[mirror_ovs.git] / tests / ovsdb-rbac.at

AT_BANNER([OVSDB -- ovsdb-server rbac])

AT_SETUP([ovsdb-server/rbac 2])
AT_KEYWORDS([ovsdb server rbac])
AT_SKIP_IF([test "$HAVE_OPENSSL" = no])

RBAC_PKIDIR="$(pwd)"
RBAC_PKI="sh $abs_top_srcdir/utilities/ovs-pki.in --dir=$RBAC_PKIDIR/pki --log=$RBAC_PKIDIR/rbac-pki.log"
$RBAC_PKI init
$RBAC_PKI req+sign ovsdb-server switch
$RBAC_PKI -u req+sign client-1 switch
$RBAC_PKI -u req+sign client-2 switch

AT_DATA([schema],
  [[{"name": "mydb",
     "tables": {
       "Root": {
         "columns": {
           "connections": {
             "type": {
               "key": {"type": "uuid", "refTable": "Connection"},
               "min": 0,
               "max": "unlimited"}}},
          "isRoot": true},
       "Connection": {
         "columns": {
           "target": {
             "type": "string"},
           "role": {
             "type": "string"}}},
        "RBAC_Role": {
            "columns": {
                "name": {"type": "string"},
                "permissions": {
                    "type": {"key": {"type": "string"},
                             "value": {"type": "uuid",
                                       "refTable": "RBAC_Permission",
                                       "refType": "weak"},
                                     "min": 0, "max": "unlimited"}}},
            "isRoot": true},
        "RBAC_Permission": {
            "columns": {
                "table": {"type": "string"},
                "authorization": {"type": {"key": "string",
                                           "min": 0,
                                           "max": "unlimited"}},
                "insert_delete": {"type": "boolean"},
                "update" : {"type": {"key": "string",
                                     "min": 0,
                                     "max": "unlimited"}}},
            "isRoot": true},
       "fixed_colors": {
         "columns": {
           "name": {"type": "string"}, "value": {"type": "integer"}},
         "indexes": [["name"]],
         "isRoot": true},
       "user_colors": {
         "columns": {
           "creator": {"type": "string"},
           "name": {"type": "string"},
           "value": {"type": "integer"}},
         "indexes": [["name"]],
         "isRoot": true},
       "other_colors": {
         "columns": {
           "creator": {
             "type": {"key": {"type": "string"},
                      "value": {"type": "string"},
                      "min": 0, "max": "unlimited"}},
           "name": {"type": "string"},
           "value": {"type": "integer"}},
         "indexes": [["name"]],
         "isRoot": true}
    },
     "version": "5.1.3",
     "cksum": "12345678 9"
}
]])

AT_CHECK([ovsdb-tool create db schema], [0], [ignore], [ignore])
AT_CHECK(
  [[ovsdb-tool transact db \
     '["mydb",
       {"op": "insert",
        "table": "Root",
        "row": {
          "connections": ["set", [["named-uuid", "x"]]]}},
       {"op": "insert",
        "table": "Connection",
        "uuid-name": "x",
        "row": {"target": "pssl:0:127.0.0.1",
                "role": "testrole"}},
       {"op": "insert",
        "table": "fixed_colors",
        "row": {"name": "red",
                "value": '16711680'}},
       {"op": "insert",
        "table": "RBAC_Role",
        "row": {"name": "testrole",
                "permissions": ["map", [["user_colors", ["named-uuid", "y"]],
                                        ["other_colors", ["named-uuid", "z"]]]]}},
       {"op": "insert",
        "table": "RBAC_Permission",
        "uuid-name": "y",
        "row": {"authorization": "creator",
                "insert_delete": true,
                "table": "user_colors",
                "update": ["set", ["name", "value"]]}},
       {"op": "insert",
        "table": "RBAC_Permission",
        "uuid-name": "z",
        "row": {"authorization": "creator:chassis",
                "insert_delete": true,
                "table": "user_colors",
                "update": ["set", ["name", "value"]]}}
]']], [0], [ignore], [ignore])

