@marcushines
Contributor

Per-user, per-command ACL for the service.

This will allow the service to act as a gRPC-based replacement for SSH access that was previously ACL'ed via username to TACACS.

@marcushines marcushines requested a review from robshakir January 6, 2025 18:21
@coveralls

Pull Request Test Coverage Report for Build 12638036985

Details

  • 0 of 82 (0.0%) changed or added relevant lines in 1 file are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage decreased (-0.007%) to 1.13%

| Changes Missing Coverage | Covered Lines | Changed/Added Lines | % |
|---|---|---|---|
| debug/debug.pb.go | 0 | 82 | 0.0% |

Totals:

  • Change from base Build 12636953794: -0.007%
  • Covered Lines: 166
  • Relevant Lines: 14686

💛 - Coveralls

repeated google.protobuf.Any details = 3;
}

// Policy defines a set of commands a list of users are allowed to execute
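
Review bot: the doc comment on Policy, at the last line of this hunk, says which commands a list of users may execute but not what happens to a request that matches no Policy. Please state the default explicitly in the comment (for example, that a user or command not listed is denied) and say how several Policy entries naming the same user combine, so that implementations of the ACL do not diverge.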
Member

How is this provided to the device?

It seems a little odd that we don't have this in gNSI -- is there some opportunity to express this there akin to pathz?

Contributor Author

I can move it into gNSI as far as providing the gnsi.Debug.Rotate; it just kinda feels a bit odd if that is really going to be a pattern we follow for all services.

Contributor Author

Are you also suggesting trying to make pathz support other services? I am not sure it is worth trying to fit that - "role based access control" generally is tailored to the service implementation; conversely, the definition of Authz is generic only to gRPC itself.

@robshakir
Member

I don't really understand what is happening with gNOI debug here -- it's not aligned with what I was understanding to need this kind of auth. Let's discuss.

@marcushines marcushines requested a review from robshakir March 15, 2025 00:43