[TACACS] Stop authorization after user being rejected by server. #14249
Merged
qiluo-msft merged 4 commits into sonic-net:master on May 30, 2023
Contributor
Author
close-reopen to trigger build validation.
qiluo-msft reviewed on May 19, 2023
| index 048745a..de26306 100644 | ||
| --- a/nss_tacplus.c | ||
| +++ b/nss_tacplus.c | ||
| @@ -866,7 +866,12 @@ lookup_tacacs_user(struct pwbuf *pb) |
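Review bot: the added check in lookup_tacacs_user (hunk -866,7 +866,12) should end the server loop only on an explicit reject, not on a connect failure or timeout, so that an unreachable first server still fails over to the next one. The body of the hunk is not shown here; if the new lines test a single status value, a short comment naming it and a log line for the early exit would make the behaviour easy to audit.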
Collaborator
The patch looks good to me. On the file location, I am thinking modifying 0001-Modify-user-map-profile.patch may be better since you are modifying a function which overlapped there. And it is really difficult to read a patch on another patch.
Contributor
Author
Fixed. I created this draft PR for code review: https://github.com/liuh-80/libnss-tacplus/pull/1/files
qiluo-msft approved these changes on May 30, 2023
liuh-80 added a commit to sonic-net/sonic-mgmt that referenced this pull request on Jun 5, 2023
…8345)
### Description of PR
Add UT for tacacs stop send request after first service reject user.
Summary: Add UT for tacacs stop send request after first service reject user. New UT is for code change in sonic-net/sonic-buildimage#14249
### Type of change
- [ ] Bug fix
- [ ] Testbed and Framework(new/improvement)
- [x] Test case(new/improvement)
### Back port request
- [ ] 201911
- [ ] 202012
- [ ] 202205
### Approach
#### What is the motivation for this PR?
Add new UT to test and protect 'TACACS stop send request after first service reject user' feature.
#### How did you do it?
Add second tacacs server IP address, and login with invalid account, then validate TACACS stop send request after first TACACS server reject user login.
#### How did you verify/test it?
Manually test new UT. Pass PR validation.
#### Any platform specific information?
No
#### Supported testbed topology if it's a new test case?
Any
### Documentation
<!-- (If it's a new feature, new test case) Did you update documentation/Wiki relevant to your implementation? Link to the wiki page? -->
sonic-otn pushed a commit to sonic-otn/sonic-buildimage that referenced this pull request on Sep 20, 2023
…ic-net#14249)
Stop authorization after user being rejected by server.
#### Why I did it
Fix nss_tacplus bug: after user being rejected by one TACACS+ server, nss_tacplus will try with next TACACS+ server.
##### Work item tracking
- Microsoft ADO :15276692
#### How I did it
Check authorization result, stop authorization after user being rejected by server.
#### How to verify it
Pass all E2E test. Create new UT: sonic-net/sonic-mgmt#8345
#### Description for the changelog
Stop authorization after user being rejected by server.
#### Ensure to add label/tag for the feature raised. example - PR#2174 under sonic-utilities repo. where, Generic Config and Update feature has been labelled as GCU.
mrkcmo pushed a commit to Azarack/sonic-mgmt that referenced this pull request on Oct 3, 2023
AharonMalkin pushed a commit to AharonMalkin/sonic-mgmt that referenced this pull request on Jan 25, 2024
Stop authorization after user being rejected by server.
Why I did it
Fix nss_tacplus bug: after user being rejected by one TACACS+ server, nss_tacplus will try with next TACACS+ server.
Work item tracking
How I did it
Check authorization result, stop authorization after user being rejected by server.
How to verify it
Pass all E2E test.
Create new UT: sonic-net/sonic-mgmt#8345
Which release branch to backport (provide reason below if selected)
Tested branch (Please provide the tested image version)
Description for the changelog
Stop authorization after user being rejected by server.
Ensure to add label/tag for the feature raised. example - PR#2174 under sonic-utilities repo. where, Generic Config and Update feature has been labelled as GCU.
Link to config_db schema for YANG module changes
A picture of a cute animal (not mandatory but encouraged)
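
The behaviour change stated in the description above, as an added example that is not code from this PR or from libnss-tacplus: a server loop that fails over only when a server gives no answer, and stops when one explicitly rejects the user. The enum names, `lookup_user` and the reply arrays are hypothetical, and the arrays are constructed sample data.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical per-server outcomes; not libnss-tacplus or libtac names. */
enum srv_reply { SRV_UNREACHABLE, SRV_REJECT, SRV_ACCEPT };
enum lookup_result { LOOKUP_NOT_FOUND, LOOKUP_FOUND };

/*
 * Walk the configured servers in order. `replies` stands in for the
 * answer each server would give for one user (constructed data).
 * `queried` receives the number of servers actually contacted.
 */
static enum lookup_result
lookup_user(const enum srv_reply *replies, size_t n, int stop_on_reject,
            size_t *queried)
{
    *queried = 0;
    for (size_t i = 0; i < n; i++) {
        (*queried)++;
        switch (replies[i]) {
        case SRV_ACCEPT:
            return LOOKUP_FOUND;
        case SRV_REJECT:
            /* An explicit reject is an authoritative answer. */
            if (stop_on_reject)
                return LOOKUP_NOT_FOUND;
            break;  /* behaviour described as the bug: ask the next server */
        case SRV_UNREACHABLE:
            break;  /* no answer at all: failover is legitimate */
        }
    }
    return LOOKUP_NOT_FOUND;
}

/* Constructed scenarios: first server rejects / first server is down. */
static const enum srv_reply reject_then_accept[] = { SRV_REJECT, SRV_ACCEPT };
static const enum srv_reply down_then_accept[] = { SRV_UNREACHABLE, SRV_ACCEPT };

int main(void)
{
    size_t q;
    int r = lookup_user(reject_then_accept, 2, 0, &q);
    printf("reject,accept  no stop: found=%d queried=%zu\n", r, q);
    r = lookup_user(reject_then_accept, 2, 1, &q);
    printf("reject,accept  stop:    found=%d queried=%zu\n", r, q);
    r = lookup_user(down_then_accept, 2, 1, &q);
    printf("down,accept    stop:    found=%d queried=%zu\n", r, q);
    return 0;
}
```

The second scenario is the case the referenced unit test exercises: with two servers configured, no request reaches the second one after the first rejects the user.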