AT_CHECK([ovsdb-server --log-file --detach --no-chdir --pidfile --remote=db:mydb,Root,connections \
        --private-key=$RBAC_PKIDIR/ovsdb-server-privkey.pem \
        --certificate=$RBAC_PKIDIR/ovsdb-server-cert.pem \
        --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
        db], [0], [ignore], [ignore])
PARSE_LISTENING_PORT([ovsdb-server.log], [SSL_PORT])

# Test 1:
# Attempt to insert a row into the "fixed_colors" table.  This should
# fail as there are no permissions for role "testrole" for this table.
AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
        --private-key=$RBAC_PKIDIR/client-1-privkey.pem \
        --certificate=$RBAC_PKIDIR/client-1-cert.pem \
        --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
        ['["mydb",
         {"op": "insert",
          "table": "fixed_colors",
          "row": {"name": "chartreuse", "value": '8388352'}}
         ]']], [0], [stdout], [ignore])
cat stdout >> output
AT_CHECK([uuidfilt stdout], [0], [[[{"details":"RBAC rules for client \"client-1\" role \"testrole\" prohibit row insertion into table \"fixed_colors\".","error":"permission error"}]]
], [ignore])

# Test 2:
# Attempt to insert a row into the "user_colors" table with a client ID that
# does not match the value in the column used for authorization.  This should
# fail the authorization check for insertion.
AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
        --private-key=$RBAC_PKIDIR/client-1-privkey.pem \
        --certificate=$RBAC_PKIDIR/client-1-cert.pem \
        --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
        ['["mydb",
         {"op": "insert",
          "table": "user_colors",
          "row": {"creator": "client-2", "name": "chartreuse", "value": '8388352'}}
         ]']], [0], [stdout], [ignore])
cat stdout >> output
AT_CHECK([uuidfilt stdout], [0], [[[{"details":"RBAC rules for client \"client-1\" role \"testrole\" prohibit row insertion into table \"user_colors\".","error":"permission error"}]]
], [ignore])

# Test 3:
# Attempt to insert a row into the "user_colors" table.  This should
# succeed since role "testrole" has permissions for this table that
# allow row insertion.
AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
        --private-key=$RBAC_PKIDIR/client-1-privkey.pem \
        --certificate=$RBAC_PKIDIR/client-1-cert.pem \
        --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
        ['["mydb",
         {"op": "insert",
          "table": "user_colors",
          "row": {"creator": "client-1", "name": "chartreuse", "value": '8388352'}}
         ]']], [0], [stdout], [ignore])
cat stdout >> output
AT_CHECK([uuidfilt stdout], [0], [[[{"uuid":["uuid","<0>"]}]]
], [ignore])

# Test 4:
# Attempt to update a column in the "user_colors" table.  This should
# succeed since role "testrole" has permissions for this table that
# allow update of the "value" column when ID is equal to the value in
# the "creator" column.
AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
        --private-key=$RBAC_PKIDIR/client-1-privkey.pem \
        --certificate=$RBAC_PKIDIR/client-1-cert.pem \
        --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
        ['["mydb",
         {"op": "update",
          "table": "user_colors",
          "where": [["name", "==", "chartreuse"]],
          "row": {"value": '8388353'}}
         ]']], [0], [stdout], [ignore])
cat stdout >> output
AT_CHECK([uuidfilt stdout], [0], [[[{"count":1}]]
], [ignore])

# Test 5:
# Attempt to update a column in the "user_colors" table.  Same as
# previous test, but with a different client ID. This should fail
# the RBAC authorization test because "client-2" does not match the
# "creator" column for this row.
AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
        --private-key=$RBAC_PKIDIR/client-2-privkey.pem \
        --certificate=$RBAC_PKIDIR/client-2-cert.pem \
        --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
        ['["mydb",
         {"op": "update",
          "table": "user_colors",
          "where": [["name", "==", "chartreuse"]],
          "row": {"value": '8388354'}}
         ]']], [0], [stdout], [ignore])
cat stdout >> output
AT_CHECK([uuidfilt stdout], [0], [[[{"details":"RBAC rules for client \"client-2\" role \"testrole\" prohibit modification of table \"user_colors\".","error":"permission error"}]]
], [ignore])

