napalm-automation / napalm

Network Automation and Programmability Abstraction Layer with Multivendor support
Apache License 2.0

user management for IOS devices #1083

Open adampav opened 4 years ago

adampav commented 4 years ago

Hello,

I noticed that there are no Cisco IOS templates for "set_users" and "delete_users" as there are for other drivers (e.g. Junos, Cisco XR).

I am in the process of creating these templates, would you be interested in me submitting a pull request?

regards, Adam

mirceaulinic commented 4 years ago

I think we have agreed that these templates were generally a bad idea, and we no longer accept expanding the list of NAPALM native templates. However, I think it makes sense to add these two, to match the coverage with the rest of the drivers. Please feel free to open a PR for this @adampav. Thanks!

adampav commented 4 years ago

Cool @mirceaulinic , will do. Cheers!

adampav commented 4 years ago

Regarding the templates for set_users, I have observed that various platforms treat the password in user_details differently.

NXOS --- encrypted password. Interestingly enough, password in NXOS is equivalent to secret.

{%- for user_name, user_details in users.items() %}
{%- if user_details.get('sshkeys') %}
{%- for sshkey in user_details.sshkeys %}
username {{user_name}} sshkey {{ sshkey }}
{%- endfor %}
{%- endif %}
{%- if user_details.get('password') %}
username {{user_name}} password 5 {{user_details.password}}

IOSXR --- unencrypted password (uses the password directive instead of the secret)

{%- for user_name, user_details in users.items() %}
username {{user_name}}
  {% set user_level = user_details.level|default(1) %}
  {%- if user_level == 15 %}
    group root-system
  {%- elif user_level == 5 %}
    group operator
  {%- elif user_level == 2 %}
    group serviceadmin
  {%- elif user_level == 1 %}
    group sysadmin
  {% endif %}
  {%- if user_details.get('password') %}
    password {{user_details.password}}

JUNOS --- attempts to config plain-text-password instead of encrypted-password

system {
  login {
    {%- for user_name, user_details in users.items() -%}
    user {{user_name}} {
      {%- if user_details.get('password') or user_details.get('sshkeys') -%}
      authentication {
        {%- if user_details.get('password') -%}
        plain-text-password "{{user_details.password}}";

Regarding IOS, I have created templates that are based on secret.

In my humble opinion, and of course I am looking forward to your input @mirceaulinic @dbarrosop @ktbyers, the base functionality would be to allow administrators to set encrypted passwords, or at least it should be consistent across platforms.

Would you be OK with two additional changes for iosxr and junos? 1) iosxr -> secret 5 instead of password (as in NXOS); 2) junos -> encrypted-password instead of plain-text-password.

For the record, I tried loading users with set_users.j2 via Salt on Junos (14.3), resulting in an error:

<<<<<=====

 salt junos1 users.set_users "{'mircea': {'password': '$1$gVIOCv9k$7kkxpYna4dPhv0jHttKwc1'}}"
junos1:
    ----------
    already_configured:
        False
    comment:
        Cannot execute "load_template" on juniper-sw.netmode.ntua.gr as root. Reason: [{'source': None, 'message': 'Not a supported JUNOScript tag', 'bad_element': None, 'severity': 'error', 'edit_path': None}, {'source': None, 'message': 'syntax error', 'bad_element': 'kkxpYna4dPhv0jHttKwc1', 'severity': 'error', 'edit_path': None}]!
        Configuration discarded.
    diff:
        [edit system login user mircea]
        +     authentication {
        +         plain-text-password;
        +     }
    loaded_config:
    result:
        False
    traceback:
        Traceback (most recent call last):
          File "/usr/lib/python2.7/dist-packages/salt/utils/napalm.py", line 167, in call
            out = getattr(napalm_device.get('DRIVER'), method)(*args, **kwargs)
          File "/usr/local/lib/python2.7/dist-packages/napalm/base/base.py", line 171, in load_template
            **template_vars
          File "/usr/local/lib/python2.7/dist-packages/napalm/base/helpers.py", line 108, in load_template
            return cls.load_merge_candidate(config=configuration)
          File "/usr/local/lib/python2.7/dist-packages/napalm/junos/junos.py", line 252, in load_merge_candidate
            self._load_candidate(filename, config, False)
          File "/usr/local/lib/python2.7/dist-packages/napalm/junos/junos.py", line 242, in _load_candidate
            raise MergeConfigException(e.errs)
        MergeConfigException: [{'source': None, 'message': 'Not a supported JUNOScript tag', 'bad_element': None, 'severity': 'error', 'edit_path': None}, {'source': None, 'message': 'syntax error', 'bad_element': 'kkxpYna4dPhv0jHttKwc1', 'severity': 'error', 'edit_path': None}]
salt junos1 users.set_users "{'mircea': {'password': '123456'}}"
junos1:
    ----------
    already_configured:
        False
    comment:
        Cannot execute "load_template" on juniper-sw.netmode.ntua.gr as root. Reason: [{'source': None, 'message': 'Not a supported JUNOScript tag', 'bad_element': None, 'severity': 'error', 'edit_path': None}, {'source': None, 'message': 'syntax error', 'bad_element': '123456', 'severity': 'error', 'edit_path': None}]!
        Configuration discarded.
    diff:
        [edit system login user mircea]
        +     authentication {
        +         plain-text-password;
        +     }
    loaded_config:
    result:
        False
    traceback:
        Traceback (most recent call last):
          File "/usr/lib/python2.7/dist-packages/salt/utils/napalm.py", line 167, in call
            out = getattr(napalm_device.get('DRIVER'), method)(*args, **kwargs)
          File "/usr/local/lib/python2.7/dist-packages/napalm/base/base.py", line 171, in load_template
            **template_vars
          File "/usr/local/lib/python2.7/dist-packages/napalm/base/helpers.py", line 108, in load_template
            return cls.load_merge_candidate(config=configuration)
          File "/usr/local/lib/python2.7/dist-packages/napalm/junos/junos.py", line 252, in load_merge_candidate
            self._load_candidate(filename, config, False)
          File "/usr/local/lib/python2.7/dist-packages/napalm/junos/junos.py", line 242, in _load_candidate
            raise MergeConfigException(e.errs)
        MergeConfigException: [{'source': None, 'message': 'Not a supported JUNOScript tag', 'bad_element': None, 'severity': 'error', 'edit_path': None}, {'source': None, 'message': 'syntax error', 'bad_element': '123456', 'severity': 'error', 'edit_path': None}]
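
The two Salt runs above fail the same way whether the value is an MD5-crypt hash or the literal 123456, because the template puts whatever it is given under plain-text-password. The following is an added example, not NAPALM code and not one of the project's templates: it renders a set_users payload for each platform named in this thread with the password always under that platform's hashed directive, and refuses anything that is not a modular-crypt hash so a plaintext value can never be pushed as if it were one. The directive per platform (IOS secret 5, NX-OS password 5, XR secret 5 as proposed above, Junos encrypted-password) and the assumption that the type-5 directives accept only $1$ hashes while Junos also accepts $5$/$6$ are the author's assumptions; privilege level and class mapping from the real templates is left out.

```python
import re
from typing import Dict, List

# Added example, not NAPALM code. Modular-crypt formats treated as an
# already-hashed secret (assumption about what each platform accepts):
#   $1$ MD5-crypt: what IOS "secret 5" / NX-OS "password 5" / XR "secret 5" take
#   $5$ SHA-256-crypt and $6$ SHA-512-crypt: also accepted by Junos
CRYPT_HASH_RE = re.compile(
    r"^\$(?P<scheme>[156])\$[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{22,86}$"
)

# Hashed-password directive per platform and the crypt schemes it is
# assumed to accept. Junos is rendered as a brace-style block instead.
HASHED_DIRECTIVE = {
    "ios":   ("username {name} secret 5 {pw}", "1"),
    "nxos":  ("username {name} password 5 {pw}", "1"),
    "iosxr": ("username {name}\n  secret 5 {pw}", "1"),
    "junos": (None, "156"),
}


def crypt_scheme(value: str):
    """'1', '5' or '6' when value is a modular-crypt hash, else None."""
    m = CRYPT_HASH_RE.match(value)
    return m.group("scheme") if m else None


def check_users(platform: str, users: Dict[str, dict]) -> List[str]:
    """One message per user whose password cannot be pushed as a hash on
    this platform. An empty list means the payload is safe to render."""
    _, allowed = HASHED_DIRECTIVE[platform]
    problems = []
    for name, details in users.items():
        pw = details.get("password")
        if pw is None:
            continue
        scheme = crypt_scheme(pw)
        if scheme is None:
            problems.append(f"{name}: password is not a crypt hash; refusing to push plaintext")
        elif scheme not in allowed:
            problems.append(f"{name}: ${scheme}$ hash is not accepted by {platform}")
    return problems


def render_set_users(platform: str, users: Dict[str, dict]) -> List[str]:
    """Render the set_users payload with every password under the platform's
    hashed directive. Raises instead of rendering if any password is not a hash."""
    problems = check_users(platform, users)
    if problems:
        raise ValueError("; ".join(problems))
    template, _ = HASHED_DIRECTIVE[platform]
    lines: List[str] = []
    if platform == "junos":
        lines += ["system {", "  login {"]
    for name, details in users.items():
        pw = details.get("password")
        if platform == "junos":
            lines.append(f"    user {name} {{")
            if pw:
                lines += ["      authentication {",
                          f'        encrypted-password "{pw}";',
                          "      }"]
            lines.append("    }")
            continue
        if platform == "nxos":
            # NX-OS keys go on the username line, as in the template quoted above
            for key in details.get("sshkeys", []):
                lines.append(f"username {name} sshkey {key}")
        if pw:
            lines += template.format(name=name, pw=pw).split("\n")
    if platform == "junos":
        lines += ["  }", "}"]
    return lines


if __name__ == "__main__":
    # Inputs constructed from the two Salt runs quoted in this thread.
    good = {"mircea": {"password": "$1$gVIOCv9k$7kkxpYna4dPhv0jHttKwc1"}}
    bad = {"mircea": {"password": "123456"}}
    for platform in ("ios", "nxos", "iosxr", "junos"):
        print("\n".join(render_set_users(platform, good)))
    print(check_users("junos", bad))
```

Running check_users before rendering is the useful part: the second Salt run above would have been stopped on the automation host with a clear message instead of reaching the device and failing on a JUNOScript syntax error.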

adampav commented 4 years ago

Well, this issue started as a simple stroll down the "Jinja path". It feels like it is spiraling out of control :D

I checked the get_users getter across various devices and I am getting inconsistent results. My problem is again the iosxr and secret vs password.

e.g. from the iosxr napalm driver.

https://github.com/napalm-automation/napalm/blob/develop/napalm/iosxr/iosxr.py#L2203

This extracts the password, not the secret. The getters for IOS devices and Junos devices retrieve the encrypted password.

Do you think we should unify this also?

mirceaulinic commented 4 years ago

Hey @adampav! As platforms generally can't provide the password in clear, I think it makes sense to return the encrypted password across all the drivers. I'm surprised XR is able to return the password in clear (but if it's using the type 7 encryption, it's like not using any encryption at all, anyway). I'm going to mark this as a bug to fix. Cheers!
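
The remark above that type 7 is as good as no encryption is worth seeing concretely, because it decides how a consumer of get_users should treat the value a driver hands back. The following is an added example, not NAPALM code and not from this thread: it implements the type 7 reversal (a fixed-key XOR over Cisco's well-known key string, with the first two decimal digits of the stored value as the key offset) and a small classifier that sorts a Cisco username line into plaintext (type 0), reversible (type 7, returned already decoded) or one-way hashed (any other type). The classifier and its three labels are the author's own; the 0822455D0A16 example value is a constructed input.

```python
import re
from typing import Tuple

# Cisco type 7 "encryption" is a Vigenere-style XOR against this fixed,
# publicly known key string. The first two decimal digits of a stored value
# are the starting offset into the key; the rest is hex, one byte per char.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def decode_type7(encoded: str) -> str:
    """Recover the plaintext behind a 'password 7' value."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type 7 value must be a 2-digit seed followed by hex pairs")
    seed = int(encoded[:2], 10)
    plain = bytearray()
    for i in range(2, len(encoded), 2):
        cipher_byte = int(encoded[i:i + 2], 16)
        key_byte = XLAT[(seed + (i - 2) // 2) % len(XLAT)]
        plain.append(cipher_byte ^ key_byte)
    return plain.decode("ascii")


def encode_type7(plain: str, seed: int = 8) -> str:
    """Inverse of decode_type7; only here to show the transform is symmetric."""
    body = "".join(
        f"{ord(c) ^ XLAT[(seed + i) % len(XLAT)]:02X}" for i, c in enumerate(plain)
    )
    return f"{seed:02d}{body}"


# Matches "username <name> password|secret <type> <value>" (hypothetical helper).
CISCO_USER_RE = re.compile(r"^username\s+(\S+)\s+(password|secret)\s+(\d+)\s+(\S+)")


def classify_credential(line: str) -> Tuple[str, str, str]:
    """Return (user, kind, value) for a Cisco username line.

    kind is 'plaintext' for type 0, 'reversible' for type 7 (value is the
    decoded password, since anyone holding the config can do the same), or
    'hashed' for the one-way types (5 MD5-crypt, 8 PBKDF2, 9 scrypt, ...).
    Only 'hashed' values are safe to hand back from a getter as-is.
    """
    m = CISCO_USER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a username line: {line!r}")
    user, _, ptype, value = m.groups()
    if ptype == "0":
        return user, "plaintext", value
    if ptype == "7":
        return user, "reversible", decode_type7(value)
    return user, "hashed", value


if __name__ == "__main__":
    # Constructed sample lines, not taken from any real device.
    for line in (
        "username admin password 7 0822455D0A16",
        "username ops secret 5 $1$gVIOCv9k$7kkxpYna4dPhv0jHttKwc1",
        "username guest password 0 letmein",
    ):
        print(classify_credential(line))
```

A getter that returns a type 7 value as the "encrypted password" is returning something any reader of the output can turn back into the cleartext in a few lines, which is why treating it the same as a type 5 hash is a mistake.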

adampav commented 4 years ago

Thanks for getting back to me @mirceaulinic. Great, so how should I proceed?

Cheers, Adam

TheRealBecks commented 4 years ago

@mirceaulinic @adampav What's the status here?

mirceaulinic commented 4 years ago

Hey @adampav, sorry, I must have missed your question. Yes, I think we should proceed with the fixes you suggested for Junos and XR, and add the templates for IOS to be consistent across the drivers. Cheers!

adampav commented 3 years ago

Hey @mirceaulinic, @TheRealBecks, apologies for vanishing for a while. I was pretty swamped with work and obligations during the past months. If this is still of relevance for napalm I will proceed as described above.

mirceaulinic commented 3 years ago

Sure, @adampav. Feel free to open a PR at your leisure.