Adding the HLD for SONiC reset local users' passwords #1577
Conversation
azmy98
force-pushed
the
dev-long-reset-button-hld
branch
15 times, most recently
from
a166dfa
to
d98771f
Compare
| LongRebootPress().start() | ||
| ``` | ||
|
|
||
| The feature is added to the init flow as long as the we set the ```ENABLE_LONG_RESET_BUTTON_PRESS``` in ```rules/config``` |
There was a problem hiding this comment.
If we set ENABLE_LONG_RESET_BUTTON_PRESS = n during compilation, will it avoid adding the long-boot service to SONiC?
There was a problem hiding this comment.
yes, same as we do for:
CHANGE_DEFAULT_PASSWORD ?= y
|
|
||
| # Warmboot and Fastboot Design Impact | ||
|
|
||
| The feature will not have any impact on fast reboot or warmboot. |
There was a problem hiding this comment.
There needs to be explicit check in the script not to start on warmboot/fastboot. Please refer to https://github.com/sonic-net/sonic-host-services/blob/722b7962f95e8d602a9a60e77356826e9f68891c/scripts/hostcfgd#L1506
There was a problem hiding this comment.
This is interesting. The system should be able to determine if this reboot is either a physical press on the switch or a warm/fast reboot by calling the get_reboot_cause function that we are use in the script. So, I don't think we need it. @dgsudharsan, can you confirm?
There was a problem hiding this comment.
As part of the meeting discussion, I added the changes to support warmboot/fastboot.
azmy98
force-pushed
the
dev-long-reset-button-hld
branch
10 times, most recently
from
44d3aac
to
caa4ddb
Compare
|
community review recording https://zoom.us/rec/share/Mmpq0viHcC2J7QQnHzszlZX4iPR7VqYnXj4u3r7Rzavs4nPG1SImgBb2FK-fL--K.12p00bKsBDn_RCO9 |
|
|
||
| description "LONG_RESET_BUTTON part of config_db.json"; | ||
|
|
||
| container STATE { |
There was a problem hiding this comment.
Suggest to avoid STATE name for the CONFIG_DB data as it looks like a read-only data, please use STATUS.
There was a problem hiding this comment.
@venkatmahalingam , just to be aligned, do we need to change the leaf as well? or just the container name?
because I see in other places 'state' as a command.
|
|
||
| The long reset button press feature implementation shall support the following: | ||
|
|
||
| 1. On long reboot press, the OS will restore the local users' configurations, by deleting non-default users and restoring default passwords for default users and expiring these passwords due to security conecerns. |
There was a problem hiding this comment.
Is the use-case mainly to reset the password of the default user? if no, why cant we login to the switch with the default user to delete the non-default users explicitly?
There was a problem hiding this comment.
yes, I changed the feature name accordingly. the fearture will be reset local users for the default users and in the default implementation this will be triggered by a long reset button
| 4. On short reset button press, the current init flow should not be affected and should boot normally. | ||
| 5. Feature should be enabled or diabled by setting compliation flag to true or false. | ||
| 6. Feature can be disabled and enabled using CLI command. | ||
| 7. The feature is enabled by default. |
There was a problem hiding this comment.
Not sure above statement is true, I think, it's disabled by default, please clarify.
There was a problem hiding this comment.
changed to disabled :)
azmy98
changed the title
azmy98
force-pushed
the
dev-long-reset-button-hld
branch
from
5ae9a60
to
939c65e
Compare
|
|
||
| This feature will be a built-in SONiC feature. There will be three main files to consider in this feature: | ||
|
|
||
| 1. ```src/sonic-platform-common/sonic_platform_base/reset_local_users_passwords_base.py``` - The default behavior implementation will reside in this file, including when to trigger the feature and how to reset the local users' configurations. |
There was a problem hiding this comment.
Why do we want to name the plugin reset_local_users_passwords? If the trigger of this flow is going to be only long press, I recommend renaming it reset_button.py or something similar.
| This feature will be a built-in SONiC feature. There will be three main files to consider in this feature: | ||
|
|
||
| 1. ```src/sonic-platform-common/sonic_platform_base/reset_local_users_passwords_base.py``` - The default behavior implementation will reside in this file, including when to trigger the feature and how to reset the local users' configurations. | ||
| 2. ```platform/<vendor-path>/sonic_platform/reset_local_users_passwords.py``` - The vendor specifc implementation of the feature, each vendor can decide what is the trigger cause to start the functionality and how it is implemented. |
There was a problem hiding this comment.
