def post_crash_processing(corefile):
try:
# Name of the Crashed process
# ToFix :: In case of python based daemon crash, this value just
# has the name "python", it doesn't provide information
# on which daemon crashed. This needs to be improved.
process = xattr.getxattr(corefile, 'user.coredump.comm')
# Signal Number leading to crash
signal = int(xattr.getxattr(corefile, 'user.coredump.signal'))
if signal >= len(strsignal):
signal = 0
# Timestamp of the crash event
timestamp = xattr.getxattr(corefile, 'user.coredump.timestamp')
timestamp_human = datetime.datetime.fromtimestamp(
int(timestamp)
).strftime('%Y-%m-%d %H:%M:%S')
ops_eventlog.log_event('SUPPORTABILITY_DAEMON_CRASH',
['process', process],
['signal', strsignal[signal]],
['timestamp', timestamp_human])
except:
vlog.dbg("Invalid core dump file found")
def ops_ntpd_check_updates_with_ntp_keys(l_ntpk_db):
'''
This function checks if there are any updates in NTP keys
and accordingly updates the global database with that info.
It also provides what configuration change has to be sent
to the NTPD daemon.
'''
global g_ntpk_db, ntpq_info
add_template_string = " %s MD5 %s"
trustedkey_template_string = ":config trustedkey "
untrustedkey_template_string = ":config unconfig trustedkey "
t_keys_str = "-"
unt_keys_str = "-"
trusted_keys = []
untrusted_keys = []
trusted_key_config = []
untrusted_key_config = []
keys_file_content = ops_ntpd_get_ntpd_default_keys_file_content()
if len(l_ntpk_db) > 0 and len(g_ntpk_db) > 0:
untrusted_keys = set(g_ntpk_db.keys()) - set(l_ntpk_db.keys())
g_ntpk_db = copy.copy(l_ntpk_db)
trusted_keys = g_ntpk_db.keys()
elif len(g_ntpk_db) == 0:
g_ntpk_db = copy.copy(l_ntpk_db)
trusted_keys = g_ntpk_db.keys()
elif len(l_ntpk_db) == 0:
untrusted_keys = g_ntpk_db.keys()
g_ntpk_db = {}
keys_file_content += "\n".join(
[add_template_string % (k, v[0]) for k, v in g_ntpk_db.iteritems()])
if len(trusted_keys) > 0:
trusted_key_config += [
trustedkey_template_string +
" ".join([str(x) for x in trusted_keys])
]
t_keys_str = " ".join([str(x) for x in trusted_keys])
if len(untrusted_keys) > 0:
untrusted_key_config += [
untrustedkey_template_string +
" ".join([str(x) for x in untrusted_keys])
]
unt_keys_str = " ".join([str(x) for x in untrusted_keys])
if t_keys_str != "-" or unt_keys_str != "-":
log_event("NTP_KEY", ["trusted_keys", t_keys_str],
["untrusted_keys", unt_keys_str])
key_config = untrusted_key_config + trusted_key_config
keys_file_content += "\n"
return key_config, keys_file_content
def dnsmasq_start_process():
global dnsmasq_process
global dnsmasq_command
dnsmasq_process = None
vlog.info("dhcp_tftp_debug - dnsmasq_command(3) %s " % (dnsmasq_command))
dnsmasq_process = subprocess.Popen(dnsmasq_command,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
shell=True)
err = dnsmasq_process.stderr.read()
print err
if err != "":
vlog.emer("%s" % (err))
vlog.emer("Error with config, dnsmasq failed, command %s" %
(dnsmasq_command))
log_event("DNSMASQ_FAILURE", ["dnsmasq_command", dnsmasq_command])
else:
vlog.info("dhcp_tftp_debug - dnsmasq started")
log_event("DNSMASQ_SUCCESS", ["dnsmasq_command", dnsmasq_command])
def modify_common_auth_access_file(server_list):
'''
modify common-auth-access file, based on RADIUS, TACACS+ and local
values set in the DB
'''
global tacacs_source_interface
global tacacs_source_ip
global tacacs_dstn_ns
global radius_source_interface
global radius_source_ip
