Exemplo n.º 1
0
def post_crash_processing(corefile):
    try:
        # Name of the Crashed process
        # ToFix :: In case of python based daemon crash, this value just
        #          has the name "python", it doesn't provide information
        #          on which daemon crashed.  This needs to be improved.
        process = xattr.getxattr(corefile, 'user.coredump.comm')

        # Signal Number leading to crash
        signal = int(xattr.getxattr(corefile, 'user.coredump.signal'))
        if signal >= len(strsignal):
            signal = 0

        # Timestamp of the crash event
        timestamp = xattr.getxattr(corefile, 'user.coredump.timestamp')
        timestamp_human = datetime.datetime.fromtimestamp(
            int(timestamp)
        ).strftime('%Y-%m-%d %H:%M:%S')

        ops_eventlog.log_event('SUPPORTABILITY_DAEMON_CRASH',
                               ['process', process],
                               ['signal', strsignal[signal]],
                               ['timestamp', timestamp_human])
    except:
        vlog.dbg("Invalid core dump file found")
Exemplo n.º 2
0
def ops_ntpd_check_updates_with_ntp_keys(l_ntpk_db):
    '''
       This function checks if there are any updates in NTP keys
       and accordingly updates the global database with that info.
       It also provides what configuration change has to be sent
       to the NTPD daemon.
    '''
    global g_ntpk_db, ntpq_info
    add_template_string = " %s MD5 %s"
    trustedkey_template_string = ":config trustedkey "
    untrustedkey_template_string = ":config unconfig trustedkey "
    t_keys_str = "-"
    unt_keys_str = "-"
    trusted_keys = []
    untrusted_keys = []
    trusted_key_config = []
    untrusted_key_config = []
    keys_file_content = ops_ntpd_get_ntpd_default_keys_file_content()
    if len(l_ntpk_db) > 0 and len(g_ntpk_db) > 0:
        untrusted_keys = set(g_ntpk_db.keys()) - set(l_ntpk_db.keys())
        g_ntpk_db = copy.copy(l_ntpk_db)
        trusted_keys = g_ntpk_db.keys()
    elif len(g_ntpk_db) == 0:
        g_ntpk_db = copy.copy(l_ntpk_db)
        trusted_keys = g_ntpk_db.keys()
    elif len(l_ntpk_db) == 0:
        untrusted_keys = g_ntpk_db.keys()
        g_ntpk_db = {}
    keys_file_content += "\n".join(
        [add_template_string % (k, v[0]) for k, v in g_ntpk_db.iteritems()])
    if len(trusted_keys) > 0:
        trusted_key_config += [
            trustedkey_template_string +
            " ".join([str(x) for x in trusted_keys])
        ]
        t_keys_str = " ".join([str(x) for x in trusted_keys])
    if len(untrusted_keys) > 0:
        untrusted_key_config += [
            untrustedkey_template_string +
            " ".join([str(x) for x in untrusted_keys])
        ]
        unt_keys_str = " ".join([str(x) for x in untrusted_keys])
    if t_keys_str != "-" or unt_keys_str != "-":
        log_event("NTP_KEY", ["trusted_keys", t_keys_str],
                  ["untrusted_keys", unt_keys_str])
    key_config = untrusted_key_config + trusted_key_config
    keys_file_content += "\n"
    return key_config, keys_file_content
Exemplo n.º 3
0
def dnsmasq_start_process():

    global dnsmasq_process
    global dnsmasq_command

    dnsmasq_process = None

    vlog.info("dhcp_tftp_debug - dnsmasq_command(3) %s " % (dnsmasq_command))

    dnsmasq_process = subprocess.Popen(dnsmasq_command,
                                       stdout=subprocess.PIPE,
                                       stderr=subprocess.PIPE,
                                       shell=True)

    err = dnsmasq_process.stderr.read()
    print err
    if err != "":
        vlog.emer("%s" % (err))
        vlog.emer("Error with config, dnsmasq failed, command %s" %
                  (dnsmasq_command))
        log_event("DNSMASQ_FAILURE", ["dnsmasq_command", dnsmasq_command])
    else:
        vlog.info("dhcp_tftp_debug - dnsmasq started")
        log_event("DNSMASQ_SUCCESS", ["dnsmasq_command", dnsmasq_command])
Exemplo n.º 4
0
def modify_common_auth_access_file(server_list):
    '''
    modify common-auth-access file, based on RADIUS, TACACS+ and local
    values set in the DB
    '''
    global tacacs_source_interface
    global tacacs_source_ip
    global tacacs_dstn_ns

