[mirror_ovs.git] / ovsdb / rbac.c

/*
 * Copyright (c) 2017 Red Hat, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at:
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
#include <config.h>

#include "rbac.h"

#include <limits.h>

#include "column.h"
#include "condition.h"
#include "condition.h"
#include "file.h"
#include "mutation.h"
#include "openvswitch/vlog.h"
#include "ovsdb-data.h"
#include "ovsdb-error.h"
#include "ovsdb-parser.h"
#include "ovsdb-util.h"
#include "ovsdb.h"
#include "query.h"
#include "row.h"
#include "server.h"
#include "table.h"
#include "timeval.h"
#include "transaction.h"

VLOG_DEFINE_THIS_MODULE(ovsdb_rbac);

static const struct ovsdb_row *
ovsdb_find_row_by_string_key(const struct ovsdb_table *table,
                             const char *column_name,
                             const char *key)
{
    const struct ovsdb_column *column;
    column = ovsdb_table_schema_get_column(table->schema, column_name);

    if (column) {
        /* XXX This is O(n) in the size of the table.  If the table has an
         * index on the column, then we could implement it in O(1). */
        const struct ovsdb_row *row;
        HMAP_FOR_EACH (row, hmap_node, &table->rows) {
            const struct ovsdb_datum *datum = &row->fields[column->index];
            for (size_t i = 0; i < datum->n; i++) {
                if (datum->keys[i].string[0] &&
                    !strcmp(key, datum->keys[i].string)) {
                    return row;
                }
            }
        }
    }

    return NULL;
}

static const struct ovsdb_row *
ovsdb_rbac_lookup_perms(const struct ovsdb *db, const char *role,
                        const char *table)
{
    static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 1);
    const struct ovsdb_row *role_row, *perm_row;
    const struct ovsdb_column *column;

    /* Lookup role in roles table */
    role_row = ovsdb_find_row_by_string_key(db->rbac_role, "name", role);
    if (!role_row) {
        VLOG_INFO_RL(&rl, "rbac: role \"%s\" not found in rbac roles table",
                     role);
        return NULL;
    }

    /* Find row in permissions column for table from "permissions" column */
    column = ovsdb_table_schema_get_column(role_row->table->schema,
                                           "permissions");
    if (!column) {
        VLOG_INFO_RL(&rl, "rbac: \"permissions\" column not present in rbac "
                  "roles table");
        return NULL;
    }
    perm_row = ovsdb_util_read_map_string_uuid_column(role_row, "permissions",
                                                      table);

    return perm_row;
}

static bool
ovsdb_rbac_authorized(const struct ovsdb_row *perms,
                      const char *id,
                      const struct ovsdb_row *row)
{
    static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 1);
    const struct ovsdb_datum *datum;
    size_t i;

    datum = ovsdb_util_get_datum(CONST_CAST(struct ovsdb_row *, perms),
                                 "authorization",
                                 OVSDB_TYPE_STRING, OVSDB_TYPE_VOID, UINT_MAX);

    if (!datum) {
        VLOG_INFO_RL(&rl, "rbac: error reading authorization column");
        return false;
    }

    for (i = 0; i < datum->n; i++) {
        const char *name = datum->keys[i].string;
        const char *value = NULL;
        bool is_map;

        if (name[0] == '\0') {
            /* empty string means all are authorized */
            return true;
        }

        is_map = strchr(name, ':') != NULL;

        if (is_map) {
            char *tmp = xstrdup(name);
            char *col_name, *key, *save_ptr = NULL;
            col_name = strtok_r(tmp, ":", &save_ptr);
            key = strtok_r(NULL, ":", &save_ptr);

            if (col_name && key) {
                value = ovsdb_util_read_map_string_column(row, col_name, key);
            }
            free(tmp);
        } else {
            ovsdb_util_read_string_column(row, name, &value);
        }
        if (value && !strcmp(value, id)) {
            return true;
        }
    }

    return false;
}

bool
ovsdb_rbac_insert(const struct ovsdb *db, const struct ovsdb_table *table,
                  const struct ovsdb_row *row,
                  const char *role, const char *id)
{
    const struct ovsdb_table_schema *ts = table->schema;
    const struct ovsdb_row *perms;
    bool insdel;