# Test 6:
# Attempt to mutate a column in the "user_colors" table.  This should
# succeed since role "testrole" has permissions for this table that
# allow update of the "value" column when ID is equal to the value in
# the "creator" column.
AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
        --private-key=$RBAC_PKIDIR/client-1-privkey.pem \
        --certificate=$RBAC_PKIDIR/client-1-cert.pem \
        --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
        ['["mydb",
         {"op": "mutate",
          "table": "user_colors",
          "where": [["name", "==", "chartreuse"]],
          "mutations": [["value", "+=", '10']]}
         ]']], [0], [stdout], [ignore])
cat stdout >> output
AT_CHECK([uuidfilt stdout], [0], [[[{"count":1}]]
], [ignore])

# Test 7:
# Attempt to mutate a column in the "user_colors" table.  Same as
# previous test, but with a different client ID. This should fail
# the RBAC authorization test because "client-2" does not match the
# "creator" column for this row.
AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
        --private-key=$RBAC_PKIDIR/client-2-privkey.pem \
        --certificate=$RBAC_PKIDIR/client-2-cert.pem \
        --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
        ['["mydb",
         {"op": "mutate",
          "table": "user_colors",
          "where": [["name", "==", "chartreuse"]],
          "mutations": [["value", "+=", '10']]}
         ]']], [0], [stdout], [ignore])
cat stdout >> output
AT_CHECK([uuidfilt stdout], [0], [[[{"details":"RBAC rules for client \"client-2\" role \"testrole\" prohibit mutate operation on table \"user_colors\".","error":"permission error"}]]
], [ignore])

# Test 8:
# Attempt to delete a row from the "user_colors" table. This should fail
# the RBAC authorization test because "client-2" does not match the
# "creator" column for this row.
AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
        --private-key=$RBAC_PKIDIR/client-2-privkey.pem \
        --certificate=$RBAC_PKIDIR/client-2-cert.pem \
        --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
        ['["mydb",
         {"op": "delete",
          "table": "user_colors",
          "where": [["name", "==", "chartreuse"]]}
         ]']], [0], [stdout], [ignore])
cat stdout >> output
AT_CHECK([uuidfilt stdout], [0], [[[{"details":"RBAC rules for client \"client-2\" role \"testrole\" prohibit row deletion from table \"user_colors\".","error":"permission error"}]]
], [ignore])

# Test 9:
# Attempt to delete a row from the "user_colors" table. This should pass
# the RBAC authorization test because "client-1" does matches the
# "creator" column for this row.
AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
        --private-key=$RBAC_PKIDIR/client-1-privkey.pem \
        --certificate=$RBAC_PKIDIR/client-1-cert.pem \
        --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
        ['["mydb",
         {"op": "delete",
          "table": "user_colors",
          "where": [["name", "==", "chartreuse"]]}
         ]']], [0], [stdout], [ignore])
cat stdout >> output
AT_CHECK([uuidfilt stdout], [0], [[[{"count":1}]]
], [ignore])

# Test 10:
# Attempt to insert a row into the "other_colors" table.  This should
# succeed since role "testrole" has permissions for this table that
# allow row insertion.
AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
        --private-key=$RBAC_PKIDIR/client-1-privkey.pem \
        --certificate=$RBAC_PKIDIR/client-1-cert.pem \
        --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
        ['["mydb",
         {"op": "insert",
          "table": "other_colors",
          "row": {"creator": ["map",[["chassis", "client-1"]]], "name": "seafoam", "value": '7466680'}}
         ]']], [0], [stdout], [ignore])
cat stdout >> output
AT_CHECK([uuidfilt stdout], [0], [[[{"uuid":["uuid","<0>"]}]]
], [ignore])