    global radius_source_interface
    global radius_source_ip
    global radius_dstn_ns

    tacacs_src_ip = None
    tacacs_dstn_ns_old = tacacs_dstn_ns

    radius_src_ip = None
    radius_dstn_ns_old = radius_dstn_ns

    tacacs_src_ip, tacacs_dstn_ns = \
        get_src_ip_dstn_ns(tacacs_source_ip, tacacs_source_interface)

    radius_src_ip, radius_dstn_ns = \
        get_src_ip_dstn_ns(radius_source_ip, radius_source_interface)

    if tacacs_dstn_ns != tacacs_dstn_ns_old:
        log_event("TACACS", ["type", "Destination Namespace"],
                  ["action", "update"], ["event", tacacs_dstn_ns])

    if radius_dstn_ns != radius_dstn_ns_old:
        log_event("RADIUS", ["type", "Destination Namespace"],
                  ["action", "update"], ["event", radius_dstn_ns])

    vlog.info("tacacs_src_interface = %s, radius_src_interface = %s," \
        " tacacs_src_ip = %s, tacacs_dstn_ns = %s, radius_src_ip = %s," \
        " radius_dstn_ns = %s" \
        % (str(tacacs_source_interface), str(radius_source_interface), \
        str(tacacs_src_ip), str(tacacs_dstn_ns), \
         str(radius_src_ip), str(radius_dstn_ns)))

    global global_tacacs_passkey, global_tacacs_timeout, global_tacacs_auth
    global global_radius_passkey, global_radius_timeout, global_radius_auth, global_radius_retries
    vlog.info("AAA: server_list = %s\n" % server_list)
    if not server_list:
        vlog.info("AAA: server_list is empty. Adding default local")

        server_list.append((0, AAA_LOCAL))

    file_header = "# THIS IS AN AUTO-GENERATED FILE\n" \
                  "#\n" \
                  "# /etc/pam.d/common-auth- authentication settings common to all services\n" \
                  "# This file is included from other service-specific PAM config files,\n" \
                  "# and should contain a list of the authentication modules that define\n" \
                  "# the central authentication scheme for use on the system\n" \
                  "# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the\n" \
                  "# traditional Unix authentication mechanisms.\n" \
                  "#\n" \
                  "# here are the per-package modules (the \"Primary\" block)\n"

    file_footer = "#\n" \
                  "# here's the fallback if no module succeeds\n" \
                  "auth    requisite                       pam_deny.so\n" \
                  "# prime the stack with a positive return value if there isn't one already;\n" \
                  "# this avoids us returning an error just because nothing sets a success code\n" \
                  "# since the modules above will each just jump around\n" \
                  "auth    required                        pam_permit.so\n" \
                  "# and here are more per-package modules (the \"Additional\" block)\n"

    file_body = ""

    common_auth_access_filename = PAM_ETC_CONFIG_DIR + "common-auth-access"

    pam_server_list_str = "server list -"

    with open(common_auth_access_filename, "w") as f:

        # Write the file header
        f.write(file_header)

        # Now write the server list to the config file
        PAM_CONTROL_VALUE = "[success=done new_authtok_reqd=done default=ignore auth_err=die]"
        if AAA_FAIL_THROUGH_ENABLED:
            # The following is exactly same as saying: PAM_CONTROL_VALUE = "sufficient"
            PAM_CONTROL_VALUE = "[success=done new_authtok_reqd=done default=ignore]"

        for server, server_type in server_list[:-1]:
            auth_line = ""
            if server_type == AAA_LOCAL:
                auth_line = "auth\t" + PAM_CONTROL_VALUE + "\t" + PAM_LOCAL_MODULE + " nullok\n"
                pam_server_list_str = pam_server_list_str + " local"
            elif server_type == AAA_TACACS_PLUS:
                ip_address = server.address
                tcp_port = server.tcp_port[0]
                if len(server.timeout) == 0:
                    timeout = global_tacacs_timeout
                else:
                    timeout = server.timeout[0]
                if len(server.auth_type) == 0:
                    auth_type = global_tacacs_auth
                else:
                    auth_type = server.auth_type[0]
                if len(server.passkey) == 0:
                    passkey = global_tacacs_passkey
                else:
                    passkey = server.passkey[0]