    if (!db->rbac_role || !role || *role == '\0') {
        return true;
    }

    if (!id) {
        goto denied;
    }

    perms = ovsdb_rbac_lookup_perms(db, role, ts->name);

    if (!perms) {
        goto denied;
    }

    if (!ovsdb_rbac_authorized(perms, id, row)) {
        goto denied;
    }

    if (!ovsdb_util_read_bool_column(perms, "insert_delete", &insdel)) {
        return false;
    }

    if (insdel) {
        return true;
    }

denied:
    return false;
}

struct rbac_delete_cbdata {
    const struct ovsdb_table *table;
    const struct ovsdb_row *perms;
    const char *role;
    const char *id;
    bool permitted;
};

static bool
rbac_delete_cb(const struct ovsdb_row *row, void *rd_)
{
    struct rbac_delete_cbdata *rd = rd_;
    bool insdel;

    if (!ovsdb_rbac_authorized(rd->perms, rd->id, row)) {
        goto denied;
    }

    if (!ovsdb_util_read_bool_column(rd->perms, "insert_delete", &insdel)) {
        goto denied;
    }

    if (!insdel) {
        goto denied;
    }
    return true;

denied:
    rd->permitted = false;
    return false;
}

bool
ovsdb_rbac_delete(const struct ovsdb *db, struct ovsdb_table *table,
                  struct ovsdb_condition *condition,
                  const char *role, const char *id)
{
    const struct ovsdb_table_schema *ts = table->schema;
    const struct ovsdb_row *perms;
    struct rbac_delete_cbdata rd;

    if (!db->rbac_role || !role || *role == '\0') {
        return true;
    }
    if (!id) {
        goto denied;
    }

    perms = ovsdb_rbac_lookup_perms(db, role, ts->name);

    if (!perms) {
        goto denied;
    }

    rd.permitted = true;
    rd.perms = perms;
    rd.table = table;
    rd.role = role;
    rd.id = id;

    ovsdb_query(table, condition, rbac_delete_cb, &rd);

    if (rd.permitted) {
        return true;
    }

denied:
    return false;
}

struct rbac_update_cbdata {
    const struct ovsdb_table *table;
    const struct ovsdb_column_set *columns; /* columns to be modified */
    const struct ovsdb_datum *modifiable; /* modifiable column names */
    const struct ovsdb_row *perms;
    const char *role;
    const char *id;
    bool permitted;
};

static bool
rbac_column_modification_permitted(const struct ovsdb_column *column,
                                   const struct ovsdb_datum *modifiable)
{
    size_t i;

    for (i = 0; i < modifiable->n; i++) {
        char *name = modifiable->keys[i].string;

        if (!strcmp(name, column->name)) {
            return true;
        }
    }
    return false;
}

static bool
rbac_update_cb(const struct ovsdb_row *row, void *ru_)
{
    struct rbac_update_cbdata *ru = ru_;
    size_t i;

    if (!ovsdb_rbac_authorized(ru->perms, ru->id, row)) {
        goto denied;
    }

    for (i = 0; i < ru->columns->n_columns; i++) {
        const struct ovsdb_column *column = ru->columns->columns[i];

        if (!rbac_column_modification_permitted(column, ru->modifiable)) {
            goto denied;
        }
    }
    return true;

denied:
    ru->permitted = false;
    return false;
}

bool
ovsdb_rbac_update(const struct ovsdb *db,
                  struct ovsdb_table *table,
                  struct ovsdb_column_set *columns,
                  struct ovsdb_condition *condition,
                  const char *role, const char *id)
{
    static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 1);
    const struct ovsdb_table_schema *ts = table->schema;
    const struct ovsdb_datum *datum;
    const struct ovsdb_row *perms;
    struct rbac_update_cbdata ru;

    if (!db->rbac_role || !role || *role == '\0') {
        return true;
    }
    if (!id) {
        goto denied;
    }

    perms = ovsdb_rbac_lookup_perms(db, role, ts->name);

