Skip to content

Add accounting-method and authorization-method leaf-lists inside the /system/aaa/accounting/events/event and /system/aaa/authorization/events/event lists, respectively. #1332

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
LeonGWang wants to merge 5 commits into
base: master
Choose a base branch
from
Open

Add accounting-method and authorization-method leaf-lists inside the /system/aaa/accounting/events/event and /system/aaa/authorization/events/event lists, respectively. #1332

LeonGWang wants to merge 5 commits into from

Conversation

@LeonGWang
Copy link
Contributor

@LeonGWang LeonGWang commented Jul 8, 2025
edited
Loading

(M) system/openconfig-aaa.yang

Change Scope

AAA accounting-method and authorization-method should be able to be configured per event-type.
For example event-type=AAA_ACCOUNTING_EVENT_COMMAND can have a different accounting-method configured vs. event-type=AAA_ACCOUNTING_EVENT_LOGIN.

This change is an addition of AAA capabilities for accounting-method and authorization-method and is a non-breaking (backwards-compatible) change.

Platform Implementations

Arista AAA configuration:
accounting and authorization can have different accounting-methods and authorization-methods configured (e.g. group tacacs+, group radius, local, logging) per event type (e.g. commands, exec, etc.).

(config)#aaa accounting commands all console start-stop group tacacs+
(config)#aaa accounting exec console start-stop group radius logging
(config)#aaa authorization commands all default group radius
(config)#aaa authorization exec default group tacacs+ local

Arista documentation for authorization

Arista documentation for accounting

Pyang output for the new model:

module: openconfig-system
  +--rw system
     +--rw aaa
        +--rw config
        +--ro state
        +--rw authorization
        |  +--rw config
        |  |  +--rw authorization-method*   union [DEPRECATED]
        |  +--ro state
        |  |  +--ro authorization-method*   union [DEPRECATED]
        |  +--rw events
        |     +--rw event* [event-type]
        |        +--rw event-type    -> ../config/event-type
        |        +--rw config
        |        |  +--rw event-type?             identityref
        |        |  +--rw authorization-method*   union [NEW]
        |        +--ro state
        |           +--ro event-type?             identityref
        |           +--ro authorization-method*   union [NEW]
        +--rw accounting
        |  +--rw config
        |  |  +--rw accounting-method*   union [DEPRECATED]
        |  +--ro state
        |  |  +--ro accounting-method*   union [DEPRECATED]
        |  +--rw events
        |     +--rw event* [event-type]
        |        +--rw event-type    -> ../config/event-type
        |        +--rw config
        |        |  +--rw event-type?          identityref
        |        |  +--rw record?              enumeration
        |        |  +--rw accounting-method*   union [NEW]
        |        +--ro state
        |           +--ro event-type?          identityref
        |           +--ro record?              enumeration
        |           +--ro accounting-method*   union [NEW]

P. S. As an aside (not the topic of this PR), certain event types (e.g. commands) can have privilege levels associated, usually between 0 (unprivileged) to 15 (full privilege). To accommodate privilege levels, we can either:

  1. add more event-type identities with privilege level suffix attached such as AAA_ACCOUNTING_EVENT_COMMAND_07 and AAA_ACCOUNTING_EVENT_COMMAND_15 and keep the current tree structure (i.e. backwards compatible)
  2. or add an additional list such as privilege-level[level=?] under .../events/event/..., such as
        |     +--rw event* [event-type]
        |        +--rw event-type    -> ../config/event-type
        |        +--rw privilege-level* [level]
        |        |  +--rw level
        |        |  +--rw config
        |        |    +--rw event-type?          identityref
        |        |    +--rw record?              enumeration
        |        |    +--rw accounting-method*   union
        |        |  +--ro state
        |        |    +--ro event-type?          identityref
        |        |    +--ro record?              enumeration
        |        |    +--ro accounting-method*   union

For event-type with only 1 privilege-level, the key could be level=all, and for event-type with multiple privilege levels, the level can be more customized such as level=5. This better delineates between event-type and privilege-level but is a breaking change.

Without either of the 2 changes above, the YANG model would not be able to configure or represent full Aaa accounting and authorization on a vendor switch.

