[yang] Restrict AAA authorization with TACPLUS passkey (#18155)

### Why I did it Command cannot be executed when tacacs+ in AAA authorization is set and passkey in TACPLUs is not set. There should be such restriction in YANG model definition. ##### Work item tracking - Microsoft ADO **(number only)**: 26898399 #### How I did it Add restirction #### How to verify it unit test
2025-10-31 01:57:48 +00:00 · 2024-02-27 09:34:32 +08:00
parent 4783a6cafc
commit 6224d672ba
3 changed files with 31 additions and 0 deletions
--- a/src/sonic-yang-models/tests/yang_model_tests/tests/aaa.json
+++ b/src/sonic-yang-models/tests/yang_model_tests/tests/aaa.json
@@ -18,6 +18,10 @@
    "AAA_AUTHORIZATION_TEST": {
        "desc": "Configure an authorization type in AAA table."
    },
+    "AAA_AUTHORIZATION_TEST_TACACS_WITHOUT_TACPLUS": {
+        "desc": "Configure tacacs in authorization type in AAA table without TACPLUS table.",
+        "eStr": ["Authorization with 'tacacs+' is not allowed when passkey not exists."]
+    },
    "AAA_ACCOUNTING_TEST": {
        "desc": "Configure an accounting type in AAA table."
    }
--- a/src/sonic-yang-models/tests/yang_model_tests/tests_config/aaa.json
+++ b/src/sonic-yang-models/tests/yang_model_tests/tests_config/aaa.json
@@ -46,6 +46,25 @@
    },

    "AAA_AUTHORIZATION_TEST": {
+        "sonic-system-aaa:sonic-system-aaa": {
+            "sonic-system-aaa:AAA": {
+                "AAA_LIST": [{
+                        "type": "authorization",
+                        "login": "tacacs+"
+                }]
+            }
+        },
+        "sonic-system-tacacs:sonic-system-tacacs": {
+            "sonic-system-tacacs:TACPLUS": {
+                "global": {
+                        "timeout": 5,
+                        "passkey": "aabb"
+                }
+            }
+        }
+    },
+
+    "AAA_AUTHORIZATION_TEST_TACACS_WITHOUT_TACPLUS": {
        "sonic-system-aaa:sonic-system-aaa": {
            "sonic-system-aaa:AAA": {
                "AAA_LIST": [{
--- a/src/sonic-yang-models/yang-models/sonic-system-aaa.yang
+++ b/src/sonic-yang-models/yang-models/sonic-system-aaa.yang
@@ -7,6 +7,10 @@ module sonic-system-aaa {
        prefix stypes;
    }

+    import sonic-system-tacacs{
+        prefix tacacs;
+    }
+
    revision 2021-10-12 {
        description "Add AAA authorization/accounting support.";
    }
@@ -39,6 +43,10 @@ module sonic-system-aaa {
                    default "local";
                }

+                must 'not(./type = "authorization" and contains(./login, "tacacs+") and not(/tacacs:sonic-system-tacacs/tacacs:TACPLUS/tacacs:global/tacacs:passkey))' {
+                    error-message "Authorization with 'tacacs+' is not allowed when passkey not exists.";
+                }
+
                leaf failthrough {
                    type stypes:boolean_type;
                    description "When set to true, authentication is attempted on next configured server/local in the list upon failure.";