                if tacacs_dstn_ns is not None:
                    auth_line = "auth\t" + PAM_CONTROL_VALUE + "\t" + PAM_TACACS_MODULE + "\tdebug server=" + ip_address + \
                        ":" + str(tcp_port) + " secret=" + str(passkey) + " login="******" timeout=" + str(timeout) + \
                        " dstn_namespace=" + tacacs_dstn_ns +  " source_ip=" + str(tacacs_src_ip) + " \n"
                else:
                    auth_line = "auth\t" + PAM_CONTROL_VALUE + "\t" + PAM_TACACS_MODULE + "\tdebug server=" + ip_address + \
                        ":" + str(tcp_port) + " secret=" + str(passkey) + " login="******" timeout=" + str(timeout) + "\n"
                pam_server_list_str = pam_server_list_str + " " + ip_address

            elif server_type == AAA_RADIUS:
                ip_address = server.address
                udp_port = server.udp_port[0]
                if len(server.timeout) == 0:
                    timeout = global_radius_timeout
                else:
                    timeout = server.timeout[0]
                if len(server.auth_type) == 0:
                    auth_type = global_radius_auth
                else:
                    auth_type = server.auth_type[0]
                if len(server.passkey) == 0:
                    passkey = global_radius_passkey
                else:
                    passkey = server.passkey[0]
                if len(server.retries) == 0:
                    retries = global_radius_retries
                else:
                    retries = server.retries[0]
                if radius_dstn_ns is not None:
                    auth_line = "auth\t" + PAM_CONTROL_VALUE + "\t" + PAM_RADIUS_MODULE + "\tdebug server=" + ip_address + ":" + \
                        str(udp_port) + " secret=" + str(passkey) + " login="******" retry=" + str(retries) + \
                        " timeout=" + str(timeout) + " dstn_namespace=" + radius_dstn_ns +  " source_ip=" + str(radius_src_ip) + "\n"
                else:
                    auth_line = "auth\t" + PAM_CONTROL_VALUE + "\t" + PAM_RADIUS_MODULE + "\tdebug server=" + ip_address + ":" + \
                        str(udp_port) + " secret=" + str(passkey) + " login="******" retry=" + str(retries) + \
                        " timeout=" + str(timeout) + "\n"

            file_body += auth_line

        # Print the last element
        server = server_list[-1][0]
        server_type = server_list[-1][1]
        auth_line = ""
        if server_type == AAA_LOCAL:
            auth_line = "auth\t[success=1 default=ignore]\t" + PAM_LOCAL_MODULE + " nullok\n"
            pam_server_list_str = pam_server_list_str + " local"
        elif server_type == AAA_TACACS_PLUS:
            ip_address = server.address
            tcp_port = server.tcp_port[0]
            if len(server.timeout) == 0:
                timeout = global_tacacs_timeout
            else:
                timeout = server.timeout[0]
            if len(server.auth_type) == 0:
                auth_type = global_tacacs_auth
            else:
                auth_type = server.auth_type[0]
            if len(server.passkey) == 0:
                passkey = global_tacacs_passkey
            else:
                passkey = server.passkey[0]

            if tacacs_dstn_ns is not None:
                auth_line = "auth\t[success=1 default=ignore]\t" + PAM_TACACS_MODULE + "\tdebug server=" + ip_address + \
                    " secret=" + str(passkey) + " login="******" timeout=" + str(timeout) + \
                    " dstn_namespace=" + tacacs_dstn_ns +  " source_ip=" + str(tacacs_src_ip) + " \n"
            else:
                auth_line = "auth\t[success=1 default=ignore]\t" + PAM_TACACS_MODULE + "\tdebug server=" + ip_address + \
                    " secret=" + str(passkey) + " login="******" timeout=" + str(timeout) + " \n"

            pam_server_list_str = pam_server_list_str + " " + ip_address

        elif server_type == AAA_RADIUS:
            ip_address = server.address
            udp_port = server.udp_port[0]
            if len(server.timeout) == 0:
                timeout = global_radius_timeout
            else:
                timeout = server.timeout[0]
            if len(server.auth_type) == 0:
                auth_type = global_radius_auth
            else:
                auth_type = server.auth_type[0]
            if len(server.passkey) == 0:
                passkey = global_radius_passkey
            else:
                passkey = server.passkey[0]
            if len(server.retries) == 0:
                retries = global_radius_retries
            else:
                retries = server.retries[0]