global radius_dstn_ns
tacacs_src_ip = None
tacacs_dstn_ns_old = tacacs_dstn_ns
radius_src_ip = None
radius_dstn_ns_old = radius_dstn_ns
tacacs_src_ip, tacacs_dstn_ns = \
get_src_ip_dstn_ns(tacacs_source_ip, tacacs_source_interface)
radius_src_ip, radius_dstn_ns = \
get_src_ip_dstn_ns(radius_source_ip, radius_source_interface)
if tacacs_dstn_ns != tacacs_dstn_ns_old:
log_event("TACACS", ["type", "Destination Namespace"],
["action", "update"], ["event", tacacs_dstn_ns])
if radius_dstn_ns != radius_dstn_ns_old:
log_event("RADIUS", ["type", "Destination Namespace"],
["action", "update"], ["event", radius_dstn_ns])
vlog.info("tacacs_src_interface = %s, radius_src_interface = %s," \
" tacacs_src_ip = %s, tacacs_dstn_ns = %s, radius_src_ip = %s," \
" radius_dstn_ns = %s" \
% (str(tacacs_source_interface), str(radius_source_interface), \
str(tacacs_src_ip), str(tacacs_dstn_ns), \
str(radius_src_ip), str(radius_dstn_ns)))
global global_tacacs_passkey, global_tacacs_timeout, global_tacacs_auth
global global_radius_passkey, global_radius_timeout, global_radius_auth, global_radius_retries
vlog.info("AAA: server_list = %s\n" % server_list)
if not server_list:
vlog.info("AAA: server_list is empty. Adding default local")
server_list.append((0, AAA_LOCAL))
file_header = "# THIS IS AN AUTO-GENERATED FILE\n" \
"#\n" \
"# /etc/pam.d/common-auth- authentication settings common to all services\n" \
"# This file is included from other service-specific PAM config files,\n" \
"# and should contain a list of the authentication modules that define\n" \
"# the central authentication scheme for use on the system\n" \
"# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the\n" \
"# traditional Unix authentication mechanisms.\n" \
"#\n" \
"# here are the per-package modules (the \"Primary\" block)\n"
file_footer = "#\n" \
"# here's the fallback if no module succeeds\n" \
"auth requisite pam_deny.so\n" \
"# prime the stack with a positive return value if there isn't one already;\n" \
"# this avoids us returning an error just because nothing sets a success code\n" \
"# since the modules above will each just jump around\n" \
"auth required pam_permit.so\n" \
"# and here are more per-package modules (the \"Additional\" block)\n"
file_body = ""
common_auth_access_filename = PAM_ETC_CONFIG_DIR + "common-auth-access"
pam_server_list_str = "server list -"
with open(common_auth_access_filename, "w") as f:
# Write the file header
f.write(file_header)
# Now write the server list to the config file
PAM_CONTROL_VALUE = "[success=done new_authtok_reqd=done default=ignore auth_err=die]"
if AAA_FAIL_THROUGH_ENABLED:
# The following is exactly same as saying: PAM_CONTROL_VALUE = "sufficient"
PAM_CONTROL_VALUE = "[success=done new_authtok_reqd=done default=ignore]"
for server, server_type in server_list[:-1]:
auth_line = ""
if server_type == AAA_LOCAL:
auth_line = "auth\t" + PAM_CONTROL_VALUE + "\t" + PAM_LOCAL_MODULE + " nullok\n"
pam_server_list_str = pam_server_list_str + " local"
elif server_type == AAA_TACACS_PLUS:
ip_address = server.address
tcp_port = server.tcp_port[0]
if len(server.timeout) == 0:
timeout = global_tacacs_timeout
else:
timeout = server.timeout[0]
if len(server.auth_type) == 0:
auth_type = global_tacacs_auth
else:
auth_type = server.auth_type[0]
if len(server.passkey) == 0:
passkey = global_tacacs_passkey
else:
passkey = server.passkey[0]
if tacacs_dstn_ns is not None:
auth_line = "auth\t" + PAM_CONTROL_VALUE + "\t" + PAM_TACACS_MODULE + "\tdebug server=" + ip_address + \
":" + str(tcp_port) + " secret=" + str(passkey) + " login="******" timeout=" + str(timeout) + \
" dstn_namespace=" + tacacs_dstn_ns + " source_ip=" + str(tacacs_src_ip) + " \n"
else:
auth_line = "auth\t" + PAM_CONTROL_VALUE + "\t" + PAM_TACACS_MODULE + "\tdebug server=" + ip_address + \
":" + str(tcp_port) + " secret=" + str(passkey) + " login="******" timeout=" + str(timeout) + "\n"
pam_server_list_str = pam_server_list_str + " " + ip_address
elif server_type == AAA_RADIUS:
ip_address = server.address
udp_port = server.udp_port[0]
if len(server.timeout) == 0:
timeout = global_radius_timeout
else:
timeout = server.timeout[0]
if len(server.auth_type) == 0:
auth_type = global_radius_auth
else:
auth_type = server.auth_type[0]
if len(server.passkey) == 0:
passkey = global_radius_passkey
else:
passkey = server.passkey[0]
if len(server.retries) == 0:
retries = global_radius_retries
else:
retries = server.retries[0]
if radius_dstn_ns is not None:
auth_line = "auth\t" + PAM_CONTROL_VALUE + "\t" + PAM_RADIUS_MODULE + "\tdebug server=" + ip_address + ":" + \
str(udp_port) + " secret=" + str(passkey) + " login="******" retry=" + str(retries) + \
" timeout=" + str(timeout) + " dstn_namespace=" + radius_dstn_ns + " source_ip=" + str(radius_src_ip) + "\n"
else:
auth_line = "auth\t" + PAM_CONTROL_VALUE + "\t" + PAM_RADIUS_MODULE + "\tdebug server=" + ip_address + ":" + \
str(udp_port) + " secret=" + str(passkey) + " login="******" retry=" + str(retries) + \
" timeout=" + str(timeout) + "\n"
file_body += auth_line
# Print the last element
server = server_list[-1][0]
server_type = server_list[-1][1]
auth_line = ""
if server_type == AAA_LOCAL:
auth_line = "auth\t[success=1 default=ignore]\t" + PAM_LOCAL_MODULE + " nullok\n"
pam_server_list_str = pam_server_list_str + " local"
elif server_type == AAA_TACACS_PLUS:
ip_address = server.address
tcp_port = server.tcp_port[0]
if len(server.timeout) == 0:
timeout = global_tacacs_timeout
else:
timeout = server.timeout[0]
if len(server.auth_type) == 0:
auth_type = global_tacacs_auth
else:
auth_type = server.auth_type[0]
if len(server.passkey) == 0:
passkey = global_tacacs_passkey
else:
passkey = server.passkey[0]
if tacacs_dstn_ns is not None:
auth_line = "auth\t[success=1 default=ignore]\t" + PAM_TACACS_MODULE + "\tdebug server=" + ip_address + \
" secret=" + str(passkey) + " login="******" timeout=" + str(timeout) + \
" dstn_namespace=" + tacacs_dstn_ns + " source_ip=" + str(tacacs_src_ip) + " \n"
else:
auth_line = "auth\t[success=1 default=ignore]\t" + PAM_TACACS_MODULE + "\tdebug server=" + ip_address + \
" secret=" + str(passkey) + " login="******" timeout=" + str(timeout) + " \n"
pam_server_list_str = pam_server_list_str + " " + ip_address
elif server_type == AAA_RADIUS:
ip_address = server.address
udp_port = server.udp_port[0]
if len(server.timeout) == 0:
timeout = global_radius_timeout
else:
timeout = server.timeout[0]
if len(server.auth_type) == 0:
auth_type = global_radius_auth
else:
auth_type = server.auth_type[0]
if len(server.passkey) == 0:
passkey = global_radius_passkey
else:
passkey = server.passkey[0]
if len(server.retries) == 0:
retries = global_radius_retries
else:
retries = server.retries[0]
if radius_dstn_ns is not None:
auth_line = "auth\t[success=1 default=ignore]\t" + PAM_RADIUS_MODULE + "\tdebug server=" + ip_address + \
