[SONiC] Implement comprehensive local user management system

This implementation addresses the User Management HLD requirements for centralized user administration in SONiC.
sonic-net/SONiC#2018

**1. YANG Model & Configuration Schema:**
- Added sonic-user.yang model defining LOCAL_USER and LOCAL_ROLE_SECURITY_POLICY tables
- Integrated user management into CONFIG_DB schema with role-based configuration
- Added DEVICE_METADATA.local_user_management feature flag

**2. User Management Daemon (userd):**
- Implemented C++ daemon using SWSS framework for CONFIG_DB integration
- Added user lifecycle management (create/update/delete/enable/disable)
- Implemented role-based group assignment (administrator, operator roles)
- Added SSH key management with proper file permissions
- Integrated PAM faillock configuration using Jinja2 templates

**3. CLI Interface:**
- Extended sonic-utilities with 'config user' and 'show user' commands
- Added user import functionality to migrate existing system users
- Added role-based user management with proper validation

**4. Build System Integration:**
- Added sonic-host-services package with userd daemon and systemd service
- Integrated user management into SONiC image build process
- Added template-based configuration generation for init_cfg.json
- Added build dependencies for JSON processing and password hashing

Author: manoharan-nexthop

files/build_templates/init_cfg.json.j2

@@ -5,6 +5,7 @@
             {%- if include_p4rt == "y" %}"synchronous_mode":"enable",{% endif %}
             "default_bgp_status": {% if shutdown_bgp_on_start == "y" %}"down"{% else %}"up"{% endif %},
             "default_pfcwd_status": {% if enable_pfcwd_on_start == "y" %}"enable"{% else %}"disable"{% endif %},
+            "local_user_management": {%- if username and password %}"enabled"{% else %}"disabled"{% endif %},
             "timezone": "UTC"
         }
     },
@@ -212,5 +213,14 @@
             "admin_state": "enabled",
             "vrf": "default"
         }
+    },
+    "LOCAL_USER": {
+{%- if username and password %}
+        "{{ username }}": {
+            "role": "administrator",
+            "password_hash": "{{ password }}",
+            "enabled": true
+        }
+{%- endif %}
     }
 }

files/build_templates/sonic_debian_extension.j2

@@ -268,6 +268,9 @@ install_pip_package {{sonic_host_services_py3_wheel_path}}
 # Install SONiC host services data files (and any dependencies via 'apt-get -y install -f')
 install_deb_package $debs_path/sonic-host-services-data_*.deb
 
+# Install SONiC host services binary package (C++ userd daemon)
+install_deb_package $debs_path/sonic-host-services_*.deb
+
 {% if enable_ztp == "y" %}
 # Install ZTP (and its dependencies via 'apt-get -y install -f')
 install_deb_package $debs_path/sonic-ztp_*.deb

rules/sonic-host-services.dep

@@ -8,3 +8,13 @@ $(SONIC_HOST_SERVICES_PY3)_DEP_FLAGS   := $(SONIC_COMMON_FLAGS_LIST)
 $(SONIC_HOST_SERVICES_PY3)_DEP_FILES   := $(DEP_FILES)
 $(SONIC_HOST_SERVICES_PY3)_SMDEP_FILES := $(SMDEP_FILES)
 $(SONIC_HOST_SERVICES_PY3)_SMDEP_PATHS := $(SPATH)
+
+# Binary package dependencies
+SPATH_BIN   := $($(SONIC_HOST_SERVICES)_SRC_PATH)
+DEP_FILES_BIN := $(SONIC_COMMON_FILES_LIST) rules/sonic-host-services.mk rules/sonic-host-services.dep
+DEP_FILES_BIN += $(SONIC_COMMON_BASE_FILES_LIST)
+DEP_FILES_BIN += $(addprefix $(SPATH_BIN)/,$(shell git -C $(SPATH_BIN) ls-files | grep -v ^data))
+
+$(SONIC_HOST_SERVICES)_CACHE_MODE  := GIT_CONTENT_SHA
+$(SONIC_HOST_SERVICES)_DEP_FLAGS   := $(SONIC_COMMON_FLAGS_LIST)
+$(SONIC_HOST_SERVICES)_DEP_FILES   := $(DEP_FILES_BIN)

rules/sonic-host-services.mk

@@ -8,3 +8,10 @@ $(SONIC_HOST_SERVICES_PY3)_DEPENDS += $(SONIC_PY_COMMON_PY3) \
 $(SONIC_HOST_SERVICES_PY3)_DEBS_DEPENDS = $(LIBSWSSCOMMON) \
                                           $(PYTHON3_SWSSCOMMON)
 SONIC_PYTHON_WHEELS += $(SONIC_HOST_SERVICES_PY3)
+
+# SONiC host services binary package (C++ userd daemon)
+SONIC_HOST_SERVICES = sonic-host-services_1.0-1_$(CONFIGURED_ARCH).deb
+$(SONIC_HOST_SERVICES)_SRC_PATH = $(SRC_PATH)/sonic-host-services
+$(SONIC_HOST_SERVICES)_DEPENDS += $(LIBSWSSCOMMON_DEV)
+$(SONIC_HOST_SERVICES)_RDEPENDS += $(SONIC_HOST_SERVICES_DATA) $(LIBSWSSCOMMON)
+SONIC_DPKG_DEBS += $(SONIC_HOST_SERVICES)