# Test 11:
# Attempt to update a column in the "user_colors" table.  This should
# succeed since role "testrole" has permissions for this table that
# allow update of the "value" column when ID is equal to the value in
# the "creator" column.
AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
        --private-key=$RBAC_PKIDIR/client-1-privkey.pem \
        --certificate=$RBAC_PKIDIR/client-1-cert.pem \
        --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
        ['["mydb",
         {"op": "update",
          "table": "other_colors",
          "where": [["name", "==", "seafoam"]],
          "row": {"value": '8388353'}}
         ]']], [0], [stdout], [ignore])
cat stdout >> output
AT_CHECK([uuidfilt stdout], [0], [[[{"count":1}]]
], [ignore])

# Test 12:
# Attempt to update a column in the "other_colors" table.  Same as
# previous test, but with a different client ID. This should fail
# the RBAC authorization test because "client-2" does not match the
# "creator" column for this row.
AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
        --private-key=$RBAC_PKIDIR/client-2-privkey.pem \
        --certificate=$RBAC_PKIDIR/client-2-cert.pem \
        --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
        ['["mydb",
         {"op": "update",
          "table": "other_colors",
          "where": [["name", "==", "seafoam"]],
          "row": {"value": '8388354'}}
         ]']], [0], [stdout], [ignore])
cat stdout >> output
AT_CHECK([uuidfilt stdout], [0], [[[{"details":"RBAC rules for client \"client-2\" role \"testrole\" prohibit modification of table \"other_colors\".","error":"permission error"}]]
], [ignore])

# Test 13:
# Attempt to delete a row from the "other_colors" table. This should fail
# the RBAC authorization test because "client-2" does not match the
# "creator" column for this row.
AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
        --private-key=$RBAC_PKIDIR/client-2-privkey.pem \
        --certificate=$RBAC_PKIDIR/client-2-cert.pem \
        --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
        ['["mydb",
         {"op": "delete",
          "table": "other_colors",
          "where": [["name", "==", "seafoam"]]}
         ]']], [0], [stdout], [ignore])
cat stdout >> output
AT_CHECK([uuidfilt stdout], [0], [[[{"details":"RBAC rules for client \"client-2\" role \"testrole\" prohibit row deletion from table \"other_colors\".","error":"permission error"}]]
], [ignore])

# Test 14:
# Attempt to delete a row from the "other_colors" table. This should pass
# the RBAC authorization test because "client-1" does matches the
# "creator" column for this row.
AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
        --private-key=$RBAC_PKIDIR/client-1-privkey.pem \
        --certificate=$RBAC_PKIDIR/client-1-cert.pem \
        --ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
        ['["mydb",
         {"op": "delete",
          "table": "other_colors",
          "where": [["name", "==", "seafoam"]]}
         ]']], [0], [stdout], [ignore])
cat stdout >> output
AT_CHECK([uuidfilt stdout], [0], [[[{"count":1}]]
], [ignore])