            if radius_dstn_ns is not None:
                auth_line = "auth\t[success=1 default=ignore]\t"  + PAM_RADIUS_MODULE + "\tdebug server=" + ip_address + \
                    ":" +  str(udp_port) + " secret=" + str(passkey) + " login="******" retry=" + str(retries) + \
                    " timeout=" + str(timeout) + " dstn_namespace=" + radius_dstn_ns +  " source_ip=" + str(radius_src_ip) + "\n"
            else:
                auth_line = "auth\t[success=1 default=ignore]\t"  + PAM_RADIUS_MODULE + "\tdebug server=" + ip_address + \
                    ":" +  str(udp_port) + " secret=" + str(passkey) + " login="******" retry=" + str(retries) + \
                    " timeout=" + str(timeout) + "\n"

        file_body += auth_line

        # Write the PAM configurations for authentication
        f.write(file_body)

        # Write the file footer
        f.write(file_footer)
    log_event("AAA_CONFIG", ["type", "Authentication PAM configuration file"],
              ["event", pam_server_list_str])
Exemplo n.º 5
0
def get_server_list(session_type):

    server_list = []
    global global_tacacs_passkey, global_tacacs_timeout, global_tacacs_auth

    global global_radius_passkey, global_radius_timeout, global_radius_auth, global_radius_retries

    global local_group, authentication_group_list, authorization_group_list, none_group

    group_list = ""
    group_list_authorization = ""

    if local_group is None or none_group is None:
        for group_rec in idl.tables[AAA_SERVER_GROUP_TABLE].rows.itervalues():
            if group_rec.group_name == AAA_LOCAL:
                local_group = group_rec
            elif group_rec.group_name == AAA_NONE:
                none_group = group_rec

    for ovs_rec in idl.tables[SYSTEM_TABLE].rows.itervalues():
        if ovs_rec.aaa and ovs_rec.aaa is not None:
            for key, value in ovs_rec.aaa.iteritems():
                if key == GBL_TACACS_SERVER_TIMEOUT:
                    if (global_tacacs_timeout != value):
                        type_str = "global default " + key
                        event = global_tacacs_timeout + " => " + value
                        log_event("TACACS", ["type", type_str],
                                  ["action", "update"], ["event", event])
                        global_tacacs_timeout = value
                if key == GBL_TACACS_SERVER_AUTH_TYPE:
                    if (global_tacacs_auth != value):
                        type_str = "global default " + key
                        event = global_tacacs_auth + " => " + value
                        log_event("TACACS", ["type", type_str],
                                  ["action", "update"], ["event", event])
                        global_tacacs_auth = value
                if key == GBL_TACACS_SERVER_PASSKEY:
                    if (global_tacacs_passkey != value):
                        type_str = "global default " + key
                        event = global_tacacs_passkey + " => " + value
                        log_event("TACACS", ["type", type_str],
                                  ["action", "update"], ["event", event])
                        global_tacacs_passkey = value
                if key == GBL_RADIUS_SERVER_TIMEOUT:
                    if (global_radius_timeout != value):
                        type_str = "global default " + key
                        event = global_radius_timeout + " => " + value
                        log_event("RADIUS", ["type", type_str],
                                  ["action", "update"], ["event", event])
                        global_radius_timeout = value
                if key == GBL_RADIUS_SERVER_AUTH_TYPE:
                    if (global_radius_auth != value):
                        type_str = "global default " + key
                        event = global_radius_auth + " => " + value
                        log_event("RADIUS", ["type", type_str],
                                  ["action", "update"], ["event", event])
                        global_radius_auth = value
                if key == GBL_RADIUS_SERVER_PASSKEY:
                    if (global_radius_passkey != value):
                        type_str = "global default " + key
                        event = global_radius_passkey + " => " + value
                        log_event("RADIUS", ["type", type_str],
                                  ["action", "update"], ["event", event])
                        global_radius_passkey = value
                if key == GBL_RADIUS_SERVER_RETRIES:
                    if (global_radius_retries != value):
                        type_str = "global default " + key
                        event = global_radius_retries + " => " + value
                        log_event("RADIUS", ["type", type_str],
                                  ["action", "update"], ["event", event])
                        global_radius_retries = value
                if key == AAA_FAIL_THROUGH:
                    global AAA_FAIL_THROUGH_ENABLED
                    old = "disabled"
                    new = "disabled"

                    if value == AAA_TRUE_FLAG:
                        if AAA_FAIL_THROUGH_ENABLED == False:
                            new = "enabled"
                            AAA_FAIL_THROUGH_ENABLED = True
                    else:
                        if AAA_FAIL_THROUGH_ENABLED == True:
                            old = "enabled"
                            AAA_FAIL_THROUGH_ENABLED = False
                    if old != new:
                        log_event("AAA_CONFIG", ["type", "Fail-through"],
                                  ["event", new])

