
Commit 6e00327

Add GNMI client cert cname check support. (#18709) (#20792)
Add GNMI client cert cname list to yang model. #### Why I did it Allow the gnmi service to authenticate clients by client certificate common name (cname). ### How I did it Add GNMI client cert cname list to yang model. #### How to verify it All unit tests pass. ### Description for the changelog Add GNMI client cert cname list to yang model.
1 parent 444ce37 commit 6e00327


6 files changed

+68
-0
lines changed


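--- a/dockers/docker-sonic-gnmi/gnmi-native.sh
+++ b/dockers/docker-sonic-gnmi/gnmi-native.sh
@@ -33,6 +33,8 @@ if [ -n "$CERTS" ]; then
 if [ ! -z $CA_CRT ]; then
 TELEMETRY_ARGS+=" --ca_crt $CA_CRT"
 fi
+
+TELEMETRY_ARGS+=" --config_table_name GNMI_CLIENT_CERT"
 elif [ -n "$X509" ]; then
 SERVER_CRT=$(echo $X509 | jq -r '.server_crt')
 SERVER_KEY=$(echo $X509 | jq -r '.server_key')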
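Review bot: The new `--config_table_name GNMI_CLIENT_CERT` argument is added with no comment saying what it turns on, while the parallel hunk in dockers/docker-sonic-telemetry/telemetry.sh does carry one; add `# Authorize clients by client certificate common name, mapped to a role via CONFIG_DB table GNMI_CLIENT_CERT` above the line so the two scripts read the same. In both scripts the argument is also appended regardless of whether `$CA_CRT` was set on the lines just above; if the service only verifies client certificates when a CA is configured, the CN-to-role table has no effect on the no-CA path, which is worth either a comment or moving the line inside the `if [ ! -z $CA_CRT ]` block. The enclosing `if [ -n "$CERTS" ]` block starts outside the hunk.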

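--- a/dockers/docker-sonic-telemetry/telemetry.sh
+++ b/dockers/docker-sonic-telemetry/telemetry.sh
@@ -34,6 +34,9 @@ if [ -n "$CERTS" ]; then
 if [ ! -z $CA_CRT ]; then
 TELEMETRY_ARGS+=" --ca_crt $CA_CRT"
 fi
+
+# Reuse GNMI_CLIENT_CERT for telemetry service
+TELEMETRY_ARGS+=" --config_table_name GNMI_CLIENT_CERT"
 elif [ -n "$X509" ]; then
 SERVER_CRT=$(echo $X509 | jq -r '.server_crt')
 SERVER_KEY=$(echo $X509 | jq -r '.server_key')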

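--- a/src/sonic-yang-models/tests/files/sample_config_db.json
+++ b/src/sonic-yang-models/tests/files/sample_config_db.json
@@ -1263,6 +1263,14 @@
 "port": "50052"
 }
 },
+"GNMI_CLIENT_CERT": {
+"testcert1": {
+"role": "RW"
+},
+"testcert2": {
+"role": "RO"
+}
+},
 "TUNNEL": {
 "MuxTunnel0": {
 "dscp_mode": "uniform",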

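--- a/src/sonic-yang-models/tests/yang_model_tests/tests/gnmi.json
+++ b/src/sonic-yang-models/tests/yang_model_tests/tests/gnmi.json
@@ -13,5 +13,12 @@
 },
 "GNMI_TABLE_WITH_VALID_CONFIG": {
 "desc": "TABLE WITH VALID CONFIG."
+},
+"GNMI_CLIENT_CERT_LIST_TABLE_WITH_MISSING_ROLE": {
+"desc": "CLIENT_CERT_LIST_TABLE_WITH_MISSING_ROLE failure.",
+"eStrKey": "Mandatory"
+},
+"GNMI_CLIENT_CERT_LIST_TABLE_WITH_VALID_CONFIG": {
+"desc": "TABLE WITH VALID CONFIG."
 }
 }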

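--- a/src/sonic-yang-models/tests/yang_model_tests/tests_config/gnmi.json
+++ b/src/sonic-yang-models/tests/yang_model_tests/tests_config/gnmi.json
@@ -62,5 +62,32 @@
 }
 }
 }
+},
+"GNMI_CLIENT_CERT_LIST_TABLE_WITH_MISSING_ROLE": {
+"sonic-gnmi:sonic-gnmi": {
+"sonic-gnmi:GNMI_CLIENT_CERT": {
+"GNMI_CLIENT_CERT_LIST": [
+{
+"cert_cname": "testcert1"
+}
+]
+}
+}
+},
+"GNMI_CLIENT_CERT_LIST_TABLE_WITH_VALID_CONFIG": {
+"sonic-gnmi:sonic-gnmi": {
+"sonic-gnmi:GNMI_CLIENT_CERT": {
+"GNMI_CLIENT_CERT_LIST": [
+{
+"cert_cname": "testcert1",
+"role": "RW"
+},
+{
+"cert_cname": "testcert2",
+"role": "RO"
+}
+]
+}
+}
 }
 }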

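--- a/src/sonic-yang-models/yang-models/sonic-gnmi.yang
+++ b/src/sonic-yang-models/yang-models/sonic-gnmi.yang
@@ -72,7 +72,28 @@ module sonic-gnmi {
 }
 
 }
+}
+
+container GNMI_CLIENT_CERT {
+description "GNMI client cert list";
 
+list GNMI_CLIENT_CERT_LIST {
+max-elements 8;
+key "cert_cname";
+
+leaf cert_cname {
+type string;
+description
+"client cert common name";
+}
+
+leaf role {
+type string;
+mandatory true;
+description
+"role of client cert common name";
+}
+}
 }
 }
 }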
