to/sbdb-privkey.pem \
    /path/to/sbdb-cert.pem /path/to/cacert.pem
$ ovn-sbctl set-connection role=ovn-controller pssl:6642
Set the certificate, private key, and CA certificate for chassis_1 and chassis_2. Configure chassis_1 and chassis_2 to connect to the southbound database over SSL.
$ ovs-vsctl set-ssl /path/to/chassis_1-privkey.pem \
    /path/to/chassis_1-cert.pem /path/to/cacert.pem
$ ovs-vsctl set open_vswitch . \
    external_ids:ovn-remote=ssl:machine_3-ip:6642
$ ovs-vsctl set-ssl /path/to/chassis_2-privkey.pem \
    /path/to/chassis_2-cert.pem /path/to/cacert.pem
$ ovs-vsctl set open_vswitch . \
    external_ids:ovn-remote=ssl:machine_3-ip:6642
The OVN central control daemon and RBAC
The OVN central control daemon (ovn-northd) needs full write access to the southbound database. When you have one machine hosting the central components, ovn-northd can talk to the databases through a local unix socket, bypassing the ovn-controller RBAC configured for the listener at port ‘6642’. However, if you want to deploy multiple machines for hosting the central components, ovn-northd will require a remote connection to all of them.
Configure the southbound database with a second SSL listener on a separate port without RBAC enabled for use by ovn-northd.
$ ovn-sbctl -- --id=@conn_uuid create Connection \
    target="pssl\:16642" \
    -- add SB_Global . connections=@conn_uuid
Because this second listener has no RBAC, care should be taken to restrict access to port 16642 so that only trusted machines (the ones running ovn-northd) can connect to it.
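One concrete way to restrict the non-RBAC listener is a host firewall rule on the southbound database machine that admits port 16642 only from the central hosts while leaving the RBAC-protected port 6642 open to chassis. The script below is an added example, not part of the OVN documentation: it validates a list of ovn-northd host addresses and emits an nftables ruleset for them. The addresses are placeholders; the table and set names are choices made here.

```shell
#!/bin/sh
# Added example (not OVN project code): generate an nftables ruleset that
# limits the ovn-northd listener (pssl:16642, no RBAC) to trusted hosts and
# leaves the ovn-controller listener (pssl:6642, RBAC) reachable.

# Strict IPv4 dotted-quad check in POSIX sh. The body runs in a subshell so
# the IFS change stays local. Rejects hostnames, which would otherwise make
# the allow-list depend on DNS.
is_ipv4() (
    IFS=.
    set -- $1
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
)

# Print the ruleset for the given ovn-northd host addresses ($@).
# Returns 1 without printing anything if any address is not a valid IPv4.
sb_listener_rules() {
    [ "$#" -ge 1 ] || { echo "need at least one ovn-northd host" >&2; return 1; }
    for h in "$@"; do
        is_ipv4 "$h" || { echo "not an IPv4 address: $h" >&2; return 1; }
    done
    elems=$(printf '%s, ' "$@" | sed 's/, $//')
    cat <<EOF
table inet ovn_sb {
    set northd_hosts {
        type ipv4_addr
        elements = { $elems }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        # ovn-controller listener: clients are authenticated by certificate
        # and authorized per-chassis by the ovn-controller RBAC role
        tcp dport 6642 accept
        # ovn-northd listener has no RBAC: only the central hosts may reach it
        tcp dport 16642 ip saddr @northd_hosts accept
        tcp dport 16642 counter drop
    }
}
EOF
}

# Usage (placeholder addresses): write the ruleset to a file and load it
# with `nft -f`; review it before loading on a production database host.
if [ "$#" -ge 1 ]; then
    sb_listener_rules "$@"
fi
```

The drop rule carries a counter so that unexpected connection attempts to 16642 show up in `nft list ruleset` output, which is a cheap signal that something other than ovn-northd is probing the unprotected listener. Add a matching IPv6 set if your central hosts reach the database over IPv6.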