Same here. If the trigger is going to pressing reset button alone, lets rename it accordingly.
| 2. ```platform/<vendor-path>/sonic_platform/reset_local_users_passwords.py``` - The vendor specifc implementation of the feature, each vendor can decide what is the trigger cause to start the functionality and how it is implemented. | ||
| 3. ```src/sonic-host-services/scripts/reset-local-users-passwords``` - The python file that will be called on service start during init that imports the vendor's specific implementation. | ||
|
|
||
| The default behavior will delete non-default users and restore the original passwords of the default users and expire them based on the content of the file of ```/etc/sonic/default_users.json``` on long reboot press. |
There was a problem hiding this comment.
Do we address the security concern raised in the sonic community meeting? This behavior will reset the passwords alone and not data or configuration and thus its a security concern if someone resets and logs in with default password and obtains all the data. Should we consider resetting configuration and other important files?
There was a problem hiding this comment.
This is a recovery mechanism, if users would like to use this in order to recover their own passwords (which they forgot), without deleting the data on top of the switch - this is the way to do so.
Customers that are using AAA methods will not be affected by this - so let's reduce this to local users only.
In case of a local user, if we have a PW reset, then the default users will be available and might pose a security risk. This is why customers that do not want a recovery mechanism should disable this functionality.
There is indeed a tradeoff between functionality and user experience to security in this feature, but it is manageable.
Also, in order to execute this attack and attack will have to have physical access to the switch, and only after a reboot (which can be tracked since the system will experience downtime)
There was a problem hiding this comment.
|
|
||
| # Warmboot and Fastboot Design Impact | ||
|
|
||
| The feature will not have any impact on fast reboot or warmboot. |
There was a problem hiding this comment.
This daemon itself shouldn't run when the boot type is warmboot or fastboot as the reset button press results only in cold boot. Warmboot and fastboot have strict timing requirements and since this flow will not happen during warm or fastreboot, lets make sure not to run the daemon.
Please update the same in HLD as well
There was a problem hiding this comment.
I will update it also in the requirements
|
|
||
|
|
||
| ``` | ||
| class LocalUsersConfigurationReset: |
There was a problem hiding this comment.
I would recommend not to add code into the HLD. the HLD should contain design and flow diagrams. The code is subject to change and will lead to confusion in the future.
| ### Show command | ||
| **The following command display long-reset-button-press configuration:** | ||
| ```bash | ||
| root@sonic:/home/admin# show local-users-passwords-reset |
There was a problem hiding this comment.
I would prefer the show command to show the last reboot reset button state, rather than just showing the configuration. Can you please publish the last reboot reset button state to state_db and use it to display in show, so that user will be aware if a long press is detected after the current boot?
There was a problem hiding this comment.
I think the user can know that from the reboot-cause, why do we need to have double commands for it.
There was a problem hiding this comment.
If show reboot-cause can cover it, I am fine with it
azmy98
force-pushed
the
dev-long-reset-button-hld
branch
from
939c65e
to
f57585c
Compare
|
@liuh-80 Could you help review? |
|
@azmy98 when do you expect to share the code PRs? |
|
it was decided to remove this HLD for SONiC. PR is closed. |
|
I see no further comments and all seems to be addressed. Appreciate if you can also review the code PRs and provide your feedback. |
|
@venkatmahalingam would you mind to provide code PR review feedback as well? |
|
YANG PR will be reviewed in the YANG workgroup meeting. Other PR review is on-going. |
|
@liat-grozovik will bring this to TSC to get guidance how to handle such PR which needs 2nd reviewers. |
|
@liat-grozovik / @zhangyanzhao can we merge this PR? |
|
@liuh-80 could you please merge it? |
|
@liuh-80 / @zhangyanzhao / @liat-grozovik could you please merge it? It was approved a month ago |
This document provides general information about reset local users' passwords during init implementation in SONiC
The scope of this document is to cover definition, design and implementation of SONiC reset local users' passwords during init feature.