":" + str(udp_port) + " secret=" + str(passkey) + " login="******" retry=" + str(retries) + \
" timeout=" + str(timeout) + " dstn_namespace=" + radius_dstn_ns + " source_ip=" + str(radius_src_ip) + "\n"
else:
auth_line = "auth\t[success=1 default=ignore]\t" + PAM_RADIUS_MODULE + "\tdebug server=" + ip_address + \
":" + str(udp_port) + " secret=" + str(passkey) + " login="******" retry=" + str(retries) + \
" timeout=" + str(timeout) + "\n"
file_body += auth_line
# Write the PAM configurations for authentication
f.write(file_body)
# Write the file footer
f.write(file_footer)
log_event("AAA_CONFIG", ["type", "Authentication PAM configuration file"],
["event", pam_server_list_str])
def get_server_list(session_type):
server_list = []
global global_tacacs_passkey, global_tacacs_timeout, global_tacacs_auth
global global_radius_passkey, global_radius_timeout, global_radius_auth, global_radius_retries
global local_group, authentication_group_list, authorization_group_list, none_group
group_list = ""
group_list_authorization = ""
if local_group is None or none_group is None:
for group_rec in idl.tables[AAA_SERVER_GROUP_TABLE].rows.itervalues():
if group_rec.group_name == AAA_LOCAL:
local_group = group_rec
elif group_rec.group_name == AAA_NONE:
none_group = group_rec
for ovs_rec in idl.tables[SYSTEM_TABLE].rows.itervalues():
if ovs_rec.aaa and ovs_rec.aaa is not None:
for key, value in ovs_rec.aaa.iteritems():
if key == GBL_TACACS_SERVER_TIMEOUT:
if (global_tacacs_timeout != value):
type_str = "global default " + key
event = global_tacacs_timeout + " => " + value
log_event("TACACS", ["type", type_str],
["action", "update"], ["event", event])
global_tacacs_timeout = value
if key == GBL_TACACS_SERVER_AUTH_TYPE:
if (global_tacacs_auth != value):
type_str = "global default " + key
event = global_tacacs_auth + " => " + value
log_event("TACACS", ["type", type_str],
["action", "update"], ["event", event])
global_tacacs_auth = value
if key == GBL_TACACS_SERVER_PASSKEY:
if (global_tacacs_passkey != value):
type_str = "global default " + key
event = global_tacacs_passkey + " => " + value
log_event("TACACS", ["type", type_str],
["action", "update"], ["event", event])
global_tacacs_passkey = value
if key == GBL_RADIUS_SERVER_TIMEOUT:
if (global_radius_timeout != value):
type_str = "global default " + key
event = global_radius_timeout + " => " + value
log_event("RADIUS", ["type", type_str],
["action", "update"], ["event", event])
global_radius_timeout = value
if key == GBL_RADIUS_SERVER_AUTH_TYPE:
if (global_radius_auth != value):
type_str = "global default " + key
event = global_radius_auth + " => " + value
log_event("RADIUS", ["type", type_str],
["action", "update"], ["event", event])
global_radius_auth = value
if key == GBL_RADIUS_SERVER_PASSKEY:
if (global_radius_passkey != value):
type_str = "global default " + key
event = global_radius_passkey + " => " + value
log_event("RADIUS", ["type", type_str],
["action", "update"], ["event", event])
global_radius_passkey = value
if key == GBL_RADIUS_SERVER_RETRIES:
if (global_radius_retries != value):
type_str = "global default " + key
event = global_radius_retries + " => " + value
log_event("RADIUS", ["type", type_str],
["action", "update"], ["event", event])
global_radius_retries = value
if key == AAA_FAIL_THROUGH:
global AAA_FAIL_THROUGH_ENABLED
old = "disabled"
new = "disabled"
if value == AAA_TRUE_FLAG:
if AAA_FAIL_THROUGH_ENABLED == False:
new = "enabled"