@LeonGWang LeonGWang requested a review from a team as a code owner July 8, 2025 06:59
@dplore
Copy link
Member

dplore commented Jul 8, 2025

Hi @LeonGWang , thanks for this PR. Please refactor to make this a non-breaking change. One way you could do this is by introducing only new containers/leaves. (ie: instead of move, simply add the authorization-method to the events/event list.).

@dplore
Copy link
Member

dplore commented Jul 8, 2025

/gcbrun

@OpenConfigBot
Copy link

OpenConfigBot commented Jul 8, 2025
edited
Loading

No major YANG version changes in commit 9f151cb

@LeonGWang LeonGWang changed the title Move accounting-method and authorization-method leaf-lists inside the /system/aaa/accounting/events/event and /system/aaa/authorization/events/event lists, respectively. Add accounting-method and authorization-method leaf-lists inside the /system/aaa/accounting/events/event and /system/aaa/authorization/events/event lists, respectively. Jul 9, 2025
@LeonGWang
Copy link
Contributor Author

LeonGWang commented Jul 9, 2025

Hi @LeonGWang , thanks for this PR. Please refactor to make this a non-breaking change. One way you could do this is by introducing only new containers/leaves. (ie: instead of move, simply add the authorization-method to the events/event list.).

Thanks for the quick review @dplore. I've added back the original leaf-lists but marked them as deprecated. This is now a non-breaking changes.

I have also changed the title, the description, and the pyang output.

@dplore
Copy link
Member

dplore commented Jul 10, 2025

/gcbrun

@dplore dplore moved this to Ready to discuss in OC Operator Review Jul 10, 2025
@LeonGWang LeonGWang force-pushed the aaa-acct-authz-methods branch from 4cc96fb to 69846c3 Compare July 17, 2025 05:11
@LeonGWang
Copy link
Contributor Author

LeonGWang commented Jul 17, 2025

Updated the submodules openconfig-aaa-radius.yang and openconfig-aaa-tacacs.yang to version 1.1.0 as well. This should satisfy the failing check.

@jsterne
Copy link

jsterne commented Jul 17, 2025

Should we not be referencing at least a few other references to implementations with this granularity in this PR?

Although this is not currently a non-backwards-compatible change, by marking the current approach deprecated we are signalling the intent to remove it later (and break current implementations).

jsterne
jsterne reviewed Jul 17, 2025
View reviewed changes
@LeonGWang
Copy link
Contributor Author

LeonGWang commented Jul 18, 2025

Thanks for the feedback @jsterne

Should we not be referencing at least a few other references to implementations with this granularity in this PR?

As per company (Arista) policy, unfortunately I am unable to provide references outside of Arista. Usually @dplore is kind enough to provide additional references should that be required.

Although this is not currently a non-backwards-compatible change, by marking the current approach deprecated we are signalling the intent to remove it later (and break current implementations).

This is intended. The newly added *-method leaf-lists at a more granular level provides a functional superset of the original, so there is no reason to keep the original leaf-lists.

@LeonGWang
Copy link
Contributor Author

LeonGWang commented Jul 21, 2025

/gcbrun

1 similar comment
@dplore
Copy link
Member

dplore commented Jul 21, 2025

/gcbrun

LeonGWang added 3 commits July 22, 2025 17:14
@LeonGWang
Moved accounting-method and authorization-method leaf-lists
7028545 
inside the accounting/events/event and authorization/events/event lists,
respectively.
@LeonGWang
Added back the original accounting-method and authorization-method le…
15938fe 
…af-lists

but marked them as deprecated.
@LeonGWang
Update version to 1.1.0 for submodules openconfig-aaa-radius.yang and…
9f151cb 
… openconfig-aaa-tacacs.yang
@LeonGWang LeonGWang force-pushed the aaa-acct-authz-methods branch from 69846c3 to 9f151cb Compare July 23, 2025 00:14
@LeonGWang
Copy link
Contributor Author

LeonGWang commented Jul 23, 2025

/gcbrun

1 similar comment
@dplore
Copy link
Member

dplore commented Jul 23, 2025

/gcbrun

@ElodinLaarz
Copy link
Contributor

ElodinLaarz commented Oct 7, 2025

Discussed at OC Operators Meeting Oct 07:

Can we (1) get a better diff of the change (marking which leaves are deprecated and highlighting the leaves that have moved), and (2) @dplore (or anyone) can include a second vendor's implementation to elaborate on the need to move the configuration under events?