    if (!perms) {
        goto denied;
    }

    datum = ovsdb_util_get_datum(CONST_CAST(struct ovsdb_row *, perms),
                                 "update",
                                 OVSDB_TYPE_STRING, OVSDB_TYPE_VOID, UINT_MAX);

    if (!datum) {
        VLOG_INFO_RL(&rl, "ovsdb_rbac_update: could not read \"update\" "
                     "column");
        goto denied;
    }

    ru.table = table;
    ru.columns = columns;
    ru.role = role;
    ru.id = id;
    ru.perms = perms;
    ru.modifiable = datum;
    ru.permitted = true;

    ovsdb_query(table, condition, rbac_update_cb, &ru);

    if (ru.permitted) {
        return true;
    }

denied:
    return false;
}

struct rbac_mutate_cbdata {
    const struct ovsdb_table *table;
    const struct ovsdb_mutation_set *mutations; /* columns to be mutated */
    const struct ovsdb_datum *modifiable; /* modifiable column names */
    const struct ovsdb_row *perms;
    const char *role;
    const char *id;
    bool permitted;
};

static bool
rbac_mutate_cb(const struct ovsdb_row *row, void *rm_)
{
    struct rbac_mutate_cbdata *rm = rm_;
    size_t i;

    if (!ovsdb_rbac_authorized(rm->perms, rm->id, row)) {
        goto denied;
    }

    for (i = 0; i < rm->mutations->n_mutations; i++) {
        const struct ovsdb_column *column = rm->mutations->mutations[i].column;

        if (!rbac_column_modification_permitted(column, rm->modifiable)) {
            goto denied;
        }
    }

    return true;

denied:
    rm->permitted = false;
    return false;
}

bool
ovsdb_rbac_mutate(const struct ovsdb *db,
                  struct ovsdb_table *table,
                  struct ovsdb_mutation_set *mutations,
                  struct ovsdb_condition *condition,
                  const char *role, const char *id)
{
    static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 1);
    const struct ovsdb_table_schema *ts = table->schema;
    const struct ovsdb_datum *datum;
    const struct ovsdb_row *perms;
    struct rbac_mutate_cbdata rm;

    if (!db->rbac_role || !role || *role == '\0') {
        return true;
    }
    if (!id) {
        goto denied;
    }

    perms = ovsdb_rbac_lookup_perms(db, role, ts->name);

    if (!perms) {
        goto denied;
    }

    datum = ovsdb_util_get_datum(CONST_CAST(struct ovsdb_row *, perms),
                                 "update",
                                 OVSDB_TYPE_STRING, OVSDB_TYPE_VOID, UINT_MAX);

    if (!datum) {
        VLOG_INFO_RL(&rl, "ovsdb_rbac_mutate: could not read \"update\" "
                     "column");
        goto denied;
    }

    rm.table = table;
    rm.mutations = mutations;
    rm.role = role;
    rm.id = id;
    rm.perms = perms;
    rm.modifiable = datum;
    rm.permitted = true;

    ovsdb_query(table, condition, rbac_mutate_cb, &rm);

