mir/ovs
2
0
Fork 0
mirror of https://github.com/openvswitch/ovs synced 2025-08-22 09:58:01 +00:00
Code Issues Releases Wiki Activity
ovs/ovsdb/execution.c

895 lines
30 KiB
C
Raw Permalink Normal View History

ovsdb-server: Allow OVSDB clients to specify the UUID for inserted rows. Acked-by: Han Zhou <hzhou@ovn.org> Requested-by: Leonid Ryzhyk <lryzhyk@vmware.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
2020-01-09 12:48:30 -08:00
/* Copyright (c) 2009, 2010, 2011, 2012, 2013, 2017, 2019 Nicira, Inc.
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at:
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <config.h>
ovsdb: Introduce experimental support for clustered databases. This commit adds support for OVSDB clustering via Raft. Please read ovsdb(7) for information on how to set up a clustered database. It is simple and boils down to running "ovsdb-tool create-cluster" on one server and "ovsdb-tool join-cluster" on each of the others and then starting ovsdb-server in the usual way on all of them. One you have a clustered database, you configure ovn-controller and ovn-northd to use it by pointing them to all of the servers, e.g. where previously you might have said "tcp:1.2.3.4" was the database server, now you say that it is "tcp:1.2.3.4,tcp:5.6.7.8,tcp:9.10.11.12". This also adds support for database clustering to ovs-sandbox. Acked-by: Justin Pettit <jpettit@ovn.org> Tested-by: aginwala <aginwala@asu.edu> Signed-off-by: Ben Pfaff <blp@ovn.org>
2017-12-31 21:15:58 -08:00
#include "ovsdb.h"
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
#include <limits.h>
#include "column.h"
#include "condition.h"
ovsdb: Add replication support and refactor files in terms of replication. An upcoming commit will add support for replicating tables across JSON-RPC connection. As a prerequisite ovsdb itself must support basic replication. This commit adds that support and then reimplements the ovsdb file storage in terms of that replication.
2009-11-13 13:37:55 -08:00
#include "file.h"
json: Move from lib to include/openvswitch. To easily allow both in- and out-of-tree building of the Python wrapper for the OVS JSON parser (e.g. w/ pip), move json.h to include/openvswitch. This also requires moving lib/{hmap,shash}.h. Both hmap.h and shash.h were #include-ing "util.h" even though the headers themselves did not use anything from there, but rather from include/openvswitch/util.h. Fixing that required including util.h in several C files mostly due to OVS_NOT_REACHED and things like xmalloc. Signed-off-by: Terry Wilson <twilson@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
2016-07-12 16:37:34 -05:00
#include "openvswitch/json.h"
ovsdb: Add new "mutation" operation to transactions.
2009-12-16 10:49:31 -08:00
#include "mutation.h"
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
#include "ovsdb-data.h"
#include "ovsdb-error.h"
#include "ovsdb-parser.h"
#include "query.h"
ovsdb: add support for role-based access controls Add suport for ovsdb RBAC (role-based access control). This includes: - Support for "RBAC_Role" table. A db schema containing a table by this name will enable role-based access controls using this table for RBAC role configuration. The "RBAC_Role" table has one row per role, with each row having a "name" column (role name) and a "permissions" column (map of table name to UUID of row in separate permission table.) The permission table has one row per access control configuration, with the following columns: "name" - name of table to which this row applies "authorization" - set of column names and column:key pairs to be compared against client ID to determine authorization status "insert_delete" - boolean, true if insertions and authorized deletions are allowed. "update" - Set of columns and column:key pairs for which authorized updates are allowed. - Support for a new "role" column in the remote configuration table. - Logic for applying the RBAC role and permission tables, in combination with session role from the remote connection table and client id, to determine whether operations modifying database contents should be permitted. - Support for specifying RBAC role string as a command-line option to ovsdb-tool (Ben Pfaff). Signed-off-by: Lance Richardson <lrichard@redhat.com> Co-authored-by: Ben Pfaff <blp@ovn.org> Signed-off-by: Ben Pfaff <blp@ovn.org>
2017-05-31 19:04:32 -04:00
#include "rbac.h"
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
#include "row.h"
ovsdb: Implement a "lock" feature in the database protocol. This provides clients a way to coordinate their access to the database. This is a voluntary, not mandatory, locking protocols, that is, clients are not prevented from modifying the database unless they cooperate with the locking protocol. It is also not related to any of the ACID properties of database transactions. It is strictly a way for clients to coordinate among themselves. The following commit will introduce one user.
2011-07-26 10:24:17 -07:00
#include "server.h"
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
#include "table.h"
#include "timeval.h"
#include "transaction.h"
struct ovsdb_execution {
struct ovsdb *db;
ovsdb: Implement a "lock" feature in the database protocol. This provides clients a way to coordinate their access to the database. This is a voluntary, not mandatory, locking protocols, that is, clients are not prevented from modifying the database unless they cooperate with the locking protocol. It is also not related to any of the ACID properties of database transactions. It is strictly a way for clients to coordinate among themselves. The following commit will introduce one user.
2011-07-26 10:24:17 -07:00
const struct ovsdb_session *session;
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
struct ovsdb_txn *txn;
struct ovsdb_symbol_table *symtab;
bool durable;
ovsdb: add support for role-based access controls Add suport for ovsdb RBAC (role-based access control). This includes: - Support for "RBAC_Role" table. A db schema containing a table by this name will enable role-based access controls using this table for RBAC role configuration. The "RBAC_Role" table has one row per role, with each row having a "name" column (role name) and a "permissions" column (map of table name to UUID of row in separate permission table.) The permission table has one row per access control configuration, with the following columns: "name" - name of table to which this row applies "authorization" - set of column names and column:key pairs to be compared against client ID to determine authorization status "insert_delete" - boolean, true if insertions and authorized deletions are allowed. "update" - Set of columns and column:key pairs for which authorized updates are allowed. - Support for a new "role" column in the remote configuration table. - Logic for applying the RBAC role and permission tables, in combination with session role from the remote connection table and client id, to determine whether operations modifying database contents should be permitted. - Support for specifying RBAC role string as a command-line option to ovsdb-tool (Ben Pfaff). Signed-off-by: Lance Richardson <lrichard@redhat.com> Co-authored-by: Ben Pfaff <blp@ovn.org> Signed-off-by: Ben Pfaff <blp@ovn.org>
2017-05-31 19:04:32 -04:00
const char *role;
const char *id;
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
/* Triggers. */
long long int elapsed_msec;
long long int timeout_msec;
};
typedef struct ovsdb_error *ovsdb_operation_executor(struct ovsdb_execution *,
struct ovsdb_parser *,
struct json *result);
static ovsdb_operation_executor ovsdb_execute_insert;
static ovsdb_operation_executor ovsdb_execute_select;
static ovsdb_operation_executor ovsdb_execute_update;
ovsdb: Add new "mutation" operation to transactions.
2009-12-16 10:49:31 -08:00
static ovsdb_operation_executor ovsdb_execute_mutate;
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
static ovsdb_operation_executor ovsdb_execute_delete;
static ovsdb_operation_executor ovsdb_execute_wait;
static ovsdb_operation_executor ovsdb_execute_commit;
static ovsdb_operation_executor ovsdb_execute_abort;
ovsdb: Add "comment" feature to transactions and make ovs-vsctl use them. The idea here is that transaction comments get copied to the ovsdb-server's transaction log, which can then make it clear later why a particular change was made to the database, to ease debugging.
2009-12-16 13:30:53 -08:00
static ovsdb_operation_executor ovsdb_execute_comment;
ovsdb: Implement a "lock" feature in the database protocol. This provides clients a way to coordinate their access to the database. This is a voluntary, not mandatory, locking protocols, that is, clients are not prevented from modifying the database unless they cooperate with the locking protocol. It is also not related to any of the ACID properties of database transactions. It is strictly a way for clients to coordinate among themselves. The following commit will introduce one user.
2011-07-26 10:24:17 -07:00
static ovsdb_operation_executor ovsdb_execute_assert;
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
static ovsdb_operation_executor *
ovsdb: Make OVSDB backup sever read only When ovsdb-sever is running in the backup state, it would be nice to make sure there is no un-intended changes to the backup database. This patch makes the ovsdb server only accepts 'read' transactions as a backup server. When the server role is changed into an active server, all existing client connections will be reset. After reconnect, all clinet transactions will then be accepted. Signed-off-by: Andy Zhou <azhou@ovn.org> Acked-by: Ben Pfaff <blp@ovn.org>
2016-07-29 14:39:29 -07:00
lookup_executor(const char *name, bool *read_only)
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
{
struct ovsdb_operation {
const char *name;
ovsdb: Make OVSDB backup sever read only When ovsdb-sever is running in the backup state, it would be nice to make sure there is no un-intended changes to the backup database. This patch makes the ovsdb server only accepts 'read' transactions as a backup server. When the server role is changed into an active server, all existing client connections will be reset. After reconnect, all clinet transactions will then be accepted. Signed-off-by: Andy Zhou <azhou@ovn.org> Acked-by: Ben Pfaff <blp@ovn.org>
2016-07-29 14:39:29 -07:00
bool read_only;
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
ovsdb_operation_executor *executor;
};
static const struct ovsdb_operation operations[] = {
ovsdb: Make OVSDB backup sever read only When ovsdb-sever is running in the backup state, it would be nice to make sure there is no un-intended changes to the backup database. This patch makes the ovsdb server only accepts 'read' transactions as a backup server. When the server role is changed into an active server, all existing client connections will be reset. After reconnect, all clinet transactions will then be accepted. Signed-off-by: Andy Zhou <azhou@ovn.org> Acked-by: Ben Pfaff <blp@ovn.org>
2016-07-29 14:39:29 -07:00
{ "insert", false, ovsdb_execute_insert },
{ "select", true, ovsdb_execute_select },
{ "update", false, ovsdb_execute_update },
{ "mutate", false, ovsdb_execute_mutate },
{ "delete", false, ovsdb_execute_delete },
{ "wait", true, ovsdb_execute_wait },
{ "commit", false, ovsdb_execute_commit },
{ "abort", true, ovsdb_execute_abort },
{ "comment", true, ovsdb_execute_comment },
{ "assert", true, ovsdb_execute_assert },
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
};
size_t i;
for (i = 0; i < ARRAY_SIZE(operations); i++) {
const struct ovsdb_operation *c = &operations[i];
if (!strcmp(c->name, name)) {
ovsdb: Make OVSDB backup sever read only When ovsdb-sever is running in the backup state, it would be nice to make sure there is no un-intended changes to the backup database. This patch makes the ovsdb server only accepts 'read' transactions as a backup server. When the server role is changed into an active server, all existing client connections will be reset. After reconnect, all clinet transactions will then be accepted. Signed-off-by: Andy Zhou <azhou@ovn.org> Acked-by: Ben Pfaff <blp@ovn.org>
2016-07-29 14:39:29 -07:00
*read_only = c->read_only;
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
return c->executor;
}
}
return NULL;
}
ovsdb: Introduce experimental support for clustered databases. This commit adds support for OVSDB clustering via Raft. Please read ovsdb(7) for information on how to set up a clustered database. It is simple and boils down to running "ovsdb-tool create-cluster" on one server and "ovsdb-tool join-cluster" on each of the others and then starting ovsdb-server in the usual way on all of them. One you have a clustered database, you configure ovn-controller and ovn-northd to use it by pointing them to all of the servers, e.g. where previously you might have said "tcp:1.2.3.4" was the database server, now you say that it is "tcp:1.2.3.4,tcp:5.6.7.8,tcp:9.10.11.12". This also adds support for database clustering to ovs-sandbox. Acked-by: Justin Pettit <jpettit@ovn.org> Tested-by: aginwala <aginwala@asu.edu> Signed-off-by: Ben Pfaff <blp@ovn.org>
2017-12-31 21:15:58 -08:00
/* On success, returns a transaction and stores the results to return to the
ovsdb: relay: Add support for transaction forwarding. Current version of ovsdb relay allows to scale out read-only access to the primary database. However, many clients are not read-only but read-mostly. For example, ovn-controller. In order to scale out database access for this case ovsdb-server need to process transactions that are not read-only. Relay is not allowed to do that, i.e. not allowed to modify the database, but it can act like a proxy and forward transactions that includes database modifications to the primary server and forward replies back to a client. At the same time it may serve read-only transactions and monitor requests by itself greatly reducing the load on primary server. This configuration will slightly increase transaction latency, but it's not very important for read-mostly use cases. Implementation details: With this change instead of creating a trigger to commit the transaction, ovsdb-server will create a trigger for transaction forwarding. Later, ovsdb_relay_run() will send all new transactions to the relay source. Once transaction reply received from the relay source, ovsdb-relay module will update the state of the transaction forwarding with the reply. After that, trigger_run() will complete the trigger and jsonrpc_server_run() will send the reply back to the client. Since transaction reply from the relay source will be received after all the updates, client will receive all the updates before receiving the transaction reply as it is in a normal scenario with other database models. Acked-by: Mark D. Gray <mark.d.gray@redhat.com> Acked-by: Dumitru Ceara <dceara@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2021-04-15 19:05:40 +02:00
* client in '*resultsp'. If 'forwarding_needed' is nonnull and transaction
* needs to be forwarded (in relay mode), sets '*forwarding_needed' to true.
