Fix flaky tacacs authorization one server down case#7683
Merged
yejianquan merged 2 commits intosonic-net:masterfrom Mar 8, 2023
Merged
Fix flaky tacacs authorization one server down case#7683yejianquan merged 2 commits intosonic-net:masterfrom
yejianquan merged 2 commits intosonic-net:masterfrom
Conversation
The tacacs authorization test has a case to verify that authorization is still working if one of the tacacs servers is down. In case the previous authorization method is local, after it is switched to tacacs+, the tacacs client will start to contact the tacacs servers for authorization. If we immediately run a command after the authorization method is changed, this command may fail with authorization because the client is still trying the invalid tacacs server. The fix is to add a delay which is longer than the configured tacacs timeout after authorization method is changed from local to tacacs+. Extra improvements: * Fixed issues detected by pre-commit. * Created new test fixtures to configure and restore tacacs authorization configuration. * Improved the code for starting and stopping tacacs server. The existing method of stopping tacacs server takes up to 40 seconds. Overall testing time of test_authorization.py takes up to 270 seconds. After the improvement, overall test time of this script is around 70 seconds. Signed-off-by: Xin Wang <[email protected]>
liuh-80
previously approved these changes
Mar 8, 2023
liuh-80
approved these changes
Mar 8, 2023
yejianquan
pushed a commit
that referenced
this pull request
Mar 8, 2023
Approach What is the motivation for this PR? The tacacs authorization test has a case to verify that authorization is still working if one of the tacacs servers is down. In case the previous authorization method is local, after it is switched to tacacs+, the tacacs client will start to contact the tacacs servers for authorization. If we immediately run a command after the authorization method is changed, this command may fail with authorization because the client is still trying the invalid tacacs server. How did you do it? The fix is to add a delay which is longer than the configured tacacs timeout after authorization method is changed from local to tacacs+. Extra improvements: Fixed issues detected by pre-commit. Created new test fixtures to configure and restore tacacs authorization configuration. Improved the code for starting and stopping tacacs server. The existing method of stopping tacacs server takes up to 40 seconds. Overall testing time of test_authorization.py takes up to 270 seconds. After the improvement, overall test time of this script is around 70 seconds. Co-authorized by: [email protected]
yejianquan
pushed a commit
that referenced
this pull request
Mar 8, 2023
Approach What is the motivation for this PR? The tacacs authorization test has a case to verify that authorization is still working if one of the tacacs servers is down. In case the previous authorization method is local, after it is switched to tacacs+, the tacacs client will start to contact the tacacs servers for authorization. If we immediately run a command after the authorization method is changed, this command may fail with authorization because the client is still trying the invalid tacacs server. How did you do it? The fix is to add a delay which is longer than the configured tacacs timeout after authorization method is changed from local to tacacs+. Extra improvements: Fixed issues detected by pre-commit. Created new test fixtures to configure and restore tacacs authorization configuration. Improved the code for starting and stopping tacacs server. The existing method of stopping tacacs server takes up to 40 seconds. Overall testing time of test_authorization.py takes up to 270 seconds. After the improvement, overall test time of this script is around 70 seconds. Co-authorized by: [email protected]
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description of PR
Summary:
Fixes # (issue)
Type of change
Back port request
Approach
What is the motivation for this PR?
The tacacs authorization test has a case to verify that authorization is still working if one of the tacacs servers is down.
In case the previous authorization method is local, after it is switched to tacacs+, the tacacs client will start to contact the tacacs servers for authorization. If we immediately run a command after the authorization method is changed, this command may fail with authorization because the client is still trying the invalid tacacs server.
How did you do it?
The fix is to add a delay which is longer than the configured tacacs timeout after authorization method is changed from local to tacacs+.
Extra improvements:
How did you verify/test it?
Any platform specific information?
Supported testbed topology if it's a new test case?
Documentation