    for ovs_rec in idl.tables[AAA_SERVER_GROUP_PRIO_TABLE].rows.itervalues():
        if ovs_rec.session_type != session_type:
            continue

        size = len(ovs_rec.authentication_group_prios)
        if size == 1 and ovs_rec.authentication_group_prios.keys(
        )[0] == local_group:
            vlog.info("AAA: Default local authentication configured\n")
        else:
            for prio, group in sorted(
                    ovs_rec.authentication_group_prios.iteritems()):
                if group is None:
                    continue

                group_list = group_list + group.group_name + " "
                vlog.info(
                    "AAA Authentication: group_name = %s, group_type = %s\n" %
                    (group.group_name, group.group_type))

                server_table = ""
                if group.group_type == AAA_TACACS_PLUS:
                    server_table = TACACS_SERVER_TABLE
                elif group.group_type == AAA_RADIUS:
                    server_table = RADIUS_SERVER_TABLE
                elif group.group_type == AAA_LOCAL:
                    server_list.append((0, group.group_type))

                if server_table == RADIUS_SERVER_TABLE or server_table == TACACS_SERVER_TABLE:
                    group_server_dict = {}

                    if group.group_name == AAA_RADIUS or group.group_name == AAA_TACACS_PLUS:
                        for server in idl.tables[server_table].rows.itervalues(
                        ):
                            vlog.info(
                                "AAA: Server %s length = %s group = %s group_prio = %s default_prio = %s\n"
                                % (server.address, len(
                                    server.group), server.group[0].group_name,
                                   server.user_group_priority[0],
                                   server.default_group_priority))
                            group_server_dict[
                                server.default_group_priority] = server
                    else:
                        for server in idl.tables[server_table].rows.itervalues(
                        ):
                            vlog.info(
                                "AAA: Server %s length = %s group = %s group_prio = %s default_prio = %s\n"
                                % (server.address, len(
                                    server.group), server.group[0].group_name,
                                   server.user_group_priority[0],
                                   server.default_group_priority))
                            if server.group[0] == group or server.group[
                                    1] == group:
                                group_server_dict[
                                    server.user_group_priority[0]] = server

                    vlog.info("AAA: group_server_dict = %s\n" %
                              (group_server_dict))

                    for server_prio, server in sorted(
                            group_server_dict.iteritems()):
                        server_list.append((server, group.group_type))

        size_author = len(ovs_rec.authorization_group_prios)
        if size_author == 1 and ovs_rec.authorization_group_prios.keys(
        )[0] == none_group:
            vlog.info("AAA: Default none authorization configured\n")
        else:
            for prio, group in sorted(
                    ovs_rec.authorization_group_prios.iteritems()):
                if group is None:
                    continue

                group_list_authorization = group_list_authorization + group.group_name + " "
                vlog.info(
                    "AAA Authorization: group_name = %s, group_type = %s\n" %
                    (group.group_name, group.group_type))

    group_list = group_list.strip()
    if group_list != authentication_group_list:
        event = authentication_group_list + " => " + group_list
        log_event("AAA_CONFIG",
                  ["type", "Authentication server group priority list"],
                  ["event", event])
        authentication_group_list = group_list

    group_list_authorization = group_list_authorization.strip()
    if group_list_authorization != authorization_group_list:
        event = authorization_group_list + " => " + group_list_authorization
        log_event("AAA_CONFIG",
                  ["type", "Authorization server group priority list"],
                  ["event", event])
        authorization_group_list = group_list_authorization

    return server_list
Exemplo n.º 6
0
def get_source_interface(protocol):
    '''
    Get tacacs/radius source interface configuration
    '''
    global radius_source_ip
    global radius_source_interface
    old_radius_source_ip = radius_source_ip
    old_radius_source_interface = radius_source_interface

    global tacacs_source_ip
    global tacacs_source_interface
    old_tacacs_source_ip = tacacs_source_ip
    old_tacacs_source_interface = tacacs_source_interface

    if protocol == AAA_RADIUS:
        radius_source_ip, radius_source_interface = \
            source_interface_utils.get_protocol_source(idl, protocol, \
                vrf_utils.DEFAULT_VRF_NAME)
        if old_radius_source_ip != radius_source_ip:
            action = "update"
            if old_radius_source_ip == None:
                event = radius_source_ip
                action = "add"
            elif radius_source_ip == None:
                event = old_radius_source_ip
                action = "remove"
            else:
                event = old_radius_source_ip + " => " + radius_source_ip
            log_event("RADIUS", ["type", "Source IP"], ["action", action],
                      ["event", event])
        elif old_radius_source_interface != radius_source_interface:
            action = "update"
            if old_radius_source_interface == None:
                event = radius_source_interface
                action = "add"
            elif radius_source_ip == None:
                event = old_radius_source_interface
                action = "remove"
            else:
                event = old_radius_source_interface + " => " + radius_source_interface
            log_event("RADIUS", ["type", "Source Interface"],
                      ["action", action], ["event", event])

    if protocol == AAA_TACACS:
        tacacs_source_ip, tacacs_source_interface = \
            source_interface_utils.get_protocol_source(idl, protocol, \
                vrf_utils.DEFAULT_VRF_NAME)
        if old_tacacs_source_ip != tacacs_source_ip:
            action = "update"
            if old_tacacs_source_ip == None:
                event = tacacs_source_ip
                action = "add"
            elif tacacs_source_ip == None:
                event = old_tacacs_source_ip
                action = "remove"
            else:
                event = old_tacacs_source_ip + " => " + tacacs_source_ip
            log_event("TACACS", ["type", "Source IP"], ["action", action],
                      ["event", event])
        elif old_tacacs_source_interface != tacacs_source_interface:
            action = "update"
            if old_tacacs_source_interface == None:
                event = tacacs_source_interface
                action = "add"
            elif tacacs_source_interface == None:
                event = old_tacacs_source_interface
                action = "remove"
            else:
                event = old_tacacs_source_interface + " => " + tacacs_source_interface
            log_event("TACACS", ["type", "Source Interface"],
                      ["action", action], ["event", event])
Exemplo n.º 7
0
def add_default_row():
    '''
    System Table:
       Add default values to the radius and fallback columns
       by default radius is false and fallback is true
       Add default global config value for tacacs column
    AAA_Server_Group Table:
       Add default group local, tacacs+ and radius
    '''
    global idl
    global default_row_initialized

    data = {}
    prio_list_authentication = {}
    prio_list_authorization = {}
    auto_provisioning_data = {}

    # Default values for aaa column
    data[AAA_FAIL_THROUGH] = AAA_FALSE_FLAG
    data[SSH_PASSKEY_AUTHENTICATION_ENABLE] = AUTH_KEY_ENABLE
    data[SSH_PUBLICKEY_AUTHENTICATION_ENABLE] = AUTH_KEY_ENABLE
    # Default values for tacacs
    data[GBL_TACACS_SERVER_PASSKEY] = TACACS_SERVER_PASSKEY_DEFAULT
    data[GBL_TACACS_SERVER_TIMEOUT] = TACACS_SERVER_TIMEOUT_DEFAULT
    data[GBL_TACACS_SERVER_AUTH_TYPE] = TACACS_PAP
    # Default values for radius
    data[GBL_RADIUS_SERVER_PASSKEY] = RADIUS_SERVER_PASSKEY_DEFAULT
    data[GBL_RADIUS_SERVER_TIMEOUT] = RADIUS_SERVER_TIMEOUT_DEFAULT
    data[GBL_RADIUS_SERVER_AUTH_TYPE] = RADIUS_PAP
    data[GBL_RADIUS_SERVER_RETRIES] = RADIUS_SERVER_RETRIES_DEFAULT

    # Default values for auto provisioning status column
    auto_provisioning_data[PERFORMED] = "False"
    auto_provisioning_data[URL] = ""

    # create the transaction
    txn = ovs.db.idl.Transaction(idl)
    for ovs_rec in idl.tables[SYSTEM_TABLE].rows.itervalues():
        break

    setattr(ovs_rec, SYSTEM_AAA_COLUMN, data)
    setattr(ovs_rec, SYSTEM_AUTO_PROVISIONING_STATUS_COLUMN,
            auto_provisioning_data)

