matthew/sonic-buildimage
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[yang] Restrict AAA authorization with TACPLUS passkey (#18155)

Browse Source 
### Why I did it
Command cannot be executed when tacacs+ in AAA authorization is set and passkey in TACPLUs is not set. There should be such restriction in YANG model definition.
##### Work item tracking
- Microsoft ADO **(number only)**: 26898399

#### How I did it
Add restirction
#### How to verify it
unit test
This commit is contained in:
jingwenxie 2024-02-27 09:34:32 +08:00 committed by GitHub
parent 4783a6cafc
commit 6224d672ba
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 31 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/sonic-yang-models/tests/yang_model_tests/tests/aaa.json
View File

@ -18,6 +18,10 @@
"AAA_AUTHORIZATION_TEST": { "AAA_AUTHORIZATION_TEST": {
"desc": "Configure an authorization type in AAA table." "desc": "Configure an authorization type in AAA table."
}, },
"AAA_AUTHORIZATION_TEST_TACACS_WITHOUT_TACPLUS": {
"desc": "Configure tacacs in authorization type in AAA table without TACPLUS table.",
"eStr": ["Authorization with 'tacacs+' is not allowed when passkey not exists."]
},
"AAA_ACCOUNTING_TEST": { "AAA_ACCOUNTING_TEST": {
"desc": "Configure an accounting type in AAA table." "desc": "Configure an accounting type in AAA table."
} }

19
src/sonic-yang-models/tests/yang_model_tests/tests_config/aaa.json
View File

@ -46,6 +46,25 @@
}, },
"AAA_AUTHORIZATION_TEST": { "AAA_AUTHORIZATION_TEST": {
"sonic-system-aaa:sonic-system-aaa": {
"sonic-system-aaa:AAA": {
"AAA_LIST": [{
"type": "authorization",
"login": "tacacs+"
}]
}
},
"sonic-system-tacacs:sonic-system-tacacs": {
"sonic-system-tacacs:TACPLUS": {
"global": {
"timeout": 5,
"passkey": "aabb"
}
}
}
},
"AAA_AUTHORIZATION_TEST_TACACS_WITHOUT_TACPLUS": {
"sonic-system-aaa:sonic-system-aaa": { "sonic-system-aaa:sonic-system-aaa": {
"sonic-system-aaa:AAA": { "sonic-system-aaa:AAA": {
"AAA_LIST": [{ "AAA_LIST": [{

8
src/sonic-yang-models/yang-models/sonic-system-aaa.yang
View File

@ -7,6 +7,10 @@ module sonic-system-aaa {
prefix stypes; prefix stypes;
} }
import sonic-system-tacacs{
prefix tacacs;
}
revision 2021-10-12 { revision 2021-10-12 {
description "Add AAA authorization/accounting support."; description "Add AAA authorization/accounting support.";
} }
@ -39,6 +43,10 @@ module sonic-system-aaa {
default "local"; default "local";
} }
must 'not(./type = "authorization" and contains(./login, "tacacs+") and not(/tacacs:sonic-system-tacacs/tacacs:TACPLUS/tacacs:global/tacacs:passkey))' {
error-message "Authorization with 'tacacs+' is not allowed when passkey not exists.";
}
leaf failthrough { leaf failthrough {
type stypes:boolean_type; type stypes:boolean_type;
description "When set to true, authentication is attempted on next configured server/local in the list upon failure."; description "When set to true, authentication is attempted on next configured server/local in the list upon failure.";