[tacacs] Support privilege level 0 #1442
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
@liuqu, could you kindly help review? |
liuqu
suggested changes
Mar 2, 2018
| @@ -463,7 +463,7 @@ index 79e62b9..ecfa0b0 100644 | |||
| +{ | |||
| + char *token; | |||
| + char delim[] = ";\n\r"; | |||
| + int priv = 0; | |||
| + int priv = -1; | |||
There was a problem hiding this comment.
The default value of “priv_level” in function got_tacacs_user() also need to be changed
There was a problem hiding this comment.
TACACS priv-level 0 is seldom used and defined as non-privilege in general. Any scenarios need to support it?
There was a problem hiding this comment.
does non-privilege mean normal user?
There was a problem hiding this comment.
privilege level 0 = seldom used, but includes 5 commands: disable, enable, exit, help, and logout
it is still valid, we should still enable it.
There was a problem hiding this comment.
Why do we need to modify default value in got_tacacs_user()? I think current behavior is that to treat user as least privileged (0) if search fails?
There was a problem hiding this comment.
The original design is that the priv-lvl for the user configuration on the TACACS + server should be set as a valid value(1-15) explicitly. If priv-lvl search fails, it will be set as privileged(0) and not allowed to login in.
If priv-lvl(0) is treated as valid value, the default value should be set as invalid value. Unless we don't care priv-lvl.
There was a problem hiding this comment.
I think non-privilege means the user has less command privilege. There is no authorization for current SONiC cli, so the original design is to filter non-privilege user to avoid unsafe operation. Maybe it's too hard-coded to limit user's configuration.
lguohan
approved these changes
Mar 3, 2018
|
@taoyl-ms , do we still need this? |
abdosi
added a commit
that referenced
this pull request
Sep 19, 2020
Avoid adding loopback interface (ip link add) when setting nat zone on loopback interface (#1434) [acl] Remove Ethertype from L3V6 qualifiers (#1433) Sflow fixes during DEL processing (#1427) Fix #3971 by skipping create-only SAI attributes when modifying buffer pools or profiles in orchagent (#1430) Fix issue: bufferorch only pass the first attribute to sai when setting attribute (#1442) Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>
abdosi
added a commit
to abdosi/sonic-buildimage
that referenced
this pull request
Sep 29, 2020
be51ebc Add IPv6 key item support to request parser (sonic-net#1449) 76e2251 When teamd feature state is disabled the Netdevice created by teamd were (sonic-net#1450) 6aa97ce Use .clear() after std::move() (sonic-net#1444) d5757db Add libzmq to README dependencies (sonic-net#1447) c7b262e Add libzmq to Makefiles (sonic-net#1443) 0b2e59a [drop counters] Clarify log messages for initial counter setup (sonic-net#1445) 003cf24 [dvs] Refactor and add buffer pool wm test (sonic-net#1446) 2f5d2d9 [acl] Remove Ethertype from L3V6 qualifiers (sonic-net#1433) f7b974f Fix issue: bufferorch only pass the first attribute to sai when setting attribute (sonic-net#1442) Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>
lguohan
pushed a commit
that referenced
this pull request
Oct 2, 2020
be51ebc Add IPv6 key item support to request parser (#1449) 76e2251 When teamd feature state is disabled the Netdevice created by teamd were (#1450) 6aa97ce Use .clear() after std::move() (#1444) d5757db Add libzmq to README dependencies (#1447) c7b262e Add libzmq to Makefiles (#1443) 0b2e59a [drop counters] Clarify log messages for initial counter setup (#1445) 003cf24 [dvs] Refactor and add buffer pool wm test (#1446) 2f5d2d9 [acl] Remove Ethertype from L3V6 qualifiers (#1433) f7b974f Fix issue: bufferorch only pass the first attribute to sai when setting attribute (#1442) Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>
raphaelt-nvidia
pushed a commit
to raphaelt-nvidia/sonic-buildimage
that referenced
this pull request
Jan 14, 2021
…ng attribute (sonic-net#1442) Signed-off-by: Stephen Sun <stephens@nvidia.com>
santhosh-kt
pushed a commit
to santhosh-kt/sonic-buildimage
that referenced
this pull request
Feb 25, 2021
be51ebc Add IPv6 key item support to request parser (sonic-net#1449) 76e2251 When teamd feature state is disabled the Netdevice created by teamd were (sonic-net#1450) 6aa97ce Use .clear() after std::move() (sonic-net#1444) d5757db Add libzmq to README dependencies (sonic-net#1447) c7b262e Add libzmq to Makefiles (sonic-net#1443) 0b2e59a [drop counters] Clarify log messages for initial counter setup (sonic-net#1445) 003cf24 [dvs] Refactor and add buffer pool wm test (sonic-net#1446) 2f5d2d9 [acl] Remove Ethertype from L3V6 qualifiers (sonic-net#1433) f7b974f Fix issue: bufferorch only pass the first attribute to sai when setting attribute (sonic-net#1442) Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>
theasianpianist
pushed a commit
to theasianpianist/sonic-buildimage
that referenced
this pull request
Feb 5, 2022
…ng attribute (sonic-net#1442) Signed-off-by: Stephen Sun <stephens@nvidia.com>
mssonicbld
added a commit
that referenced
this pull request
Oct 31, 2024
…tically (#20540) #### Why I did it src/sonic-sairedis ``` * e394ced7 - (HEAD -> master, origin/master, origin/HEAD) Fix compilation on Buster (#1449) (11 hours ago) [Saikrishna Arcot] * 4d504ff8 - Rename file name to fit case insensitive file system. (#1444) (2 days ago) [Liu Shilong] * fe650bb7 - [syncd] Add workaround for port error status notification (#1430) (6 days ago) [Kamil Cudnik] * cd2773a3 - [syncd] Fix inspect asic command (#1434) (7 days ago) [Kamil Cudnik] * 2d873766 - [syncd] Make sure notification queue release memory when drained (#1427) (8 days ago) [Kamil Cudnik] * b8a8856a - Fix adding flex counter to wrong context (#1421) (8 days ago) [byu343] * 40979e0b - [fastboot] Notify SAI that fastboot is done (#1396) (8 days ago) [Junchao-Mellanox] * 952ee406 - [codeql] Change pull_request_target to pull_request (#1442) (9 days ago) [Kamil Cudnik] * 697d86b5 - [syncd] Create neighbor entries before next hop (#1432) (9 days ago) [Kamil Cudnik] * fa76ca13 - [codeql] Remove git ancestry (#1441) (10 days ago) [Kamil Cudnik] * 3838d7ee - [codeql] Show git ancestry graph (#1440) (10 days ago) [Kamil Cudnik] * 2e7d946b - [codeql] Show gcc version before compile (#1438) (10 days ago) [Kamil Cudnik] * a1e93f58 - [submodule] Update SAI to latest master (#1431) (2 weeks ago) [Kamil Cudnik] ``` #### How I did it #### How to verify it #### Description for the changelog
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
- What I did
To support tacacs user privilege level 0 by setting
MIN_TACACS_USER_PRIV = 0in tacacs-nss patch.