-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[TACACS] Stop authorization after user being rejected by server. #14249
[TACACS] Stop authorization after user being rejected by server. #14249
Conversation
close-reopen to trigger build validation. |
index 048745a..de26306 100644 | ||
--- a/nss_tacplus.c | ||
+++ b/nss_tacplus.c | ||
@@ -866,7 +866,12 @@ lookup_tacacs_user(struct pwbuf *pb) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The patch looks good to me. On the file location, I am thinking modifying 0001-Modify-user-map-profile.patch may be better since you are modifying a function which overlapped there. And it is really diffcult to read a patch on another patch.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed, I create this draft PR for code review: https://github.com/liuh-80/libnss-tacplus/pull/1/files
…8345) ### Description of PR Add UT for tacacs stop send request after first service reject user. Summary: Add UT for tacacs stop send request after first service reject user. New UT is for code change in sonic-net/sonic-buildimage#14249 ### Type of change - [ ] Bug fix - [ ] Testbed and Framework(new/improvement) - [x] Test case(new/improvement) ### Back port request - [ ] 201911 - [ ] 202012 - [ ] 202205 ### Approach #### What is the motivation for this PR? Add new UT to test and protect 'TACACS stop send request after first service reject user' feature. #### How did you do it? Add second tacacs server IP address, and login with invalid account, then validate TACACS stop send request after first TACACS server reject user login. #### How did you verify/test it? Manually test new UT. Pass PR validation. #### Any platform specific information? No #### Supported testbed topology if it's a new test case? Any ### Documentation <!-- (If it's a new feature, new test case) Did you update documentation/Wiki relevant to your implementation? Link to the wiki page? -->
…ic-net#14249) Stop authorization after user being rejected by server. #### Why I did it Fix nss_tacplus bug: after user being rejected by one TACACS+ server, nss_tacplus will try with next TACACS+ server. ##### Work item tracking - Microsoft ADO :15276692 #### How I did it Check authorization result, stop authorization after user being rejected by server. #### How to verify it Pass all E2E test. Create new UT: sonic-net/sonic-mgmt#8345 #### Description for the changelog Stop authorization after user being rejected by server. #### Ensure to add label/tag for the feature raised. example - PR#2174 under sonic-utilities repo. where, Generic Config and Update feature has been labelled as GCU.
…onic-net#8345) ### Description of PR Add UT for tacacs stop send request after first service reject user. Summary: Add UT for tacacs stop send request after first service reject user. New UT is for code change in sonic-net/sonic-buildimage#14249 ### Type of change - [ ] Bug fix - [ ] Testbed and Framework(new/improvement) - [x] Test case(new/improvement) ### Back port request - [ ] 201911 - [ ] 202012 - [ ] 202205 ### Approach #### What is the motivation for this PR? Add new UT to test and protect 'TACACS stop send request after first service reject user' feature. #### How did you do it? Add second tacacs server IP address, and login with invalid account, then validate TACACS stop send request after first TACACS server reject user login. #### How did you verify/test it? Manually test new UT. Pass PR validation. #### Any platform specific information? No #### Supported testbed topology if it's a new test case? Any ### Documentation <!-- (If it's a new feature, new test case) Did you update documentation/Wiki relevant to your implementation? Link to the wiki page? -->
…onic-net#8345) ### Description of PR Add UT for tacacs stop send request after first service reject user. Summary: Add UT for tacacs stop send request after first service reject user. New UT is for code change in sonic-net/sonic-buildimage#14249 ### Type of change - [ ] Bug fix - [ ] Testbed and Framework(new/improvement) - [x] Test case(new/improvement) ### Back port request - [ ] 201911 - [ ] 202012 - [ ] 202205 ### Approach #### What is the motivation for this PR? Add new UT to test and protect 'TACACS stop send request after first service reject user' feature. #### How did you do it? Add second tacacs server IP address, and login with invalid account, then validate TACACS stop send request after first TACACS server reject user login. #### How did you verify/test it? Manually test new UT. Pass PR validation. #### Any platform specific information? No #### Supported testbed topology if it's a new test case? Any ### Documentation <!-- (If it's a new feature, new test case) Did you update documentation/Wiki relevant to your implementation? Link to the wiki page? -->
Stop authorization after user being rejected by server.
Why I did it
Fix nss_tacplus bug: after user being rejected by one TACACS+ server, nss_tacplus will try with next TACACS+ server.
Work item tracking
How I did it
Check authorization result, stop authorization after user being rejected by server.
How to verify it
Pass all E2E test.
Create new UT: sonic-net/sonic-mgmt#8345
Which release branch to backport (provide reason below if selected)
Tested branch (Please provide the tested image version)
Description for the changelog
Stop authorization after user being rejected by server.
Ensure to add label/tag for the feature raised. example - PR#2174 under sonic-utilities repo. where, Generic Config and Update feature has been labelled as GCU.
Link to config_db schema for YANG module changes
A picture of a cute animal (not mandatory but encouraged)