ovsdb: Introduce experimental support for clustered databases. This commit adds support for OVSDB clustering via Raft. Please read ovsdb(7) for information on how to set up a clustered database. It is simple and boils down to running "ovsdb-tool create-cluster" on one server and "ovsdb-tool join-cluster" on each of the others and then starting ovsdb-server in the usual way on all of them. One you have a clustered database, you configure ovn-controller and ovn-northd to use it by pointing them to all of the servers, e.g. where previously you might have said "tcp:1.2.3.4" was the database server, now you say that it is "tcp:1.2.3.4,tcp:5.6.7.8,tcp:9.10.11.12". This also adds support for database clustering to ovs-sandbox. Acked-by: Justin Pettit <jpettit@ovn.org> Tested-by: aginwala <aginwala@asu.edu> Signed-off-by: Ben Pfaff <blp@ovn.org>
2017-12-31 21:15:58 -08:00
*
* On failure, returns NULL. If '*resultsp' is nonnull, then it is the results
* to return to the client. If '*resultsp' is null, then the execution failed
* due to an unsatisfied "wait" operation and '*timeout_msec' is the time at
* which the transaction will time out. (If 'timeout_msec' is null, this case
* never occurs--instead, an unsatisfied "wait" unconditionally fails.) */
struct ovsdb_txn *
ovsdb_execute_compose(struct ovsdb *db, const struct ovsdb_session *session,
const struct json *params, bool read_only,
const char *role, const char *id,
long long int elapsed_msec, long long int *timeout_msec,
ovsdb: relay: Add support for transaction forwarding. Current version of ovsdb relay allows to scale out read-only access to the primary database. However, many clients are not read-only but read-mostly. For example, ovn-controller. In order to scale out database access for this case ovsdb-server need to process transactions that are not read-only. Relay is not allowed to do that, i.e. not allowed to modify the database, but it can act like a proxy and forward transactions that includes database modifications to the primary server and forward replies back to a client. At the same time it may serve read-only transactions and monitor requests by itself greatly reducing the load on primary server. This configuration will slightly increase transaction latency, but it's not very important for read-mostly use cases. Implementation details: With this change instead of creating a trigger to commit the transaction, ovsdb-server will create a trigger for transaction forwarding. Later, ovsdb_relay_run() will send all new transactions to the relay source. Once transaction reply received from the relay source, ovsdb-relay module will update the state of the transaction forwarding with the reply. After that, trigger_run() will complete the trigger and jsonrpc_server_run() will send the reply back to the client. Since transaction reply from the relay source will be received after all the updates, client will receive all the updates before receiving the transaction reply as it is in a normal scenario with other database models. Acked-by: Mark D. Gray <mark.d.gray@redhat.com> Acked-by: Dumitru Ceara <dceara@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2021-04-15 19:05:40 +02:00
bool *durable, bool *forwarding_needed,
struct json **resultsp)
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
{
struct ovsdb_execution x;
struct ovsdb_error *error;
struct json *results;
size_t n_operations;
size_t i;
ovsdb: Introduce experimental support for clustered databases. This commit adds support for OVSDB clustering via Raft. Please read ovsdb(7) for information on how to set up a clustered database. It is simple and boils down to running "ovsdb-tool create-cluster" on one server and "ovsdb-tool join-cluster" on each of the others and then starting ovsdb-server in the usual way on all of them. One you have a clustered database, you configure ovn-controller and ovn-northd to use it by pointing them to all of the servers, e.g. where previously you might have said "tcp:1.2.3.4" was the database server, now you say that it is "tcp:1.2.3.4,tcp:5.6.7.8,tcp:9.10.11.12". This also adds support for database clustering to ovs-sandbox. Acked-by: Justin Pettit <jpettit@ovn.org> Tested-by: aginwala <aginwala@asu.edu> Signed-off-by: Ben Pfaff <blp@ovn.org>
2017-12-31 21:15:58 -08:00
*durable = false;
ovsdb: relay: Add support for transaction forwarding. Current version of ovsdb relay allows to scale out read-only access to the primary database. However, many clients are not read-only but read-mostly. For example, ovn-controller. In order to scale out database access for this case ovsdb-server need to process transactions that are not read-only. Relay is not allowed to do that, i.e. not allowed to modify the database, but it can act like a proxy and forward transactions that includes database modifications to the primary server and forward replies back to a client. At the same time it may serve read-only transactions and monitor requests by itself greatly reducing the load on primary server. This configuration will slightly increase transaction latency, but it's not very important for read-mostly use cases. Implementation details: With this change instead of creating a trigger to commit the transaction, ovsdb-server will create a trigger for transaction forwarding. Later, ovsdb_relay_run() will send all new transactions to the relay source. Once transaction reply received from the relay source, ovsdb-relay module will update the state of the transaction forwarding with the reply. After that, trigger_run() will complete the trigger and jsonrpc_server_run() will send the reply back to the client. Since transaction reply from the relay source will be received after all the updates, client will receive all the updates before receiving the transaction reply as it is in a normal scenario with other database models. Acked-by: Mark D. Gray <mark.d.gray@redhat.com> Acked-by: Dumitru Ceara <dceara@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2021-04-15 19:05:40 +02:00
if (forwarding_needed) {
*forwarding_needed = false;
}
ovsdb: Add support for multiple databases to the protocol. This also adds protocol compatibility to the database itself and to ovsdb-client. It doesn't actually add multiple database support to ovsdb-server, since we don't really need that yet.
2010-02-09 10:17:58 -08:00
if (params->type != JSON_ARRAY
json: Use functions to access json arrays. Internal implementation of JSON array will be changed in the future commits. Add access functions that users can rely on instead of accessing the internals of 'struct json' directly and convert all the users. Structure fields are intentionally renamed to make sure that no code is using the old fields directly. json_array() function is removed, as not needed anymore. Added new functions: json_array_size(), json_array_at(), json_array_set() and json_array_pop(). These are enough to cover all the use cases within OVS. The change is fairly large, however, IMO, it's a much overdue cleanup that we need even without changing the underlying implementation. Acked-by: Mike Pattrick <mkp@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2025-06-24 21:54:33 +02:00
|| !json_array_size(params)
|| json_array_at(params, 0)->type != JSON_STRING
|| strcmp(json_string(json_array_at(params, 0)), db->schema->name)) {
ovsdb: Add support for multiple databases to the protocol. This also adds protocol compatibility to the database itself and to ovsdb-client. It doesn't actually add multiple database support to ovsdb-server, since we don't really need that yet.
2010-02-09 10:17:58 -08:00
if (params->type != JSON_ARRAY) {
error = ovsdb_syntax_error(params, NULL, "array expected");
} else {
error = ovsdb_syntax_error(params, NULL, "database name expected "
"as first parameter");
}
ovsdb: Introduce experimental support for clustered databases. This commit adds support for OVSDB clustering via Raft. Please read ovsdb(7) for information on how to set up a clustered database. It is simple and boils down to running "ovsdb-tool create-cluster" on one server and "ovsdb-tool join-cluster" on each of the others and then starting ovsdb-server in the usual way on all of them. One you have a clustered database, you configure ovn-controller and ovn-northd to use it by pointing them to all of the servers, e.g. where previously you might have said "tcp:1.2.3.4" was the database server, now you say that it is "tcp:1.2.3.4,tcp:5.6.7.8,tcp:9.10.11.12". This also adds support for database clustering to ovs-sandbox. Acked-by: Justin Pettit <jpettit@ovn.org> Tested-by: aginwala <aginwala@asu.edu> Signed-off-by: Ben Pfaff <blp@ovn.org>
2017-12-31 21:15:58 -08:00
*resultsp = ovsdb_error_to_json_free(error);
return NULL;
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
}
x.db = db;
ovsdb: Implement a "lock" feature in the database protocol. This provides clients a way to coordinate their access to the database. This is a voluntary, not mandatory, locking protocols, that is, clients are not prevented from modifying the database unless they cooperate with the locking protocol. It is also not related to any of the ACID properties of database transactions. It is strictly a way for clients to coordinate among themselves. The following commit will introduce one user.
2011-07-26 10:24:17 -07:00
x.session = session;
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
x.txn = ovsdb_txn_create(db);
x.symtab = ovsdb_symbol_table_create();
x.durable = false;
ovsdb: add support for role-based access controls Add suport for ovsdb RBAC (role-based access control). This includes: - Support for "RBAC_Role" table. A db schema containing a table by this name will enable role-based access controls using this table for RBAC role configuration. The "RBAC_Role" table has one row per role, with each row having a "name" column (role name) and a "permissions" column (map of table name to UUID of row in separate permission table.) The permission table has one row per access control configuration, with the following columns: "name" - name of table to which this row applies "authorization" - set of column names and column:key pairs to be compared against client ID to determine authorization status "insert_delete" - boolean, true if insertions and authorized deletions are allowed. "update" - Set of columns and column:key pairs for which authorized updates are allowed. - Support for a new "role" column in the remote configuration table. - Logic for applying the RBAC role and permission tables, in combination with session role from the remote connection table and client id, to determine whether operations modifying database contents should be permitted. - Support for specifying RBAC role string as a command-line option to ovsdb-tool (Ben Pfaff). Signed-off-by: Lance Richardson <lrichard@redhat.com> Co-authored-by: Ben Pfaff <blp@ovn.org> Signed-off-by: Ben Pfaff <blp@ovn.org>
2017-05-31 19:04:32 -04:00
x.role = role;
x.id = id;
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
x.elapsed_msec = elapsed_msec;
x.timeout_msec = LLONG_MAX;
results = NULL;
results = json_array_create_empty();
json: Use functions to access json arrays. Internal implementation of JSON array will be changed in the future commits. Add access functions that users can rely on instead of accessing the internals of 'struct json' directly and convert all the users. Structure fields are intentionally renamed to make sure that no code is using the old fields directly. json_array() function is removed, as not needed anymore. Added new functions: json_array_size(), json_array_at(), json_array_set() and json_array_pop(). These are enough to cover all the use cases within OVS. The change is fairly large, however, IMO, it's a much overdue cleanup that we need even without changing the underlying implementation. Acked-by: Mike Pattrick <mkp@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2025-06-24 21:54:33 +02:00
n_operations = json_array_size(params) - 1;
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
error = NULL;
ovsdb: Add support for multiple databases to the protocol. This also adds protocol compatibility to the database itself and to ovsdb-client. It doesn't actually add multiple database support to ovsdb-server, since we don't really need that yet.
2010-02-09 10:17:58 -08:00
for (i = 1; i <= n_operations; i++) {
json: Use functions to access json arrays. Internal implementation of JSON array will be changed in the future commits. Add access functions that users can rely on instead of accessing the internals of 'struct json' directly and convert all the users. Structure fields are intentionally renamed to make sure that no code is using the old fields directly. json_array() function is removed, as not needed anymore. Added new functions: json_array_size(), json_array_at(), json_array_set() and json_array_pop(). These are enough to cover all the use cases within OVS. The change is fairly large, however, IMO, it's a much overdue cleanup that we need even without changing the underlying implementation. Acked-by: Mike Pattrick <mkp@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2025-06-24 21:54:33 +02:00
const struct json *operation = json_array_at(params, i);
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
struct ovsdb_error *parse_error;
struct ovsdb_parser parser;
struct json *result;
const struct json *op;
ovsdb: Make OVSDB backup sever read only When ovsdb-sever is running in the backup state, it would be nice to make sure there is no un-intended changes to the backup database. This patch makes the ovsdb server only accepts 'read' transactions as a backup server. When the server role is changed into an active server, all existing client connections will be reset. After reconnect, all clinet transactions will then be accepted. Signed-off-by: Andy Zhou <azhou@ovn.org> Acked-by: Ben Pfaff <blp@ovn.org>
2016-07-29 14:39:29 -07:00
const char *op_name = NULL;
bool ro = false;
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
/* Parse and execute operation. */
ovsdb_parser_init(&parser, operation,
ovsdb: Make OVSDB backup sever read only When ovsdb-sever is running in the backup state, it would be nice to make sure there is no un-intended changes to the backup database. This patch makes the ovsdb server only accepts 'read' transactions as a backup server. When the server role is changed into an active server, all existing client connections will be reset. After reconnect, all clinet transactions will then be accepted. Signed-off-by: Andy Zhou <azhou@ovn.org> Acked-by: Ben Pfaff <blp@ovn.org>
2016-07-29 14:39:29 -07:00
"ovsdb operation %"PRIuSIZE" of %"PRIuSIZE, i,
n_operations);
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
op = ovsdb_parser_member(&parser, "op", OP_ID);
result = json_object_create();
if (op) {
ovsdb: Make OVSDB backup sever read only When ovsdb-sever is running in the backup state, it would be nice to make sure there is no un-intended changes to the backup database. This patch makes the ovsdb server only accepts 'read' transactions as a backup server. When the server role is changed into an active server, all existing client connections will be reset. After reconnect, all clinet transactions will then be accepted. Signed-off-by: Andy Zhou <azhou@ovn.org> Acked-by: Ben Pfaff <blp@ovn.org>
2016-07-29 14:39:29 -07:00
op_name = json_string(op);
ovsdb_operation_executor *executor = lookup_executor(op_name, &ro);
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
if (executor) {
error = executor(&x, &parser, result);
} else {
ovsdb: Improve error message for transaction that uses unknown operation. Without this commit, misspelling an operation name provokes a mysterious error message.
2009-11-06 15:33:25 -08:00
ovsdb_parser_raise_error(&parser, "No operation \"%s\"",
op_name);
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
}
} else {
Replace most uses of assert by ovs_assert. This is a straight search-and-replace, except that I also removed #include <assert.h> from each file where there were no assert calls left. Signed-off-by: Ben Pfaff <blp@nicira.com> Acked-by: Ethan Jackson <ethan@nicira.com>
2012-11-06 13:14:55 -08:00
ovs_assert(ovsdb_parser_has_error(&parser));
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
}
/* A parse error overrides any other error.
* An error overrides any other result. */
parse_error = ovsdb_parser_finish(&parser);
if (parse_error) {
ovsdb_error_destroy(error);
error = parse_error;
}
ovsdb: Make OVSDB backup sever read only When ovsdb-sever is running in the backup state, it would be nice to make sure there is no un-intended changes to the backup database. This patch makes the ovsdb server only accepts 'read' transactions as a backup server. When the server role is changed into an active server, all existing client connections will be reset. After reconnect, all clinet transactions will then be accepted. Signed-off-by: Andy Zhou <azhou@ovn.org> Acked-by: Ben Pfaff <blp@ovn.org>
2016-07-29 14:39:29 -07:00
/* Create read-only violation error if there is one. */
ovsdb-server: Forbid user-specified databases with reserved names. Names that begin with "_" are reserved, but ovsdb-server didn't previously enforce this. At the same time, make ovsdb-client ignore databases with reserved names for the purpose of selecting a default database to work on. This is in preparation for ovsdb-server starting to serve a new database, full of meta-information, called _Server. Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Justin Pettit <jpettit@ovn.org>
2017-12-22 11:41:11 -08:00
if (!ro && !error) {
if (read_only) {
error = ovsdb_error("not allowed",
"%s operation not allowed when "
"database server is in read only mode",
op_name);
} else if (db->schema->name[0] == '_') {
error = ovsdb_error("not allowed",
"%s operation not allowed on "
"table in reserved database %s",
op_name, db->schema->name);
ovsdb: relay: Add support for transaction forwarding. Current version of ovsdb relay allows to scale out read-only access to the primary database. However, many clients are not read-only but read-mostly. For example, ovn-controller. In order to scale out database access for this case ovsdb-server need to process transactions that are not read-only. Relay is not allowed to do that, i.e. not allowed to modify the database, but it can act like a proxy and forward transactions that includes database modifications to the primary server and forward replies back to a client. At the same time it may serve read-only transactions and monitor requests by itself greatly reducing the load on primary server. This configuration will slightly increase transaction latency, but it's not very important for read-mostly use cases. Implementation details: With this change instead of creating a trigger to commit the transaction, ovsdb-server will create a trigger for transaction forwarding. Later, ovsdb_relay_run() will send all new transactions to the relay source. Once transaction reply received from the relay source, ovsdb-relay module will update the state of the transaction forwarding with the reply. After that, trigger_run() will complete the trigger and jsonrpc_server_run() will send the reply back to the client. Since transaction reply from the relay source will be received after all the updates, client will receive all the updates before receiving the transaction reply as it is in a normal scenario with other database models. Acked-by: Mark D. Gray <mark.d.gray@redhat.com> Acked-by: Dumitru Ceara <dceara@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2021-04-15 19:05:40 +02:00
} else if (db->is_relay && forwarding_needed) {
*forwarding_needed = true;
ovsdb-server: Forbid user-specified databases with reserved names. Names that begin with "_" are reserved, but ovsdb-server didn't previously enforce this. At the same time, make ovsdb-client ignore databases with reserved names for the purpose of selecting a default database to work on. This is in preparation for ovsdb-server starting to serve a new database, full of meta-information, called _Server. Signed-off-by: Ben Pfaff <blp@ovn.org> Acked-by: Justin Pettit <jpettit@ovn.org>
2017-12-22 11:41:11 -08:00
}
ovsdb: Make OVSDB backup sever read only When ovsdb-sever is running in the backup state, it would be nice to make sure there is no un-intended changes to the backup database. This patch makes the ovsdb server only accepts 'read' transactions as a backup server. When the server role is changed into an active server, all existing client connections will be reset. After reconnect, all clinet transactions will then be accepted. Signed-off-by: Andy Zhou <azhou@ovn.org> Acked-by: Ben Pfaff <blp@ovn.org>
2016-07-29 14:39:29 -07:00
}
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
if (error) {
json_destroy(result);
json_array_add(results, ovsdb_error_to_json(error));
ovsdb: Introduce experimental support for clustered databases. This commit adds support for OVSDB clustering via Raft. Please read ovsdb(7) for information on how to set up a clustered database. It is simple and boils down to running "ovsdb-tool create-cluster" on one server and "ovsdb-tool join-cluster" on each of the others and then starting ovsdb-server in the usual way on all of them. One you have a clustered database, you configure ovn-controller and ovn-northd to use it by pointing them to all of the servers, e.g. where previously you might have said "tcp:1.2.3.4" was the database server, now you say that it is "tcp:1.2.3.4,tcp:5.6.7.8,tcp:9.10.11.12". This also adds support for database clustering to ovs-sandbox. Acked-by: Justin Pettit <jpettit@ovn.org> Tested-by: aginwala <aginwala@asu.edu> Signed-off-by: Ben Pfaff <blp@ovn.org>
2017-12-31 21:15:58 -08:00
if (!strcmp(ovsdb_error_get_tag(error), "not supported")
&& timeout_msec) {
*timeout_msec = x.timeout_msec;
json_destroy(results);
results = NULL;
goto exit;
}
break;
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
}
ovsdb: Introduce experimental support for clustered databases. This commit adds support for OVSDB clustering via Raft. Please read ovsdb(7) for information on how to set up a clustered database. It is simple and boils down to running "ovsdb-tool create-cluster" on one server and "ovsdb-tool join-cluster" on each of the others and then starting ovsdb-server in the usual way on all of them. One you have a clustered database, you configure ovn-controller and ovn-northd to use it by pointing them to all of the servers, e.g. where previously you might have said "tcp:1.2.3.4" was the database server, now you say that it is "tcp:1.2.3.4,tcp:5.6.7.8,tcp:9.10.11.12". This also adds support for database clustering to ovs-sandbox. Acked-by: Justin Pettit <jpettit@ovn.org> Tested-by: aginwala <aginwala@asu.edu> Signed-off-by: Ben Pfaff <blp@ovn.org>
2017-12-31 21:15:58 -08:00
json_array_add(results, result);
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
}
json: Use functions to access json arrays. Internal implementation of JSON array will be changed in the future commits. Add access functions that users can rely on instead of accessing the internals of 'struct json' directly and convert all the users. Structure fields are intentionally renamed to make sure that no code is using the old fields directly. json_array() function is removed, as not needed anymore. Added new functions: json_array_size(), json_array_at(), json_array_set() and json_array_pop(). These are enough to cover all the use cases within OVS. The change is fairly large, however, IMO, it's a much overdue cleanup that we need even without changing the underlying implementation. Acked-by: Mike Pattrick <mkp@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2025-06-24 21:54:33 +02:00
while (json_array_size(results) < n_operations) {
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
json_array_add(results, json_null_create());
}
ovsdb-server: Fix various memory leaks. Some of these are serious leaks, in that they could leak some amount of memory for every transaction processed by the database server. Found with valgrind.
2010-02-02 14:40:25 -08:00
exit:
ovsdb: Introduce experimental support for clustered databases. This commit adds support for OVSDB clustering via Raft. Please read ovsdb(7) for information on how to set up a clustered database. It is simple and boils down to running "ovsdb-tool create-cluster" on one server and "ovsdb-tool join-cluster" on each of the others and then starting ovsdb-server in the usual way on all of them. One you have a clustered database, you configure ovn-controller and ovn-northd to use it by pointing them to all of the servers, e.g. where previously you might have said "tcp:1.2.3.4" was the database server, now you say that it is "tcp:1.2.3.4,tcp:5.6.7.8,tcp:9.10.11.12". This also adds support for database clustering to ovs-sandbox. Acked-by: Justin Pettit <jpettit@ovn.org> Tested-by: aginwala <aginwala@asu.edu> Signed-off-by: Ben Pfaff <blp@ovn.org>
2017-12-31 21:15:58 -08:00
if (error) {
ovsdb_txn_abort(x.txn);
x.txn = NULL;
ovsdb_error_destroy(error);
}
*resultsp = results;
*durable = x.durable;
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
ovsdb_symbol_table_destroy(x.symtab);
ovsdb: Introduce experimental support for clustered databases. This commit adds support for OVSDB clustering via Raft. Please read ovsdb(7) for information on how to set up a clustered database. It is simple and boils down to running "ovsdb-tool create-cluster" on one server and "ovsdb-tool join-cluster" on each of the others and then starting ovsdb-server in the usual way on all of them. One you have a clustered database, you configure ovn-controller and ovn-northd to use it by pointing them to all of the servers, e.g. where previously you might have said "tcp:1.2.3.4" was the database server, now you say that it is "tcp:1.2.3.4,tcp:5.6.7.8,tcp:9.10.11.12". This also adds support for database clustering to ovs-sandbox. Acked-by: Justin Pettit <jpettit@ovn.org> Tested-by: aginwala <aginwala@asu.edu> Signed-off-by: Ben Pfaff <blp@ovn.org>
2017-12-31 21:15:58 -08:00
return x.txn;
}
struct json *
ovsdb_execute(struct ovsdb *db, const struct ovsdb_session *session,
const struct json *params, bool read_only,
const char *role, const char *id,
long long int elapsed_msec, long long int *timeout_msec)
{
bool durable;
struct json *results;
struct ovsdb_txn *txn = ovsdb_execute_compose(
db, session, params, read_only, role, id, elapsed_msec, timeout_msec,
ovsdb: relay: Add support for transaction forwarding. Current version of ovsdb relay allows to scale out read-only access to the primary database. However, many clients are not read-only but read-mostly. For example, ovn-controller. In order to scale out database access for this case ovsdb-server need to process transactions that are not read-only. Relay is not allowed to do that, i.e. not allowed to modify the database, but it can act like a proxy and forward transactions that includes database modifications to the primary server and forward replies back to a client. At the same time it may serve read-only transactions and monitor requests by itself greatly reducing the load on primary server. This configuration will slightly increase transaction latency, but it's not very important for read-mostly use cases. Implementation details: With this change instead of creating a trigger to commit the transaction, ovsdb-server will create a trigger for transaction forwarding. Later, ovsdb_relay_run() will send all new transactions to the relay source. Once transaction reply received from the relay source, ovsdb-relay module will update the state of the transaction forwarding with the reply. After that, trigger_run() will complete the trigger and jsonrpc_server_run() will send the reply back to the client. Since transaction reply from the relay source will be received after all the updates, client will receive all the updates before receiving the transaction reply as it is in a normal scenario with other database models. Acked-by: Mark D. Gray <mark.d.gray@redhat.com> Acked-by: Dumitru Ceara <dceara@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2021-04-15 19:05:40 +02:00
&durable, NULL, &results);
ovsdb: Introduce experimental support for clustered databases. This commit adds support for OVSDB clustering via Raft. Please read ovsdb(7) for information on how to set up a clustered database. It is simple and boils down to running "ovsdb-tool create-cluster" on one server and "ovsdb-tool join-cluster" on each of the others and then starting ovsdb-server in the usual way on all of them. One you have a clustered database, you configure ovn-controller and ovn-northd to use it by pointing them to all of the servers, e.g. where previously you might have said "tcp:1.2.3.4" was the database server, now you say that it is "tcp:1.2.3.4,tcp:5.6.7.8,tcp:9.10.11.12". This also adds support for database clustering to ovs-sandbox. Acked-by: Justin Pettit <jpettit@ovn.org> Tested-by: aginwala <aginwala@asu.edu> Signed-off-by: Ben Pfaff <blp@ovn.org>
2017-12-31 21:15:58 -08:00
if (!txn) {
return results;
}
struct ovsdb_error *error = ovsdb_txn_propose_commit_block(txn, durable);
if (error) {
json_array_add(results, ovsdb_error_to_json(error));
ovsdb_error_destroy(error);
}
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
return results;
}
Add missing "static" keywords. Found by sparse.
2011-05-04 13:58:10 -07:00
static struct ovsdb_error *
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
ovsdb_execute_commit(struct ovsdb_execution *x, struct ovsdb_parser *parser,
Merge "master" into "next". The main change here is the need to update all of the uses of UNUSED in the next branch to OVS_UNUSED as it is now spelled on "master".