OVSDB_SERVER_SHUTDOWN
AT_CLEANUP
Commit	Line	Data
d6db7b3c LR	1	AT_BANNER([OVSDB -- ovsdb-server rbac])
	2
	3	AT_SETUP([ovsdb-server/rbac 2])
	4	AT_KEYWORDS([ovsdb server rbac])
	5	AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
	6
	7	RBAC_PKIDIR="$(pwd)"
	8	RBAC_PKI="sh $abs_top_srcdir/utilities/ovs-pki.in --dir=$RBAC_PKIDIR/pki --log=$RBAC_PKIDIR/rbac-pki.log"
3391136c TR	9	$RBAC_PKI init
	10	$RBAC_PKI req+sign ovsdb-server switch
	11	$RBAC_PKI -u req+sign client-1 switch
	12	$RBAC_PKI -u req+sign client-2 switch
d6db7b3c LR	13
	14	AT_DATA([schema],
	15	[[{"name": "mydb",
	16	"tables": {
	17	"Root": {
	18	"columns": {
	19	"connections": {
	20	"type": {
	21	"key": {"type": "uuid", "refTable": "Connection"},
	22	"min": 0,
	23	"max": "unlimited"}}},
	24	"isRoot": true},
	25	"Connection": {
	26	"columns": {
	27	"target": {
	28	"type": "string"},
	29	"role": {
	30	"type": "string"}}},
	31	"RBAC_Role": {
	32	"columns": {
	33	"name": {"type": "string"},
	34	"permissions": {
	35	"type": {"key": {"type": "string"},
	36	"value": {"type": "uuid",
	37	"refTable": "RBAC_Permission",
	38	"refType": "weak"},
	39	"min": 0, "max": "unlimited"}}},
	40	"isRoot": true},
	41	"RBAC_Permission": {
	42	"columns": {
	43	"table": {"type": "string"},
	44	"authorization": {"type": {"key": "string",
	45	"min": 0,
	46	"max": "unlimited"}},
	47	"insert_delete": {"type": "boolean"},
	48	"update" : {"type": {"key": "string",
	49	"min": 0,
	50	"max": "unlimited"}}},
	51	"isRoot": true},
	52	"fixed_colors": {
	53	"columns": {
	54	"name": {"type": "string"}, "value": {"type": "integer"}},
	55	"indexes": [["name"]],
	56	"isRoot": true},
	57	"user_colors": {
	58	"columns": {
	59	"creator": {"type": "string"},
	60	"name": {"type": "string"},
	61	"value": {"type": "integer"}},
	62	"indexes": [["name"]],
	63	"isRoot": true},
	64	"other_colors": {
	65	"columns": {
	66	"creator": {
	67	"type": {"key": {"type": "string"},
	68	"value": {"type": "string"},
	69	"min": 0, "max": "unlimited"}},
	70	"name": {"type": "string"},
	71	"value": {"type": "integer"}},
	72	"indexes": [["name"]],
	73	"isRoot": true}
	74	},
	75	"version": "5.1.3",
	76	"cksum": "12345678 9"
77	}
78	]])
79
80	AT_CHECK([ovsdb-tool create db schema], [0], [ignore], [ignore])
81	AT_CHECK(
82	[[ovsdb-tool transact db \
83	'["mydb",
84	{"op": "insert",
85	"table": "Root",
86	"row": {
87	"connections": ["set", [["named-uuid", "x"]]]}},
88	{"op": "insert",
89	"table": "Connection",
90	"uuid-name": "x",
91	"row": {"target": "pssl:0:127.0.0.1",
92	"role": "testrole"}},
93	{"op": "insert",
94	"table": "fixed_colors",
95	"row": {"name": "red",
96	"value": '16711680'}},
97	{"op": "insert",
98	"table": "RBAC_Role",
99	"row": {"name": "testrole",
100	"permissions": ["map", [["user_colors", ["named-uuid", "y"]],
101	["other_colors", ["named-uuid", "z"]]]]}},
102	{"op": "insert",
103	"table": "RBAC_Permission",
104	"uuid-name": "y",
105	"row": {"authorization": "creator",
106	"insert_delete": true,
107	"table": "user_colors",
108	"update": ["set", ["name", "value"]]}},
109	{"op": "insert",
110	"table": "RBAC_Permission",
111	"uuid-name": "z",
112	"row": {"authorization": "creator:chassis",
113	"insert_delete": true,
114	"table": "user_colors",
115	"update": ["set", ["name", "value"]]}}
116	]']], [0], [ignore], [ignore])
117
118	AT_CHECK([ovsdb-server --log-file --detach --no-chdir --pidfile --remote=db:mydb,Root,connections \
119	--private-key=$RBAC_PKIDIR/ovsdb-server-privkey.pem \
120	--certificate=$RBAC_PKIDIR/ovsdb-server-cert.pem \
121	--ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
122	db], [0], [ignore], [ignore])
123	PARSE_LISTENING_PORT([ovsdb-server.log], [SSL_PORT])
124
125	# Test 1:
126	# Attempt to insert a row into the "fixed_colors" table. This should
127	# fail as there are no permissions for role "testrole" for this table.
128	AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
129	--private-key=$RBAC_PKIDIR/client-1-privkey.pem \
130	--certificate=$RBAC_PKIDIR/client-1-cert.pem \
131	--ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
132	['["mydb",
133	{"op": "insert",
134	"table": "fixed_colors",
135	"row": {"name": "chartreuse", "value": '8388352'}}
136	]']], [0], [stdout], [ignore])
137	cat stdout >> output
c724bd67	138	AT_CHECK([uuidfilt stdout], [0], [[[{"details":"RBAC rules for client \"client-1\" role \"testrole\" prohibit row insertion into table \"fixed_colors\".","error":"permission error"}]]
d6db7b3c LR	139	], [ignore])
	140
	141	# Test 2:
	142	# Attempt to insert a row into the "user_colors" table with a client ID that
	143	# does not match the value in the column used for authorization. This should
	144	# fail the authorization check for insertion.
	145	AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
	146	--private-key=$RBAC_PKIDIR/client-1-privkey.pem \
	147	--certificate=$RBAC_PKIDIR/client-1-cert.pem \
	148	--ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
	149	['["mydb",
	150	{"op": "insert",
	151	"table": "user_colors",
	152	"row": {"creator": "client-2", "name": "chartreuse", "value": '8388352'}}
	153	]']], [0], [stdout], [ignore])
	154	cat stdout >> output
c724bd67	155	AT_CHECK([uuidfilt stdout], [0], [[[{"details":"RBAC rules for client \"client-1\" role \"testrole\" prohibit row insertion into table \"user_colors\".","error":"permission error"}]]
d6db7b3c LR	156	], [ignore])
	157
	158	# Test 3:
	159	# Attempt to insert a row into the "user_colors" table. This should
	160	# succeed since role "testrole" has permissions for this table that
	161	# allow row insertion.
	162	AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
	163	--private-key=$RBAC_PKIDIR/client-1-privkey.pem \
	164	--certificate=$RBAC_PKIDIR/client-1-cert.pem \
	165	--ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
	166	['["mydb",
	167	{"op": "insert",
	168	"table": "user_colors",
	169	"row": {"creator": "client-1", "name": "chartreuse", "value": '8388352'}}
	170	]']], [0], [stdout], [ignore])
	171	cat stdout >> output
c724bd67	172	AT_CHECK([uuidfilt stdout], [0], [[[{"uuid":["uuid","<0>"]}]]
d6db7b3c LR	173	], [ignore])
	174
	175	# Test 4:
	176	# Attempt to update a column in the "user_colors" table. This should
	177	# succeed since role "testrole" has permissions for this table that
	178	# allow update of the "value" column when ID is equal to the value in
	179	# the "creator" column.
	180	AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
	181	--private-key=$RBAC_PKIDIR/client-1-privkey.pem \
	182	--certificate=$RBAC_PKIDIR/client-1-cert.pem \
	183	--ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
	184	['["mydb",
	185	{"op": "update",
	186	"table": "user_colors",
	187	"where": [["name", "==", "chartreuse"]],
	188	"row": {"value": '8388353'}}
	189	]']], [0], [stdout], [ignore])
	190	cat stdout >> output
c724bd67	191	AT_CHECK([uuidfilt stdout], [0], [[[{"count":1}]]
d6db7b3c LR	192	], [ignore])
	193
	194	# Test 5:
	195	# Attempt to update a column in the "user_colors" table. Same as
	196	# previous test, but with a different client ID. This should fail
	197	# the RBAC authorization test because "client-2" does not match the
	198	# "creator" column for this row.
	199	AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
	200	--private-key=$RBAC_PKIDIR/client-2-privkey.pem \
	201	--certificate=$RBAC_PKIDIR/client-2-cert.pem \
	202	--ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
	203	['["mydb",
	204	{"op": "update",
	205	"table": "user_colors",
	206	"where": [["name", "==", "chartreuse"]],
	207	"row": {"value": '8388354'}}
	208	]']], [0], [stdout], [ignore])
	209	cat stdout >> output