    if (rm.permitted) {
        return true;
    }

denied:
    return false;
}
Commit	Line	Data
d6db7b3c LR	1	/*
	2	* Copyright (c) 2017 Red Hat, Inc.
	3	*
	4	* Licensed under the Apache License, Version 2.0 (the "License");
	5	* you may not use this file except in compliance with the License.
	6	* You may obtain a copy of the License at:
	7	*
	8	* http://www.apache.org/licenses/LICENSE-2.0
	9	*
	10	* Unless required by applicable law or agreed to in writing, software
	11	* distributed under the License is distributed on an "AS IS" BASIS,
	12	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	13	* See the License for the specific language governing permissions and
	14	* limitations under the License.
	15	*/
	16	#include <config.h>
	17
	18	#include "rbac.h"
	19
	20	#include <limits.h>
	21
	22	#include "column.h"
	23	#include "condition.h"
	24	#include "condition.h"
	25	#include "file.h"
	26	#include "mutation.h"
	27	#include "openvswitch/vlog.h"
	28	#include "ovsdb-data.h"
	29	#include "ovsdb-error.h"
	30	#include "ovsdb-parser.h"
	31	#include "ovsdb-util.h"
	32	#include "ovsdb.h"
	33	#include "query.h"
	34	#include "row.h"
	35	#include "server.h"
	36	#include "table.h"
	37	#include "timeval.h"
	38	#include "transaction.h"
	39
	40	VLOG_DEFINE_THIS_MODULE(ovsdb_rbac);
	41
	42	static const struct ovsdb_row *
	43	ovsdb_find_row_by_string_key(const struct ovsdb_table *table,
	44	const char *column_name,
	45	const char *key)
	46	{
	47	const struct ovsdb_column *column;
	48	column = ovsdb_table_schema_get_column(table->schema, column_name);
	49
	50	if (column) {
	51	/* XXX This is O(n) in the size of the table. If the table has an
	52	* index on the column, then we could implement it in O(1). */
	53	const struct ovsdb_row *row;
	54	HMAP_FOR_EACH (row, hmap_node, &table->rows) {
	55	const struct ovsdb_datum *datum = &row->fields[column->index];
	56	for (size_t i = 0; i < datum->n; i++) {
	57	if (datum->keys[i].string[0] &&
	58	!strcmp(key, datum->keys[i].string)) {
	59	return row;
	60	}
	61	}
	62	}
	63	}
	64
65	return NULL;
66	}
67
68	static const struct ovsdb_row *
69	ovsdb_rbac_lookup_perms(const struct ovsdb db, const char role,
70	const char *table)
71	{
72	static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 1);
73	const struct ovsdb_row role_row, perm_row;
74	const struct ovsdb_column *column;
75
76	/* Lookup role in roles table */
77	role_row = ovsdb_find_row_by_string_key(db->rbac_role, "name", role);
78	if (!role_row) {
79	VLOG_INFO_RL(&rl, "rbac: role \"%s\" not found in rbac roles table",
80	role);
81	return NULL;
82	}
83
84	/* Find row in permissions column for table from "permissions" column */
85	column = ovsdb_table_schema_get_column(role_row->table->schema,
86	"permissions");
87	if (!column) {
88	VLOG_INFO_RL(&rl, "rbac: \"permissions\" column not present in rbac "
89	"roles table");
90	return NULL;
91	}
92	perm_row = ovsdb_util_read_map_string_uuid_column(role_row, "permissions",
93	table);
94
95	return perm_row;
96	}
97
98	static bool
99	ovsdb_rbac_authorized(const struct ovsdb_row *perms,
100	const char *id,
101	const struct ovsdb_row *row)
102	{
103	static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 1);
104	const struct ovsdb_datum *datum;
105	size_t i;
106
107	datum = ovsdb_util_get_datum(CONST_CAST(struct ovsdb_row *, perms),
108	"authorization",
109	OVSDB_TYPE_STRING, OVSDB_TYPE_VOID, UINT_MAX);
110
111	if (!datum) {
112	VLOG_INFO_RL(&rl, "rbac: error reading authorization column");
113	return false;
114	}
115
116	for (i = 0; i < datum->n; i++) {
117	const char *name = datum->keys[i].string;
118	const char *value = NULL;
119	bool is_map;
120
121	if (name[0] == '\0') {