2010-02-11 11:11:23 -08:00
struct json *result OVS_UNUSED)
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
{
const struct json *durable;
durable = ovsdb_parser_member(parser, "durable", OP_BOOLEAN);
if (durable && json_boolean(durable)) {
x->durable = true;
}
return NULL;
}
static struct ovsdb_error *
Merge "master" into "next". The main change here is the need to update all of the uses of UNUSED in the next branch to OVS_UNUSED as it is now spelled on "master".
2010-02-11 11:11:23 -08:00
ovsdb_execute_abort(struct ovsdb_execution *x OVS_UNUSED,
struct ovsdb_parser *parser OVS_UNUSED,
struct json *result OVS_UNUSED)
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
{
return ovsdb_error("aborted", "aborted by request");
}
static struct ovsdb_table *
parse_table(struct ovsdb_execution *x,
struct ovsdb_parser *parser, const char *member)
{
struct ovsdb_table *table;
const char *table_name;
const struct json *json;
json = ovsdb_parser_member(parser, member, OP_ID);
if (!json) {
return NULL;
}
table_name = json_string(json);
table = shash_find_data(&x->db->tables, table_name);
if (!table) {
ovsdb_parser_raise_error(parser, "No table named %s.", table_name);
}
return table;
}
lib: Move compiler.h to <openvswitch/compiler.h> The following macros are renamed to avoid conflicts with other headers: * WARN_UNUSED_RESULT to OVS_WARN_UNUSED_RESULT * PRINTF_FORMAT to OVS_PRINTF_FORMAT * NO_RETURN to OVS_NO_RETURN Signed-off-by: Thomas Graf <tgraf@noironetworks.com> Acked-by: Ben Pfaff <blp@nicira.com>
2014-12-15 14:10:38 +01:00
static OVS_WARN_UNUSED_RESULT struct ovsdb_error *
ovsdb: Improve error message for duplicate uuid-name. ovsdb_execute_insert() tried to return a helpful error message when there was a duplicate uuid-name, but ovsdb_execute() (its caller) makes any parse error override a parse error. Since ovsdb_execute_insert() would skip parsing the row when the uuid-name was a duplicate, this meant that the error actually reported would be that "row" was not allowed here, which wasn't at all helpful (since "row" is in fact mandatory). This commit clears up the problem by always retrieving the "row" member, which required a small amount of refactoring, and adds a test.
2011-03-09 12:42:46 -08:00
parse_row(const struct json *json, const struct ovsdb_table *table,
ovsdb: Get rid of "declare" operation. It's more elegant, and just as easy to implement, if we allow a "named-uuid" to be a forward reference to a "uuid-name" in a later "insert" operation.
2010-02-08 16:03:21 -08:00
struct ovsdb_symbol_table *symtab,
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
struct ovsdb_row **rowp, struct ovsdb_column_set *columns)
{
struct ovsdb_error *error;
struct ovsdb_row *row;
*rowp = NULL;
if (!table) {
return OVSDB_BUG("null table");
}
if (!json) {
ovsdb: Improve error message for duplicate uuid-name. ovsdb_execute_insert() tried to return a helpful error message when there was a duplicate uuid-name, but ovsdb_execute() (its caller) makes any parse error override a parse error. Since ovsdb_execute_insert() would skip parsing the row when the uuid-name was a duplicate, this meant that the error actually reported would be that "row" was not allowed here, which wasn't at all helpful (since "row" is in fact mandatory). This commit clears up the problem by always retrieving the "row" member, which required a small amount of refactoring, and adds a test.
2011-03-09 12:42:46 -08:00
return OVSDB_BUG("null row");
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
}
row = ovsdb_row_create(table);
ovsdb: relay: Fix handling of XOR updates with size constraints. Relay servers apply updates via ovsdb_table_execute_update(). XOR updates contain datum diffs, and datum diffs can be larger than the type constraints. Currently, relay will fail to parse such update into ovsdb row triggering a syntax error and a re-connection. Fix that by relaxing the size constraints for this kind of updates. Fixes: 026c77c58ddb ("ovsdb: New ovsdb 'relay' service model.") Acked-by: Dumitru Ceara <dceara@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2023-07-25 11:32:19 +02:00
error = ovsdb_row_from_json(row, json, symtab, columns, false);
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
if (error) {
ovsdb_row_destroy(row);
return error;
} else {
*rowp = row;
return NULL;
}
}
Add missing "static" keywords. Found by sparse.
2011-05-04 13:58:10 -07:00
static struct ovsdb_error *
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
ovsdb_execute_insert(struct ovsdb_execution *x, struct ovsdb_parser *parser,
struct json *result)
{
struct ovsdb_table *table;
struct ovsdb_row *row = NULL;
ovsdb-server: Allow OVSDB clients to specify the UUID for inserted rows. Acked-by: Han Zhou <hzhou@ovn.org> Requested-by: Leonid Ryzhyk <lryzhyk@vmware.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
2020-01-09 12:48:30 -08:00
const struct json *uuid_json, *uuid_name, *row_json;
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
struct ovsdb_error *error;
ovsdb: Allow a named-uuid to be used within the operation that creates it. This allows a transaction like this: [{"op": "insert", "table": "mytable", "row": {"i": 0, "k": ["named-uuid", "self"]}, "uuid-name": "self"}] It was already possible to do this by following up on the "insert" with an "update", but since this was easy to implement I did it.
2009-12-01 16:35:33 -08:00
struct uuid row_uuid;
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
table = parse_table(x, parser, "table");
ovsdb-server: Allow OVSDB clients to specify the UUID for inserted rows. Acked-by: Han Zhou <hzhou@ovn.org> Requested-by: Leonid Ryzhyk <lryzhyk@vmware.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
2020-01-09 12:48:30 -08:00
uuid_json = ovsdb_parser_member(parser, "uuid", OP_STRING | OP_OPTIONAL);
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
uuid_name = ovsdb_parser_member(parser, "uuid-name", OP_ID | OP_OPTIONAL);
ovsdb: Improve error message for duplicate uuid-name. ovsdb_execute_insert() tried to return a helpful error message when there was a duplicate uuid-name, but ovsdb_execute() (its caller) makes any parse error override a parse error. Since ovsdb_execute_insert() would skip parsing the row when the uuid-name was a duplicate, this meant that the error actually reported would be that "row" was not allowed here, which wasn't at all helpful (since "row" is in fact mandatory). This commit clears up the problem by always retrieving the "row" member, which required a small amount of refactoring, and adds a test.
2011-03-09 12:42:46 -08:00
row_json = ovsdb_parser_member(parser, "row", OP_OBJECT);
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
error = ovsdb_parser_get_error(parser);
ovsdb: Improve error message for duplicate uuid-name. ovsdb_execute_insert() tried to return a helpful error message when there was a duplicate uuid-name, but ovsdb_execute() (its caller) makes any parse error override a parse error. Since ovsdb_execute_insert() would skip parsing the row when the uuid-name was a duplicate, this meant that the error actually reported would be that "row" was not allowed here, which wasn't at all helpful (since "row" is in fact mandatory). This commit clears up the problem by always retrieving the "row" member, which required a small amount of refactoring, and adds a test.
2011-03-09 12:42:46 -08:00
if (error) {
return error;
}
ovsdb: Allow a named-uuid to be used within the operation that creates it. This allows a transaction like this: [{"op": "insert", "table": "mytable", "row": {"i": 0, "k": ["named-uuid", "self"]}, "uuid-name": "self"}] It was already possible to do this by following up on the "insert" with an "update", but since this was easy to implement I did it.
2009-12-01 16:35:33 -08:00
ovsdb-server: Allow OVSDB clients to specify the UUID for inserted rows. Acked-by: Han Zhou <hzhou@ovn.org> Requested-by: Leonid Ryzhyk <lryzhyk@vmware.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
2020-01-09 12:48:30 -08:00
if (uuid_json) {
if (!uuid_from_string(&row_uuid, json_string(uuid_json))) {
return ovsdb_syntax_error(uuid_json, NULL, "bad uuid");
}
if (!ovsdb_txn_may_create_row(table, &row_uuid)) {
return ovsdb_syntax_error(uuid_json, "duplicate uuid",
"This UUID would duplicate a UUID "
"already present within the table or "
"deleted within the same transaction.");
}
}
ovsdb: Allow a named-uuid to be used within the operation that creates it. This allows a transaction like this: [{"op": "insert", "table": "mytable", "row": {"i": 0, "k": ["named-uuid", "self"]}, "uuid-name": "self"}] It was already possible to do this by following up on the "insert" with an "update", but since this was easy to implement I did it.
2009-12-01 16:35:33 -08:00
if (uuid_name) {
ovsdb: Implement new "declare" operation.
2009-12-07 11:47:48 -08:00
struct ovsdb_symbol *symbol;
ovsdb: Get rid of "declare" operation. It's more elegant, and just as easy to implement, if we allow a "named-uuid" to be a forward reference to a "uuid-name" in a later "insert" operation.
2010-02-08 16:03:21 -08:00
symbol = ovsdb_symbol_table_insert(x->symtab, json_string(uuid_name));
ovsdb-data: Rename 'used' to 'created' in struct ovsdb_symbol. The name 'created' better reflects the actual meaning of this member: in both ovsdb and ovs-vsctl, it is true if a row has been created with the symbol's UUID and false otherwise.
2011-02-28 12:43:15 -08:00
if (symbol->created) {
ovsdb: Get rid of "declare" operation. It's more elegant, and just as easy to implement, if we allow a "named-uuid" to be a forward reference to a "uuid-name" in a later "insert" operation.
2010-02-08 16:03:21 -08:00
return ovsdb_syntax_error(uuid_name, "duplicate uuid-name",
"This \"uuid-name\" appeared on an "
"earlier \"insert\" operation.");
ovsdb: Implement new "declare" operation.
2009-12-07 11:47:48 -08:00
}
ovsdb-server: Allow OVSDB clients to specify the UUID for inserted rows. Acked-by: Han Zhou <hzhou@ovn.org> Requested-by: Leonid Ryzhyk <lryzhyk@vmware.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
2020-01-09 12:48:30 -08:00
if (uuid_json) {
symbol->uuid = row_uuid;
} else {
row_uuid = symbol->uuid;
}
ovsdb-data: Rename 'used' to 'created' in struct ovsdb_symbol. The name 'created' better reflects the actual meaning of this member: in both ovsdb and ovs-vsctl, it is true if a row has been created with the symbol's UUID and false otherwise.
2011-02-28 12:43:15 -08:00
symbol->created = true;
ovsdb-server: Allow OVSDB clients to specify the UUID for inserted rows. Acked-by: Han Zhou <hzhou@ovn.org> Requested-by: Leonid Ryzhyk <lryzhyk@vmware.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
2020-01-09 12:48:30 -08:00
} else if (!uuid_json) {
ovsdb: Implement new "declare" operation.
2009-12-07 11:47:48 -08:00
uuid_generate(&row_uuid);
ovsdb: Allow a named-uuid to be used within the operation that creates it. This allows a transaction like this: [{"op": "insert", "table": "mytable", "row": {"i": 0, "k": ["named-uuid", "self"]}, "uuid-name": "self"}] It was already possible to do this by following up on the "insert" with an "update", but since this was easy to implement I did it.
2009-12-01 16:35:33 -08:00
}
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
if (!error) {
ovsdb: Improve error message for duplicate uuid-name. ovsdb_execute_insert() tried to return a helpful error message when there was a duplicate uuid-name, but ovsdb_execute() (its caller) makes any parse error override a parse error. Since ovsdb_execute_insert() would skip parsing the row when the uuid-name was a duplicate, this meant that the error actually reported would be that "row" was not allowed here, which wasn't at all helpful (since "row" is in fact mandatory). This commit clears up the problem by always retrieving the "row" member, which required a small amount of refactoring, and adds a test.
2011-03-09 12:42:46 -08:00
error = parse_row(row_json, table, x->symtab, &row, NULL);
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
}
ovsdb: Add simple constraints.
2010-02-08 14:09:36 -08:00
if (!error) {
/* Check constraints for columns not included in "row", in case the
* default values do not satisfy the constraints. We could check only
* the columns that have their default values by supplying an
* ovsdb_column_set to parse_row() above, but I suspect that this is
* cheaper. */
const struct shash_node *node;
SHASH_FOR_EACH (node, &table->schema->columns) {
const struct ovsdb_column *column = node->data;
const struct ovsdb_datum *datum = &row->fields[column->index];
/* If there are 0 keys or pairs, there's nothing to check.
* If there is 1, it might be a default value.