    # create default server groups: local, tacacs+ and radius
    none_row = txn.insert(idl.tables[AAA_SERVER_GROUP_TABLE], new_uuid=None)
    setattr(none_row, AAA_SERVER_GROUP_IS_STATIC, AAA_DEFAULT_GROUP_STATIC)
    setattr(none_row, AAA_SERVER_GROUP_NAME, AAA_NONE)
    setattr(none_row, AAA_SERVER_GROUP_TYPE, AAA_NONE)

    local_row = txn.insert(idl.tables[AAA_SERVER_GROUP_TABLE], new_uuid=None)
    setattr(local_row, AAA_SERVER_GROUP_IS_STATIC, AAA_DEFAULT_GROUP_STATIC)
    setattr(local_row, AAA_SERVER_GROUP_NAME, AAA_LOCAL)
    setattr(local_row, AAA_SERVER_GROUP_TYPE, AAA_LOCAL)

    tacacs_row = txn.insert(idl.tables[AAA_SERVER_GROUP_TABLE], new_uuid=None)
    setattr(tacacs_row, AAA_SERVER_GROUP_IS_STATIC, AAA_DEFAULT_GROUP_STATIC)
    setattr(tacacs_row, AAA_SERVER_GROUP_NAME, AAA_TACACS_PLUS)
    setattr(tacacs_row, AAA_SERVER_GROUP_TYPE, AAA_TACACS_PLUS)

    radius_row = txn.insert(idl.tables[AAA_SERVER_GROUP_TABLE], new_uuid=None)
    setattr(radius_row, AAA_SERVER_GROUP_IS_STATIC, AAA_DEFAULT_GROUP_STATIC)
    setattr(radius_row, AAA_SERVER_GROUP_NAME, AAA_RADIUS)
    setattr(radius_row, AAA_SERVER_GROUP_TYPE, AAA_RADIUS)

    log_event("TACACS", ["type", "Server Group"], ["action", "add"],
              ["event", "tacacs_plus (default)"])

    log_event("RADIUS", ["type", "Server Group"], ["action", "add"],
              ["event", "radius (default)"])

    # create default AAA_Server_Group_Prio table session
    default_row = txn.insert(idl.tables[AAA_SERVER_GROUP_PRIO_TABLE],
                             new_uuid=None)
    setattr(default_row, AAA_SERVER_GROUP_PRIO_SESSION_TYPE,
            AAA_SERVER_GROUP_PRIO_SESSION_TYPE_DEFAULT)
    prio_list_authorization[PRIO_ONE] = none_row
    setattr(default_row, AAA_AUTHORIZATION_GROUP_PRIOS,
            prio_list_authorization)
    prio_list_authentication[PRIO_ONE] = local_row
    setattr(default_row, AAA_AUTHENTICATION_GROUP_PRIOS,
            prio_list_authentication)

    txn.commit_block()

    default_sshd_config()

    default_row_initialized = 1
    return True
Exemplo n.º 8
0
def ops_ntpd_check_updates_from_ovsdb():
    '''
        This function checks if there are any updates in the NTP
        associations and accordingly reconfigures the NTP daemon to
        pick up the configuration changes.
    '''
    global idl
    global ntpd_command
    global ntpq_process
    global cmdline_str
    global g_ntpk_db
    global auth_state
    ovs_rec = None
    associd = 0
    vlog.dbg("ops_ntpd_check_updates_from_ovsdb")
    authentication_enable = "false"
    trigger_reconfig = False

    update_map = {}
    # Check if ntp authentication is enabled
    for ovs_rec in idl.tables[SYSTEM_TABLE].rows.itervalues():
        if ovs_rec.ntp_config and ovs_rec.ntp_config is not None:
            for key, value in ovs_rec.ntp_config.iteritems():
                if key == 'authentication_enable':
                    authentication_enable = value
    vlog.dbg("Authentication is %s " % (authentication_enable))

    if (auth_state != authentication_enable):
        trigger_reconfig = True
        log_event("NTP_GLOBAL", ["old", auth_state],
                  ["new", authentication_enable])
        auth_state = authentication_enable

    update_map = {}
    # Get the NTP key changes
    for ovs_rec in idl.tables[NTP_KEY_TABLE].rows.itervalues():
        trust_enable = DEFAULT_NTP_TRUST_ENABLE
        if ovs_rec.key_id and ovs_rec.key_id is not None:
            key_id = ovs_rec.key_id
        if ovs_rec.key_password and ovs_rec.key_password is not None:
            key_password = ovs_rec.key_password
        if ovs_rec.trust_enable and ovs_rec.trust_enable is not None:
            trust_enable = ovs_rec.trust_enable
        vlog.dbg("trust_enable is %s and auth is %s" %
                 (trust_enable, authentication_enable))
        if trust_enable is True and authentication_enable == "true":
            ops_ntpd_setup_ntp_key_map(update_map, key_id, key_password,
                                       trust_enable)

