show commands not working for user with Read-only privilages #1389

arlakshm · 2021-01-29T03:46:33Z

Description

In the latest master images, all the show commands need user to have root privileges.
For a user with read-only privileges, the show CLI commands doesnt work.

Steps to reproduce the issue

Load the latest master image
create a new user without sudo privileges
Execute any sonic show CLI command

Describe the results you received
The show CLI command don't work.
Example:

user_ro@vlab-01:~$ id
uid=1001(user_ro) gid=1002(user_ro) groups=1002(user_ro)
user_ro@vlab-01:~$ show vers
[sudo] password for user_ro:
Traceback (most recent call last):
  File "/usr/local/bin/show", line 5, in <module>
    from show.main import cli
  File "/usr/local/lib/python3.7/dist-packages/show/main.py", line 71, in <module>
    routing_stack = get_routing_stack()
  File "/usr/local/lib/python3.7/dist-packages/show/main.py", line 60, in get_routing_stack
    stdout = proc.communicate()[0]
  File "/usr/lib/python3.7/subprocess.py", line 926, in communicate
    stdout = self.stdout.read()
KeyboardInterrupt
user_ro@vlab-01:~$ show ip bgp summary
[sudo] password for user_ro:
^CTraceback (most recent call last):
  File "/usr/local/bin/show", line 5, in <module>
    from show.main import cli
  File "/usr/local/lib/python3.7/dist-packages/show/main.py", line 71, in <module>
    routing_stack = get_routing_stack()
  File "/usr/local/lib/python3.7/dist-packages/show/main.py", line 60, in get_routing_stack
    stdout = proc.communicate()[0]
  File "/usr/lib/python3.7/subprocess.py", line 926, in communicate
    stdout = self.stdout.read()
KeyboardInterrupt
user_ro@vlab-01:~$

Describe the results you expected
The show cli commands to work for read-only users also.

Additional information you deem important (e.g. issue happens only occasionally)

Output of show version

admin@vlab-01:~$ show vers

SONiC Software Version: SONiC.master.629-10436783
Distribution: Debian 10.7
Kernel: 4.19.0-9-2-amd64
Build commit: 10436783
Build date: Sat Jan 23 07:09:55 UTC 2021
Built by: johnar@jenkins-worker-23

Platform: x86_64-kvm_x86_64-r0
HwSKU: Force10-S6000
ASIC: vs
ASIC Count: 1
Serial Number: 000000
Uptime: 03:44:45 up  1:11,  2 users,  load average: 1.83, 1.09, 1.17

Docker images:
REPOSITORY                    TAG                   IMAGE ID            SIZE
docker-gbsyncd-vs             latest                82e2c12260e6        400MB
docker-gbsyncd-vs             master.629-10436783   82e2c12260e6        400MB
docker-syncd-vs               latest                71207f314ec7        400MB
docker-syncd-vs               master.629-10436783   71207f314ec7        400MB
docker-snmp                   latest                026ea286e9bb        435MB
docker-snmp                   master.629-10436783   026ea286e9bb        435MB
docker-dhcp-relay             latest                84fd5de725f2        401MB
docker-dhcp-relay             master.629-10436783   84fd5de725f2        401MB
docker-orchagent              latest                30e4634953cd        422MB
docker-orchagent              master.629-10436783   30e4634953cd        422MB
docker-teamd                  latest                51d9449a8169        404MB
docker-teamd                  master.629-10436783   51d9449a8169        404MB
docker-nat                    latest                7a6401c73949        407MB
docker-nat                    master.629-10436783   7a6401c73949        407MB
docker-router-advertiser      latest                1fbf3ed29cf4        394MB
docker-router-advertiser      master.629-10436783   1fbf3ed29cf4        394MB
docker-platform-monitor       latest                2aa1e5dd81d9        601MB
docker-platform-monitor       master.629-10436783   2aa1e5dd81d9        601MB
docker-lldp                   latest                384345f22ca3        434MB
docker-lldp                   master.629-10436783   384345f22ca3        434MB
docker-database               latest                2c0056ae1cff        394MB
docker-database               master.629-10436783   2c0056ae1cff        394MB
docker-sonic-telemetry        latest                7489e592890c        468MB
docker-sonic-telemetry        master.629-10436783   7489e592890c        468MB
docker-sonic-mgmt-framework   latest                6b7426569730        610MB
docker-sonic-mgmt-framework   master.629-10436783   6b7426569730        610MB
docker-fpm-frr                latest                44c434320bb0        422MB
docker-fpm-frr                master.629-10436783   44c434320bb0        422MB
docker-macsec                 latest                a1add9c8b374        407MB
docker-macsec                 master.629-10436783   a1add9c8b374        407MB
docker-sflow                  latest                bac784546389        405MB
docker-sflow                  master.629-10436783   bac784546389        405MB

admin@vlab-01:~$

The text was updated successfully, but these errors were encountered:

fixes sonic-net/sonic-utilities#1389 With the recent changes in sudoer files. The show commands fails for the read-only users. The problem here is the 'docker ps' is failing in the function [get_routing_stack()](https://github.com/Azure/sonic-utilities/blob/8a1109ed30576f0287fcd98a4349617f7fb55700/show/main.py#L54) therefore all the CLI commands are failing. Signed-off-by: Arvindsrinivasan Lakshmi Narasimhan <arlakshm@microsoft.com>

lguohan mentioned this issue Jan 29, 2021

[baseimage]: add docker ps to the sudoer file sonic-net/sonic-buildimage#6604

Merged

4 tasks

lguohan closed this as completed in sonic-net/sonic-buildimage#6604 Jan 29, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

show commands not working for user with Read-only privilages #1389

show commands not working for user with Read-only privilages #1389

arlakshm commented Jan 29, 2021

show commands not working for user with Read-only privilages #1389

show commands not working for user with Read-only privilages #1389

Comments

arlakshm commented Jan 29, 2021