* If there are more, it can't be a default value, so the value has
* already been checked. */
if (datum->n == 1) {
error = ovsdb_datum_check_constraints(datum, &column->type);
if (error) {
break;
}
}
}
}
ovsdb: add support for role-based access controls Add suport for ovsdb RBAC (role-based access control). This includes: - Support for "RBAC_Role" table. A db schema containing a table by this name will enable role-based access controls using this table for RBAC role configuration. The "RBAC_Role" table has one row per role, with each row having a "name" column (role name) and a "permissions" column (map of table name to UUID of row in separate permission table.) The permission table has one row per access control configuration, with the following columns: "name" - name of table to which this row applies "authorization" - set of column names and column:key pairs to be compared against client ID to determine authorization status "insert_delete" - boolean, true if insertions and authorized deletions are allowed. "update" - Set of columns and column:key pairs for which authorized updates are allowed. - Support for a new "role" column in the remote configuration table. - Logic for applying the RBAC role and permission tables, in combination with session role from the remote connection table and client id, to determine whether operations modifying database contents should be permitted. - Support for specifying RBAC role string as a command-line option to ovsdb-tool (Ben Pfaff). Signed-off-by: Lance Richardson <lrichard@redhat.com> Co-authored-by: Ben Pfaff <blp@ovn.org> Signed-off-by: Ben Pfaff <blp@ovn.org>
2017-05-31 19:04:32 -04:00
if (!error && !ovsdb_rbac_insert(x->db, table, row, x->role, x->id)) {
error = ovsdb_perm_error("RBAC rules for client \"%s\" role \"%s\" "
"prohibit row insertion into table \"%s\".",
x->id, x->role, table->schema->name);
}
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
if (!error) {
ovsdb: Allow a named-uuid to be used within the operation that creates it. This allows a transaction like this: [{"op": "insert", "table": "mytable", "row": {"i": 0, "k": ["named-uuid", "self"]}, "uuid-name": "self"}] It was already possible to do this by following up on the "insert" with an "update", but since this was easy to implement I did it.
2009-12-01 16:35:33 -08:00
*ovsdb_row_get_uuid_rw(row) = row_uuid;
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
ovsdb_txn_row_insert(x->txn, row);
json_object_put(result, "uuid",
ovsdb_datum_to_json(&row->fields[OVSDB_COL_UUID],
&ovsdb_type_uuid));
execution: Fix bug that leaks ovsdb_row If there is an error after ovsdb_rbac_insert, 'row' is leaked. So move the existing ovsdb_row_destroy to the function end. Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
2017-11-20 04:26:38 -08:00
} else {
ovsdb_row_destroy(row);
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
}
return error;
}
Add missing "static" keywords. Found by sparse.
2011-05-04 13:58:10 -07:00
static struct ovsdb_error *
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
ovsdb_execute_select(struct ovsdb_execution *x, struct ovsdb_parser *parser,
struct json *result)
{
struct ovsdb_table *table;
const struct json *where, *columns_json, *sort_json;
ovsdb: optimize match_any_clause() condition evaluation Optimize ovsdb_condition_match_any_clause() to be in O(#columns in condition) and not O(#clauses) in case condition's caluses function is boolean or "==". Signed-off-by: Liran Schour <lirans@il.ibm.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
2016-07-18 11:45:54 +03:00
struct ovsdb_condition condition = OVSDB_CONDITION_INITIALIZER(&condition);
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
struct ovsdb_column_set columns = OVSDB_COLUMN_SET_INITIALIZER;
struct ovsdb_column_set sort = OVSDB_COLUMN_SET_INITIALIZER;
struct ovsdb_error *error;
table = parse_table(x, parser, "table");
where = ovsdb_parser_member(parser, "where", OP_ARRAY);
columns_json = ovsdb_parser_member(parser, "columns",
OP_ARRAY | OP_OPTIONAL);
sort_json = ovsdb_parser_member(parser, "sort", OP_ARRAY | OP_OPTIONAL);
error = ovsdb_parser_get_error(parser);
if (!error) {
error = ovsdb_condition_from_json(table->schema, where, x->symtab,
&condition);
}
if (!error) {
ovsdb: Make ovsdb_column_set_from_json() take table schema instead of table. This function took a struct ovsdb_table but only used the 'schema' member. An upcoming patch needs to parse a column set when only the schema is available, so to prepare for that this patch changes ovsdb_column_set_from_json() to only take the schema that it really needs.
2011-06-01 16:14:46 -07:00
error = ovsdb_column_set_from_json(columns_json, table->schema,
&columns);
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
}
if (!error) {
ovsdb: Make ovsdb_column_set_from_json() take table schema instead of table. This function took a struct ovsdb_table but only used the 'schema' member. An upcoming patch needs to parse a column set when only the schema is available, so to prepare for that this patch changes ovsdb_column_set_from_json() to only take the schema that it really needs.
2011-06-01 16:14:46 -07:00
error = ovsdb_column_set_from_json(sort_json, table->schema, &sort);
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
}
if (!error) {
struct ovsdb_row_set rows = OVSDB_ROW_SET_INITIALIZER;
ovsdb: Use table indexes if available for ovsdb_query(). Currently all OVSDB database queries except for UUID lookups all result in linear lookups over the entire table, even if an index is present. This patch modifies ovsdb_query() to attempt an index lookup first, if possible. If no matching indexes are present then a linear index is still conducted. To test this, I set up an ovsdb database with a variable number of rows and timed the average of how long ovsdb-client took to query a single row. The first two tests involved a linear scan that didn't match any rows, so there was no overhead associated with sending or encoding output. The post-patch linear scan was a worst case scenario where the table did have an appropriate index but the conditions made its usage impossible. The indexed lookup test was for a matching row, which did also include overhead associated with a match. The results are included in the table below. Rows | 100k | 200k | 300k | 400k | 500k -----------------------+------+------+------+------+----- Pre-patch linear scan | 9ms | 24ms | 37ms | 49ms | 61ms Post-patch linear scan | 9ms | 24ms | 38ms | 49ms | 61ms Indexed lookup | 3ms | 3ms | 3ms | 3ms | 3ms I also tested the performance of ovsdb_query() by wrapping it in a loop and measuring the time it took to perform 1000 linear scans on 1, 10, 100k, and 200k rows. This test showed that the new index checking code did not slow down worst case lookups to a statistically detectable degree. Reported-at: https://issues.redhat.com/browse/FDP-590 Signed-off-by: Mike Pattrick <mkp@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2024-06-19 08:54:53 -04:00
ovsdb_query_distinct(table, &condition, &columns, &rows, x->txn);
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
ovsdb_row_set_sort(&rows, &sort);
json_object_put(result, "rows",
ovsdb_row_set_to_json(&rows, &columns));
ovsdb_row_set_destroy(&rows);
}
ovsdb_column_set_destroy(&columns);
ovsdb_column_set_destroy(&sort);
ovsdb_condition_destroy(&condition);
return error;
}
struct update_row_cbdata {
size_t n_matches;
struct ovsdb_txn *txn;
const struct ovsdb_row *row;
const struct ovsdb_column_set *columns;
ovsdb: add support for role-based access controls Add suport for ovsdb RBAC (role-based access control). This includes: - Support for "RBAC_Role" table. A db schema containing a table by this name will enable role-based access controls using this table for RBAC role configuration. The "RBAC_Role" table has one row per role, with each row having a "name" column (role name) and a "permissions" column (map of table name to UUID of row in separate permission table.) The permission table has one row per access control configuration, with the following columns: "name" - name of table to which this row applies "authorization" - set of column names and column:key pairs to be compared against client ID to determine authorization status "insert_delete" - boolean, true if insertions and authorized deletions are allowed. "update" - Set of columns and column:key pairs for which authorized updates are allowed. - Support for a new "role" column in the remote configuration table. - Logic for applying the RBAC role and permission tables, in combination with session role from the remote connection table and client id, to determine whether operations modifying database contents should be permitted. - Support for specifying RBAC role string as a command-line option to ovsdb-tool (Ben Pfaff). Signed-off-by: Lance Richardson <lrichard@redhat.com> Co-authored-by: Ben Pfaff <blp@ovn.org> Signed-off-by: Ben Pfaff <blp@ovn.org>
2017-05-31 19:04:32 -04:00
const char *role;
const char *id;
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
};
static bool
update_row_cb(const struct ovsdb_row *row, void *ur_)
{
struct update_row_cbdata *ur = ur_;
ur->n_matches++;
if (!ovsdb_row_equal_columns(row, ur->row, ur->columns)) {
ovsdb: Preserve column diffs read from the storage. Database file contains the column diff, but it is discarded once the 'new' state of a row is constructed. Keep it in the transaction row, as it can be used later by other parts of the code. Diffs do not live long, we keep them around only while transaction is alive, so should not affect memory consumption. Users for this data will be added in later commits. Acked-by: Mike Pattrick <mkp@redhat.com> Acked-by: Dumitru Ceara <dceara@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2024-01-09 20:54:03 +01:00
struct ovsdb_row *rw_row;
ovsdb_txn_row_modify(ur->txn, row, &rw_row, NULL);
ovsdb: row: Add support for xor-based row updates. This will be used to apply update3 type updates to ovsdb tables while processing updates for future ovsdb 'relay' service model. 'ovsdb_datum_apply_diff' is allowed to fail, so adding support to return this error. Acked-by: Mark D. Gray <mark.d.gray@redhat.com> Acked-by: Dumitru Ceara <dceara@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2021-06-01 23:01:22 +02:00
ovsdb_error_assert(ovsdb_row_update_columns(
ovsdb: Preserve column diffs read from the storage. Database file contains the column diff, but it is discarded once the 'new' state of a row is constructed. Keep it in the transaction row, as it can be used later by other parts of the code. Diffs do not live long, we keep them around only while transaction is alive, so should not affect memory consumption. Users for this data will be added in later commits. Acked-by: Mike Pattrick <mkp@redhat.com> Acked-by: Dumitru Ceara <dceara@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2024-01-09 20:54:03 +01:00
rw_row, ur->row, ur->columns, false));
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
}
return true;
}
Add missing "static" keywords. Found by sparse.
2011-05-04 13:58:10 -07:00
static struct ovsdb_error *
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
ovsdb_execute_update(struct ovsdb_execution *x, struct ovsdb_parser *parser,
struct json *result)
{
struct ovsdb_table *table;
ovsdb: Improve error message for duplicate uuid-name. ovsdb_execute_insert() tried to return a helpful error message when there was a duplicate uuid-name, but ovsdb_execute() (its caller) makes any parse error override a parse error. Since ovsdb_execute_insert() would skip parsing the row when the uuid-name was a duplicate, this meant that the error actually reported would be that "row" was not allowed here, which wasn't at all helpful (since "row" is in fact mandatory). This commit clears up the problem by always retrieving the "row" member, which required a small amount of refactoring, and adds a test.
2011-03-09 12:42:46 -08:00
const struct json *where, *row_json;
ovsdb: optimize match_any_clause() condition evaluation Optimize ovsdb_condition_match_any_clause() to be in O(#columns in condition) and not O(#clauses) in case condition's caluses function is boolean or "==". Signed-off-by: Liran Schour <lirans@il.ibm.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
2016-07-18 11:45:54 +03:00
struct ovsdb_condition condition = OVSDB_CONDITION_INITIALIZER(&condition);
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
struct ovsdb_column_set columns = OVSDB_COLUMN_SET_INITIALIZER;
struct ovsdb_row *row = NULL;
struct update_row_cbdata ur;
struct ovsdb_error *error;
table = parse_table(x, parser, "table");
where = ovsdb_parser_member(parser, "where", OP_ARRAY);
ovsdb: Improve error message for duplicate uuid-name. ovsdb_execute_insert() tried to return a helpful error message when there was a duplicate uuid-name, but ovsdb_execute() (its caller) makes any parse error override a parse error. Since ovsdb_execute_insert() would skip parsing the row when the uuid-name was a duplicate, this meant that the error actually reported would be that "row" was not allowed here, which wasn't at all helpful (since "row" is in fact mandatory). This commit clears up the problem by always retrieving the "row" member, which required a small amount of refactoring, and adds a test.
2011-03-09 12:42:46 -08:00
row_json = ovsdb_parser_member(parser, "row", OP_OBJECT);
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
error = ovsdb_parser_get_error(parser);
if (!error) {
ovsdb: Improve error message for duplicate uuid-name. ovsdb_execute_insert() tried to return a helpful error message when there was a duplicate uuid-name, but ovsdb_execute() (its caller) makes any parse error override a parse error. Since ovsdb_execute_insert() would skip parsing the row when the uuid-name was a duplicate, this meant that the error actually reported would be that "row" was not allowed here, which wasn't at all helpful (since "row" is in fact mandatory). This commit clears up the problem by always retrieving the "row" member, which required a small amount of refactoring, and adds a test.
