[TACACS+] Add Bash TACACS+ plugin for per-command authorization. #8715
liuh-80 merged 24 commits into sonic-net:master
/azp run
Azure Pipelines successfully started running 1 pipeline(s).
a94028c to db26d95
# Conflicts:
#	src/tacacs/pam/Makefile
| From: liuh-80 <[email protected]> | ||
| Date: Tue, 12 Oct 2021 10:09:10 +0800 | ||
| Subject: [PATCH 3/4] Extract tacacs support functions into library. | ||
| Subject: [PATCH] Extract tacacs support functions into library. |
There are some code bugs in this patch file:
- When parsing nss_tacplus.conf, it can't get the TACACS server passkey, because the file format is a little different from the upstream file format.
- TACACS server data is not released before loading the TACACS config file.
For the code change in this file, please check this PR: https://github.com/liuh-80/pam_tacplus/pull/4/files
1 comment about code position is fixed in this patch file.
The other comments about the debug code change have been replied to; it's necessary for debugging.
According to the discussion, update the patch and this code to only support debug, which is the upstream project behavior.
Discussed offline: we will not use pam_tacplus function to parse nss_tacplus config in future. Then we will abandon this patch.
Fix the issues where libtacsupport.so can't parse tacplus_nss.conf and the server list is not reset before parsing the config file.
##### Work item tracking
- Microsoft ADO **(number only)**: 24433713
#### Why I did it
1. Fix the issue where libtacsupport.so can't parse tacplus_nss.conf correctly:
   - Support the debug=on setting.
   - Support putting the server address and secret in the same row.
2. Fix the issue where the parse_config_file method does not reset the server list before parsing the config file.
#### How I did it
Fix the issues where libtacsupport.so can't parse tacplus_nss.conf and the server list is not reset before parsing the config file.
#### How to verify it
UT with CUnit covers all code in this plugin.
It also passes all current UT.
#### Which release branch to backport (provide reason below if selected)
N/A
#### Tested branch (Please provide the tested image version)
Extract tacacs support functions into a library; this will share TACACS config file parsing code with other projects.
Also fix a memory leak issue in the config parsing code.
- [ ] SONiC.202012-15723.312602-e230e2d3e
#### Description for the changelog
Fix the issues where libtacsupport.so can't parse tacplus_nss.conf and the server list is not reset before parsing the config file.
This pull request adds a Bash plugin for TACACS+ per-command authorization.
Why I did it
Support the debug=on setting.
Support putting the server address and secret in the same row.
How I did it
The Bash plugin will be called before every user command and will check the user command with the remote TACACS+ server for per-command authorization.
How to verify it
UT with CUnit covers all code in this plugin.
It also passes all current UT.
Which release branch to backport (provide reason below if selected)
N/A
Description for the changelog
Add Bash TACACS+ plugin.
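The parser behaviours the descriptions above list (the debug=on setting, server address and secret on one row, and resetting the server list before a reload), as an added C example that is not the PR's or libtacsupport's own code. The struct layout, the function names, the `server=...,secret=...` row syntax and the choice to drop a row that has no secret are assumptions; the sample input is constructed.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_SERVERS 8
struct tac_server { char *addr, *secret; };   /* hypothetical layout */
struct tac_conf { int debug, count; struct tac_server srv[MAX_SERVERS]; };

/* Constructed sample input; addresses and keys are placeholders. */
static const char SAMPLE[] =
    "# constructed sample\n"
    "debug=on\n"
    "server=192.0.2.10:49,secret=example-key-1\n"
    "server=192.0.2.11:49,secret=example-key-2\n"
    "server=192.0.2.12:49\n";                  /* no secret: must be dropped */

/* Copy n bytes into a fresh NUL-terminated string (NULL on allocation failure). */
static char *dupn(const char *s, size_t n) {
    char *d = calloc(n + 1, 1);
    if (d) memcpy(d, s, n);
    return d;
}

/* Scrub keys and free all entries; c must be zero-initialized before first use. */
static void conf_reset(struct tac_conf *c) {
    for (int i = 0; i < c->count; i++) {
        for (volatile char *p = c->srv[i].secret; *p; p++) *p = 0;
        free(c->srv[i].addr);
        free(c->srv[i].secret);
    }
    memset(c, 0, sizeof *c);
}

/* Parse config text; returns servers loaded. A secret containing ',' is unsupported. */
static int conf_parse(struct tac_conf *c, const char *text) {
    conf_reset(c);                             /* reset before loading, never append */
    for (const char *ln = text; *ln; ln += strcspn(ln, "\n"), ln += (*ln == '\n')) {
        size_t n = strcspn(ln, "\n");
        if (n == 8 && !strncmp(ln, "debug=on", 8)) { c->debug = 1; continue; }
        if (strncmp(ln, "server=", 7) != 0 || c->count == MAX_SERVERS) continue;
        struct tac_server *s = &c->srv[c->count];
        for (const char *f = ln; f < ln + n; f += strcspn(f, ",\n") + 1) {
            size_t fl = strcspn(f, ",\n");
            if (!strncmp(f, "server=", 7) && !s->addr) s->addr = dupn(f + 7, fl - 7);
            else if (!strncmp(f, "secret=", 7) && !s->secret) s->secret = dupn(f + 7, fl - 7);
        }
        if (s->addr && s->secret && *s->secret) c->count++;   /* need both on the row */
        else { free(s->addr); free(s->secret); s->addr = s->secret = NULL; }
    }
    return c->count;
}
```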