Use reference of servers in /system/aaa/server-groups. Move the actual server list to top level of /system/aaa. #1105
wants to merge 15 commits into
base: master
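--- a/release/models/system/openconfig-aaa-radius.yang
+++ b/release/models/system/openconfig-aaa-radius.yang
@@ -26,7 +26,13 @@ submodule openconfig-aaa-radius {
 related to the RADIUS protocol for authentication,
 authorization, and accounting.";
 
-oc-ext:openconfig-version "1.0.0";
+oc-ext:openconfig-version "1.1.0";
+
+revision "2024-05-03" {
+description
+"Deprecate auth-port and make the port a common key for aaa servers";
+reference "1.1.0";
+}
 
 revision "2022-07-29" {
 description
@@ -91,6 +97,7 @@ submodule openconfig-aaa-radius {
 
 leaf auth-port {
 type oc-inet:port-number;
+status deprecated;
 default 1812;
 description
 "Port number for authentication requests";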
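Review bot: The deprecated `auth-port` keeps `default 1812` while the replacement common `port` leaf introduced in openconfig-aaa.yang carries no default, so a client that sets neither (or both, with different values) has no stated rule for which port the device actually uses for authentication traffic. The description of `auth-port` should at least point at the replacement and state the precedence, e.g. `"Port number for authentication requests. Deprecated: use the common port leaf under /system/aaa/servers/server/config instead; when both are configured the common leaf takes precedence."` (pick the policy the project wants, but write it down). RADIUS conventionally uses distinct authentication and accounting ports; if this submodule also defines an accounting port (not visible in this hunk), a single common `port` cannot express both and that limitation should be documented in the revision description. The enclosing `leaf auth-port` body continues past the end of the hunk.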
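--- a/release/models/system/openconfig-aaa-tacacs.yang
+++ b/release/models/system/openconfig-aaa-tacacs.yang
@@ -25,7 +25,13 @@ submodule openconfig-aaa-tacacs {
 related to the TACACS+ protocol for authentication,
 authorization, and accounting.";
 
-oc-ext:openconfig-version "1.0.0";
+oc-ext:openconfig-version "1.1.0";
+
+revision "2024-05-03" {
+description
+"Deprecate port and make it a common key for aaa servers";
+reference "1.1.0";
+}
 
 revision "2022-07-29" {
 description
@@ -91,6 +97,7 @@ submodule openconfig-aaa-tacacs {
 
 leaf port {
 type oc-inet:port-number;
+status deprecated;
 default 49;
 description
 "The port number on which to contact the TACACS server";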
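Review bot: The new revision description says the port is made "a common key for aaa servers", but the common `port` leaf added in openconfig-aaa.yang in this same PR is an ordinary config leaf; the `server` list keeps `key "name"`, so the wording misdescribes the schema change. Suggest `"Deprecate port in favour of the common port leaf under /system/aaa/servers/server/config"`. The deprecated leaf also retains `default 49` while the common leaf has no default, so the `port` description should say which value wins when both are present, otherwise implementations will diverge on which TCP port the TACACS+ session is opened to. The `leaf port` body continues outside the hunk.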
178 changes: 174 additions & 4 deletions release/models/system/openconfig-aaa.yang
Expand Up @@ -12,6 +12,7 @@ module openconfig-aaa {
import openconfig-inet-types { prefix oc-inet; }
import openconfig-yang-types { prefix oc-yang; }
import openconfig-aaa-types { prefix oc-aaa-types; }
import openconfig-network-instance { prefix "oc-ni"; }

include openconfig-aaa-tacacs;
include openconfig-aaa-radius;
Expand All @@ -32,7 +33,13 @@ module openconfig-aaa {
Portions of this model reuse data definitions or structure from
RFC 7317 - A YANG Data Model for System Management";

oc-ext:openconfig-version "1.0.0";
oc-ext:openconfig-version "1.1.0";

revision "2024-05-03" {
description
"Use reference of servers in server groups";
reference "1.1.0";
}

revision "2022-07-29" {
description
Expand Down Expand Up @@ -124,6 +131,66 @@ module openconfig-aaa {
//TODO: add list of group members as opstate
}

grouping aaa-servergroup-member-config {
description
"Common configuration data for server group member";

leaf name {
type leafref {
// Reference to /system/aaa/servers/server/name
path "../../../../../../servers/server/name";
}
description
"Reference to the name of the server group member";
}
}

grouping aaa-servergroup-member-state {
description
"Operational state data for server group member";
}

grouping aaa-servergroup-member-top {
description
"Top-level grouping for list of AAA servers";

container group-members {
description
"Enclosing container for server group members";

list group-member {
key "name";
description
"List of server group members";

leaf name {
type leafref {
path "../config/name";
}
description
"Reference to the name of the server group member";
}

container config {
description
"Configuration data ";

uses aaa-servergroup-member-config;
}

container state {
config false;

description
"Operational state data ";

uses aaa-servergroup-member-config;
uses aaa-servergroup-common-state;
}
}
}
}

grouping aaa-servergroup-common-top {
description
"Top-level grouping for AAA server groups";
Expand Down Expand Up @@ -164,14 +231,19 @@ module openconfig-aaa {
uses aaa-servergroup-common-state;
}

uses aaa-server-top;
uses aaa-servergroup-member-top;

uses aaa-server-top {
status deprecated;
}
}
}
}

grouping aaa-server-config {
description
"Common configuration data for AAA servers";
status deprecated;

leaf name {
type string;
Expand All @@ -194,6 +266,49 @@ module openconfig-aaa {
}
}

grouping aaa-server-config-data {
description
"Common configuration data for AAA servers";

leaf name {
type string;
description
"Name assigned to the server";
}

leaf address {
type oc-inet:ip-address;
description "Address of the authentication server";
}

leaf port {
type oc-inet:port-number;
description "Port of the authentication server";
}

leaf network-instance {
type oc-ni:network-instance-ref;
description "Network-instance of the authentication server";
}

leaf type {
Member


This aaa server type overlaps/conflicts with the type defined at the server-group level. Do we need this defined per server?

Also, I observe that there is only one base type, so maybe we don't really even need type at all?

Author


Thanks for reviewing Darren.
This aaa server type overlaps/conflicts with the type defined at the server-group level. Do we need this defined per server?
An AAA server can be used either directly by itself or within a server group, so we need this type defined per server as well. Vendors can decide what to do if they see a conflict between the type of the group and the type of the server.

Also, I observe that there is only one base type, so maybe we don't really even need type at all?
leaf type here is an identityref which has existing identity RADIUS and TACACS added to it from their own files:



so it seems to have two derived identities (RADIUS and TACACS) under that base. Am I using this wrong?

type identityref {
base oc-aaa-types:AAA_SERVER_TYPE;
}
description
"AAA server type";
}

leaf timeout {
type uint16;
units seconds;
description
"Set the timeout in seconds on responses from the AAA
server";
}
}


grouping aaa-server-state {
description
"Common operational state data for AAA servers";
Expand Down Expand Up @@ -251,9 +366,59 @@ module openconfig-aaa {

}

grouping aaa-server-list-top {
description
"Top-level grouping for list of AAA servers";

container servers {
description
"Enclosing container the list of servers";

list server {
key "name";
description
"List of AAA servers";

leaf name {
type leafref {
path "../config/name";
}
description
"Reference to the configured name of the AAA server";
}

container config {
description
"Configuration data ";

uses aaa-server-config-data;
}

container state {
config false;

description
"Operational state data ";

uses aaa-server-config-data;
uses aaa-server-state;
}

uses aaa-tacacs-server-top {
when "config/type = 'oc-aaa:TACACS'";
}

uses aaa-radius-server-top {
when "config/type = 'oc-aaa:RADIUS'";
}
}
}
}

grouping aaa-server-top {
description
"Top-level grouping for list of AAA servers";
status deprecated;

container servers {
description
Expand All @@ -276,7 +441,9 @@ module openconfig-aaa {
description
"Configuration data ";

uses aaa-server-config;
uses aaa-server-config {
status deprecated;
}
}

container state {
Expand All @@ -285,7 +452,9 @@ module openconfig-aaa {
description
"Operational state data ";

uses aaa-server-config;
uses aaa-server-config {
status deprecated;
}
uses aaa-server-state;
}

Expand Down Expand Up @@ -834,6 +1003,7 @@ module openconfig-aaa {
uses aaa-authentication-top;
uses aaa-authorization-top;
uses aaa-accounting-top;
uses aaa-server-list-top;
uses aaa-servergroup-common-top;

}
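Review bot: In the `aaa-server-config-data` grouping the new common `port` leaf has no `default` and no `must`, whereas the per-protocol leaves it replaces carried defaults (1812 for RADIUS, 49 for TACACS) and remain configurable in the deprecated tree, so a server with the common `port` unset, or set to a value that disagrees with the deprecated leaf, has no defined behaviour; the description should state the precedence, e.g. `"Port of the authentication server; takes precedence over the deprecated protocol-specific port leaves"`, and ideally the revision description should too. `type` is also not `mandatory`, and because the `aaa-tacacs-server-top`/`aaa-radius-server-top` groupings in `aaa-server-list-top` are guarded by `when "config/type = ..."`, a server created without a type gets neither protocol container and so no place for its shared secret, which is easy to miss at provisioning time; consider `mandatory true` or documenting the consequence. Separately, the `group-member` `state` container uses `aaa-servergroup-common-state` while the newly defined `aaa-servergroup-member-state` grouping is left unused, which looks like a copy-paste slip. The `aaa-server-list-top` grouping's `config/type` XPath is relative to the list entry, which is correct here, but that only holds if the grouping is always used directly under the `server` list as it is at `uses aaa-server-list-top`.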