2011-03-09 12:42:46 -08:00
error = parse_row(row_json, table, x->symtab, &row, &columns);
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
}
ovsdb: Enforce immutability of immutable columns. OVSDB has always had the ability to mark a column as "immutable", so that its value cannot be changed in a given row after that row is initially inserted. However, we discovered recently that ovsdb-server has never enforced this constraint. This commit implements enforcement. Reported-by: Paul Ingram <paul@nicira.com> Signed-off-by: Ben Pfaff <blp@nicira.com> Acked-by: Kyle Mestery <kmestery@cisco.com>
2012-09-05 10:35:20 -07:00
if (!error) {
size_t i;
for (i = 0; i < columns.n_columns; i++) {
const struct ovsdb_column *column = columns.columns[i];
if (!column->mutable) {
error = ovsdb_syntax_error(parser->json,
"constraint violation",
"Cannot update immutable column %s "
"in table %s.",
column->name, table->schema->name);
break;
}
}
}
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
if (!error) {
error = ovsdb_condition_from_json(table->schema, where, x->symtab,
&condition);
}
if (!error) {
ur.n_matches = 0;
ur.txn = x->txn;
ur.row = row;
ur.columns = &columns;
ovsdb: add support for role-based access controls Add suport for ovsdb RBAC (role-based access control). This includes: - Support for "RBAC_Role" table. A db schema containing a table by this name will enable role-based access controls using this table for RBAC role configuration. The "RBAC_Role" table has one row per role, with each row having a "name" column (role name) and a "permissions" column (map of table name to UUID of row in separate permission table.) The permission table has one row per access control configuration, with the following columns: "name" - name of table to which this row applies "authorization" - set of column names and column:key pairs to be compared against client ID to determine authorization status "insert_delete" - boolean, true if insertions and authorized deletions are allowed. "update" - Set of columns and column:key pairs for which authorized updates are allowed. - Support for a new "role" column in the remote configuration table. - Logic for applying the RBAC role and permission tables, in combination with session role from the remote connection table and client id, to determine whether operations modifying database contents should be permitted. - Support for specifying RBAC role string as a command-line option to ovsdb-tool (Ben Pfaff). Signed-off-by: Lance Richardson <lrichard@redhat.com> Co-authored-by: Ben Pfaff <blp@ovn.org> Signed-off-by: Ben Pfaff <blp@ovn.org>
2017-05-31 19:04:32 -04:00
if (ovsdb_rbac_update(x->db, table, &columns, &condition, x->role,
ovsdb: Use table indexes if available for ovsdb_query(). Currently all OVSDB database queries except for UUID lookups all result in linear lookups over the entire table, even if an index is present. This patch modifies ovsdb_query() to attempt an index lookup first, if possible. If no matching indexes are present then a linear index is still conducted. To test this, I set up an ovsdb database with a variable number of rows and timed the average of how long ovsdb-client took to query a single row. The first two tests involved a linear scan that didn't match any rows, so there was no overhead associated with sending or encoding output. The post-patch linear scan was a worst case scenario where the table did have an appropriate index but the conditions made its usage impossible. The indexed lookup test was for a matching row, which did also include overhead associated with a match. The results are included in the table below. Rows | 100k | 200k | 300k | 400k | 500k -----------------------+------+------+------+------+----- Pre-patch linear scan | 9ms | 24ms | 37ms | 49ms | 61ms Post-patch linear scan | 9ms | 24ms | 38ms | 49ms | 61ms Indexed lookup | 3ms | 3ms | 3ms | 3ms | 3ms I also tested the performance of ovsdb_query() by wrapping it in a loop and measuring the time it took to perform 1000 linear scans on 1, 10, 100k, and 200k rows. This test showed that the new index checking code did not slow down worst case lookups to a statistically detectable degree. Reported-at: https://issues.redhat.com/browse/FDP-590 Signed-off-by: Mike Pattrick <mkp@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2024-06-19 08:54:53 -04:00
x->id, x->txn)) {
ovsdb_query(table, &condition, update_row_cb, &ur, x->txn);
ovsdb: add support for role-based access controls Add suport for ovsdb RBAC (role-based access control). This includes: - Support for "RBAC_Role" table. A db schema containing a table by this name will enable role-based access controls using this table for RBAC role configuration. The "RBAC_Role" table has one row per role, with each row having a "name" column (role name) and a "permissions" column (map of table name to UUID of row in separate permission table.) The permission table has one row per access control configuration, with the following columns: "name" - name of table to which this row applies "authorization" - set of column names and column:key pairs to be compared against client ID to determine authorization status "insert_delete" - boolean, true if insertions and authorized deletions are allowed. "update" - Set of columns and column:key pairs for which authorized updates are allowed. - Support for a new "role" column in the remote configuration table. - Logic for applying the RBAC role and permission tables, in combination with session role from the remote connection table and client id, to determine whether operations modifying database contents should be permitted. - Support for specifying RBAC role string as a command-line option to ovsdb-tool (Ben Pfaff). Signed-off-by: Lance Richardson <lrichard@redhat.com> Co-authored-by: Ben Pfaff <blp@ovn.org> Signed-off-by: Ben Pfaff <blp@ovn.org>
2017-05-31 19:04:32 -04:00
} else {
error = ovsdb_perm_error("RBAC rules for client \"%s\" role "
"\"%s\" prohibit modification of "
"table \"%s\".",
x->id, x->role, table->schema->name);
}
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
json_object_put(result, "count", json_integer_create(ur.n_matches));
}
ovsdb_row_destroy(row);
ovsdb_column_set_destroy(&columns);
ovsdb_condition_destroy(&condition);
return error;
}
ovsdb: Add new "mutation" operation to transactions.
2009-12-16 10:49:31 -08:00
struct mutate_row_cbdata {
size_t n_matches;
struct ovsdb_txn *txn;
const struct ovsdb_mutation_set *mutations;
ovsdb: Check ovsdb_mutation_set_execute() return value in transactions. Errors from this function were being ignored, which meant that transactions could use "mutate" to bypass number-of-elements constraints on sets and maps. This fixes the problem and adds a test to prevent the problem from recurring. Bug #5781.
2011-05-31 12:50:57 -07:00
struct ovsdb_error **error;
ovsdb: Add new "mutation" operation to transactions.
2009-12-16 10:49:31 -08:00
};
static bool
mutate_row_cb(const struct ovsdb_row *row, void *mr_)
{
struct mutate_row_cbdata *mr = mr_;
ovsdb: Preserve column diffs read from the storage. Database file contains the column diff, but it is discarded once the 'new' state of a row is constructed. Keep it in the transaction row, as it can be used later by other parts of the code. Diffs do not live long, we keep them around only while transaction is alive, so should not affect memory consumption. Users for this data will be added in later commits. Acked-by: Mike Pattrick <mkp@redhat.com> Acked-by: Dumitru Ceara <dceara@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2024-01-09 20:54:03 +01:00
struct ovsdb_row *rw_row;
/* Not trying to track the row diff here, because user transactions
* may attempt to add duplicates or remove elements that do not exist. */
ovsdb_txn_row_modify(mr->txn, row, &rw_row, NULL);
ovsdb: Add new "mutation" operation to transactions.
2009-12-16 10:49:31 -08:00
mr->n_matches++;
ovsdb: Preserve column diffs read from the storage. Database file contains the column diff, but it is discarded once the 'new' state of a row is constructed. Keep it in the transaction row, as it can be used later by other parts of the code. Diffs do not live long, we keep them around only while transaction is alive, so should not affect memory consumption. Users for this data will be added in later commits. Acked-by: Mike Pattrick <mkp@redhat.com> Acked-by: Dumitru Ceara <dceara@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2024-01-09 20:54:03 +01:00
*mr->error = ovsdb_mutation_set_execute(rw_row, mr->mutations);
ovsdb: Check ovsdb_mutation_set_execute() return value in transactions. Errors from this function were being ignored, which meant that transactions could use "mutate" to bypass number-of-elements constraints on sets and maps. This fixes the problem and adds a test to prevent the problem from recurring. Bug #5781.
2011-05-31 12:50:57 -07:00
return *mr->error == NULL;
ovsdb: Add new "mutation" operation to transactions.
2009-12-16 10:49:31 -08:00
}
ovsdb: Don't iterate over rows on empty mutation. Previously when an empty mutation was used to count the number of rows in a table, OVSDB would iterate over all rows twice. First to perform an RBAC check, and then to perform the no-operation. This change adds a short circuit to mutate operations with no conditions and an empty mutation set, returning immediately. One notable change in functionality is not performing the RBAC check in this condition, as no mutation actually takes place. Reported-by: Terry Wilson <twilson@redhat.com> Reported-at: https://issues.redhat.com/browse/FDP-359 Signed-off-by: Mike Pattrick <mkp@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2024-03-06 16:40:18 -05:00
static bool
count_row_cb(const struct ovsdb_row *row OVS_UNUSED, void *rc)
{
size_t *row_count = rc;
(*row_count)++;
return true;
}
Add missing "static" keywords. Found by sparse.
2011-05-04 13:58:10 -07:00
static struct ovsdb_error *
ovsdb: Add new "mutation" operation to transactions.
2009-12-16 10:49:31 -08:00
ovsdb_execute_mutate(struct ovsdb_execution *x, struct ovsdb_parser *parser,
struct json *result)
{
struct ovsdb_table *table;
const struct json *where;
const struct json *mutations_json;
ovsdb: optimize match_any_clause() condition evaluation Optimize ovsdb_condition_match_any_clause() to be in O(#columns in condition) and not O(#clauses) in case condition's caluses function is boolean or "==". Signed-off-by: Liran Schour <lirans@il.ibm.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
2016-07-18 11:45:54 +03:00
struct ovsdb_condition condition = OVSDB_CONDITION_INITIALIZER(&condition);
ovsdb: Add new "mutation" operation to transactions.
2009-12-16 10:49:31 -08:00
struct ovsdb_mutation_set mutations = OVSDB_MUTATION_SET_INITIALIZER;
struct mutate_row_cbdata mr;
struct ovsdb_error *error;
table = parse_table(x, parser, "table");
where = ovsdb_parser_member(parser, "where", OP_ARRAY);
mutations_json = ovsdb_parser_member(parser, "mutations", OP_ARRAY);
error = ovsdb_parser_get_error(parser);
if (!error) {
error = ovsdb_mutation_set_from_json(table->schema, mutations_json,
x->symtab, &mutations);
}
if (!error) {
error = ovsdb_condition_from_json(table->schema, where, x->symtab,
&condition);
}
ovsdb: Don't iterate over rows on empty mutation. Previously when an empty mutation was used to count the number of rows in a table, OVSDB would iterate over all rows twice. First to perform an RBAC check, and then to perform the no-operation. This change adds a short circuit to mutate operations with no conditions and an empty mutation set, returning immediately. One notable change in functionality is not performing the RBAC check in this condition, as no mutation actually takes place. Reported-by: Terry Wilson <twilson@redhat.com> Reported-at: https://issues.redhat.com/browse/FDP-359 Signed-off-by: Mike Pattrick <mkp@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2024-03-06 16:40:18 -05:00
if (!error && ovsdb_mutation_set_empty(&mutations)) {
/* Special case with no mutations, just return the row count. */
if (ovsdb_condition_empty(&condition)) {
json_object_put(result, "count",
json_integer_create(hmap_count(&table->rows)));
} else {
size_t row_count = 0;
ovsdb: Use table indexes if available for ovsdb_query(). Currently all OVSDB database queries except for UUID lookups all result in linear lookups over the entire table, even if an index is present. This patch modifies ovsdb_query() to attempt an index lookup first, if possible. If no matching indexes are present then a linear index is still conducted. To test this, I set up an ovsdb database with a variable number of rows and timed the average of how long ovsdb-client took to query a single row. The first two tests involved a linear scan that didn't match any rows, so there was no overhead associated with sending or encoding output. The post-patch linear scan was a worst case scenario where the table did have an appropriate index but the conditions made its usage impossible. The indexed lookup test was for a matching row, which did also include overhead associated with a match. The results are included in the table below. Rows | 100k | 200k | 300k | 400k | 500k -----------------------+------+------+------+------+----- Pre-patch linear scan | 9ms | 24ms | 37ms | 49ms | 61ms Post-patch linear scan | 9ms | 24ms | 38ms | 49ms | 61ms Indexed lookup | 3ms | 3ms | 3ms | 3ms | 3ms I also tested the performance of ovsdb_query() by wrapping it in a loop and measuring the time it took to perform 1000 linear scans on 1, 10, 100k, and 200k rows. This test showed that the new index checking code did not slow down worst case lookups to a statistically detectable degree. Reported-at: https://issues.redhat.com/browse/FDP-590 Signed-off-by: Mike Pattrick <mkp@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2024-06-19 08:54:53 -04:00
ovsdb_query(table, &condition, count_row_cb, &row_count, x->txn);
ovsdb: Don't iterate over rows on empty mutation. Previously when an empty mutation was used to count the number of rows in a table, OVSDB would iterate over all rows twice. First to perform an RBAC check, and then to perform the no-operation. This change adds a short circuit to mutate operations with no conditions and an empty mutation set, returning immediately. One notable change in functionality is not performing the RBAC check in this condition, as no mutation actually takes place. Reported-by: Terry Wilson <twilson@redhat.com> Reported-at: https://issues.redhat.com/browse/FDP-359 Signed-off-by: Mike Pattrick <mkp@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2024-03-06 16:40:18 -05:00
json_object_put(result, "count",
json_integer_create(row_count));
}
} else if (!error) {
ovsdb: Add new "mutation" operation to transactions.
