Migrate AAA table per-command authorization in db_migrator (#3296)

Migrate AAA table per-command authorization in db_migrator #### Why I did it per-command AAA need enable in warm-upgrade case #### How I did it Add code to migrate per-command aunthorization #### How to verify it Pass all test case. Add new test case. #### Which release branch to backport (provide reason below if selected) N/A #### Description for the changelog Migrate AAA table per-command authorization in db_migrator #### A picture of a cute animal (not mandatory but encouraged)
sonic-net · May 15, 2024 · 61d0ec9 · 61d0ec9
1 parent 8629b68
commit 61d0ec9
Show file tree

Hide file tree

Showing 5 changed files with 28 additions and 0 deletions.
diff --git a/scripts/db_migrator.py b/scripts/db_migrator.py
@@ -840,6 +840,22 @@ def migrate_aaa(self):
             self.configDB.set_entry("AAA", "accounting", accounting_new)
             log.log_info('Migrate AAA accounting: {}'.format(accounting_new))
 
+        # setup per-command authorization
+        tacplus_config = self.configDB.get_entry('TACPLUS', 'global')
+        if 'passkey' in tacplus_config and '' != tacplus_config.get('passkey'):
+            authorization = self.configDB.get_entry('AAA', 'authorization')
+            if not authorization:
+                authorization_new = aaa_new.get("authorization")
+                self.configDB.set_entry("AAA", "authorization", authorization_new)
+                log.log_info('Migrate AAA authorization: {}'.format(authorization_new))
+        else:
+            # If no passkey, setup per-command authorization will block remote user command
+            log.log_info('TACACS passkey does not exist, disable per-command authorization.')
+            authorization_key = "AAA|authorization"
+            keys = self.configDB.keys(self.configDB.CONFIG_DB, authorization_key)
+            if keys:
+                self.configDB.delete(self.configDB.CONFIG_DB, authorization_key)
+
     def version_unknown(self):
         """
         version_unknown tracks all SONiC versions that doesn't have a version

diff --git a/tests/db_migrator_input/config_db/per_command_aaa_enable_expected.json b/tests/db_migrator_input/config_db/per_command_aaa_enable_expected.json
@@ -5,6 +5,9 @@
     "AAA|authentication": {
         "login": "tacacs+"
     },
+    "AAA|authorization": {
+        "login": "tacacs+"
+    },
     "TACPLUS|global": {
         "auth_type": "login",
         "passkey": "testpasskey"

diff --git a/tests/db_migrator_input/config_db/per_command_aaa_no_authentication_expected.json b/tests/db_migrator_input/config_db/per_command_aaa_no_authentication_expected.json
@@ -5,6 +5,9 @@
     "AAA|authentication": {
         "login": "tacacs+"
     },
+    "AAA|authorization": {
+        "login": "tacacs+"
+    },
     "TACPLUS|global": {
         "auth_type": "login",
         "passkey": "testpasskey"

diff --git a/tests/db_migrator_input/config_db/per_command_aaa_no_passkey.json b/tests/db_migrator_input/config_db/per_command_aaa_no_passkey.json
@@ -2,6 +2,9 @@
     "AAA|authentication": {
         "login": "tacacs+"
     },
+    "AAA|authorization": {
+        "login": "tacacs+"
+    },
     "TACPLUS|global": {
         "auth_type": "login"
     }

diff --git a/tests/db_migrator_input/config_db/per_command_aaa_no_tacplus_expected.json b/tests/db_migrator_input/config_db/per_command_aaa_no_tacplus_expected.json
@@ -5,6 +5,9 @@
     "AAA|authentication": {
         "login": "tacacs+"
     },
+    "AAA|authorization": {
+        "login": "tacacs+"
+    },
     "TACPLUS|global": {
         "auth_type": "login",
         "passkey": "testpasskey"