src/sonic-yang-models/setup.py

@@ -146,6 +146,7 @@
     'sonic-smart-switch.yang',
     'sonic-spanning-tree.yang',
     'sonic-srv6.yang',
+    'sonic-user.yang',
 ]
 
 class my_build_py(build_py):

src/sonic-yang-models/tests/files/sample_config_db.json

@@ -3110,6 +3110,13 @@
         "DEBUG_COUNTER_DROP_REASON": {
             "DEBUG_4|DIP_LINK_LOCAL": {},
             "DEBUG_4|SIP_LINK_LOCAL": {}
+        },
+        "LOCAL_USER": {
+            "admin": {
+                "role": "administrator",
+                "password_hash": "$6$rounds=656000$YI/0Vi2X$YI/0Vi2X.FGpk0yZ0DSbMVyp0/ozeWVnJMSUVJsvZQR2ZjbDxw0jkEQBB2trWecfmJpSg.k2VjbdJVv.JZlnM.",
+                "enabled": "true"
+            }
         }
     },
     "SAMPLE_CONFIG_DB_UNKNOWN": {

src/sonic-yang-models/yang-models/sonic-user.yang

@@ -0,0 +1,102 @@
+module sonic-user {
+    yang-version 1.1;
+    namespace "http://github.com/sonic-net/sonic-user";
+    prefix "sonic-user";
+
+    description "SONIC User Management YANG Module";
+
+    revision 2025-06-19 {
+        description "Initial revision for declarative user management";
+    }
+
+    // Common typedef for user roles
+    typedef user-role {
+        type enumeration {
+            enum "administrator" {
+                description "Grants administrative privileges (e.g., member of sudo, docker groups).";
+            }
+            enum "operator" {
+                description "Grants operator-level (read-only or limited) privileges.";
+            }
+        }
+        description "User role that determines group memberships, privileges, and applicable security policies.";
+    }
+
+    // Top-level container for the User feature
+    container sonic-user {
+        description "Top-level container for local user management configuration";
+
+        container LOCAL_USER {
+            description "LOCAL_USER part of config_db.json";
+
+            list LOCAL_USER_LIST {
+                key "username";
+                description "List of declaratively managed local users.";
+
+                must "count(../LOCAL_USER_LIST[role='administrator' and (not(enabled) or enabled='true')]) >= 1" {
+                    error-message "At least one administrator user must remain enabled.";
+                }
+
+                leaf username {
+                    type string {
+                        pattern '[a-z_][a-z0-9_-]*[$]?' {
+                            error-message "Invalid username. Must start with a lowercase letter or underscore, followed by lowercase letters, numbers, underscores, or hyphens.";
+                        }
+                        length 1..32;
+                    }
+                    must ". != 'root'" {
+                        error-message "Username cannot be 'root'.";
+                    }
+                    description "The username for the local account.";
+                }
+
+                leaf role {
+                    type user-role;
+                    mandatory true;
+                    description "The role assigned to the user, which determines their group memberships and privileges.";
+                }
+
+                leaf password_hash {
+                    type string;
+                    mandatory true;
+                    must "not(starts-with(., '!'))" {
+                        error-message "Password hash cannot start with '!'. Use the 'enabled' attribute to disable user accounts.";
+                    }
+                    description "The hashed password string for the user, as found in /etc/shadow. Password hashes can be generated using 'mkpasswd' utility or programmatically using libraries like 'passlib'. To disable an account, use the 'enabled' attribute instead of prepending '!' to the password hash.";
+                }
+
+                leaf-list ssh_keys {
+                    type string;
+                    description "A list of full public SSH key strings.";
+                }
+
+                leaf enabled {
+                    type boolean;
+                    default true;
+                    description "Whether the user account is enabled. When false, the password is disabled by prepending '!' to prevent password-based login while preserving SSH key access.";
+                }
+            }
+        }
+
+        container LOCAL_ROLE_SECURITY_POLICY {
+            description "LOCAL_ROLE_SECURITY_POLICY part of config_db.json";
+
+            list LOCAL_ROLE_SECURITY_POLICY_LIST {
+                key "role";
+                description "Global security policies applied to users based on their role.";
+
+                leaf role {
+                    type user-role;
+                    description "The role for which this security policy applies.";
+                }
+
+                leaf max_login_attempts {
+                    type uint32 {
+                        range "1..1000";
+                    }
+                    description "Maximum number of failed login attempts before accounts with this role are locked. If not set, system defaults apply.";
+                }
+            }
+        }
+    }
+}