AAA_FAIL_THROUGH_ENABLED = True
else:
if AAA_FAIL_THROUGH_ENABLED == True:
old = "enabled"
AAA_FAIL_THROUGH_ENABLED = False
if old != new:
log_event("AAA_CONFIG", ["type", "Fail-through"],
["event", new])
for ovs_rec in idl.tables[AAA_SERVER_GROUP_PRIO_TABLE].rows.itervalues():
if ovs_rec.session_type != session_type:
continue
size = len(ovs_rec.authentication_group_prios)
if size == 1 and ovs_rec.authentication_group_prios.keys(
)[0] == local_group:
vlog.info("AAA: Default local authentication configured\n")
else:
for prio, group in sorted(
ovs_rec.authentication_group_prios.iteritems()):
if group is None:
continue
group_list = group_list + group.group_name + " "
vlog.info(
"AAA Authentication: group_name = %s, group_type = %s\n" %
(group.group_name, group.group_type))
server_table = ""
if group.group_type == AAA_TACACS_PLUS:
server_table = TACACS_SERVER_TABLE
elif group.group_type == AAA_RADIUS:
server_table = RADIUS_SERVER_TABLE
elif group.group_type == AAA_LOCAL:
server_list.append((0, group.group_type))
if server_table == RADIUS_SERVER_TABLE or server_table == TACACS_SERVER_TABLE:
group_server_dict = {}
if group.group_name == AAA_RADIUS or group.group_name == AAA_TACACS_PLUS:
for server in idl.tables[server_table].rows.itervalues(
):
vlog.info(
"AAA: Server %s length = %s group = %s group_prio = %s default_prio = %s\n"
% (server.address, len(
server.group), server.group[0].group_name,
server.user_group_priority[0],
server.default_group_priority))
group_server_dict[
server.default_group_priority] = server
else:
for server in idl.tables[server_table].rows.itervalues(
):
vlog.info(
"AAA: Server %s length = %s group = %s group_prio = %s default_prio = %s\n"
% (server.address, len(
server.group), server.group[0].group_name,
server.user_group_priority[0],
server.default_group_priority))
if server.group[0] == group or server.group[
1] == group:
group_server_dict[
server.user_group_priority[0]] = server
vlog.info("AAA: group_server_dict = %s\n" %
(group_server_dict))
for server_prio, server in sorted(
group_server_dict.iteritems()):
server_list.append((server, group.group_type))
size_author = len(ovs_rec.authorization_group_prios)
if size_author == 1 and ovs_rec.authorization_group_prios.keys(
)[0] == none_group:
vlog.info("AAA: Default none authorization configured\n")
else:
for prio, group in sorted(
ovs_rec.authorization_group_prios.iteritems()):
if group is None:
continue
group_list_authorization = group_list_authorization + group.group_name + " "
vlog.info(
"AAA Authorization: group_name = %s, group_type = %s\n" %
(group.group_name, group.group_type))
group_list = group_list.strip()
if group_list != authentication_group_list:
event = authentication_group_list + " => " + group_list
log_event("AAA_CONFIG",
["type", "Authentication server group priority list"],
["event", event])
authentication_group_list = group_list
group_list_authorization = group_list_authorization.strip()
if group_list_authorization != authorization_group_list:
event = authorization_group_list + " => " + group_list_authorization
log_event("AAA_CONFIG",
["type", "Authorization server group priority list"],
["event", event])
authorization_group_list = group_list_authorization
return server_list
def get_source_interface(protocol):
'''
Get tacacs/radius source interface configuration
'''
global radius_source_ip
global radius_source_interface
old_radius_source_ip = radius_source_ip