122	/* empty string means all are authorized */
123	return true;
124	}
125
126	is_map = strchr(name, ':') != NULL;
127
128	if (is_map) {
129	char *tmp = xstrdup(name);
130	char col_name, key, *save_ptr = NULL;
131	col_name = strtok_r(tmp, ":", &save_ptr);
132	key = strtok_r(NULL, ":", &save_ptr);
133
134	if (col_name && key) {
135	value = ovsdb_util_read_map_string_column(row, col_name, key);
136	}
137	free(tmp);
138	} else {
139	ovsdb_util_read_string_column(row, name, &value);
140	}
141	if (value && !strcmp(value, id)) {
142	return true;
143	}
144	}
145
146	return false;
147	}
148
149	bool
150	ovsdb_rbac_insert(const struct ovsdb db, const struct ovsdb_table table,
151	const struct ovsdb_row *row,
152	const char role, const char id)
153	{
154	const struct ovsdb_table_schema *ts = table->schema;
155	const struct ovsdb_row *perms;
156	bool insdel;
157
158	if (!db->rbac_role \|\| !role \|\| *role == '\0') {
159	return true;
160	}
161
162	if (!id) {
163	goto denied;
164	}
165
166	perms = ovsdb_rbac_lookup_perms(db, role, ts->name);
167
168	if (!perms) {
169	goto denied;
170	}
171
172	if (!ovsdb_rbac_authorized(perms, id, row)) {
173	goto denied;
174	}
175
176	if (!ovsdb_util_read_bool_column(perms, "insert_delete", &insdel)) {
177	return false;
178	}
179
180	if (insdel) {
181	return true;
182	}
183
184	denied:
185	return false;
186	}
187
188	struct rbac_delete_cbdata {
189	const struct ovsdb_table *table;
190	const struct ovsdb_row *perms;
191	const char *role;
192	const char *id;
193	bool permitted;
194	};
195
196	static bool
197	rbac_delete_cb(const struct ovsdb_row row, void rd_)
198	{
199	struct rbac_delete_cbdata *rd = rd_;
200	bool insdel;
201
202	if (!ovsdb_rbac_authorized(rd->perms, rd->id, row)) {
203	goto denied;
204	}
205
206	if (!ovsdb_util_read_bool_column(rd->perms, "insert_delete", &insdel)) {
207	goto denied;
208	}
209
210	if (!insdel) {
211	goto denied;
212	}
213	return true;
214
215	denied:
216	rd->permitted = false;
217	return false;
218	}
219
220	bool
221	ovsdb_rbac_delete(const struct ovsdb db, struct ovsdb_table table,
222	struct ovsdb_condition *condition,
223	const char role, const char id)
224	{
225	const struct ovsdb_table_schema *ts = table->schema;
226	const struct ovsdb_row *perms;
227	struct rbac_delete_cbdata rd;
228
229	if (!db->rbac_role \|\| !role \|\| *role == '\0') {
230	return true;
231	}
232	if (!id) {
233	goto denied;
234	}
235
236	perms = ovsdb_rbac_lookup_perms(db, role, ts->name);
237
238	if (!perms) {
239	goto denied;
240	}
241
242	rd.permitted = true;
243	rd.perms = perms;
244	rd.table = table;
245	rd.role = role;
246	rd.id = id;
247
248	ovsdb_query(table, condition, rbac_delete_cb, &rd);
249
250	if (rd.permitted) {
251	return true;
252	}
253
254	denied:
255	return false;
256	}
257
258	struct rbac_update_cbdata {
259	const struct ovsdb_table *table;
260	const struct ovsdb_column_set columns; / columns to be modified */
261	const struct ovsdb_datum modifiable; / modifiable column names */
262	const struct ovsdb_row *perms;
263	const char *role;
264	const char *id;
265	bool permitted;
266	};
267
268	static bool
269	rbac_column_modification_permitted(const struct ovsdb_column *column,
270	const struct ovsdb_datum *modifiable)
271	{
272	size_t i;
273
274	for (i = 0; i < modifiable->n; i++) {
275	char *name = modifiable->keys[i].string;
276
277	if (!strcmp(name, column->name)) {
278	return true;
279	}
280	}
281	return false;
282	}
283
284	static bool
285	rbac_update_cb(const struct ovsdb_row row, void ru_)
286	{
287	struct rbac_update_cbdata *ru = ru_;
288	size_t i;
289
290	if (!ovsdb_rbac_authorized(ru->perms, ru->id, row)) {
291	goto denied;
292	}
293
