[yang]: AAA login pattern

[ganglyu]

Signed-off-by: Gang Lv [email protected]

Why I did it

end2end test is blocked by Yang model for AAA login pattern.

How I did it

Add pattern to AAA yang models.

How to verify it

Run UT for sonc-yang-models.

Which release branch to backport (provide reason below if selected)

• 201811
• 201911
• 202006
• 202012
• 202106

Description for the changelog

Fix #9713

A picture of a cute animal (not mandatory but encouraged)

[ganglyu]

/azpw run Azure.sonic-buildimage

[mssonicbld]

/AzurePipelines run Azure.sonic-buildimage

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[wen587]

Verified locally

[qiluo-msft]

@liuh-80 @renukamanavalan Could you help review?

[qiluo-msft]

LGTM. Please wait a while for more eyes.

[wen587]

Found an issue here:
Each AAA sub-config doesn't share the same config.
authorization: [tacacs+ | local | '"tacacs+ local"']
authentication: [ {radius, tacacs+, local} | default ]
accounting: [disable | tacacs+ | local | '"tacacs+ local"']

admin@vlab-01:~/tacacs$ sudo config aaa authorization -h
Usage: config aaa authorization [OPTIONS] [[tacacs+|local|tacacs+ local]]...

  Switch AAA authorization [tacacs+ | local | '"tacacs+ local"']               <===========

Options:
  -h, -?, --help  Show this message and exit.
admin@vlab-01:~/tacacs$ sudo config aaa authentication login -h
Usage: config aaa authentication login [OPTIONS]
                                       [[radius|tacacs+|local|default]]...         

  Switch login authentication [ {radius, tacacs+, local} | default ]         <===========

Options:
  -?, -h, --help  Show this message and exit.
admin@vlab-01:~/tacacs$ sudo config aaa accounting -h
Usage: config aaa accounting [OPTIONS] [[disable|tacacs+|local|tacacs+ 
                             local]]...

  Switch AAA accounting [disable | tacacs+ | local | '"tacacs+ local"']    <==========

Options:
  -h, -?, --help  Show this message and exit.

New issue found.

[renukamanavalan]

Do we accommodate the value "default" in SONiC auth operations?

[liuh-80]

We do accommodate "default", the default will set authentication "login" parameter to "local" and remove all other authentication settings.

Share the same concern with @renukamanavalan

[dgsudharsan]

Can you please add config into https://github.com/Azure/sonic-buildimage/blob/master/src/sonic-yang-models/tests/files/sample_config_db.json ?

[dgsudharsan]

Please also add configuration schema here https://github.com/Azure/sonic-swss/blob/53c630b82d429db892bf288dd9f323c5a8370cd5/doc/Configuration.md

[liuh-80]

AAA setting already in sample_config_db.json:

    "AAA": {
        "authentication": {
            "login": "local"
        },
        "authorization": {
            "login": "local"
        },
        "accounting": {
            "login": "local"
        }
    },

[liuh-80]

Will update Configuration.md in another PR because it's in different repo.

[liuh-80]

Created a new PR for update configuration.md in sonic-swss repo: sonic-net/sonic-swss#2168

[ganglyu]

Need to confirm the pattern, abandon this PR.

[liuh-80]

should keep tacacs+ here, because sonic support login with tacacs+ protocol
#Closed

[liuh-80]

Fixed

[liuh-80]

This pattern need update to support multiple login method, for example following method will try authentication with tacacs+ protocol first, if tatacs+ authentication failed, will try use local authentication:
tacacs+,local
#Closed

[liuh-80]

Suggest use this regex for pattern: ((tacacs+|local|redus|default),{0,1})+

[liuh-80]

Fixed.

[liuh-80]

After offline sync with gang, he will handover this PR to me, I will continue to finish this PR.

[wen587]

Mannual test pass. LGTM

[renukamanavalan]

After offline sync with gang, he will handover this PR to me, I will continue to finish this PR.

So we wait till liuh-80 finish the PR update.