Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[TACACS] Stop authorization after user being rejected by server. #14249

Merged
merged 4 commits into from
May 30, 2023

Conversation

liuh-80
Copy link
Contributor

@liuh-80 liuh-80 commented Mar 15, 2023

Stop authorization after user being rejected by server.

Why I did it

Fix nss_tacplus bug: after user being rejected by one TACACS+ server, nss_tacplus will try with next TACACS+ server.

Work item tracking
  • Microsoft ADO :15276692

How I did it

Check authorization result, stop authorization after user being rejected by server.

How to verify it

Pass all E2E test.
Create new UT: sonic-net/sonic-mgmt#8345

Which release branch to backport (provide reason below if selected)

  • 201811
  • 201911
  • 202006
  • 202012
  • 202106
  • 202111
  • 202205
  • 202211

Tested branch (Please provide the tested image version)

  • master

Description for the changelog

Stop authorization after user being rejected by server.

Ensure to add label/tag for the feature raised. example - PR#2174 under sonic-utilities repo. where, Generic Config and Update feature has been labelled as GCU.

Link to config_db schema for YANG module changes

A picture of a cute animal (not mandatory but encouraged)

@liuh-80 liuh-80 closed this May 15, 2023
@liuh-80 liuh-80 reopened this May 15, 2023
@liuh-80 liuh-80 requested a review from qiluo-msft May 18, 2023 02:24
@liuh-80 liuh-80 marked this pull request as ready for review May 18, 2023 02:24
@liuh-80 liuh-80 closed this May 18, 2023
@liuh-80
Copy link
Contributor Author

liuh-80 commented May 18, 2023

close-reopen to trigger build validation.

@liuh-80 liuh-80 reopened this May 18, 2023
index 048745a..de26306 100644
--- a/nss_tacplus.c
+++ b/nss_tacplus.c
@@ -866,7 +866,12 @@ lookup_tacacs_user(struct pwbuf *pb)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The patch looks good to me. On the file location, I am thinking modifying 0001-Modify-user-map-profile.patch may be better since you are modifying a function which overlapped there. And it is really diffcult to read a patch on another patch.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed, I create this draft PR for code review: https://github.com/liuh-80/libnss-tacplus/pull/1/files

@qiluo-msft qiluo-msft merged commit b444817 into sonic-net:master May 30, 2023
liuh-80 added a commit to sonic-net/sonic-mgmt that referenced this pull request Jun 5, 2023
…8345)

### Description of PR
Add UT for tacacs stop send request after first service reject user.

Summary:
Add UT for tacacs stop send request after first service reject user.
New UT is for code change in sonic-net/sonic-buildimage#14249

### Type of change

- [ ] Bug fix
- [ ] Testbed and Framework(new/improvement)
- [x] Test case(new/improvement)


### Back port request
- [ ] 201911
- [ ] 202012
- [ ] 202205

### Approach
#### What is the motivation for this PR?
Add new UT to test and protect 'TACACS stop send request after first service reject user' feature.

#### How did you do it?
Add second tacacs server IP address, and login with invalid account, then validate TACACS stop send request after first TACACS server reject user login.

#### How did you verify/test it?
Manually test new UT.
Pass PR validation.

#### Any platform specific information?
No

#### Supported testbed topology if it's a new test case?
Any

### Documentation
<!--
(If it's a new feature, new test case)
Did you update documentation/Wiki relevant to your implementation?
Link to the wiki page?
-->
sonic-otn pushed a commit to sonic-otn/sonic-buildimage that referenced this pull request Sep 20, 2023
…ic-net#14249)

Stop authorization after user being rejected by server.

#### Why I did it
Fix nss_tacplus bug: after user being rejected by one TACACS+ server, nss_tacplus will try with next TACACS+ server.

##### Work item tracking
- Microsoft ADO :15276692

#### How I did it
Check authorization result, stop authorization after user being rejected by server.

#### How to verify it
Pass all E2E test.
Create new UT: sonic-net/sonic-mgmt#8345

#### Description for the changelog
Stop authorization after user being rejected by server.

#### Ensure to add label/tag for the feature raised. example - PR#2174 under sonic-utilities repo. where, Generic Config and Update feature has been labelled as GCU.
mrkcmo pushed a commit to Azarack/sonic-mgmt that referenced this pull request Oct 3, 2023
…onic-net#8345)

### Description of PR
Add UT for tacacs stop send request after first service reject user.

Summary:
Add UT for tacacs stop send request after first service reject user.
New UT is for code change in sonic-net/sonic-buildimage#14249

### Type of change

- [ ] Bug fix
- [ ] Testbed and Framework(new/improvement)
- [x] Test case(new/improvement)


### Back port request
- [ ] 201911
- [ ] 202012
- [ ] 202205

### Approach
#### What is the motivation for this PR?
Add new UT to test and protect 'TACACS stop send request after first service reject user' feature.

#### How did you do it?
Add second tacacs server IP address, and login with invalid account, then validate TACACS stop send request after first TACACS server reject user login.

#### How did you verify/test it?
Manually test new UT.
Pass PR validation.

#### Any platform specific information?
No

#### Supported testbed topology if it's a new test case?
Any

### Documentation
<!--
(If it's a new feature, new test case)
Did you update documentation/Wiki relevant to your implementation?
Link to the wiki page?
-->
AharonMalkin pushed a commit to AharonMalkin/sonic-mgmt that referenced this pull request Jan 25, 2024
…onic-net#8345)

### Description of PR
Add UT for tacacs stop send request after first service reject user.

Summary:
Add UT for tacacs stop send request after first service reject user.
New UT is for code change in sonic-net/sonic-buildimage#14249

### Type of change

- [ ] Bug fix
- [ ] Testbed and Framework(new/improvement)
- [x] Test case(new/improvement)


### Back port request
- [ ] 201911
- [ ] 202012
- [ ] 202205

### Approach
#### What is the motivation for this PR?
Add new UT to test and protect 'TACACS stop send request after first service reject user' feature.

#### How did you do it?
Add second tacacs server IP address, and login with invalid account, then validate TACACS stop send request after first TACACS server reject user login.

#### How did you verify/test it?
Manually test new UT.
Pass PR validation.

#### Any platform specific information?
No

#### Supported testbed topology if it's a new test case?
Any

### Documentation
<!--
(If it's a new feature, new test case)
Did you update documentation/Wiki relevant to your implementation?
Link to the wiki page?
-->
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants