SONiC yang models for AAA and TACACS features (#7671)

Signed-off-by: Arthi Sivanantham arthi_sivanantham@dell.com

Why I did it
SONiC YANG model support for AAA and TACACS features.

How I did it
Defined various AAA and TACACS YANG containers and lists based on config-DB schema.

How to verify it
Successful build of the following packages:
make target/python-wheels/sonic_yang_models-1.0-py3-none-any.whl
make target/python-wheels/sonic_yang_mgmt-1.0-py3-none-any.whl
ArthiSivanantham 2021-06-21 13:55:43 -07:00 committed by GitHub
parent c88c3c7ba5
commit ec1667271b
8 changed files with 446 additions and 0 deletions


@ -64,6 +64,8 @@ setup(
'./yang-models/sonic-route-common.yang',
'./yang-models/sonic-route-map.yang',
'./yang-models/sonic-routing-policy-sets.yang',
'./yang-models/sonic-system-aaa.yang',
'./yang-models/sonic-system-tacacs.yang',
'./yang-models/sonic-types.yang',
'./yang-models/sonic-versions.yang',
'./yang-models/sonic-vlan.yang',


@ -792,6 +792,22 @@
"polling_interval": "0"
}
},
"AAA": {
"authentication": {
"login": "local"
}
},
"TACPLUS": {
"global": {
"auth_type": "pap",
"timeout": "5"
}
},
"TACPLUS_SERVER": {
"192.168.1.1": {
"timeout": "10"
}
},
"NAT_BINDINGS": {
"bind1": {
@ -899,4 +915,5 @@
"Error": "This Table is for testing, This Table does not have YANG models."
}
}
}


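--- /dev/null
+++ b/<path-not-shown: AAA test-spec JSON>
@@ -0,0 +1,13 @@
+{
+"AAA_TEST": {
+"desc": "Configure an authentication type in AAA table."
+},
+"AAA_TEST_WRONG_TYPE": {
+"desc": "Configure a wrong type in AAA table.",
+"eStrKey": "InvalidValue"
+},
+"AAA_TEST_WRONG_FAILTHROUGH": {
+"desc": "Configure a wrong failthrough in AAA table.",
+"eStrKey": "InvalidValue"
+}
+}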


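--- /dev/null
+++ b/<path-not-shown: TACPLUS test-spec JSON>
@@ -0,0 +1,32 @@
+{
+"TACPLUS_TEST": {
+"desc": "Tacplus global configuration in TACPLUS table."
+},
+"TACPLUS_INVALID_TIMEOUT_TEST": {
+"desc": "Tacplus global configuration with invalid timeout value in TACPLUS table.",
+"eStr": "TACACS timeout must be 1..60"
+},
+"TACPLUS_NOT_PRESENT_SRC_INTF_TEST": {
+"desc": "Tacplus global configuration with a non existent port in TACPLUS table.",
+"eStrKey": "InvalidValue"
+},
+"TACPLUS_SERVER_TEST" : {
+"desc": "Tacplus server configuration in TACPLUS_SERVER table."
+},
+"TACPLUS_SERVER_INVALID_PRIORITY_TEST": {
+"desc": "Tacplus server configuration with invalid priority value in TACPLUS_SERVER table.",
+"eStr": "TACACS server priority must be 1..64"
+},
+"TACPLUS_SERVER_INVALID_TIMEOUT_TEST" : {
+"desc": "Tacplus server configuration with invalid timeout value in TACPLUS_SERVER table.",
+"eStr": "TACACS server timeout must be 1..60"
+},
+"TACPLUS_SERVER_INVALID_AUTH_TYPE_TEST" : {
+"desc": "Tacplus server configuration with invalid auth type in TACPLUS_SERVER table.",
+"eStrKey": "InvalidValue"
+},
+"TACPLUS_SERVER_INVALID_VRF_TEST" : {
+"desc": "Tacplus server configuration with invalid VRF in TACPLUS_SERVER table.",
+"eStr": "Invalid VRF name"
+}
+}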


@ -0,0 +1,35 @@
{
"AAA_TEST": {
"sonic-system-aaa:sonic-system-aaa": {
"sonic-system-aaa:AAA": {
"AAA_LIST": [{
"type": "authentication",
"login": "tacacs+,local",
"failthrough": "true",
"debug": "true"
}]
}
}
},
"AAA_TEST_WRONG_TYPE": {
"sonic-system-aaa:sonic-system-aaa": {
"sonic-system-aaa:AAA": {
"AAA_LIST": [{
"type": "authorization"
}]
}
}
},
"AAA_TEST_WRONG_FAILTHROUGH": {
"sonic-system-aaa:sonic-system-aaa": {
"sonic-system-aaa:AAA": {
"AAA_LIST": [{
"type": "authentication",
"failthrough": "enable"
}]
}
}
}
}


@ -0,0 +1,131 @@
{
"TACPLUS_TEST": {
"sonic-port:sonic-port": {
"sonic-port:PORT": {
"PORT_LIST": [
{
"admin_status": "up",
"alias": "eth8",
"description": "Ethernet8",
"lanes": "65",
"mtu": 9000,
"name": "Ethernet0",
"speed": 25000
}
]
}
},
"sonic-system-tacacs:sonic-system-tacacs": {
"sonic-system-tacacs:TACPLUS": {
"global": {
"auth_type": "chap",
"timeout": 5,
"passkey": "dellsonic",
"src_intf": "Ethernet0"
}
}
}
},
"TACPLUS_INVALID_TIMEOUT_TEST": {
"sonic-system-tacacs:sonic-system-tacacs": {
"sonic-system-tacacs:TACPLUS": {
"global": {
"auth_type": "chap",
"timeout": 70
}
}
}
},
"TACPLUS_NOT_PRESENT_SRC_INTF_TEST": {
"sonic-system-tacacs:sonic-system-tacacs": {
"sonic-system-tacacs:TACPLUS": {
"global": {
"auth_type": "chap",
"timeout": 5,
"passkey": "dellsonic",
"src_intf": "Ethernet0"
}
}
}
},
"TACPLUS_SERVER_TEST": {
"sonic-system-tacacs:sonic-system-tacacs": {
"sonic-system-tacacs:TACPLUS_SERVER": {
"TACPLUS_SERVER_LIST": [
{
"ipaddress": "192.168.1.1",
"priority": 5,
"tcp_port": 50,
"timeout": 10,
"auth_type": "chap",
"passkey": "dellsonic",
"vrf": "default"
},
{
"ipaddress": "tacserver1",
"priority": 2,
"tcp_port": 51,
"timeout": 15,
"auth_type": "pap",
"passkey": "dellsonic1",
"vrf": "mgmt"
}
]
}
}
},
"TACPLUS_SERVER_INVALID_PRIORITY_TEST": {
"sonic-system-tacacs:sonic-system-tacacs": {
"sonic-system-tacacs:TACPLUS_SERVER": {
"TACPLUS_SERVER_LIST": [
{
"ipaddress": "192.168.1.1",
"priority": 70
}
]
}
}
},
"TACPLUS_SERVER_INVALID_TIMEOUT_TEST": {
"sonic-system-tacacs:sonic-system-tacacs": {
"sonic-system-tacacs:TACPLUS_SERVER": {
"TACPLUS_SERVER_LIST": [
{
"ipaddress": "192.168.1.1",
"timeout": 70
}
]
}
}
},
"TACPLUS_SERVER_INVALID_AUTH_TYPE_TEST": {
"sonic-system-tacacs:sonic-system-tacacs": {
"sonic-system-tacacs:TACPLUS_SERVER": {
"TACPLUS_SERVER_LIST": [
{
"ipaddress": "192.168.1.1",
"auth_type": "123"
}
]
}
}
},
"TACPLUS_SERVER_INVALID_VRF_TEST": {
"sonic-system-tacacs:sonic-system-tacacs": {
"sonic-system-tacacs:TACPLUS_SERVER": {
"TACPLUS_SERVER_LIST": [
{
"ipaddress": "192.168.1.1",
"vrf": "Vrf1"
}
]
}
}
}
}


@ -0,0 +1,44 @@
module sonic-system-aaa {
namespace "http://github.com/Azure/sonic-system-aaa";
prefix ssys;
yang-version 1.1;
revision 2021-04-15 {
description "Initial revision.";
}
container sonic-system-aaa {
container AAA {
list AAA_LIST {
key "type";
leaf type {
type enumeration {
enum authentication;
}
description "AAA type authentication";
}
leaf login {
type string;
description "AAA authentication methods - local/tacacs+";
default "local";
}
leaf failthrough {
type boolean;
description "When set to true, authentication is attempted on next configured server/local in the list upon failure.";
default false;
}
leaf debug {
type boolean;
description "Enable/disable AAA debugging";
default false;
}
}
}
}
}
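Review bot: `leaf login` is a bare `type string;` with no constraint, yet its description and the AAA_TEST fixture treat it as a comma-separated list of `local`/`tacacs+`, so a misspelt method such as `tacacs` or `locl` passes YANG validation and only surfaces when the AAA daemon reads CONFIG_DB; `type string { pattern '(local|tacacs\+)(,(local|tacacs\+))*'; }` would reject it at validation time, which is the point of having the model. The module also declares `prefix ssys;`, the same prefix sonic-system-tacacs.yang in this commit uses, so any model that imports both must rename one of them; a distinct prefix (e.g. `saaa`) avoids that. Neither `container sonic-system-aaa` nor `container AAA` carries a `description`, and `enum authentication;` being the only allowed `type` is not explained; a one-line description on `container AAA` naming the CONFIG_DB table it models would help the next reader.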


@ -0,0 +1,172 @@
module sonic-system-tacacs {
namespace "http://github.com/Azure/sonic-system-tacacs";
prefix ssys;
yang-version 1.1;
import ietf-inet-types {
prefix inet;
}
import sonic-port {
prefix port;
}
import sonic-portchannel {
prefix lag;
}
/*
import sonic-vlan {
prefix vlan;
}
*/
import sonic-loopback-interface {
prefix loopback;
}
import sonic-interface {
prefix interface;
}
import sonic-mgmt_port {
prefix mgmt-port;
}
revision 2021-04-15 {
description "Initial revision.";
}
typedef auth_type_enumeration {
type enumeration {
enum pap;
enum chap;
enum mschap;
enum login;
}
}
container sonic-system-tacacs {
container TACPLUS_SERVER {
list TACPLUS_SERVER_LIST {
max-elements 8;
key "ipaddress";
leaf ipaddress {
type inet:host;
description
"TACACS+ server's Domain name or IP address (IPv4 or IPv6)";
}
leaf priority {
default 1;
type uint8 {
range "1..64" {
error-message "TACACS server priority must be 1..64";
}
}
description "Server priority";
}
leaf tcp_port {
type inet:port-number;
default 49;
description "TCP port to communite with TACACS+ server";
}
leaf timeout {
default 5;
type uint16 {
range "1..60" {
error-message "TACACS server timeout must be 1..60";
}
}
description "TACACS+ server timeout";
}
leaf auth_type {
type auth_type_enumeration;
default pap;
description "Authentication type";
}
leaf passkey {
type string {
length "1..65";
pattern "[^ #,]*" {
error-message 'TACACS shared secret (Valid chars are ASCII printable except SPACE, "#", and ",")';
}
}
}
leaf vrf {
type string {
pattern "mgmt|default" {
error-message "Error: Invalid VRF name";
}
}
description
"VRF name";
}
}
}
container TACPLUS {
container global {
leaf auth_type {
type auth_type_enumeration;
default pap;
}
leaf timeout {
type uint16 {
range "1..60" {
error-message "TACACS timeout must be 1..60";
}
}
default 5;
}
leaf passkey {
type string {
length "1..65";
pattern "[^ #,]*" {
error-message 'TACACS shared secret (Valid chars are ASCII printable except SPACE, "#", and ",")';
}
}
description "Shared secret used for encrypting the communication";
}
leaf src_intf {
type union {
type leafref {
path "/port:sonic-port/port:PORT/port:PORT_LIST/port:name";
}
type leafref {
path "/lag:sonic-portchannel/lag:PORTCHANNEL/lag:PORTCHANNEL_LIST/lag:name";
}
/*
type leafref {
path "/vlan:sonic-vlan/vlan:VLAN/vlan:VLAN_LIST/vlan:name";
}
*/
type string {
pattern 'Vlan([0-9]{1,3}|[1-3][0-9]{3}|[4][0][0-8][0-9]|[4][0][9][0-4])';
}
type leafref {
path "/loopback:sonic-loopback-interface/loopback:LOOPBACK_INTERFACE/loopback:LOOPBACK_INTERFACE_LIST/loopback:name";
}
type leafref {
path "/mgmt-port:sonic-mgmt_port/mgmt-port:MGMT_PORT/mgmt-port:MGMT_PORT_LIST/mgmt-port:name";
}
}
description "Source IP to use from source interface for TACACS+ server communication.";
}
}
}
}
}
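Review bot: The `passkey` pattern `[^ #,]*` under both TACPLUS_SERVER and TACPLUS/global enforces less than its error-message claims: it rejects only space, `#` and `,`, so control characters and non-ASCII bytes are accepted as the shared secret although the message says "ASCII printable"; a class such as `pattern '[!"$-+\--~]*'` (0x21–0x7E minus `#` and `,`) would make the check match the message. The server-level `passkey` also has no `description`, unlike the global one; adding `description "Shared secret used for encrypting the communication";` keeps the two leaves consistent. Because the VLAN leafref is commented out and replaced by a name-shape string pattern, `src_intf` set to a VLAN is accepted whether or not that VLAN exists, whereas the port, portchannel, loopback and mgmt-port branches are existence-checked; a comment on the union stating that asymmetry (or restoring the leafref once the sonic-vlan import is usable) would stop it being mistaken for a full check. Minor: `description "TCP port to communite with TACACS+ server";` should read `communicate`.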