old_radius_source_interface = radius_source_interface
global tacacs_source_ip
global tacacs_source_interface
old_tacacs_source_ip = tacacs_source_ip
old_tacacs_source_interface = tacacs_source_interface
if protocol == AAA_RADIUS:
radius_source_ip, radius_source_interface = \
source_interface_utils.get_protocol_source(idl, protocol, \
vrf_utils.DEFAULT_VRF_NAME)
if old_radius_source_ip != radius_source_ip:
action = "update"
if old_radius_source_ip == None:
event = radius_source_ip
action = "add"
elif radius_source_ip == None:
event = old_radius_source_ip
action = "remove"
else:
event = old_radius_source_ip + " => " + radius_source_ip
log_event("RADIUS", ["type", "Source IP"], ["action", action],
["event", event])
elif old_radius_source_interface != radius_source_interface:
action = "update"
if old_radius_source_interface == None:
event = radius_source_interface
action = "add"
elif radius_source_ip == None:
event = old_radius_source_interface
action = "remove"
else:
event = old_radius_source_interface + " => " + radius_source_interface
log_event("RADIUS", ["type", "Source Interface"],
["action", action], ["event", event])
if protocol == AAA_TACACS:
tacacs_source_ip, tacacs_source_interface = \
source_interface_utils.get_protocol_source(idl, protocol, \
vrf_utils.DEFAULT_VRF_NAME)
if old_tacacs_source_ip != tacacs_source_ip:
action = "update"
if old_tacacs_source_ip == None:
event = tacacs_source_ip
action = "add"
elif tacacs_source_ip == None:
event = old_tacacs_source_ip
action = "remove"
else:
event = old_tacacs_source_ip + " => " + tacacs_source_ip
log_event("TACACS", ["type", "Source IP"], ["action", action],
["event", event])
elif old_tacacs_source_interface != tacacs_source_interface:
action = "update"
if old_tacacs_source_interface == None:
event = tacacs_source_interface
action = "add"
elif tacacs_source_interface == None:
event = old_tacacs_source_interface
action = "remove"
else:
event = old_tacacs_source_interface + " => " + tacacs_source_interface
log_event("TACACS", ["type", "Source Interface"],
["action", action], ["event", event])
def add_default_row():
'''
System Table:
Add default values to the radius and fallback columns
by default radius is false and fallback is true
Add default global config value for tacacs column
AAA_Server_Group Table:
Add default group local, tacacs+ and radius
'''
global idl
global default_row_initialized
data = {}
prio_list_authentication = {}
prio_list_authorization = {}
auto_provisioning_data = {}
# Default values for aaa column
data[AAA_FAIL_THROUGH] = AAA_FALSE_FLAG
data[SSH_PASSKEY_AUTHENTICATION_ENABLE] = AUTH_KEY_ENABLE
data[SSH_PUBLICKEY_AUTHENTICATION_ENABLE] = AUTH_KEY_ENABLE
# Default values for tacacs
data[GBL_TACACS_SERVER_PASSKEY] = TACACS_SERVER_PASSKEY_DEFAULT
data[GBL_TACACS_SERVER_TIMEOUT] = TACACS_SERVER_TIMEOUT_DEFAULT
data[GBL_TACACS_SERVER_AUTH_TYPE] = TACACS_PAP
# Default values for radius
data[GBL_RADIUS_SERVER_PASSKEY] = RADIUS_SERVER_PASSKEY_DEFAULT
data[GBL_RADIUS_SERVER_TIMEOUT] = RADIUS_SERVER_TIMEOUT_DEFAULT
data[GBL_RADIUS_SERVER_AUTH_TYPE] = RADIUS_PAP
data[GBL_RADIUS_SERVER_RETRIES] = RADIUS_SERVER_RETRIES_DEFAULT
# Default values for auto provisioning status column
auto_provisioning_data[PERFORMED] = "False"
auto_provisioning_data[URL] = ""
# create the transaction
txn = ovs.db.idl.Transaction(idl)
for ovs_rec in idl.tables[SYSTEM_TABLE].rows.itervalues():
break
setattr(ovs_rec, SYSTEM_AAA_COLUMN, data)
