From 07cd4fff2900f1202f91ada2f9404903fec6f36a Mon Sep 17 00:00:00 2001
From: jingwenxie
Date: Tue, 14 May 2024 08:08:11 +0800
Subject: [PATCH] [YANG] Align to authentication check with load_minigraph to cover more scenarios (#18908)
#### Why I did it
This will cover more cases for those only have authentication enabled with tacacs but not authorization enabled. Also, make it algin with the check in load_minigraph
#### How I did it
Change to authentication
#### How to verify it
unit test
---
 .../tests/yang_model_tests/tests/aaa.json | 10 +++++-----
 .../tests/yang_model_tests/tests_config/aaa.json | 10 +++++-----
 .../yang-models/sonic-system-aaa.yang | 4 ++--
 3 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests/aaa.json b/src/sonic-yang-models/tests/yang_model_tests/tests/aaa.json
index e1cf51385ac4..9b02a303e274 100644
--- a/src/sonic-yang-models/tests/yang_model_tests/tests/aaa.json
+++ b/src/sonic-yang-models/tests/yang_model_tests/tests/aaa.json
@@ -15,12 +15,12 @@
 "eStrKey": "Pattern",
 "eStr": ["false|true|False|True"]
 },
- "AAA_AUTHORIZATION_TEST": {
- "desc": "Configure an authorization type in AAA table."
+ "AAA_AUTHENTICATION_TEST": {
+ "desc": "Configure an authentication type in AAA table."
 },
- "AAA_AUTHORIZATION_TEST_TACACS_WITHOUT_TACPLUS": {
- "desc": "Configure tacacs in authorization type in AAA table without TACPLUS table.",
- "eStr": ["Authorization with 'tacacs+' is not allowed when passkey not exists."]
+ "AAA_AUTHENTICATION_TEST_TACACS_WITHOUT_TACPLUS": {
+ "desc": "Configure tacacs in authentication type in AAA table without TACPLUS table.",
+ "eStr": ["Authentication with 'tacacs+' is not allowed when passkey not exists."]
 },
 "AAA_ACCOUNTING_TEST": {
 "desc": "Configure an accounting type in AAA table."
diff --git a/src/sonic-yang-models/tests/yang_model_tests/tests_config/aaa.json b/src/sonic-yang-models/tests/yang_model_tests/tests_config/aaa.json
index 0be9b4b1f500..ec7f4e961024 100644
--- a/src/sonic-yang-models/tests/yang_model_tests/tests_config/aaa.json
+++ b/src/sonic-yang-models/tests/yang_model_tests/tests_config/aaa.json
@@ -4,7 +4,7 @@
 "sonic-system-aaa:AAA": {
 "AAA_LIST": [{
 "type": "authentication",
- "login": "tacacs+,local",
+ "login": "local",
 "failthrough": "True",
 "fallback": "True",
 "trace": "True",
@@ -45,11 +45,11 @@
 }
 },
- "AAA_AUTHORIZATION_TEST": {
+ "AAA_AUTHENTICATION_TEST": {
 "sonic-system-aaa:sonic-system-aaa": {
 "sonic-system-aaa:AAA": {
 "AAA_LIST": [{
- "type": "authorization",
+ "type": "authentication",
 "login": "tacacs+"
 }]
 }
@@ -64,11 +64,11 @@
 }
 },
- "AAA_AUTHORIZATION_TEST_TACACS_WITHOUT_TACPLUS": {
+ "AAA_AUTHENTICATION_TEST_TACACS_WITHOUT_TACPLUS": {
 "sonic-system-aaa:sonic-system-aaa": {
 "sonic-system-aaa:AAA": {
 "AAA_LIST": [{
- "type": "authorization",
+ "type": "authentication",
 "login": "tacacs+"
 }]
 }
diff --git a/src/sonic-yang-models/yang-models/sonic-system-aaa.yang b/src/sonic-yang-models/yang-models/sonic-system-aaa.yang
index 61fc9ab61841..360ff9195a54 100644
--- a/src/sonic-yang-models/yang-models/sonic-system-aaa.yang
+++ b/src/sonic-yang-models/yang-models/sonic-system-aaa.yang
@@ -43,8 +43,8 @@ module sonic-system-aaa {
 default "local";
 }
- must 'not(./type = "authorization" and contains(./login, "tacacs+") and not(/tacacs:sonic-system-tacacs/tacacs:TACPLUS/tacacs:global/tacacs:passkey))' {
- error-message "Authorization with 'tacacs+' is not allowed when passkey not exists.";
+ must 'not(./type = "authentication" and contains(./login, "tacacs+") and not(/tacacs:sonic-system-tacacs/tacacs:TACPLUS/tacacs:global/tacacs:passkey))' {
+ error-message "Authentication with 'tacacs+' is not allowed when passkey not exists.";
 }
 leaf failthrough {
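Review bot: After the baseline fixture's `"login"` changes from `"tacacs+,local"` to `"local"` in the hunk at -4,7, no authentication case visible in this patch uses a comma-separated login that includes `tacacs+`; the hunks at -45 and -64 both use the bare `"login": "tacacs+"`. The new `must` in sonic-system-aaa.yang depends on `contains(./login, "tacacs+")`, so a negative case with `"login": "tacacs+,local"` and no passkey, and a positive one with a passkey present, would pin the substring match for list-valued logins. The fixture objects continue outside these hunks, so such a case may already exist out of view.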
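Review bot: The rewritten `must` tests only `./type = "authentication"`, so an `authorization` entry whose login contains `tacacs+` is no longer rejected when the passkey is missing, which the removed constraint did reject. If the aim is to cover more scenarios rather than swap one for the other, keep both types in the condition: `must 'not((./type = "authentication" or ./type = "authorization") and contains(./login, "tacacs+") and not(/tacacs:sonic-system-tacacs/tacacs:TACPLUS/tacacs:global/tacacs:passkey))'`, with a type-neutral `error-message` and the matching `eStr` in tests/aaa.json updated. The condition also looks only at the global passkey; if the TACACS model allows a key per server (not visible here), an authentication setup that relies on per-server keys would now fail validation, which is worth confirming before merge. The enclosing list definition starts and ends outside the hunk.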