@ElodinLaarz ElodinLaarz requested a review from a team as a code owner October 7, 2025 16:41
@ElodinLaarz ElodinLaarz moved this from Ready to discuss to Waiting for author in OC Operator Review Oct 7, 2025
@LeonGWang
Copy link
Contributor Author

LeonGWang commented Oct 14, 2025

P. S. As an aside (not the topic of this PR), certain event types (e.g. commands) can have privilege levels associated, usually between 0 (unprivileged) to 15 (full privilege). To accommodate privilege levels, we can either:

  1. add more event-type identities with privilege level suffix attached such as AAA_ACCOUNTING_EVENT_COMMAND_07 and AAA_ACCOUNTING_EVENT_COMMAND_15 and keep the current tree structure (i.e. backwards compatible)
  2. or add an additional list such as privilege-level[level=?] under .../events/event/..., such as
        |     +--rw event* [event-type]
        |        +--rw event-type    -> ../config/event-type
        |        +--rw privilege-level* [level]
        |        |  +--rw level
        |        |  +--rw config
        |        |    +--rw event-type?          identityref
        |        |    +--rw record?              enumeration
        |        |    +--rw accounting-method*   union
        |        |  +--ro state
        |        |    +--ro event-type?          identityref
        |        |    +--ro record?              enumeration
        |        |    +--ro accounting-method*   union

For event-type with only 1 privilege-level, the key could be level=all, and for event-type with multiple privilege levels, the level can be more customized such as level=5. This better delineates between event-type and privilege-level but is a breaking change.

Without either of the 2 changes above, the YANG model would not be able to configure or represent full Aaa accounting and authorization on a vendor switch.

@jsterne
Copy link

jsterne commented Oct 14, 2025

I think we still need to show how any of these changes are necessary on more than 1 implementation. Isn't that supposed to be done by the person proposing these types of changes? The intent here is to eventually break the current model so we should only be doing that if it is needed across a broad set of implementations.

@LeonGWang
Copy link
Contributor Author

LeonGWang commented Nov 27, 2025
edited
Loading

Discussed at OC Operators Meeting Oct 07:

Can we (1) get a better diff of the change (marking which leaves are deprecated and highlighting the leaves that have moved), and (2) @dplore (or anyone) can include a second vendor's implementation to elaborate on the need to move the configuration under events?

Hi I updated the diff in the original comment to annotate deprecated and new leaves with [DEPRECATED] and [NEW]. Below is a copy of the edited version (now also in the original comment):

module: openconfig-system
  +--rw system
     +--rw aaa
        +--rw config
        +--ro state
        +--rw authorization
        |  +--rw config
        |  |  +--rw authorization-method*   union [DEPRECATED]
        |  +--ro state
        |  |  +--ro authorization-method*   union [DEPRECATED]
        |  +--rw events
        |     +--rw event* [event-type]
        |        +--rw event-type    -> ../config/event-type
        |        +--rw config
        |        |  +--rw event-type?             identityref
        |        |  +--rw authorization-method*   union [NEW]
        |        +--ro state
        |           +--ro event-type?             identityref
        |           +--ro authorization-method*   union [NEW]
        +--rw accounting
        |  +--rw config
        |  |  +--rw accounting-method*   union [DEPRECATED]
        |  +--ro state
        |  |  +--ro accounting-method*   union [DEPRECATED]
        |  +--rw events
        |     +--rw event* [event-type]
        |        +--rw event-type    -> ../config/event-type
        |        +--rw config
        |        |  +--rw event-type?          identityref
        |        |  +--rw record?              enumeration
        |        |  +--rw accounting-method*   union [NEW]
        |        +--ro state
        |           +--ro event-type?          identityref
        |           +--ro record?              enumeration
        |           +--ro accounting-method*   union [NEW]

As for other vendor implementation, @dplore can you check if other vendors have similar privilege level configurations for Aaa?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@jsterne jsterne jsterne left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

non-breaking

Projects

OC Operator Review
Status: Waiting for author

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@LeonGWang @dplore @OpenConfigBot @jsterne @ElodinLaarz