Add credentialz endpoints to manage system role accounts.

[avanpo]

It seems there is no way to manage system role accounts via openconfig today, meaning it's necessary to know about the NOS or underlying OS in order to get that done.

[nmahabaleshwar]

Some implementations need a password to create an account, would suggest add Password which can be optional.

We might also want to clarify if Password is not specified we want to create an account with,

1. Disabled password (prevent authentication via password) OR
2. No password (password not required for authentication)

[morrowc]

(picking long past old PR)

Either specifying in the proto/docs:
"If a passwd is required, but not provided, an error is returned"
or:
"where a password is required and not provided the device will provide an unusable password"
(like username:*:userid:groupid:comment:shell on standard unix-like platforms)

seems ok.

[LimeHat]

I'm not sure why my previous comment was marked as resolved, but I still would like to get an answer to that question.

Would be good to add a strict definition what a "system role account" is.

OpenConfig has SYSTEM_ROLE_ADMIN https://github.com/openconfig/public/blob/db78d44e93a97cef4db27f82bba3fba454e907a5/release/models/system/openconfig-aaa-types.yang#L77-L84, but I have a feeling that you mean something else in this context.

[morrowc]

I think 'system role admin' is like 'admin group' or 'root access for user in this group', right?
I think the intent of this is to provide a way to set a passwd/ssh-key/etc for:
linuxadmin
root
admin
event-manager-user

etc.. accounts which the vendor provides on the device outside of any requirement of the operator of that device.

[LimeHat]

I think the intent of this is to provide a way to set a passwd/ssh-key/etc for:

is it? the proto change says it can only add or delete account. for credentials management we have existing credz service RPCs..

[morrowc]

Left 2 clarifying answers/pointers to the existing conversations.