Adding list leaf for SSH public keys#1498
Conversation
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
There was a problem hiding this comment.
Code Review
This pull request introduces an authorized-ssh-keys list to the OpenConfig AAA model to allow users to have multiple SSH public keys. Feedback indicates that the current placement of the list within a grouping violates OpenConfig structural standards, where lists should be siblings to config and state containers rather than nested within them. Additionally, the max-elements 10 constraint is viewed as overly restrictive, and the description for the authorized-ssh-key leaf should be updated to specify supported key formats like RSA or DSA.
earies
left a comment
There was a problem hiding this comment.
Overall in support of this change as it aligns w/ most implementations tmk - Just a few comments surrounding how the key/data should be decomposed and indexed.
Change Scope
Platform Implementations
https://github.com/openconfig/gnsi/tree/main/credentialz#update-the-clients-authorized-key
The platform supports adding more than one public key per user
Tree View
module: openconfig-aaa +--rw aaa | +--rw config | +--ro state | +--rw authentication | | +--rw glome | | | +--ro state | | +--rw config | | | +--rw authentication-method* union | | +--ro state | | | +--ro authentication-method* union | | +--rw admin-user | | | +--rw config | | | | +--rw admin-password? string | | | | +--rw admin-password-hashed? oc-aaa-types:crypt-password-type | | | +--ro state | | | +--ro admin-password? string | | | +--ro admin-password-hashed? oc-aaa-types:crypt-password-type | | | +--ro admin-username? string | | +--rw users | | +--rw user* [username] | | +--rw username -> ../config/username | | +--rw config | | | +--rw username? string | | | +--rw password? string | | | +--rw password-hashed? oc-aaa-types:crypt-password-type | | | +--rw ssh-key? string | | | +--rw role union | | +--ro state | | +--ro username? string | | +--ro password? string | | +--ro password-hashed? oc-aaa-types:crypt-password-type | | +--ro ssh-key? string | | +--ro role union + | | +---- authorized-ssh-keys + | | +---- authorized-ssh-key* [key-name] + | | +---- key-name? -> ../config/key-name + | | +---- config + | | | +---- key-name? string + | | | +---- authorized-ssh-key? string + | | +--ro state + | | +--ro key-name? string + | | +--ro authorized-ssh-key? string