2009-12-16 10:49:31 -08:00
mr.n_matches = 0;
mr.txn = x->txn;
mr.mutations = &mutations;
ovsdb: Check ovsdb_mutation_set_execute() return value in transactions. Errors from this function were being ignored, which meant that transactions could use "mutate" to bypass number-of-elements constraints on sets and maps. This fixes the problem and adds a test to prevent the problem from recurring. Bug #5781.
2011-05-31 12:50:57 -07:00
mr.error = &error;
ovsdb: add support for role-based access controls Add suport for ovsdb RBAC (role-based access control). This includes: - Support for "RBAC_Role" table. A db schema containing a table by this name will enable role-based access controls using this table for RBAC role configuration. The "RBAC_Role" table has one row per role, with each row having a "name" column (role name) and a "permissions" column (map of table name to UUID of row in separate permission table.) The permission table has one row per access control configuration, with the following columns: "name" - name of table to which this row applies "authorization" - set of column names and column:key pairs to be compared against client ID to determine authorization status "insert_delete" - boolean, true if insertions and authorized deletions are allowed. "update" - Set of columns and column:key pairs for which authorized updates are allowed. - Support for a new "role" column in the remote configuration table. - Logic for applying the RBAC role and permission tables, in combination with session role from the remote connection table and client id, to determine whether operations modifying database contents should be permitted. - Support for specifying RBAC role string as a command-line option to ovsdb-tool (Ben Pfaff). Signed-off-by: Lance Richardson <lrichard@redhat.com> Co-authored-by: Ben Pfaff <blp@ovn.org> Signed-off-by: Ben Pfaff <blp@ovn.org>
2017-05-31 19:04:32 -04:00
if (ovsdb_rbac_mutate(x->db, table, &mutations, &condition, x->role,
ovsdb: Use table indexes if available for ovsdb_query(). Currently all OVSDB database queries except for UUID lookups all result in linear lookups over the entire table, even if an index is present. This patch modifies ovsdb_query() to attempt an index lookup first, if possible. If no matching indexes are present then a linear index is still conducted. To test this, I set up an ovsdb database with a variable number of rows and timed the average of how long ovsdb-client took to query a single row. The first two tests involved a linear scan that didn't match any rows, so there was no overhead associated with sending or encoding output. The post-patch linear scan was a worst case scenario where the table did have an appropriate index but the conditions made its usage impossible. The indexed lookup test was for a matching row, which did also include overhead associated with a match. The results are included in the table below. Rows | 100k | 200k | 300k | 400k | 500k -----------------------+------+------+------+------+----- Pre-patch linear scan | 9ms | 24ms | 37ms | 49ms | 61ms Post-patch linear scan | 9ms | 24ms | 38ms | 49ms | 61ms Indexed lookup | 3ms | 3ms | 3ms | 3ms | 3ms I also tested the performance of ovsdb_query() by wrapping it in a loop and measuring the time it took to perform 1000 linear scans on 1, 10, 100k, and 200k rows. This test showed that the new index checking code did not slow down worst case lookups to a statistically detectable degree. Reported-at: https://issues.redhat.com/browse/FDP-590 Signed-off-by: Mike Pattrick <mkp@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2024-06-19 08:54:53 -04:00
x->id, x->txn)) {
ovsdb_query(table, &condition, mutate_row_cb, &mr, x->txn);
ovsdb: add support for role-based access controls Add suport for ovsdb RBAC (role-based access control). This includes: - Support for "RBAC_Role" table. A db schema containing a table by this name will enable role-based access controls using this table for RBAC role configuration. The "RBAC_Role" table has one row per role, with each row having a "name" column (role name) and a "permissions" column (map of table name to UUID of row in separate permission table.) The permission table has one row per access control configuration, with the following columns: "name" - name of table to which this row applies "authorization" - set of column names and column:key pairs to be compared against client ID to determine authorization status "insert_delete" - boolean, true if insertions and authorized deletions are allowed. "update" - Set of columns and column:key pairs for which authorized updates are allowed. - Support for a new "role" column in the remote configuration table. - Logic for applying the RBAC role and permission tables, in combination with session role from the remote connection table and client id, to determine whether operations modifying database contents should be permitted. - Support for specifying RBAC role string as a command-line option to ovsdb-tool (Ben Pfaff). Signed-off-by: Lance Richardson <lrichard@redhat.com> Co-authored-by: Ben Pfaff <blp@ovn.org> Signed-off-by: Ben Pfaff <blp@ovn.org>
2017-05-31 19:04:32 -04:00
} else {
error = ovsdb_perm_error("RBAC rules for client \"%s\" role "
"\"%s\" prohibit mutate operation on "
"table \"%s\".",
x->id, x->role, table->schema->name);
}
ovsdb: Add new "mutation" operation to transactions.
2009-12-16 10:49:31 -08:00
json_object_put(result, "count", json_integer_create(mr.n_matches));
}
ovsdb_mutation_set_destroy(&mutations);
ovsdb_condition_destroy(&condition);
return error;
}
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
struct delete_row_cbdata {
size_t n_matches;
const struct ovsdb_table *table;
struct ovsdb_txn *txn;
};
static bool
delete_row_cb(const struct ovsdb_row *row, void *dr_)
{
struct delete_row_cbdata *dr = dr_;
dr->n_matches++;
ovsdb_txn_row_delete(dr->txn, row);
return true;
}
Add missing "static" keywords. Found by sparse.
2011-05-04 13:58:10 -07:00
static struct ovsdb_error *
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
ovsdb_execute_delete(struct ovsdb_execution *x, struct ovsdb_parser *parser,
struct json *result)
{
struct ovsdb_table *table;
const struct json *where;
ovsdb: optimize match_any_clause() condition evaluation Optimize ovsdb_condition_match_any_clause() to be in O(#columns in condition) and not O(#clauses) in case condition's caluses function is boolean or "==". Signed-off-by: Liran Schour <lirans@il.ibm.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
2016-07-18 11:45:54 +03:00
struct ovsdb_condition condition = OVSDB_CONDITION_INITIALIZER(&condition);
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
struct ovsdb_error *error;
where = ovsdb_parser_member(parser, "where", OP_ARRAY);
table = parse_table(x, parser, "table");
error = ovsdb_parser_get_error(parser);
if (!error) {
error = ovsdb_condition_from_json(table->schema, where, x->symtab,
&condition);
}
if (!error) {
struct delete_row_cbdata dr;
dr.n_matches = 0;
dr.table = table;
dr.txn = x->txn;
ovsdb: Use table indexes if available for ovsdb_query(). Currently all OVSDB database queries except for UUID lookups all result in linear lookups over the entire table, even if an index is present. This patch modifies ovsdb_query() to attempt an index lookup first, if possible. If no matching indexes are present then a linear index is still conducted. To test this, I set up an ovsdb database with a variable number of rows and timed the average of how long ovsdb-client took to query a single row. The first two tests involved a linear scan that didn't match any rows, so there was no overhead associated with sending or encoding output. The post-patch linear scan was a worst case scenario where the table did have an appropriate index but the conditions made its usage impossible. The indexed lookup test was for a matching row, which did also include overhead associated with a match. The results are included in the table below. Rows | 100k | 200k | 300k | 400k | 500k -----------------------+------+------+------+------+----- Pre-patch linear scan | 9ms | 24ms | 37ms | 49ms | 61ms Post-patch linear scan | 9ms | 24ms | 38ms | 49ms | 61ms Indexed lookup | 3ms | 3ms | 3ms | 3ms | 3ms I also tested the performance of ovsdb_query() by wrapping it in a loop and measuring the time it took to perform 1000 linear scans on 1, 10, 100k, and 200k rows. This test showed that the new index checking code did not slow down worst case lookups to a statistically detectable degree. Reported-at: https://issues.redhat.com/browse/FDP-590 Signed-off-by: Mike Pattrick <mkp@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2024-06-19 08:54:53 -04:00
if (ovsdb_rbac_delete(x->db, table, &condition, x->role, x->id,
x->txn)) {
ovsdb_query(table, &condition, delete_row_cb, &dr, x->txn);
ovsdb: add support for role-based access controls Add suport for ovsdb RBAC (role-based access control). This includes: - Support for "RBAC_Role" table. A db schema containing a table by this name will enable role-based access controls using this table for RBAC role configuration. The "RBAC_Role" table has one row per role, with each row having a "name" column (role name) and a "permissions" column (map of table name to UUID of row in separate permission table.) The permission table has one row per access control configuration, with the following columns: "name" - name of table to which this row applies "authorization" - set of column names and column:key pairs to be compared against client ID to determine authorization status "insert_delete" - boolean, true if insertions and authorized deletions are allowed. "update" - Set of columns and column:key pairs for which authorized updates are allowed. - Support for a new "role" column in the remote configuration table. - Logic for applying the RBAC role and permission tables, in combination with session role from the remote connection table and client id, to determine whether operations modifying database contents should be permitted. - Support for specifying RBAC role string as a command-line option to ovsdb-tool (Ben Pfaff). Signed-off-by: Lance Richardson <lrichard@redhat.com> Co-authored-by: Ben Pfaff <blp@ovn.org> Signed-off-by: Ben Pfaff <blp@ovn.org>
2017-05-31 19:04:32 -04:00
} else {
error = ovsdb_perm_error("RBAC rules for client \"%s\" role "
"\"%s\" prohibit row deletion from "
"table \"%s\".",
x->id, x->role, table->schema->name);
}
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
json_object_put(result, "count", json_integer_create(dr.n_matches));
}
ovsdb_condition_destroy(&condition);
return error;
}
struct wait_auxdata {
struct ovsdb_row_hash *actual;
struct ovsdb_row_hash *expected;
bool *equal;
};
static bool
ovsdb_execute_wait_query_cb(const struct ovsdb_row *row, void *aux_)
{
struct wait_auxdata *aux = aux_;
if (ovsdb_row_hash_contains(aux->expected, row)) {
ovsdb_row_hash_insert(aux->actual, row);
return true;
} else {
/* The query row isn't in the expected result set, so the actual and
* expected results sets definitely differ and we can short-circuit the
* rest of the query. */
*aux->equal = false;
return false;
}
}
static struct ovsdb_error *
ovsdb_execute_wait(struct ovsdb_execution *x, struct ovsdb_parser *parser,
Merge "master" into "next". The main change here is the need to update all of the uses of UNUSED in the next branch to OVS_UNUSED as it is now spelled on "master".
2010-02-11 11:11:23 -08:00
struct json *result OVS_UNUSED)
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
{
struct ovsdb_table *table;
const struct json *timeout, *where, *columns_json, *until, *rows;
ovsdb: optimize match_any_clause() condition evaluation Optimize ovsdb_condition_match_any_clause() to be in O(#columns in condition) and not O(#clauses) in case condition's caluses function is boolean or "==". Signed-off-by: Liran Schour <lirans@il.ibm.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
2016-07-18 11:45:54 +03:00
struct ovsdb_condition condition = OVSDB_CONDITION_INITIALIZER(&condition);
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
struct ovsdb_column_set columns = OVSDB_COLUMN_SET_INITIALIZER;
struct ovsdb_row_hash expected = OVSDB_ROW_HASH_INITIALIZER(expected);
struct ovsdb_row_hash actual = OVSDB_ROW_HASH_INITIALIZER(actual);
struct ovsdb_error *error;
struct wait_auxdata aux;
long long int timeout_msec = 0;
json: Use functions to access json arrays. Internal implementation of JSON array will be changed in the future commits. Add access functions that users can rely on instead of accessing the internals of 'struct json' directly and convert all the users. Structure fields are intentionally renamed to make sure that no code is using the old fields directly. json_array() function is removed, as not needed anymore. Added new functions: json_array_size(), json_array_at(), json_array_set() and json_array_pop(). These are enough to cover all the use cases within OVS. The change is fairly large, however, IMO, it's a much overdue cleanup that we need even without changing the underlying implementation. Acked-by: Mike Pattrick <mkp@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2025-06-24 21:54:33 +02:00
size_t i, n;
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
ovsdb: Fix timeout type for wait operation. According to RFC 7047, 'timeout' is an integer field: 5.2.6. Wait The "wait" object contains the following members: "op": "wait" required "timeout": <integer> optional ... For some reason initial implementation treated it as a real number. This causes a build issue with clang that complains that LLONG_MAX could not be represented as double: ovsdb/execution.c:733:32: error: implicit conversion from 'long long' to 'double' changes value from 9223372036854775807 to 9223372036854775808 timeout_msec = MIN(LLONG_MAX, json_real(timeout)); ~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /usr/include/sys/limits.h:69:19: note: expanded from macro 'LLONG_MAX' #define LLONG_MAX __LLONG_MAX /* max for a long long */ ^~~~~~~~~~~ /usr/include/x86/_limits.h:74:21: note: expanded from macro '__LLONG_MAX' #define __LLONG_MAX 0x7fffffffffffffffLL /* max value for a long long */ ^~~~~~~~~~~~~~~~~~~~ ./lib/util.h:90:21: note: expanded from macro 'MIN' #define MIN(X, Y) ((X) < (Y) ? (X) : (Y)) ^ ~ Fix that by changing parser to treat 'timeout' as integer. Fixes clang build on FreeBSD 12.1 in CirrusCI. Fixes: f85f8ebbfac9 ("Initial implementation of OVSDB.") Acked-by: Han Zhou <hzhou@ovn.org> Acked-by: Numan Siddique <numans@ovn.org> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2020-05-25 18:21:39 +02:00
timeout = ovsdb_parser_member(parser, "timeout", OP_INTEGER | OP_OPTIONAL);
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
where = ovsdb_parser_member(parser, "where", OP_ARRAY);
columns_json = ovsdb_parser_member(parser, "columns",
OP_ARRAY | OP_OPTIONAL);
until = ovsdb_parser_member(parser, "until", OP_STRING);
rows = ovsdb_parser_member(parser, "rows", OP_ARRAY);
table = parse_table(x, parser, "table");
error = ovsdb_parser_get_error(parser);
if (!error) {
error = ovsdb_condition_from_json(table->schema, where, x->symtab,
&condition);
}
if (!error) {
ovsdb: Make ovsdb_column_set_from_json() take table schema instead of table. This function took a struct ovsdb_table but only used the 'schema' member. An upcoming patch needs to parse a column set when only the schema is available, so to prepare for that this patch changes ovsdb_column_set_from_json() to only take the schema that it really needs.
2011-06-01 16:14:46 -07:00
error = ovsdb_column_set_from_json(columns_json, table->schema,
&columns);
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
}
if (!error) {
if (timeout) {
ovsdb: Fix timeout type for wait operation. According to RFC 7047, 'timeout' is an integer field: 5.2.6. Wait The "wait" object contains the following members: "op": "wait" required "timeout": <integer> optional ... For some reason initial implementation treated it as a real number. This causes a build issue with clang that complains that LLONG_MAX could not be represented as double: ovsdb/execution.c:733:32: error: implicit conversion from 'long long' to 'double' changes value from 9223372036854775807 to 9223372036854775808 timeout_msec = MIN(LLONG_MAX, json_real(timeout)); ~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /usr/include/sys/limits.h:69:19: note: expanded from macro 'LLONG_MAX' #define LLONG_MAX __LLONG_MAX /* max for a long long */ ^~~~~~~~~~~ /usr/include/x86/_limits.h:74:21: note: expanded from macro '__LLONG_MAX' #define __LLONG_MAX 0x7fffffffffffffffLL /* max value for a long long */ ^~~~~~~~~~~~~~~~~~~~ ./lib/util.h:90:21: note: expanded from macro 'MIN' #define MIN(X, Y) ((X) < (Y) ? (X) : (Y)) ^ ~ Fix that by changing parser to treat 'timeout' as integer. Fixes clang build on FreeBSD 12.1 in CirrusCI. Fixes: f85f8ebbfac9 ("Initial implementation of OVSDB.") Acked-by: Han Zhou <hzhou@ovn.org> Acked-by: Numan Siddique <numans@ovn.org> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2020-05-25 18:21:39 +02:00
timeout_msec = json_integer(timeout);
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
if (timeout_msec < 0) {
error = ovsdb_syntax_error(timeout, NULL,
"timeout must be nonnegative");
} else if (timeout_msec < x->timeout_msec) {
x->timeout_msec = timeout_msec;
}
} else {
timeout_msec = LLONG_MAX;
}
ovsdb: Fix error leak for negative timeout and invalid until case Although the check for negative timeout is present, the error string is overwritten if an invalid "until" is found right after. This leaks an error string and results in not reporting the negative timeout back to the user even though it is encountered first. Signed-off-by: Thomas Graf <tgraf@noironetworks.com> Signed-off-by: Ben Pfaff <blp@nicira.com>
2014-08-28 14:40:50 +02:00
}
if (!error) {
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
if (strcmp(json_string(until), "==")
&& strcmp(json_string(until), "!=")) {
error = ovsdb_syntax_error(until, NULL,
"\"until\" must be \"==\" or \"!=\"");
}
}
if (!error) {
/* Parse "rows" into 'expected'. */
ovsdb_row_hash_init(&expected, &columns);
json: Use functions to access json arrays. Internal implementation of JSON array will be changed in the future commits. Add access functions that users can rely on instead of accessing the internals of 'struct json' directly and convert all the users. Structure fields are intentionally renamed to make sure that no code is using the old fields directly. json_array() function is removed, as not needed anymore. Added new functions: json_array_size(), json_array_at(), json_array_set() and json_array_pop(). These are enough to cover all the use cases within OVS. The change is fairly large, however, IMO, it's a much overdue cleanup that we need even without changing the underlying implementation. Acked-by: Mike Pattrick <mkp@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2025-06-24 21:54:33 +02:00
n = json_array_size(rows);
for (i = 0; i < n; i++) {
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
struct ovsdb_row *row;
row = ovsdb_row_create(table);
json: Use functions to access json arrays. Internal implementation of JSON array will be changed in the future commits. Add access functions that users can rely on instead of accessing the internals of 'struct json' directly and convert all the users. Structure fields are intentionally renamed to make sure that no code is using the old fields directly. json_array() function is removed, as not needed anymore. Added new functions: json_array_size(), json_array_at(), json_array_set() and json_array_pop(). These are enough to cover all the use cases within OVS. The change is fairly large, however, IMO, it's a much overdue cleanup that we need even without changing the underlying implementation. Acked-by: Mike Pattrick <mkp@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2025-06-24 21:54:33 +02:00
error = ovsdb_row_from_json(row, json_array_at(rows, i), x->symtab,
ovsdb: relay: Fix handling of XOR updates with size constraints. Relay servers apply updates via ovsdb_table_execute_update(). XOR updates contain datum diffs, and datum diffs can be larger than the type constraints. Currently, relay will fail to parse such update into ovsdb row triggering a syntax error and a re-connection. Fix that by relaxing the size constraints for this kind of updates. Fixes: 026c77c58ddb ("ovsdb: New ovsdb 'relay' service model.") Acked-by: Dumitru Ceara <dceara@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2023-07-25 11:32:19 +02:00
NULL, false);
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
if (error) {
Fix memory leaks in error paths. Found by Fortify. Signed-off-by: yinpeijun <yinpeijun@huawei.com> Signed-off-by: Ben Pfaff <blp@nicira.com>
2014-08-27 09:52:54 +08:00
ovsdb_row_destroy(row);
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
break;
}
if (!ovsdb_row_hash_insert(&expected, row)) {
/* XXX Perhaps we should abort with an error or log a
* warning. */
ovsdb_row_destroy(row);
}
}
}
if (!error) {
/* Execute query. */
bool equal = true;
ovsdb_row_hash_init(&actual, &columns);
aux.actual = &actual;
aux.expected = &expected;
aux.equal = &equal;
ovsdb: Use table indexes if available for ovsdb_query(). Currently all OVSDB database queries except for UUID lookups all result in linear lookups over the entire table, even if an index is present. This patch modifies ovsdb_query() to attempt an index lookup first, if possible. If no matching indexes are present then a linear index is still conducted. To test this, I set up an ovsdb database with a variable number of rows and timed the average of how long ovsdb-client took to query a single row. The first two tests involved a linear scan that didn't match any rows, so there was no overhead associated with sending or encoding output. The post-patch linear scan was a worst case scenario where the table did have an appropriate index but the conditions made its usage impossible. The indexed lookup test was for a matching row, which did also include overhead associated with a match. The results are included in the table below. Rows | 100k | 200k | 300k | 400k | 500k -----------------------+------+------+------+------+----- Pre-patch linear scan | 9ms | 24ms | 37ms | 49ms | 61ms Post-patch linear scan | 9ms | 24ms | 38ms | 49ms | 61ms Indexed lookup | 3ms | 3ms | 3ms | 3ms | 3ms I also tested the performance of ovsdb_query() by wrapping it in a loop and measuring the time it took to perform 1000 linear scans on 1, 10, 100k, and 200k rows. This test showed that the new index checking code did not slow down worst case lookups to a statistically detectable degree. Reported-at: https://issues.redhat.com/browse/FDP-590 Signed-off-by: Mike Pattrick <mkp@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2024-06-19 08:54:53 -04:00
ovsdb_query(table, &condition, ovsdb_execute_wait_query_cb, &aux,
x->txn);
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
if (equal) {
/* We know that every row in 'actual' is also in 'expected'. We
* also know that all of the rows in 'actual' are distinct and that
* all of the rows in 'expected' are distinct. Therefore, if
* 'actual' and 'expected' have the same number of rows, then they
* have the same content. */
size_t n_actual = ovsdb_row_hash_count(&actual);
size_t n_expected = ovsdb_row_hash_count(&expected);
equal = n_actual == n_expected;
}
if (!strcmp(json_string(until), "==") != equal) {
if (timeout && x->elapsed_msec >= timeout_msec) {
if (x->elapsed_msec) {
error = ovsdb_error("timed out",
"\"wait\" timed out after %lld ms",
x->elapsed_msec);
} else {
ovsdb: Use better error message for "timeout" without waiting. When setting a where clause, if the timeout is set to a value of 0, the clause is tested once and if it fails, a message of '"wait" timed out' is returned. This can be misleading because there wasn't any real time, so change the message to '"where" clause test failed'. Signed-off-by: Ryan Moats <rmoats@us.ibm.com> Reported-by: Ryan Moats <rmoats@us.ibm.com> Reported-at: http://openvswitch.org/pipermail/dev/2016-August/077083.html Fixes: f85f8ebb ("Initial implementation of OVSDB.") Signed-off-by: Ben Pfaff <blp@ovn.org>
2016-08-03 19:07:38 +00:00
error = ovsdb_error("timed out",
"\"where\" clause test failed");
Initial implementation of OVSDB.
2009-11-04 15:11:44 -08:00
}
} else {
/* ovsdb_execute() will change this, if triggers really are
* supported. */
error = ovsdb_error("not supported", "triggers not supported");
}
}
}
ovsdb_row_hash_destroy(&expected, true);
ovsdb_row_hash_destroy(&actual, false);
ovsdb_column_set_destroy(&columns);
ovsdb_condition_destroy(&condition);
return error;
}
ovsdb: Implement new "declare" operation.
2009-12-07 11:47:48 -08:00
ovsdb: Add "comment" feature to transactions and make ovs-vsctl use them. The idea here is that transaction comments get copied to the ovsdb-server's transaction log, which can then make it clear later why a particular change was made to the database, to ease debugging.
2009-12-16 13:30:53 -08:00
static struct ovsdb_error *
ovsdb_execute_comment(struct ovsdb_execution *x, struct ovsdb_parser *parser,
Merge "master" into "next". The main change here is the need to update all of the uses of UNUSED in the next branch to OVS_UNUSED as it is now spelled on "master".
2010-02-11 11:11:23 -08:00
struct json *result OVS_UNUSED)
ovsdb: Add "comment" feature to transactions and make ovs-vsctl use them. The idea here is that transaction comments get copied to the ovsdb-server's transaction log, which can then make it clear later why a particular change was made to the database, to ease debugging.
2009-12-16 13:30:53 -08:00
{
const struct json *comment;
comment = ovsdb_parser_member(parser, "comment", OP_STRING);
if (!comment) {
return NULL;
}
ovsdb_txn_add_comment(x->txn, json_string(comment));
return NULL;
}
ovsdb: Implement a "lock" feature in the database protocol. This provides clients a way to coordinate their access to the database. This is a voluntary, not mandatory, locking protocols, that is, clients are not prevented from modifying the database unless they cooperate with the locking protocol. It is also not related to any of the ACID properties of database transactions. It is strictly a way for clients to coordinate among themselves. The following commit will introduce one user.
2011-07-26 10:24:17 -07:00
static struct ovsdb_error *
ovsdb_execute_assert(struct ovsdb_execution *x, struct ovsdb_parser *parser,
struct json *result OVS_UNUSED)
{
const struct json *lock_name;
ovsdb: Correct specification inconsistency between "lock" and "assert". The "lock" request requires the lock name to be an <id> but it is shown as <string> in the "assert" operation. This corrects the "assert" specification and fixes the suggested naming convention (since ":" is not valid in an <id>). This commit also updates the implementation to match the specification. Reported-by: Jeremy Stribling <strib@nicira.com>
2011-08-05 15:56:05 -07:00
lock_name = ovsdb_parser_member(parser, "lock", OP_ID);
ovsdb: Implement a "lock" feature in the database protocol. This provides clients a way to coordinate their access to the database. This is a voluntary, not mandatory, locking protocols, that is, clients are not prevented from modifying the database unless they cooperate with the locking protocol. It is also not related to any of the ACID properties of database transactions. It is strictly a way for clients to coordinate among themselves. The following commit will introduce one user.
2011-07-26 10:24:17 -07:00
if (!lock_name) {
return NULL;
}
if (x->session) {
const struct ovsdb_lock_waiter *waiter;
waiter = ovsdb_session_get_lock_waiter(x->session,
json_string(lock_name));
if (waiter && ovsdb_lock_waiter_is_owner(waiter)) {
return NULL;
}
}
return ovsdb_error("not owner", "Asserted lock %s not held.",
json_string(lock_name));
}
Reference in New Issue Copy Permalink