setattr(ovs_rec, SYSTEM_AUTO_PROVISIONING_STATUS_COLUMN,
auto_provisioning_data)
# create default server groups: local, tacacs+ and radius
none_row = txn.insert(idl.tables[AAA_SERVER_GROUP_TABLE], new_uuid=None)
setattr(none_row, AAA_SERVER_GROUP_IS_STATIC, AAA_DEFAULT_GROUP_STATIC)
setattr(none_row, AAA_SERVER_GROUP_NAME, AAA_NONE)
setattr(none_row, AAA_SERVER_GROUP_TYPE, AAA_NONE)
local_row = txn.insert(idl.tables[AAA_SERVER_GROUP_TABLE], new_uuid=None)
setattr(local_row, AAA_SERVER_GROUP_IS_STATIC, AAA_DEFAULT_GROUP_STATIC)
setattr(local_row, AAA_SERVER_GROUP_NAME, AAA_LOCAL)
setattr(local_row, AAA_SERVER_GROUP_TYPE, AAA_LOCAL)
tacacs_row = txn.insert(idl.tables[AAA_SERVER_GROUP_TABLE], new_uuid=None)
setattr(tacacs_row, AAA_SERVER_GROUP_IS_STATIC, AAA_DEFAULT_GROUP_STATIC)
setattr(tacacs_row, AAA_SERVER_GROUP_NAME, AAA_TACACS_PLUS)
setattr(tacacs_row, AAA_SERVER_GROUP_TYPE, AAA_TACACS_PLUS)
radius_row = txn.insert(idl.tables[AAA_SERVER_GROUP_TABLE], new_uuid=None)
setattr(radius_row, AAA_SERVER_GROUP_IS_STATIC, AAA_DEFAULT_GROUP_STATIC)
setattr(radius_row, AAA_SERVER_GROUP_NAME, AAA_RADIUS)
setattr(radius_row, AAA_SERVER_GROUP_TYPE, AAA_RADIUS)
log_event("TACACS", ["type", "Server Group"], ["action", "add"],
["event", "tacacs_plus (default)"])
log_event("RADIUS", ["type", "Server Group"], ["action", "add"],
["event", "radius (default)"])
# create default AAA_Server_Group_Prio table session
default_row = txn.insert(idl.tables[AAA_SERVER_GROUP_PRIO_TABLE],
new_uuid=None)
setattr(default_row, AAA_SERVER_GROUP_PRIO_SESSION_TYPE,
AAA_SERVER_GROUP_PRIO_SESSION_TYPE_DEFAULT)
prio_list_authorization[PRIO_ONE] = none_row
setattr(default_row, AAA_AUTHORIZATION_GROUP_PRIOS,
prio_list_authorization)
prio_list_authentication[PRIO_ONE] = local_row
setattr(default_row, AAA_AUTHENTICATION_GROUP_PRIOS,
prio_list_authentication)
txn.commit_block()
default_sshd_config()
default_row_initialized = 1
return True
def ops_ntpd_check_updates_from_ovsdb():
'''
This function checks if there are any updates in the NTP
associations and accordingly reconfigures the NTP daemon to
pick up the configuration changes.
'''
global idl
global ntpd_command
global ntpq_process
global cmdline_str
global g_ntpk_db
global auth_state
ovs_rec = None
associd = 0
vlog.dbg("ops_ntpd_check_updates_from_ovsdb")
authentication_enable = "false"
trigger_reconfig = False
update_map = {}
# Check if ntp authentication is enabled
for ovs_rec in idl.tables[SYSTEM_TABLE].rows.itervalues():
if ovs_rec.ntp_config and ovs_rec.ntp_config is not None:
for key, value in ovs_rec.ntp_config.iteritems():
if key == 'authentication_enable':
authentication_enable = value
vlog.dbg("Authentication is %s " % (authentication_enable))
if (auth_state != authentication_enable):
trigger_reconfig = True
log_event("NTP_GLOBAL", ["old", auth_state],
["new", authentication_enable])
auth_state = authentication_enable
update_map = {}
# Get the NTP key changes
for ovs_rec in idl.tables[NTP_KEY_TABLE].rows.itervalues():
trust_enable = DEFAULT_NTP_TRUST_ENABLE
if ovs_rec.key_id and ovs_rec.key_id is not None:
key_id = ovs_rec.key_id
if ovs_rec.key_password and ovs_rec.key_password is not None:
key_password = ovs_rec.key_password
if ovs_rec.trust_enable and ovs_rec.trust_enable is not None:
trust_enable = ovs_rec.trust_enable
vlog.dbg("trust_enable is %s and auth is %s" %
(trust_enable, authentication_enable))
if trust_enable is True and authentication_enable == "true":
ops_ntpd_setup_ntp_key_map(update_map, key_id, key_password,
trust_enable)
key_configs, keys_file_content = \
ops_ntpd_check_updates_with_ntp_keys(update_map)
vlog.dbg("Key config changes %s " % (pprint.pformat(key_configs)))
update_map = {}
# Get the NTP association configuration changes
for ovs_rec in idl.tables[NTP_ASSOCIATION_TABLE].rows.itervalues():
key_id = DEFAULT_NTP_KEY_ID
prefer = DEFAULT_NTP_PREF
ntp_version = DEFAULT_NTP_VERSION
ref_clock_id = DEFAULT_NTP_REF_CLOCK_ID
vrf = ovs_rec._data['vrf'].to_json()[1]
if ovs_rec.address and ovs_rec.address is not None:
ip_address = ovs_rec.address
if ovs_rec.key_id and len(ovs_rec.key_id) > 0:
key_id = str(ovs_rec.key_id[0].key_id)
if ovs_rec.association_attributes and \
ovs_rec.association_attributes is not None:
for key, value in \
ovs_rec.association_attributes.iteritems():
if key == 'ref_clock_id':
ref_clock_id = value
if key == 'prefer':
prefer = value
if key == 'version':
ntp_version = value
ops_ntpd_setup_ntp_config_map(update_map, vrf, ip_address, associd,
key_id, ref_clock_id, prefer,
ntp_version)
server_configs = \
ops_ntpd_check_updates_with_ntp_associations(update_map,
trigger_reconfig)
vlog.dbg("Server config changes %s " % (pprint.pformat(server_configs)))
ops_ntpd_sync_updates_to_ntpd(server_configs, key_configs,
keys_file_content)
def ops_ntpd_check_updates_with_ntp_associations(l_ntpa_map, trigger_reconfig):
'''
This function checks if there are any updates in the NTP
associations and accordingly updates the global database
with that info.
It also provides what configuration change has to be sent
to the NTPD daemon.
'''
global g_ntpa_map
add = []
delete = []
add_configs = []
revise_configs = []
add_template_string = ":config server "
delete_template_string = ":config unconfig "
for k in list(set(l_ntpa_map.keys() + g_ntpa_map.keys())):
if k in l_ntpa_map.keys():
v = l_ntpa_map[k]
event = ""
if v[2] != 0:
server_info = "prefer %s, ver %s, key %s" %\
(str(v[4]), str(v[5]), str(v[2]))
else:
server_info = "prefer %s, ver %s" %\
(str(v[4]), str(v[5]))
if k not in g_ntpa_map.keys():
add.append(k)
g_ntpa_map[k] = v
event = "Add"
elif v != g_ntpa_map[k]:
delete.append(k)
add.append(k)
g_ntpa_map[k] = v
event = "Change"
if event != "":
log_event("NTP_ASSOC", ["event", event], ["server", v[0]],
["server_info", server_info])
else:
delete.append(k)
v = g_ntpa_map[k]
log_event("NTP_ASSOC", ["event", "Delete"], ["server", v[0]],
["server_info", ""])
del g_ntpa_map[k]
delete_configs = [delete_template_string + x[1] for x in delete]
for x in add:
(addr, vrf, key_id, ref_clk, pref, ver) = g_ntpa_map[x]
add_config = add_template_string + addr
add_config += " version " + ver
if key_id != DEFAULT_NTP_KEY_ID:
add_config += " key " + key_id
if pref != DEFAULT_NTP_PREF:
add_config += " prefer"
add_configs += [add_config]
if trigger_reconfig is True:
for x in list(g_ntpa_map.keys()):
(addr, vrf, key_id, ref_clk, pref, ver) = g_ntpa_map[x]
if key_id != DEFAULT_NTP_KEY_ID:
revise_configs += [delete_template_string + addr]
if pref != DEFAULT_NTP_PREF:
revise_configs += [
add_template_string + addr +
" version %s key %s prefer" % (ver, key_id)
]
else:
revise_configs += [
add_template_string + addr + " version %s key %s" %
(ver, key_id)
]
server_configs = revise_configs + delete_configs + add_configs
vlog.dbg("server configs %s" % (pprint.pformat(server_configs)))
return server_configs
