
Conversation

@manoharan-nexthop

Why I did it

This implementation addresses the User Management HLD requirements for centralized user administration in SONiC. sonic-net/SONiC#2018


How I did it

1. YANG Model & Configuration Schema:

  • Added sonic-user.yang model defining LOCAL_USER and LOCAL_ROLE_SECURITY_POLICY tables
  • Integrated user management into CONFIG_DB schema with role-based configuration
  • Added DEVICE_METADATA.local_user_management feature flag

2. User Management Daemon (userd):

  • Implemented C++ daemon using SWSS framework for CONFIG_DB integration
  • Added user lifecycle management (create/update/delete/enable/disable)
  • Implemented role-based group assignment (administrator, operator roles)
  • Added SSH key management with proper file permissions
  • Integrated PAM faillock configuration using Jinja2 templates

3. CLI Interface:

  • Extended sonic-utilities with 'config user' and 'show user' commands
  • Added user import functionality to migrate existing system users
  • Added role-based user management with proper validation

4. Build System Integration:

  • Added sonic-host-services package with userd daemon and systemd service
  • Integrated user management into SONiC image build process
  • Added template-based configuration generation for init_cfg.json
  • Added build dependencies for JSON processing and password hashing

How to verify it

Tested for all the features that are implemented.

Which release branch to backport (provide reason below if selected)

  • 202205
  • 202211
  • 202305
  • 202311
  • 202405
  • 202411
  • 202505

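Added example (Python; not code from this PR or from sonic-host-services) sketching the two security-relevant checks the "How I did it" list describes: validating a LOCAL_USER entry and mapping its role to Linux groups, and auditing the permissions of a user's SSH key file before the daemon trusts it. The `role` field, the role-to-group mapping and the mode thresholds are assumptions for this example.

```python
# Added illustration (not code from this PR) of checks a daemon like userd
# needs before applying a LOCAL_USER entry. The "role" field, the role-to-
# group mapping and the stat-based key audit are assumptions for this example.
import os
import re
import stat

# Assumed mapping from the HLD roles to the Linux groups they are assigned.
ROLE_GROUPS = {"administrator": ["sudo", "adm"], "operator": ["operator"]}
# Conservative account-name rule: letter or '_' first, then [a-z0-9_-].
USER_NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def groups_for(entry):
    """Return the Linux groups for the entry's role, or raise ValueError."""
    role = entry.get("role")
    if role not in ROLE_GROUPS:
        raise ValueError(f"unknown role {role!r}")
    return list(ROLE_GROUPS[role])


def validate_entry(name, entry):
    """Return the problems found in a LOCAL_USER entry (empty list = ok)."""
    problems = []
    if not USER_NAME_RE.match(name):
        problems.append("unsafe account name")
    if entry.get("role") not in ROLE_GROUPS:
        problems.append(f"unknown role {entry.get('role')!r}")
    return problems


def audit_key_mode(file_mode, file_uid, dir_mode, expected_uid):
    """Audit authorized_keys-style permissions from raw stat values."""
    # Regular file, owned by the user, closed to group/other, in a directory
    # that group/other cannot write (sshd StrictModes refuses anything looser).
    problems = []
    if not stat.S_ISREG(file_mode):
        problems.append("key file is not a regular file")
    if file_mode & 0o077:
        problems.append("key file readable or writable by group/other")
    if file_uid != expected_uid:
        problems.append("key file not owned by the user")
    if dir_mode & 0o022:
        problems.append("key directory writable by group/other")
    return problems


def audit_key_file(path, expected_uid):
    """Audit a real key file without following symlinks."""
    st = os.lstat(path)
    dst = os.lstat(os.path.dirname(path) or ".")
    return audit_key_mode(st.st_mode, st.st_uid, dst.st_mode, expected_uid)
```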

@mssonicbld
Collaborator

/azp run Azure.sonic-buildimage

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@mssonicbld
Collaborator

/azp run Azure.sonic-buildimage

@azure-pipelines

Azure Pipelines will not run the associated pipelines, because the pull request was updated after the run command was issued. Review the pull request again and issue a new run command.


@spandan-nexthop spandan-nexthop left a comment


LGTM

@mssonicbld
Collaborator

/azp run Azure.sonic-buildimage

@azure-pipelines

Azure Pipelines will not run the associated pipelines, because the pull request was updated after the run command was issued. Review the pull request again and issue a new run command.

@mssonicbld
Collaborator

/azp run Azure.sonic-buildimage

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@mssonicbld
Collaborator

/azp run Azure.sonic-buildimage

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

This implementation addresses the User Management HLD requirements for
centralized user administration in SONiC.
sonic-net/SONiC#2018

nexthop-ai/private-sonic-host-services#54
nexthop-ai/private-sonic-utilities#120

**1. YANG Model & Configuration Schema:**
- Added sonic-user.yang model defining LOCAL_USER and
LOCAL_ROLE_SECURITY_POLICY tables
- Integrated user management into CONFIG_DB schema with role-based
configuration
- Added DEVICE_METADATA.local_user_management feature flag

**2. User Management Daemon (userd):**
- Implemented C++ daemon using SWSS framework for CONFIG_DB integration
- Added user lifecycle management (create/update/delete/enable/disable)
- Implemented role-based group assignment (administrator, operator
roles)
- Added SSH key management with proper file permissions
- Integrated PAM faillock configuration using Jinja2 templates

**3. CLI Interface:**
- Extended sonic-utilities with 'config user' and 'show user' commands
- Added user import functionality to migrate existing system users
- Added role-based user management with proper validation

**4. Build System Integration:**
- Added sonic-host-services package with userd daemon and systemd
service
- Integrated user management into SONiC image build process
- Added template-based configuration generation for init_cfg.json
- Added build dependencies for JSON processing and password hashing

Tested for all the features that are implemented.
@manoharan-nexthop force-pushed the sonic-net.user-management branch from df7a458 to cda3f06 on November 18, 2025 16:06
@mssonicbld
Collaborator

/azp run Azure.sonic-buildimage

@azure-pipelines

Azure Pipelines will not run the associated pipelines, because the pull request was updated after the run command was issued. Review the pull request again and issue a new run command.