294	for (i = 0; i < ru->columns->n_columns; i++) {
295	const struct ovsdb_column *column = ru->columns->columns[i];
296
297	if (!rbac_column_modification_permitted(column, ru->modifiable)) {
298	goto denied;
299	}
300	}
301	return true;
302
303	denied:
304	ru->permitted = false;
305	return false;
306	}
307
308	bool
309	ovsdb_rbac_update(const struct ovsdb *db,
310	struct ovsdb_table *table,
311	struct ovsdb_column_set *columns,
312	struct ovsdb_condition *condition,
313	const char role, const char id)
314	{
315	static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 1);
316	const struct ovsdb_table_schema *ts = table->schema;
317	const struct ovsdb_datum *datum;
318	const struct ovsdb_row *perms;
319	struct rbac_update_cbdata ru;
320
321	if (!db->rbac_role \|\| !role \|\| *role == '\0') {
322	return true;
323	}
324	if (!id) {
325	goto denied;
326	}
327
328	perms = ovsdb_rbac_lookup_perms(db, role, ts->name);
329
330	if (!perms) {
331	goto denied;
332	}
333
334	datum = ovsdb_util_get_datum(CONST_CAST(struct ovsdb_row *, perms),
335	"update",
336	OVSDB_TYPE_STRING, OVSDB_TYPE_VOID, UINT_MAX);
337
338	if (!datum) {
339	VLOG_INFO_RL(&rl, "ovsdb_rbac_update: could not read \"update\" "
340	"column");
341	goto denied;
342	}
343
344	ru.table = table;
345	ru.columns = columns;
346	ru.role = role;
347	ru.id = id;
348	ru.perms = perms;
349	ru.modifiable = datum;
350	ru.permitted = true;
351
352	ovsdb_query(table, condition, rbac_update_cb, &ru);
353
354	if (ru.permitted) {
355	return true;
356	}
357
358	denied:
359	return false;
360	}
361
362	struct rbac_mutate_cbdata {
363	const struct ovsdb_table *table;
364	const struct ovsdb_mutation_set mutations; / columns to be mutated */
365	const struct ovsdb_datum modifiable; / modifiable column names */
366	const struct ovsdb_row *perms;
367	const char *role;
368	const char *id;
369	bool permitted;
370	};
371
372	static bool
373	rbac_mutate_cb(const struct ovsdb_row row, void rm_)
374	{
375	struct rbac_mutate_cbdata *rm = rm_;
376	size_t i;
377
378	if (!ovsdb_rbac_authorized(rm->perms, rm->id, row)) {
379	goto denied;
380	}
381
382	for (i = 0; i < rm->mutations->n_mutations; i++) {
383	const struct ovsdb_column *column = rm->mutations->mutations[i].column;
384
385	if (!rbac_column_modification_permitted(column, rm->modifiable)) {
386	goto denied;
387	}
388	}
389
390	return true;
391
392	denied:
393	rm->permitted = false;
394	return false;
395	}
396
397	bool
398	ovsdb_rbac_mutate(const struct ovsdb *db,
399	struct ovsdb_table *table,
400	struct ovsdb_mutation_set *mutations,
401	struct ovsdb_condition *condition,
402	const char role, const char id)
403	{
404	static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(1, 1);
405	const struct ovsdb_table_schema *ts = table->schema;
406	const struct ovsdb_datum *datum;
407	const struct ovsdb_row *perms;
408	struct rbac_mutate_cbdata rm;
409
410	if (!db->rbac_role \|\| !role \|\| *role == '\0') {
411	return true;
412	}
413	if (!id) {
414	goto denied;
415	}
416
417	perms = ovsdb_rbac_lookup_perms(db, role, ts->name);
418
419	if (!perms) {
420	goto denied;
421	}
422
423	datum = ovsdb_util_get_datum(CONST_CAST(struct ovsdb_row *, perms),
424	"update",
425	OVSDB_TYPE_STRING, OVSDB_TYPE_VOID, UINT_MAX);
426
427	if (!datum) {
428	VLOG_INFO_RL(&rl, "ovsdb_rbac_mutate: could not read \"update\" "
429	"column");
430	goto denied;
431	}
432
433	rm.table = table;
434	rm.mutations = mutations;
435	rm.role = role;
436	rm.id = id;
437	rm.perms = perms;
438	rm.modifiable = datum;
439	rm.permitted = true;
440
441	ovsdb_query(table, condition, rbac_mutate_cb, &rm);
442
443	if (rm.permitted) {
444	return true;
445	}
446
447	denied:
448	return false;
449	}