c724bd67	210	AT_CHECK([uuidfilt stdout], [0], [[[{"details":"RBAC rules for client \"client-2\" role \"testrole\" prohibit modification of table \"user_colors\".","error":"permission error"}]]
d6db7b3c LR	211	], [ignore])
	212
	213	# Test 6:
	214	# Attempt to mutate a column in the "user_colors" table. This should
	215	# succeed since role "testrole" has permissions for this table that
	216	# allow update of the "value" column when ID is equal to the value in
	217	# the "creator" column.
	218	AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
	219	--private-key=$RBAC_PKIDIR/client-1-privkey.pem \
	220	--certificate=$RBAC_PKIDIR/client-1-cert.pem \
	221	--ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
	222	['["mydb",
	223	{"op": "mutate",
	224	"table": "user_colors",
	225	"where": [["name", "==", "chartreuse"]],
	226	"mutations": [["value", "+=", '10']]}
	227	]']], [0], [stdout], [ignore])
	228	cat stdout >> output
c724bd67	229	AT_CHECK([uuidfilt stdout], [0], [[[{"count":1}]]
d6db7b3c LR	230	], [ignore])
	231
	232	# Test 7:
	233	# Attempt to mutate a column in the "user_colors" table. Same as
	234	# previous test, but with a different client ID. This should fail
	235	# the RBAC authorization test because "client-2" does not match the
	236	# "creator" column for this row.
	237	AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
	238	--private-key=$RBAC_PKIDIR/client-2-privkey.pem \
	239	--certificate=$RBAC_PKIDIR/client-2-cert.pem \
	240	--ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
	241	['["mydb",
	242	{"op": "mutate",
	243	"table": "user_colors",
	244	"where": [["name", "==", "chartreuse"]],
	245	"mutations": [["value", "+=", '10']]}
	246	]']], [0], [stdout], [ignore])
	247	cat stdout >> output
c724bd67	248	AT_CHECK([uuidfilt stdout], [0], [[[{"details":"RBAC rules for client \"client-2\" role \"testrole\" prohibit mutate operation on table \"user_colors\".","error":"permission error"}]]
d6db7b3c LR	249	], [ignore])
	250
	251	# Test 8:
	252	# Attempt to delete a row from the "user_colors" table. This should fail
	253	# the RBAC authorization test because "client-2" does not match the
	254	# "creator" column for this row.
	255	AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
	256	--private-key=$RBAC_PKIDIR/client-2-privkey.pem \
	257	--certificate=$RBAC_PKIDIR/client-2-cert.pem \
	258	--ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
	259	['["mydb",
	260	{"op": "delete",
	261	"table": "user_colors",
	262	"where": [["name", "==", "chartreuse"]]}
	263	]']], [0], [stdout], [ignore])
	264	cat stdout >> output
c724bd67	265	AT_CHECK([uuidfilt stdout], [0], [[[{"details":"RBAC rules for client \"client-2\" role \"testrole\" prohibit row deletion from table \"user_colors\".","error":"permission error"}]]
d6db7b3c LR	266	], [ignore])
	267
	268	# Test 9:
	269	# Attempt to delete a row from the "user_colors" table. This should pass
	270	# the RBAC authorization test because "client-1" does matches the
	271	# "creator" column for this row.
	272	AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
	273	--private-key=$RBAC_PKIDIR/client-1-privkey.pem \
	274	--certificate=$RBAC_PKIDIR/client-1-cert.pem \
	275	--ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
	276	['["mydb",
	277	{"op": "delete",
	278	"table": "user_colors",
	279	"where": [["name", "==", "chartreuse"]]}
	280	]']], [0], [stdout], [ignore])
	281	cat stdout >> output
c724bd67	282	AT_CHECK([uuidfilt stdout], [0], [[[{"count":1}]]
d6db7b3c LR	283	], [ignore])
	284
	285	# Test 10:
	286	# Attempt to insert a row into the "other_colors" table. This should
	287	# succeed since role "testrole" has permissions for this table that
	288	# allow row insertion.
	289	AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
