
RBAC HLD #37

Merged
merged 17 commits into from
Dec 12, 2019

Conversation

jeff-yin
Collaborator

No description provided.

jeff-yin and others added 13 commits October 22, 2019 21:06
It probably shouldn't begin with "Feature Name"...
Fixed some issues with line breaks in the document.
* Tie the token-based auth more closely with password-based auth.
* Clearly call out places where we need to finalize on some design decisions (CLI-to-REST auth, JWT)
Update SONiC RBAC HLD.md
- Added 1.1.1.5 certificate-based authentication for REST and gNMI, describing the fact that certs must be managed outside of the NBIs, and certain assumptions made about the certs.
- Added a work-item about the REST server -- it currently only allows one form of auth at a time; need to extend it to multiple.
- Resolved my question about whether a user will be "dropped into" the KLISH shell, as that is outside of the scope of this doc.
- Added sections about local user management requirements
- Made certificate-based client authentication for REST server optional, contingent on CLI authentication needs.
- Added a question about User Table
- Finalized approach for 1.1.1.2 CLI Authentication to REST server
- Restored requirement for certificate-based authentication for REST server
- Answered question about how to register for file system events.
- Updated RBAC document after joint review session between Dell and Broadcom.
- Added details about UserDB sync with Linux users.
- Moved the responsibility for UserDB sync out of Translib and into a host service.
- Clarified that remote users will share the same certs and home directory.
@santoshv522

What are the privileges for Operator? Can we modify the privileges for Admin and Operator?
How are we restricting users module-wise (ACL, BGP, ...) or by specific commands using any SONiC CLI commands? Can you please provide all supported CLI and show commands?

@jeff-yin
Collaborator Author

What are the privileges for Operator? Can we modify the privileges for Admin and Operator?
How are we restricting users module-wise (ACL, BGP, ...) or by specific commands using any SONiC CLI commands? Can you please provide all supported CLI and show commands?

@santoshv522 -- Operator is read-only, whereas Admin is read/write across all attributes. I have added that info to the doc. Initially, the user cannot modify privileges for Admin and Operator. The privileges are enforced by Translib and the initial support for RBAC will be to just hard-code these limitations for these roles.
In the future, when full User DB support is implemented in RBAC, the ability to modify roles to increase/decrease their privileges will be made available, and CLIs will be provided. For now, User DB support is not implemented in RBAC.

Addressed first set of PR comments.
* clarified that operators are read-only and admins are read/write
* clarified details around CLI authentication and how CLI uses certificates.
* clarified details about how certificates are used by REST and gNMI.
@santoshv522

What are the privileges for Operator? Can we modify the privileges for Admin and Operator?
How are we restricting users module-wise (ACL, BGP, ...) or by specific commands using any SONiC CLI commands? Can you please provide all supported CLI and show commands?

@santoshv522 -- Operator is read-only, whereas Admin is read/write across all attributes. I have added that info to the doc. Initially, the user cannot modify privileges for Admin and Operator. The privileges are enforced by Translib and the initial support for RBAC will be to just hard-code these limitations for these roles.
In the future, when full User DB support is implemented in RBAC, the ability to modify roles to increase/decrease their privileges will be made available, and CLIs will be provided. For now, User DB support is not implemented in RBAC.

For now, what are the rules hard-coded for these roles to validate the functionality for the respective users?
What remote users are supported? Do we have any limitations on max users (local/remote)?

@jeff-yin
Collaborator Author

jeff-yin commented Nov 26, 2019

For now, what are the rules hard-coded for these roles to validate the functionality for the respective users?
What remote users are supported? Do we have any limitations on max users (local/remote)?

@santoshv522 Sorry, not sure I understand the first question, beyond what I've already stated. Users with the operator role (who are in the operator Linux group) are limited to "read" operations only (i.e., GET operations in REST/gNMI, "show" commands on the CLI). Users with the admin role (who are in the admin Linux group) are able to do "read/write" operations (i.e., GET/CREATE/REPLACE/UPDATE/DELETE).
The remote users are outlined in Section 1.1.1.4. As I mentioned to @a-barboza:
Remote users will share the same account on the system, depending on their role.

  • Remote users with Operator role are mapped to the same global remote-user user who is part of operator group
  • Remote users with Admin role are mapped to the same global remote-user-su user who is part of admin group and is a sudoer

To be sure, there are various limitations to this, and we should fix this as part of a future effort. We're not doing any syncing or special mapping of remote users, except to log them into the switch as remote-user or remote-user-su.

Max users isn't covered in the scope of this HLD.
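As an added illustration (not code from the HLD, from Translib, or from this PR), the following Python models the hard-coded role enforcement jeff-yin describes above: a user's role is derived from membership in the admin or operator Linux group, operators are allowed only GET, admins get the full GET/CREATE/REPLACE/UPDATE/DELETE set, and remote users are mapped onto the shared remote-user / remote-user-su accounts. Reading roles out of /etc/group-style text is an assumption of this example; the group file content is constructed sample data, and the function names are hypothetical.

```python
"""Added example: a default-deny authorization check modelling the
role/group mapping described in the SONiC RBAC HLD discussion.
Not the project's own code; /etc/group parsing is an assumption."""
from enum import Enum
from typing import Dict, Optional, Set


class Op(Enum):
    """Operations named in the discussion (REST/gNMI verbs)."""
    GET = "GET"
    CREATE = "CREATE"
    REPLACE = "REPLACE"
    UPDATE = "UPDATE"
    DELETE = "DELETE"


# Role -> permitted operations: operator is read-only, admin is read/write.
ALLOWED_OPS: Dict[str, Set[Op]] = {
    "admin": set(Op),
    "operator": {Op.GET},
}

# Remote-user role -> shared local account it is logged in as.
REMOTE_ACCOUNT: Dict[str, str] = {
    "operator": "remote-user",
    "admin": "remote-user-su",
}

# Constructed sample /etc/group content (not from a real switch).
# remote-user-su is also in sudo, matching "is a sudoer" above.
SAMPLE_GROUP_FILE = """\
root:x:0:
sudo:x:27:remote-user-su
admin:x:1001:alice,remote-user-su
operator:x:1002:bob,remote-user
docker:x:999:carol
"""


def parse_group_file(text: str) -> Dict[str, Set[str]]:
    """Parse /etc/group-style lines into {group: {members}}.

    Malformed lines are skipped rather than guessed at, so a corrupt
    entry can never accidentally grant membership."""
    groups: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            continue
        name, _passwd, _gid, members = fields
        groups[name] = {m for m in members.split(",") if m}
    return groups


def role_for_user(username: str, groups: Dict[str, Set[str]]) -> Optional[str]:
    """Map a local account to its RBAC role via Linux group membership.

    admin is checked first so an account in both groups gets the
    wider role; an account in neither group has no role at all."""
    for role in ("admin", "operator"):
        if username in groups.get(role, set()):
            return role
    return None


def is_authorized(username: str, op: Op,
                  groups: Optional[Dict[str, Set[str]]] = None) -> bool:
    """Default-deny check: unknown users and role-less users get nothing."""
    if groups is None:
        groups = parse_group_file(SAMPLE_GROUP_FILE)
    role = role_for_user(username, groups)
    if role is None:
        return False
    return op in ALLOWED_OPS[role]


def local_account_for_remote(remote_role: str) -> str:
    """Remote users share one local account per role (Section 1.1.1.4)."""
    try:
        return REMOTE_ACCOUNT[remote_role]
    except KeyError:
        raise ValueError(f"unknown remote role: {remote_role!r}") from None


if __name__ == "__main__":
    for user, op in [("alice", Op.DELETE), ("bob", Op.GET),
                     ("bob", Op.UPDATE), ("carol", Op.GET)]:
        print(f"{user:6} {op.value:8} -> {'allow' if is_authorized(user, op) else 'deny'}")
    print("remote admin  ->", local_account_for_remote("admin"))
```

The point worth noting for a reviewer is the default-deny path: a user who authenticates but is in neither group (carol above) is refused every operation, and the remote mapping means authorization decisions for remote users are really decisions about the shared remote-user / remote-user-su accounts, which is the limitation jeff-yin flags for future work.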

@jeff-yin jeff-yin merged commit b53d7df into master Dec 12, 2019
@santoshv522

Do we have any other document to get all the supported show and CLI commands? If yes, can you please provide the details.
