Add TACACS server monitor design document.

[liuh-80]

Add TACACS server monitor design document.
The TACACS server monitor can change TACACS server priority based on syslog and can resolve following issue:
#1462

[ycoheNvidia]

Thanks for addressing the issue.
Even though this might work - in my opinion this is not a good solution for this issue and here is few reasons:

• user who configures authentication methods doesn't expect configuration to change without any notice or active action from his side.
• logs can be instable, we have experienced inconsistency of Debian logs in the past, I suspect it might cause bugs for this solution
• The main issue here is based on an issue with pam/tacplus_pam. In my opinion - it should be resolved there. Adding a monitor workaround solution might be hard to maintain and not be optimal for this issue.

[a-barboza]

cc: @shdasari

The idea of adjusting the priority based on the responsiveness of the server is good. As mentioned, it should alleviate issue #1462.

However, I feel adjusting the configuration based on a temporary network event might not be the best approach. How about adding some state information to the STATE_DB (COUNTER_DB, or appropriate DB)? Adjust the tacplus pam configuration to account for temporarily unreachable server. Once the network event is detected to be resolved, then the temporary adjustment could be backed out, with suitable logs to advise the admin of the actions taken.

[liuh-80]

cc: @shdasari

The idea of adjusting the priority based on the responsiveness of the server is good. As mentioned, it should alleviate issue #1462.

However, I feel adjusting the configuration based on a temporary network event might not be the best approach. How about adding some state information to the STATE_DB (COUNTER_DB, or appropriate DB)? Adjust the tacplus pam configuration to account for temporarily unreachable server. Once the network event is detected to be resolved, then the temporary adjustment could be backed out, with suitable logs to advise the admin of the actions taken.

@a-barboza , currently if SONiC TACACS can connect to first server, it will not try connecting other low priority servers, which means can't detect low priority server network status. and if we want get connection status of low priority server, we need create a new daemon running in background to periodically check server.

Also in this design, the monitor change server priority based on a time window and event count threshold, for example more than 50% connection failed within 5 minutes. this is a simple solution can handle almost every scenario.

So, how about I update the design doc to:

1. First stage, implement monitor to change priority based on sys event, this will be high priority.
2. Second stage, update TACACS code to update COUNTER_DB data. create daemon to check TACACS server status. then we can update monitor to change priority based on COUNTER_DB and server reachability?

[qiluo-msft]

@ycoheNvidia @a-barboza Would you like to review again? Do you have more comments?

[liuh-80]

@a-barboza , I update design doc according to your suggestion, please give your comments.

[a-barboza]

How can TACPLUS_MONITOR be disabled? For example, if the table is not defined, does it mean that TACPLUS Monitor is disabled, i.e. no monitoring, and effective priorities are same as configured priorities?

[liuh-80]

Added 'enable' flag for disable this feature. when feature disabled, configured priorities will same as configured priorities.

[Yarden-Z]

How does a user get notified that the order has been changed?
Should there be some warning here?
Also - what is the overhead for this item? If we have 8 tacacs servers, defined with an 8 second timeout, and monit is running every minute - we might get to starvation. (might also occur if we have less, but timeout is bugger).
This seems like an odd solution towards solving another issue where the current timeout for tacacs is not being applied well.

[liuh-80]

How does a user get notified that the order has been changed? Should there be some warning here? Also - what is the overhead for this item? If we have 8 tacacs servers, defined with an 8 second timeout, and monit is running every minute - we might get to starvation. (might also occur if we have less, but timeout is bugger). This seems like an odd solution towards solving another issue where the current timeout for tacacs is not being applied well.

When Monitor found latency or unreachable issue, warning message will write to syslog. in prod environment there need some other service check SONiC device health by syslog and send alert to user, which is not part of SONiC.

For timeout issue, if all 8 servers not reachable, Monit will handle it by send alert event for the timeout.

[liuh-80]

@lguohan , could you review and signoff this PR?

[lguohan]

if un-reachable server is excluded, later if the server becomes reachable, how can we include it back?

[liuh-80]

Fixed, hostcfgd will add server back when found an unreachable server become reachable.

[lguohan]

missing yang mode design.

[liuh-80]

Fixed, yang model added.

[lguohan]

which component write to the counter_db, it is not clear from the design doc

[liuh-80]

Monit service will write COUNTER_DB, add detail to design doc.

[lguohan]

we need an option to maintain backward compatibility

[liuh-80]

Fixed, add 'enable' flag, this feature can be disable by this flag.

[lguohan]

what is the threshold to determine high latency v.s. not. how do we choose the threshold.

[liuh-80]

The threshold is 20ms. which is based on experience when handle TACACS server latency/unreachable issue, I can share more detail in review meeting, but may not necessarily to write that in public doc.

[lguohan]

commented.

[qiluo-msft]

enable

There is a FEATURE table to control many optional features. And suggest we separate the TACACS monitor feature and TACACS auto downgrade feature, and control them with finer granularity.