Add Host Account Management (HAM) project #5553

Open
wants to merge 4 commits into
base: master

martin-belanger

- Dependencies
It wasn't clear how to put a dependency between two pull requests, hence I added this section.
This pull request depends on sonic-swss-common #390 being merged first.

- Why I did it
As described in AAA Improvements, there is a need for a central location to manage user accounts. The solution is "Host Account Management" or HAM, which acts as the single source of truth for user accounts. Some of the features of HAM include:

  • Automatically assign Linux user credentials (UID, GID) to RADIUS/TACACS+ user accounts.
  • Allow applications running in containers to retrieve Linux user credentials (UID, GID) from the host.
  • Allow applications running in containers (such as a REST server) to create/modify/delete local user accounts on the host. This is only allowed for users with admin privileges.
  • Fixes several problems related to RADIUS/TACACS+ login (for the full list refer to the document cited above).

- How I did it
Not sure what "How I did it" means. I wrote C/C++ code?
For a description of how to use HAM, refer to the src/ham/README.md.

- How to verify it
This pull request adds a new building block called HAM. In this pull request we do not hook HAM up to any other components in SONiC. In a second phase, we will hook up RADIUS/TACACS+ to use HAM. In a third phase, the sonic-management-framework will also use HAM. Since HAM is not hooked up to anything in this first phase, the only way to verify that things are in place is through the debug utility "hamctl". This can be invoked at the bash shell.

- Which release branch to backport (provide reason below if selected)
No backport needed. This is a new feature.

- Description for the changelog
New Host Account Management feature. A detailed description of HAM can be found in: https://github.com/Azure/SONiC/blob/master/doc/aaa/AAA%20Improvements/AAA%20Improvements.md

@renukamanavalan
Contributor

The new guideline, as I understand it, is to associate tests with all new code to be checked in. This is indeed a large amount of new code for a new feature.

What is the plan for tests?

@martin-belanger
Author

Hi @renukamanavalan,

Agreed, tests for HAM need to be added. I will find some time to add a test framework for HAM (hopefully soon). By the way, are there any test guidelines? I assume tests are run in a VM? In other words, if a test fails in such a way that it leaves the system in a wonky state, it's only the test VM that will be affected. Any pointers would be greatly appreciated.

NOTE: Currently, hamd is not used by anything. In other words, the risk level is very low. Regardless, I will start working on tests as soon as I can.

Regards,
Martin

Martin Belanger added 2 commits November 4, 2020 15:17
…n add that on a second merge request. We just want to run more tests first.
$(HAM)_DEPENDS = $(LIBSWSSCOMMON_DEV)
$(HAM)_RDEPENDS = $(LIBSWSSCOMMON)

SONIC_DPKG_DEBS += $(HAM)
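
Review bot: `$(HAM)_DEPENDS` and `$(HAM)_RDEPENDS` bind this package to libswsscommon at build and run time, but nothing in these lines records that the description requires sonic-swss-common #390 to be merged first. Suggest a comment above `$(HAM)_DEPENDS = $(LIBSWSSCOMMON_DEV)` naming that prerequisite, so a build against an older libswsscommon is easy to diagnose.
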
Contributor

Can we make this conditional include using a build time flag?

@davidpil2002
Contributor

davidpil2002 commented Jan 16, 2023

Hi,
A few questions:
1. Is this AAA enhancement going to create some backward compatibility with the existing SONiC commands?
2. Is this flow going to affect the existing hostcfgd flow?
3. Is there an estimated time when the feature will be merged, or which branch will support this feature?
@martin-belanger @lguohan
Thanks
