Add AAA Klish CLI commands, actioner, template, and HLD #2

Open
devin-ai-integration[bot] wants to merge 2 commits into master from devin/1771549240-aaa-klish-cli
devin-ai-integration bot commented Feb 20, 2026

Add Klish-based AAA CLI commands, actioner, and show template

Summary

Implements the sonic-mgmt-framework half of migrating AAA CLI from Click (sonic-utilities) to Klish. Adds the three-layer Klish components:

  • CLI/clitree/cli-xml/aaa.xml — Klish XML command definitions for aaa authentication {failthrough|fallback|debug|login}, aaa authorization login, aaa accounting login, corresponding no commands, and show aaa
  • CLI/actioner/sonic_cli_aaa.py — Python actioner that translates CLI inputs into OpenConfig REST PATCH/DELETE/GET calls via ApiClient
  • CLI/renderer/templates/show_aaa.j2 — Jinja2 template rendering show aaa output
  • AAA_Klish_CLI_HLD.md — High-level design document
  • CLI/actioner/tests/test_sonic_cli_aaa.py — Unit tests (31 tests, 97% coverage)

Companion PR required: sonic-mgmt-common must also receive the YANG annotation (openconfig-aaa-annot.yang), Go transformer (xfmr_aaa.go), and augmentation YANG (openconfig-aaa-sonic-ext.yang) for the end-to-end flow to work. See sonic-mgmt-common PR #3.

Updates since last revision

  • Removed unused import json from sonic_cli_aaa.py (lint fix).
  • The companion sonic-mgmt-common PR now includes openconfig-aaa-sonic-ext.yang, which augments the OpenConfig AAA model with SONiC-specific failthrough, fallback, and debug leaves. The REST paths used by this actioner (e.g. /openconfig-aaa:aaa/authentication/config/failthrough) depend on that augmentation being present.

Review & Testing Checklist for Human

Risk level: 🟡 YELLOW — Changes span two repos and cannot be fully validated until both PRs merge and submodule SHA is updated in sonic-buildimage.

  • Verify Klish optional parameter expansion behavior — In aaa.xml line 79, the aaa authentication login command passes up to 5 optional method parameters. Confirm on a real DUT that unset optional params are either omitted or passed as empty strings (the actioner filters empties with [m for m in args if m and m.strip()]). If Klish passes literal ${auth-method2} strings, the filtering won't work.

  • Validate boolean type conversion — The actioner sends Python True/False for failthrough/fallback/debug, and the augmentation YANG defines these as type boolean. SONiC's native model uses stypes:boolean_type (string "True"/"False"). Verify the transformer framework handles this conversion correctly without a custom field transformer (these fields only have sonic-ext:field-name, no sonic-ext:field-transformer).

  • End-to-end DUT testing — After both PRs merge and sonic-buildimage submodule SHA is updated:

    • Run aaa authentication login tacacs+ local and verify ConfigDB has AAA|authentication|login = "tacacs+,local"
    • Run aaa authentication failthrough enable and verify AAA|authentication|failthrough = "True"
    • Run show aaa and verify output matches expected format
    • Test no aaa authentication login to reset to default
    • Verify bidirectional transformation (OpenConfig ↔ SONiC) works via REST API

Notes

  • The show_aaa.j2 template shows defaults for failthrough and fallback but not debug — this is intentional per the existing Click command behavior.
  • HLD document is at repo root; consider moving to docs/ directory if that's the convention.
  • All new files have "Copyright 2024 Broadcom" headers copied from reference files. Verify this is appropriate for arthur-cog-sonic/Cisco project.

Link to Devin run: https://cisco-demo.devinenterprise.com/sessions/dac62833768e40b09aeafb00c78f66be
Requested by: @arthurkkp-cog
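
The first checklist item above notes that the empty-string filter does not catch literal `${auth-method2}` strings. The sketch below is an added example, not code from this PR or from sonic-mgmt-framework: a hypothetical `normalize_login_methods` helper that fails closed on unexpanded Klish parameters and unknown methods before anything reaches the REST call. The allow-list is an assumption taken from the methods named in the test plan.

```python
import re

# Assumption: allow-list built from the methods named in the PR's test plan
# ("tacacs+", "local"); extend it to match what the target platform supports.
ALLOWED_METHODS = ("tacacs+", "local")

# A Klish variable reference that was never substituted, e.g. "${auth-method2}".
_UNEXPANDED = re.compile(r"\$\{[^}]*\}")


class MethodListError(ValueError):
    """Raised when the login method list must not be sent to the REST API."""


def normalize_login_methods(args):
    """Return the comma-joined method list, or raise MethodListError.

    Hypothetical helper: takes the optional method arguments as the actioner
    would receive them and returns the "tacacs+,local" style string.
    """
    methods = []
    for raw in args:
        if raw is None or not raw.strip():
            continue  # unset optional parameter omitted or passed as ""
        value = raw.strip()
        if _UNEXPANDED.search(value):
            # Fail closed: a placeholder must never be stored as an auth method.
            raise MethodListError("unexpanded Klish parameter: %r" % value)
        if value not in ALLOWED_METHODS:
            raise MethodListError("unsupported method: %r" % value)
        if value in methods:
            raise MethodListError("duplicate method: %r" % value)
        methods.append(value)
    if not methods:
        raise MethodListError("no authentication method given")
    return ",".join(methods)


if __name__ == "__main__":
    # Constructed inputs covering both behaviours the checklist asks about.
    for sample in (["tacacs+", "local", "", "", ""],
                   ["tacacs+", "${auth-method2}", "${auth-method3}"]):
        try:
            print(sample, "->", normalize_login_methods(sample))
        except MethodListError as exc:
            print(sample, "-> rejected:", exc)
```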

- Add aaa.xml with Klish command definitions for AAA authentication,
  authorization, and accounting (config + show + no commands)
- Add sonic_cli_aaa.py actioner with REST API integration for all AAA
  operations (PATCH/DELETE/GET via OpenConfig paths)
- Add show_aaa.j2 Jinja2 template for rendering AAA configuration
- Add AAA_Klish_CLI_HLD.md high-level design document
- Add unit tests for actioner with 97% coverage

Co-Authored-By: Arthur Poon <arthur.poon@windsurf.com>

devin-ai-integration bot (Author) commented

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

Co-Authored-By: Arthur Poon <arthur.poon@windsurf.com>