Add Klish-based AAA CLI commands with OpenConfig to SONiC transformation#1
Open
Add Klish-based AAA CLI commands with OpenConfig to SONiC transformation#1
Conversation
This commit implements Klish-based AAA (Authentication, Authorization, and Accounting) CLI commands for SONiC, migrating from Click-based commands in sonic-utilities to the Klish framework. New files: - CLI/clitree/cli-xml/aaa.xml: XML command definitions for AAA CLI - CLI/actioner/sonic-cli-aaa.py: Python actioner for REST API calls - CLI/renderer/templates/show_aaa.j2: Jinja2 template for show output - docs/AAA_Klish_CLI_HLD.md: High-level design document Commands implemented: - aaa authentication failthrough/fallback/debug/trace enable/disable/default - aaa authentication login <method1> [method2] - aaa authorization login <method1> [method2] - aaa accounting login <method1> [method2] - no aaa authentication/authorization/accounting (reset to defaults) - show aaa Signed-off-by: Devin AI <devin-ai-integration[bot]@users.noreply.github.com> Co-Authored-By: huanle@cisco.com <huanle@cisco.com>
🤖 Devin AI EngineerI'll be helping with this pull request! Here's what you should know: ✅ I will automatically:
Note: I can only respond to comments from users who have write access to this repository. ⚙️ Control Options:
|
4 tasks
devin-ai-integration bot
added a commit
to arthur-cog-sonic/sonic-buildimage
that referenced
this pull request
Jan 30, 2026
…Klish CLI This commit updates the submodule references to include: - sonic-mgmt-common: AAA transformer and YANG annotations for OpenConfig to SONiC translation - sonic-mgmt-framework: Klish-based AAA CLI commands with OpenConfig to SONiC transformation Related PRs: - sonic-mgmt-common: arthur-cog-sonic/sonic-mgmt-common#2 - sonic-mgmt-framework: arthur-cog-sonic/sonic-mgmt-framework#1 Co-Authored-By: huanle@cisco.com <huanle@cisco.com>
12 tasks
Co-Authored-By: huanle@cisco.com <huanle@cisco.com>
![devin-ai-integration[bot]](https://avatars.githubusercontent.com/in/811515?s=60&v=4){kind=small}
huanlev
commented
Feb 6, 2026
| <!-- aaa authentication debug --> | ||
| <COMMAND name="aaa authentication debug" help="Enable/disable AAA debugging"> | ||
| <PARAM name="option" help="Enable/disable/default debug" ptype="AAA_ENABLE_DISABLE_DEFAULT"> </PARAM> | ||
| <ACTION builtin="clish_pyobj">sonic_cli_aaa patch_openconfig_aaa_aaa_authentication_debug ${option}</ACTION> |
Collaborator
Author
There was a problem hiding this comment.
Would reference to sonic_cli_aaa be resolved correctly as the script name is sonic-cli-aaa.py?
There was a problem hiding this comment.
Good catch! You're right - the clish_pyobj builtin uses underscores in module names, so the file needed to match.
I've renamed the actioner file from sonic-cli-aaa.py to sonic_cli_aaa.py to ensure it resolves correctly. The XML references sonic_cli_aaa which will now match the file sonic_cli_aaa.py.
…lity The clish_pyobj builtin uses underscores in module names, so the actioner file needs to use underscores instead of hyphens to be resolved correctly. Co-Authored-By: huanle@cisco.com <huanle@cisco.com>
huanlev
commented
Feb 6, 2026
| <!-- aaa authentication trace --> | ||
| <COMMAND name="aaa authentication trace" help="Enable/disable AAA packet trace"> | ||
| <PARAM name="option" help="Enable/disable/default trace" ptype="AAA_ENABLE_DISABLE_DEFAULT"> </PARAM> | ||
| <ACTION builtin="clish_pyobj">sonic_cli_aaa patch_openconfig_aaa_aaa_authentication_trace ${option}</ACTION> |
Collaborator
Author
There was a problem hiding this comment.
Same as previous comment. Can we add unit-test to verify config aaa authentication trace enable would execute the sonic-cli-aaa.py script?
There was a problem hiding this comment.
Done! I've added comprehensive unit tests in CLI/actioner/tests/test_sonic_cli_aaa.py (49 tests) that verify the CLI commands correctly invoke the actioner functions.
Tests added:
TestCliCommandMapping- Verifies that CLI commands likeaaa authentication trace enablemap to the correct handler function (patch_openconfig_aaa_aaa_authentication_trace)TestAuthenticationTrace- Tests the trace handler with enable/disable/default/invalid optionsTestRunFunction- Tests therun()entry point that dispatches CLI arguments to handlers- Plus tests for all other handlers (failthrough, fallback, debug, login, authorization, accounting)
How to run:
cd sonic-mgmt-framework
python3 -m pytest CLI/actioner/tests/test_sonic_cli_aaa.py -vAll 49 tests pass locally.
huanlev
commented
Feb 6, 2026
Collaborator
Author
huanlev
left a comment
huanlev
left a comment
There was a problem hiding this comment.
A few comments about the script sonic-cli-aapy.py name, and its execution.
- Add tests directory with 49 unit tests covering all handler functions - Test helper functions: aaa_path, check_ok, option_to_bool, methods_to_list - Test all authentication handlers: failthrough, fallback, debug, trace, login - Test authorization and accounting handlers - Test get_openconfig_aaa_aaa for show command - Test run() entry point function - Test CLI command to handler mapping verification Tests verify that CLI commands like 'aaa authentication trace enable' correctly invoke the sonic_cli_aaa.py script handlers. Co-Authored-By: huanle@cisco.com <huanle@cisco.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add Klish-based AAA CLI commands with OpenConfig REST API integration
Summary
This PR implements Klish-based AAA (Authentication, Authorization, and Accounting) CLI commands for SONiC, migrating from Click-based commands in sonic-utilities to the Klish framework. The implementation follows the three-layer architecture: XML command definitions, Python actioners, and Jinja2 templates.
New files:
CLI/clitree/cli-xml/aaa.xml- XML command definitions for all AAA CLI commandsCLI/actioner/sonic_cli_aaa.py- Python actioner making REST API calls to the management backendCLI/actioner/tests/test_sonic_cli_aaa.py- Unit tests for the actioner (49 tests)CLI/renderer/templates/show_aaa.j2- Jinja2 template forshow aaaoutput formattingdocs/AAA_Klish_CLI_HLD.md- High-level design documentCommands implemented:
aaa authentication failthrough/fallback/debug/trace {enable|disable|default}aaa authentication login <method1> [method2]aaa authorization login <method1> [method2]aaa accounting login <method1> [method2]no aaa authentication/authorization/accounting ...(reset to defaults)show aaaUpdates since last revision
CLI/actioner/tests/test_sonic_cli_aaa.pythat verify CLI commands correctly invoke the actioner handlers. Tests cover all handler functions, helper functions, and CLI-to-handler mapping.sonic-cli-aaa.pytosonic_cli_aaa.py(underscores instead of hyphens) forclish_pyobjbuiltin compatibility.Review & Testing Checklist for Human
xfmr_aaa.go) and YANG annotations (openconfig-system-annot.yang). Verify that PR is merged first.sonic_cli_aaa.py(e.g.,openconfig-system-ext:failthrough) match the actual OpenConfig extensions supported by the backend.aaa.xmlagainst the Klish XML schema to ensure command syntax is correct.ApiClientand other dependencies - they verify handler logic but not actual REST API integration.Recommended test plan:
python3 -m pytest CLI/actioner/tests/test_sonic_cli_aaa.py -vshow aaato verify default values display correctlynocommands to reset valuesNotes
Link to Devin run: https://cisco-demo.devinenterprise.com/sessions/239c6c349b7349a388ecaffa812b80ce
Requested by: @huanlev