token auth

[ksator]

Hello would like to use pygnmi with token authentication but I dont see this option? token based auth https://grpc.io/docs/guides/auth/ here's the implementations of 2 gnmi clients https://github.com/karimra/gnmic/issues/412 Thank you!

[akarneliuk]

Hey @ksator ,

we haven't looked into that yet, but will try to work that out, yes. Do you have access to CVP to get that tested?

Best, Anton

[akarneliuk]

Hey @ksator,

We've added authentication with Token. I cannot test if that work properly as I don't have CVP to test it against, but we have validated that the corresponding header is generated. So I have 2 questions to you:

1. Can you please test it
2. What shall be in general the mechanics, i.e. shall it be both username/password AND token or just token for CVP?

Thanks, Anton

[ksator]

@akarneliuk hello many thanks. I will test it and come back to you with the answers. I can also provide you in a private message an access to a CVP lab

[akarneliuk]

Hey @ksator ,

that sounds perfect, thank you. If you do both, it will be perfect.

Best, Anton

[ksator]

arista@devbox:~$ pip freeze | grep pygnmi
pygnmi==0.7.0

arista@devbox:~$ python
Python 3.9.9 (main, Dec  3 2021, 01:15:49) 
[GCC 10.2.1 20210110] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from pprint import pprint as pp
>>> import json
>>> from pygnmi.client import gNMIclient
>>> 
>>> with open("token.tok") as f:
...   TOKEN = f.read().strip('\n')
... 
>>> host = ('192.168.0.5', '443')
>>> with gNMIclient(target=host, token=TOKEN, insecure=True) as gc:
...   result = gc.capabilities()
...   pp(result)
... 
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/arista/.local/lib/python3.9/site-packages/pygnmi/client.py", line 96, in __enter__
    return self.connect()
  File "/home/arista/.local/lib/python3.9/site-packages/pygnmi/client.py", line 106, in connect
    self.__channel = grpc.insecure_channel(self.__target_path,
  File "/home/arista/.local/lib/python3.9/site-packages/grpc/__init__.py", line 1978, in insecure_channel
    return _channel.Channel(target, () if options is None else options, None,
  File "/home/arista/.local/lib/python3.9/site-packages/grpc/_channel.py", line 1478, in __init__
    self._channel = cygrpc.Channel(
  File "src/python/grpcio/grpc/_cython/_cygrpc/channel.pyx.pxi", line 454, in grpc._cython.cygrpc.Channel.__cinit__
  File "src/python/grpcio/grpc/_cython/_cygrpc/arguments.pyx.pxi", line 76, in grpc._cython.cygrpc._ChannelArgs.__cinit__
  File "src/python/grpcio/grpc/_cython/_cygrpc/arguments.pyx.pxi", line 60, in grpc._cython.cygrpc._ChannelArg.c
TypeError: Expected int, bytes, or behavior, got <class 'NoneType'>
>>> 

but this one works

arista@devbox:~$ gnmic -a 192.168.0.5:443 capabilities --token=`cat token.tok` --skip-verify

[ksator]

fyi to sub to the BGP YANG container in the cvp database (cvp address is 192.168.0.5) for the device spine1:

gnmic -a 192.168.0.5:443 subscribe --path "openconfig:/network-instances/network-instance/protocols/protocol/bgp/" --token=$token --target=spine1_SN --skip-verify

so we need only the token no need to include username/password as well note: -a is the cvp address and --target is the device SN

Here's the doc

[ksator]

Many thanks @akarneliuk

Here's the working example you did:

arista@devbox:~$ cat test_pygnmi.py 
from pprint import pprint as pp
import json
from pygnmi.client import gNMIclient

with open("token.tok") as f:
    TOKEN = f.read().strip('\n')

host = ('192.168.0.5', '443')
with gNMIclient(target=host, username="",
                password="", token=TOKEN,
                override="192.168.0.5") as gc:
    result = gc.capabilities()

pp(result) 

arista@devbox:~$ pip freeze | grep pyg
pygnmi==0.7.0

[akarneliuk]

Thanks @ksator , I see you opened a dedicated issue for target, so I will close this one.

[ksator]

Thank you.

This works as well:

• pygnmi 0.7.1
• token
• no username and no password

  arista@devbox:~$ pip freeze | grep gn
  pygnmi==0.7.1

  
  arista@devbox:~$ cat test.py 
  from pprint import pprint as pp
  import json
  from pygnmi.client import gNMIclient

with open("token.tok") as f: TOKEN = f.read().strip('\n')

    host = ('192.168.0.5', '443')
    with gNMIclient(target=host, token=TOKEN, override="192.168.0.5") as gc:
            result = gc.capabilities()

            pp(result) 

arista@devbox:~$

[ksator]

This is also working

• pygnmi 0.7.1
• token
• no username and no password
• skip_verify instead of override

  arista@devbox:~$ pip freeze | grep gnm
  pygnmi==0.7.1

  
  arista@devbox:~$ cat test2.py 
  from pprint import pprint as pp
  import json
  from pygnmi.client import gNMIclient

with open("token.tok") as f: TOKEN = f.read().strip('\n')

host = ('192.168.0.5', '443') with gNMIclient(target=host, token=TOKEN, skip_verify=False) as gc: result = gc.capabilities()

pp(result) arista@devbox:~$

[ksator]

Thank you!

[ksator]

but it should be skip_verify=True not skip_verify=False isnt it? using skip_verify=True it doesn't work would u like me to create an issue ? or am I wrong?