	290	--private-key=$RBAC_PKIDIR/client-1-privkey.pem \
	291	--certificate=$RBAC_PKIDIR/client-1-cert.pem \
	292	--ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
	293	['["mydb",
	294	{"op": "insert",
	295	"table": "other_colors",
	296	"row": {"creator": ["map",[["chassis", "client-1"]]], "name": "seafoam", "value": '7466680'}}
	297	]']], [0], [stdout], [ignore])
	298	cat stdout >> output
c724bd67	299	AT_CHECK([uuidfilt stdout], [0], [[[{"uuid":["uuid","<0>"]}]]
d6db7b3c LR	300	], [ignore])
	301
	302	# Test 11:
	303	# Attempt to update a column in the "user_colors" table. This should
	304	# succeed since role "testrole" has permissions for this table that
	305	# allow update of the "value" column when ID is equal to the value in
	306	# the "creator" column.
	307	AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
	308	--private-key=$RBAC_PKIDIR/client-1-privkey.pem \
	309	--certificate=$RBAC_PKIDIR/client-1-cert.pem \
	310	--ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
	311	['["mydb",
	312	{"op": "update",
	313	"table": "other_colors",
	314	"where": [["name", "==", "seafoam"]],
	315	"row": {"value": '8388353'}}
	316	]']], [0], [stdout], [ignore])
	317	cat stdout >> output
c724bd67	318	AT_CHECK([uuidfilt stdout], [0], [[[{"count":1}]]
d6db7b3c LR	319	], [ignore])
	320
	321	# Test 12:
	322	# Attempt to update a column in the "other_colors" table. Same as
	323	# previous test, but with a different client ID. This should fail
	324	# the RBAC authorization test because "client-2" does not match the
	325	# "creator" column for this row.
	326	AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
	327	--private-key=$RBAC_PKIDIR/client-2-privkey.pem \
	328	--certificate=$RBAC_PKIDIR/client-2-cert.pem \
	329	--ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
	330	['["mydb",
	331	{"op": "update",
	332	"table": "other_colors",
	333	"where": [["name", "==", "seafoam"]],
	334	"row": {"value": '8388354'}}
	335	]']], [0], [stdout], [ignore])
	336	cat stdout >> output
c724bd67	337	AT_CHECK([uuidfilt stdout], [0], [[[{"details":"RBAC rules for client \"client-2\" role \"testrole\" prohibit modification of table \"other_colors\".","error":"permission error"}]]
d6db7b3c LR	338	], [ignore])
	339
	340	# Test 13:
	341	# Attempt to delete a row from the "other_colors" table. This should fail
	342	# the RBAC authorization test because "client-2" does not match the
	343	# "creator" column for this row.
	344	AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
	345	--private-key=$RBAC_PKIDIR/client-2-privkey.pem \
	346	--certificate=$RBAC_PKIDIR/client-2-cert.pem \
	347	--ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
	348	['["mydb",
	349	{"op": "delete",
	350	"table": "other_colors",
	351	"where": [["name", "==", "seafoam"]]}
	352	]']], [0], [stdout], [ignore])
	353	cat stdout >> output
c724bd67	354	AT_CHECK([uuidfilt stdout], [0], [[[{"details":"RBAC rules for client \"client-2\" role \"testrole\" prohibit row deletion from table \"other_colors\".","error":"permission error"}]]
d6db7b3c LR	355	], [ignore])
	356
	357	# Test 14:
	358	# Attempt to delete a row from the "other_colors" table. This should pass
	359	# the RBAC authorization test because "client-1" does matches the
	360	# "creator" column for this row.
	361	AT_CHECK([ovsdb-client transact ssl:127.0.0.1:$SSL_PORT \
	362	--private-key=$RBAC_PKIDIR/client-1-privkey.pem \
	363	--certificate=$RBAC_PKIDIR/client-1-cert.pem \
	364	--ca-cert=$RBAC_PKIDIR/pki/switchca/cacert.pem \
	365	['["mydb",
	366	{"op": "delete",
	367	"table": "other_colors",
	368	"where": [["name", "==", "seafoam"]]}
	369	]']], [0], [stdout], [ignore])
	370	cat stdout >> output
c724bd67	371	AT_CHECK([uuidfilt stdout], [0], [[[{"count":1}]]
d6db7b3c LR	372	], [ignore])
	373
	374	OVSDB_SERVER_SHUTDOWN
	375	AT_CLEANUP