Add sonic-launch-shell to invoke appropriate shell based upon user's … #14466
base: master
Commenter does not have sufficient privileges for PR 14466 in repo sonic-net/sonic-buildimage
/azp run
Commenter does not have sufficient privileges for PR 14466 in repo sonic-net/sonic-buildimage
/azpw run Azure.sonic-buildimage
/AzurePipelines run Azure.sonic-buildimage
Azure Pipelines successfully started running 1 pipeline(s).
@shdasari, I doubt people are using sonic-mgmt framework in this case.
Agreed. sonic-launch-shell is only being packaged as a part of docker-sonic-mgmt-framework. It will be installed on the host at /usr/bin/sonic-launch-shell. sonic-launch-shell is a script that determines whether the user is to be presented with the Linux shell or the sonic-mgmt-framework based sonic-cli shell, based upon user privileges. Hence, it is being packaged as part of the sonic-mgmt-framework package.
if /usr/bin/id -Gn | tr " " "\n" | /bin/grep -qw "^admin$"; then | ||
exec /bin/bash "$@" | ||
else | ||
exec /usr/bin/sonic-cli |
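Review bot: in the `if` condition, `tr` is called by bare name while `id` and `grep` are given absolute paths, so this login wrapper still depends on the inherited PATH for one of its three commands; use `/usr/bin/tr` to match the others. The `else` branch also drops `"$@"`: arguments handed to the wrapper are forwarded to `/bin/bash` for admin users but silently discarded for `sonic-cli`, so either pass them through or reject them explicitly. Minor: after the `tr` split, `grep -qw "^admin$"` can be written as `grep -qx admin`.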
The current sonic-cli does not provide all supported commands, such as the Click commands. Hence, it is not a good idea to launch sonic-cli for a remote user. Instead, bash shall be launched, where the user can perform CRUD operations via Click commands.
Also, for TACACS, bash is being launched now. Hence to maintain consistency across all remote users, we shall retain TACACS shell launch behavior for RADIUS too.
#13141 addressing the proper approach.
Note: as this issue was originally detected on 202211, I suggest having this cherry-picked/backported to 202211 once it is merged. Added labels.
…privilege level.
Why I did it
fixes #11352.
Login to switch via RADIUS authentication fails due to missing sonic-launch-shell script that invokes appropriate shell for the user based upon privilege level.
How I did it
Added sonic-launch-shell script that checks the user's privilege level and loads the appropriate shell for the user.
Admin users will be presented the /bin/bash shell. Operator users (non-admin users) are presented sonic-cli.
Note that sonic-cli invocation currently fails as shown below. Until this is fixed, non-admin users will not get access to the switch.
:
$ sonic-cli$Error: Unresolved PTYPE "MCLAG_KA_INTERVAL_RANGE" in PARAM "KA"
:
How to verify it
Configure Radius Server with admin user.
Configure aaa authentication on Sonic Switch
config aaa authentication login radius local
Config radius server on Sonic Switch
config radius add {RadiusServerIP} -k {RadiusServerPassword}
Try to connect by ssh to Sonic Switch with admin user credentials.
Description for the changelog
Added sonic-launch-shell to invoke appropriate shell for the user post authentication.
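The group test described under "How I did it" depends on matching the exact group name. As an added example (not code from this PR), the sketch below compares a plain word match against the split-and-anchor form on constructed `id -Gn` style strings; the function names and sample group lists are hypothetical.

```shell
#!/bin/sh
# Added example; the group lists below are constructed strings shaped like
# `id -Gn` output, not read from a live system.

# Naive check: word match on the whole space-separated line.
# "-" is not a word character, so the group "admin-ro" satisfies -w admin.
naive_is_admin() {
    printf '%s\n' "$1" | grep -qw 'admin'
}

# Check in the form the reviewed script uses: one group per line, then an
# anchored match, so only the exact group name "admin" passes.
exact_is_admin() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qw '^admin$'
}

# Hypothetical helper: print the shell the dispatcher would exec.
select_shell() {
    if exact_is_admin "$1"; then
        echo /bin/bash
    else
        echo /usr/bin/sonic-cli
    fi
}

# Constructed group lists, one per line.
while IFS= read -r g; do
    if naive_is_admin "$g"; then naive=admin; else naive=operator; fi
    printf '%-20s naive=%-9s shell=%s\n' "$g" "$naive" "$(select_shell "$g")"
done <<'EOF'
users admin docker
netops admin-ro
sysadmin
EOF
```

A member of only `admin-ro` is classed as admin by the naive match but is sent to `/usr/bin/sonic-cli` by the anchored form.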