    key_configs, keys_file_content = \
        ops_ntpd_check_updates_with_ntp_keys(update_map)
    vlog.dbg("Key config changes %s " % (pprint.pformat(key_configs)))

    update_map = {}
    # Get the NTP association configuration changes
    for ovs_rec in idl.tables[NTP_ASSOCIATION_TABLE].rows.itervalues():
        key_id = DEFAULT_NTP_KEY_ID
        prefer = DEFAULT_NTP_PREF
        ntp_version = DEFAULT_NTP_VERSION
        ref_clock_id = DEFAULT_NTP_REF_CLOCK_ID
        vrf = ovs_rec._data['vrf'].to_json()[1]
        if ovs_rec.address and ovs_rec.address is not None:
            ip_address = ovs_rec.address
        if ovs_rec.key_id and len(ovs_rec.key_id) > 0:
            key_id = str(ovs_rec.key_id[0].key_id)
        if ovs_rec.association_attributes and \
                ovs_rec.association_attributes is not None:
            for key, value in \
                    ovs_rec.association_attributes.iteritems():
                if key == 'ref_clock_id':
                    ref_clock_id = value
                if key == 'prefer':
                    prefer = value
                if key == 'version':
                    ntp_version = value
        ops_ntpd_setup_ntp_config_map(update_map, vrf, ip_address, associd,
                                      key_id, ref_clock_id, prefer,
                                      ntp_version)

    server_configs = \
        ops_ntpd_check_updates_with_ntp_associations(update_map,
                                                     trigger_reconfig)
    vlog.dbg("Server config changes %s " % (pprint.pformat(server_configs)))

    ops_ntpd_sync_updates_to_ntpd(server_configs, key_configs,
                                  keys_file_content)
Exemplo n.º 9
0
def ops_ntpd_check_updates_with_ntp_associations(l_ntpa_map, trigger_reconfig):
    '''
        This function checks if there are any updates in the NTP
        associations and accordingly updates the global database
        with that info.
        It also provides what configuration change has to be sent
        to the NTPD daemon.
    '''
    global g_ntpa_map
    add = []
    delete = []
    add_configs = []
    revise_configs = []
    add_template_string = ":config server "
    delete_template_string = ":config unconfig "
    for k in list(set(l_ntpa_map.keys() + g_ntpa_map.keys())):
        if k in l_ntpa_map.keys():
            v = l_ntpa_map[k]
            event = ""
            if v[2] != 0:
                server_info = "prefer %s, ver %s, key %s" %\
                            (str(v[4]), str(v[5]), str(v[2]))
            else:
                server_info = "prefer %s, ver %s" %\
                            (str(v[4]), str(v[5]))
            if k not in g_ntpa_map.keys():
                add.append(k)
                g_ntpa_map[k] = v
                event = "Add"
            elif v != g_ntpa_map[k]:
                delete.append(k)
                add.append(k)
                g_ntpa_map[k] = v
                event = "Change"
            if event != "":
                log_event("NTP_ASSOC", ["event", event], ["server", v[0]],
                          ["server_info", server_info])
        else:
            delete.append(k)
            v = g_ntpa_map[k]
            log_event("NTP_ASSOC", ["event", "Delete"], ["server", v[0]],
                      ["server_info", ""])
            del g_ntpa_map[k]
    delete_configs = [delete_template_string + x[1] for x in delete]
    for x in add:
        (addr, vrf, key_id, ref_clk, pref, ver) = g_ntpa_map[x]
        add_config = add_template_string + addr
        add_config += " version " + ver
        if key_id != DEFAULT_NTP_KEY_ID:
            add_config += " key " + key_id
        if pref != DEFAULT_NTP_PREF:
            add_config += " prefer"
        add_configs += [add_config]
    if trigger_reconfig is True:
        for x in list(g_ntpa_map.keys()):
            (addr, vrf, key_id, ref_clk, pref, ver) = g_ntpa_map[x]
            if key_id != DEFAULT_NTP_KEY_ID:
                revise_configs += [delete_template_string + addr]
                if pref != DEFAULT_NTP_PREF:
                    revise_configs += [
                        add_template_string + addr +
                        " version %s key %s prefer" % (ver, key_id)
                    ]
                else:
                    revise_configs += [
                        add_template_string + addr + " version %s key %s" %
                        (ver, key_id)
                    ]
    server_configs = revise_configs + delete_configs + add_configs
    vlog.dbg("server configs %s" % (pprint.pformat(server_configs)))
    return server_configs