Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feat(eos_cli_config_gen): add SNMPv3 hashed user passphrases support #1721

Merged
merged 14 commits into from
May 5, 2022
Merged

Feat(eos_cli_config_gen): add SNMPv3 hashed user passphrases support #1721

merged 14 commits into from
May 5, 2022

Conversation

gmuloc
Copy link
Contributor

@gmuloc gmuloc commented Apr 13, 2022

Change Summary

As of now the eos_cli_config_gen module only support the following syntax:

snmp-server user <USER> <GROUP> v3 [auth <AUTH_ALGORITHM> <CLEARTEXT_AUTH_PASSPHRASE> [priv <PRIV_ALGORITHM> <CLEARTEXT_PRIV_PASSPHRASE>]]

(though the documentation indicates "encrypted" passphrases for auth and priv, this is not accurate as the passphrases will be rehashed with the local engineID when configured on the switch.)

This feature request intends to allow the configuration of:

snmp-server user <USER> <GROUP> v3 localized <ENGINE-ID> [auth <AUTH_ALGORITHM> <HASHED_AUTH_PASSPHRASE> [priv <PRIV_ALGORITHM> <HASHED_PRIV_PASSPHRASE>]]

Related Issue(s)

Fixes #1720

Component(s) name

arista.avd.eos_cli_config_gen

Proposed changes

Modification of the snmp-settings.j2 template to:

  • Add the support for local engineID (remote can be added in the future as it is not needed for this feature)
  • Add the capability to detect the presence of the localized keyword that indicate that the engineID is

Documentation template has been updated to indicate the configured Local Engine ID.

README.md updated

CAVEATS:

  • if the snmp_server.engineid.local is not configured the current behavior (which can be changed) is that the template will revert to non localized syntax (the one is use currently in the repo). However passing hashed passphrases to the non localized syntax will eventually fail as the passphrases will be rehashed with the device engineID (the default one if none is configured) at configuration time. This faulty behavior is already allowed in the current AVD version - and the passphrases in this version MUST be passed in cleartext (contrary to what the documentation indicates).

How to test

Run molecule

Checklist

User Checklist

  • N/A

Repository Checklist

  • My code has been rebased from devel before I start
  • I have read the CONTRIBUTING document.
  • My change requires a change to the documentation and documentation have been updated accordingly.
  • I have updated molecule CI testing accordingly. (check the box if not applicable)

@gmuloc
feat(eos_cli_config_gen): add SNMPv3 hashed user passphrases support
fceda85 
* Can now use local engineID
* Can use localized at the user level to indicate that the passphrases
  (auth and priv) have been hashed using the correct engineID
* Behavioral question
* Added tests to verify every single combination of noauth/auth/priv and
  localized or not
* Fixed documentation

Potential gap:
* if using user.localized without setting an engineID, the config
  generation will silently generate the non localized version (expecting
  cleartext passphrases) - maybe could add a warning here.
@gmuloc gmuloc requested a review from a team as a code owner April 13, 2022 15:26
@github-actions github-actions bot added role: eos_cli_config_gen issue related to eos_cli_config_gen role state: CI Updated CI scenario have been updated in the PR state: Documentation role Updated labels Apr 13, 2022
@gmuloc gmuloc changed the title feat(eos_cli_config_gen): add SNMPv3 hashed user passphrases support Feat(eos_cli_config_gen): add SNMPv3 hashed user passphrases support Apr 13, 2022
@gmuloc
Copy link
Contributor Author

gmuloc commented Apr 13, 2022

So the changes are changing some outputs in some molecule:

  • eos_cli_config_gen_v4.0
  • evpn_underlay_ebgp_overlay_ebgp

this is because of the change in documentation - is the process to regenerate all these molecules as well?

@tgodaA
Copy link
Contributor

tgodaA commented Apr 15, 2022

Yes, we need to update molecule on all scenarios.

@gmuloc
Copy link
Contributor Author

gmuloc commented Apr 15, 2022

Yes, we need to update molecule on all scenarios.

this has already been done in the latest commit

@ClausHolbechArista ClausHolbechArista mentioned this pull request Apr 19, 2022
Closed
4 tasks
@gmuloc
Refactor(eos_cli_config_gen): changes as per PR review
f219642 
* change engine_ids/remote to remotes
* change engined_ids/remotes name to id
* change engined_ids/remotes ip to address
* changed snmp users/remote_ip to remote_address
* fix comments in the eos_cli_config_gen/templates/eos/snmp-settings.j2
* update in the eos_cli_config_gen/templates/documentation/snmp-settings.j2 as per PR
* update README
* update molecule tests
@gmuloc
Refactor(eos_cli_config_gen): address PR comments
81d0d63 
* remove redundant check in templates/eos/snmp-settings.j2
* remove extra blank lines in templates/documentation/snmp-settings.j2
ClausHolbechArista
ClausHolbechArista requested changes Apr 26, 2022
View reviewed changes
Copy link
Contributor

@ClausHolbechArista ClausHolbechArista left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor adjustments. I have added them as suggestions, so you can just add them to batch and commit everything on github.

...ble_collections/arista/avd/roles/eos_cli_config_gen/templates/documentation/snmp-settings.j2 Outdated Show resolved Hide resolved
...ble_collections/arista/avd/roles/eos_cli_config_gen/templates/documentation/snmp-settings.j2 Outdated Show resolved Hide resolved
ansible_collections/arista/avd/roles/eos_cli_config_gen/templates/eos/snmp-settings.j2 Outdated Show resolved Hide resolved
gmuloc and others added 2 commits April 26, 2022 09:17
ClausHolbechArista
ClausHolbechArista approved these changes Apr 29, 2022
View reviewed changes
Copy link
Contributor

@ClausHolbechArista ClausHolbechArista left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@ClausHolbechArista ClausHolbechArista requested a review from a team April 29, 2022 06:37
gmuloc added 2 commits May 5, 2022 10:49
@gmuloc
Refactor(eos_cli_config_gen): address PR comments
c61a518 
* Rename port to udp_port
* Fix engine_id description (engine_name -> engine_id)
* Move remote engineIDs after contact and location to match CLI
* Move the
* Simplify documentation/snmp-settings.j2 as per PR
* Fix documentation/snmp-settings.j2 engineIDs table
* Fix the test input variables to accommodate the changes
* Run the test suite to update the expected output

Did not:
* update udp port descirption
* change the README.md info for remote engineIDs address
@gmuloc
Refactor(eos_cli_config_gen): fix engineID fields description in README
82f1c1d
tgodaA
tgodaA approved these changes May 5, 2022
View reviewed changes
Copy link
Contributor

@tgodaA tgodaA left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@tgodaA tgodaA merged commit 7af7a26 into aristanetworks:devel May 5, 2022
@gmuloc gmuloc deleted the feature-snmpv3 branch November 21, 2022 12:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ccsnw ccsnw ccsnw left review comments

@tgodaA tgodaA tgodaA approved these changes

@ClausHolbechArista ClausHolbechArista ClausHolbechArista approved these changes

Assignees

@gmuloc gmuloc

Labels
role: eos_cli_config_gen issue related to eos_cli_config_gen role state: CI Updated CI scenario have been updated in the PR state: Documentation role Updated
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

(eos_cli_config_gen): Add support for SNMPv3 user localized syntax
4 participants
@gmuloc @tgodaA @ClausHolbechArista @ccsnw