Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[baseimage] add ipintutil in sudoer file #6845

Merged
merged 2 commits into from
Feb 23, 2021

Conversation

arlakshm
Copy link
Contributor

Signed-off-by: Arvindsrinivasan Lakshmi Narasimhan arlakshm@microsoft.com

Why I did it

show ip interfaces is enhanced recently to support multi ASIC platforms in this PR . The ipintutil script as to run as sudo user, to get the ip interface from each namespace.
Add this script to the sudoer file so that show ip interface command is available for user with read-only permissions

How I did it

Add script ipintutil to the read-only allowed commands list.

How to verify it

- Before the change

user_ro@vlab-01:~$ id
uid=1002(user_ro) gid=1002(user_ro) groups=1002(user_ro)
user_ro@vlab-01:~$ show ip int

Make sure your account has RW permission to current device.
Otherwise sudo requests will be rejected.

[sudo] password for user_ro:

Aborted!
user_ro@vlab-01:~$

- After the change

user_ro@vlab-01:~$ id
uid=1002(user_ro) gid=1002(user_ro) groups=1002(user_ro)
user_ro@vlab-01:~$ show ip int
Interface    Master    IPv4 address/mask    Admin/Oper    BGP Neighbor    Neighbor IP
-----------  --------  -------------------  ------------  --------------  -------------
Ethernet0              10.0.0.0/31          up/up         ARISTA01T2      10.0.0.1
Ethernet4              10.0.0.2/31          up/up         ARISTA02T2      10.0.0.3
Ethernet8              10.0.0.4/31          up/up         ARISTA03T2      10.0.0.5
Ethernet12             10.0.0.6/31          up/up         ARISTA04T2      10.0.0.7
Ethernet16             10.0.0.8/31          up/up         ARISTA05T2      10.0.0.9
Ethernet20             10.0.0.10/31         up/up         ARISTA06T2      10.0.0.11
Ethernet24             10.0.0.12/31         up/up         ARISTA07T2      10.0.0.13
Ethernet28             10.0.0.14/31         up/up         ARISTA08T2      10.0.0.15
Ethernet32             10.0.0.16/31         up/up         ARISTA09T2      10.0.0.17
Ethernet36             10.0.0.18/31         up/up         ARISTA10T2      10.0.0.19
Ethernet40             10.0.0.20/31         up/up         ARISTA11T2      10.0.0.21
Ethernet44             10.0.0.22/31         up/up         ARISTA12T2      10.0.0.23
Ethernet48             10.0.0.24/31         up/up         ARISTA13T2      10.0.0.25
Ethernet52             10.0.0.26/31         up/up         ARISTA14T2      10.0.0.27
Ethernet56             10.0.0.28/31         up/up         ARISTA15T2      10.0.0.29
Ethernet60             10.0.0.30/31         up/up         ARISTA16T2      10.0.0.31
Ethernet64             10.0.0.32/31         up/up         ARISTA01T0      10.0.0.33
Ethernet68             10.0.0.34/31         up/up         ARISTA02T0      10.0.0.35
Ethernet72             10.0.0.36/31         up/up         ARISTA03T0      10.0.0.37
Ethernet76             10.0.0.38/31         up/up         ARISTA04T0      10.0.0.39
Ethernet80             10.0.0.40/31         up/up         ARISTA05T0      10.0.0.41
Ethernet84             10.0.0.42/31         up/up         ARISTA06T0      10.0.0.43
Ethernet88             10.0.0.44/31         up/up         ARISTA07T0      10.0.0.45
Ethernet92             10.0.0.46/31         up/up         ARISTA08T0      10.0.0.47
Ethernet96             10.0.0.48/31         up/up         ARISTA09T0      10.0.0.49
Ethernet100            10.0.0.50/31         up/up         ARISTA10T0      10.0.0.51
Ethernet104            10.0.0.52/31         up/up         ARISTA11T0      10.0.0.53
Ethernet108            10.0.0.54/31         up/up         ARISTA12T0      10.0.0.55
Ethernet112            10.0.0.56/31         up/up         ARISTA13T0      10.0.0.57
Ethernet116            10.0.0.58/31         up/up         ARISTA14T0      10.0.0.59
Ethernet120            10.0.0.60/31         up/up         ARISTA15T0      10.0.0.61
Ethernet124            10.0.0.62/31         up/up         ARISTA16T0      10.0.0.63
Loopback0              10.1.0.1/32          up/up         N/A             N/A
docker0                240.127.1.1/24       up/down       N/A             N/A
eth0                   10.250.0.101/24      up/up         N/A             N/A
lo                     127.0.0.1/16         up/up         N/A             N/A
user_ro@vlab-01:~$

The sonic-mgmt tests test_ro_user_allowed_command and test_ro_user_banned_command is enhanced to check show ip interfaces and other common SONiC CLI commands in this PR sonic-net/sonic-mgmt#3016

Which release branch to backport (provide reason below if selected)

  • 201811
  • 201911
  • 202006
  • [ X] 202012

Description for the changelog

A picture of a cute animal (not mandatory but encouraged)

Signed-off-by: Arvindsrinivasan Lakshmi Narasimhan <arlakshm@microsoft.com>
files/image_config/sudoers/sudoers Outdated Show resolved Hide resolved
Signed-off-by: Arvindsrinivasan Lakshmi Narasimhan <arlakshm@microsoft.com>
@arlakshm arlakshm requested a review from jleveque February 22, 2021 22:53
@arlakshm arlakshm merged commit f77157f into sonic-net:master Feb 23, 2021
@arlakshm arlakshm deleted the show_ip_int_sudoer branch February 23, 2021 07:34
lguohan pushed a commit that referenced this pull request Feb 23, 2021
This PR is port of #6845 for 201911

show ip interfaces is enhanced recently to support multi ASIC platforms in this sonic-net/sonic-utilities#1437. The ipintutil script as to run as sudo user, to get the ip interface from each namespace.
Add this script to the sudoer file so that show ip interface command is available for user with read-only permissions

Signed-off-by: Arvindsrinivasan Lakshmi Narasimhan <arlakshm@microsoft.com>
lguohan pushed a commit that referenced this pull request Mar 14, 2021
show ip interfaces is enhanced recently to support multi ASIC platforms in this PR- sonic-net/sonic-utilities#1396 .
The ipintutil script as to run as sudo user, to get the ip interface from each namespace.
Add this script to the sudoer file so that show ip interface command is available for user with read-only permissions

Signed-off-by: Arvindsrinivasan Lakshmi Narasimhan <arlakshm@microsoft.com>
carl-nokia pushed a commit to carl-nokia/sonic-buildimage that referenced this pull request Aug 7, 2021
show ip interfaces is enhanced recently to support multi ASIC platforms in this PR- sonic-net/sonic-utilities#1396 .
The ipintutil script as to run as sudo user, to get the ip interface from each namespace.
Add this script to the sudoer file so that show ip interface command is available for user with read-only permissions

Signed-off-by: Arvindsrinivasan Lakshmi Narasimhan <arlakshm@microsoft.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants