Add accounting-method and authorization-method leaf-lists inside the /system/aaa/accounting/events/event and /system/aaa/authorization/events/event lists, respectively.

[LeonGWang]

(M) system/openconfig-aaa.yang

Change Scope

AAA accounting-method and authorization-method should be able to be configured per event-type.
For example event-type=AAA_ACCOUNTING_EVENT_COMMAND can have a different accounting-method configured vs. event-type=AAA_ACCOUNTING_EVENT_LOGIN.

This change is an addition of AAA capabilities for accounting-method and authorization-method and is a non-breaking (backwards-compatible) change.

Platform Implementations

Arista AAA configuration:
accounting and authorization can have different accounting-methods and authorization-methods configured (e.g. group tacacs+, group radius, local, logging) per event type (e.g. commands, exec, etc.)

(config)#aaa accounting commands all console start-stop group tacacs+
(config)#aaa accounting exec console start-stop group radius logging
(config)#aaa authorization commands all default group radius
(config)#aaa authorization exec default group tacacs+ local

Arista documentation for authorization

Arista documentation for accounting

Pyang output for the new model:

module: openconfig-system
  +--rw system
     +--rw aaa
        +--rw config
        +--ro state
        +--rw authorization
        |  +--rw config
        |  |  +--rw authorization-method*   union
        |  +--ro state
        |  |  +--ro authorization-method*   union
        |  +--rw events
        |     +--rw event* [event-type]
        |        +--rw event-type    -> ../config/event-type
        |        +--rw config
        |        |  +--rw event-type?             identityref
        |        |  +--rw authorization-method*   union
        |        +--ro state
        |           +--ro event-type?             identityref
        |           +--ro authorization-method*   union
        +--rw accounting
        |  +--rw config
        |  |  +--rw accounting-method*   union
        |  +--ro state
        |  |  +--ro accounting-method*   union
        |  +--rw events
        |     +--rw event* [event-type]
        |        +--rw event-type    -> ../config/event-type
        |        +--rw config
        |        |  +--rw event-type?          identityref
        |        |  +--rw record?              enumeration
        |        |  +--rw accounting-method*   union
        |        +--ro state
        |           +--ro event-type?          identityref
        |           +--ro record?              enumeration
        |           +--ro accounting-method*   union

[dplore]

Hi @LeonGWang , thanks for this PR. Please refactor to make this a non-breaking change. One way you could do this is by introducing only new containers/leaves. (ie: instead of move, simply add the authorization-method to the events/event list.).

[dplore]

/gcbrun

[OpenConfigBot]

No major YANG version changes in commit 69846c3

[LeonGWang]

Hi @LeonGWang , thanks for this PR. Please refactor to make this a non-breaking change. One way you could do this is by introducing only new containers/leaves. (ie: instead of move, simply add the authorization-method to the events/event list.).

Thanks for the quick review @dplore. I've added back the original leaf-lists but marked them as deprecated. This is now a non-breaking changes.

I have also changed the title, the description, and the pyang output.

[dplore]

/gcbrun

[LeonGWang]

Updated the submodules openconfig-aaa-radius.yang and openconfig-aaa-tacacs.yang to version 1.1.0 as well. This should satisfy the failing check.

[jsterne]

Should we not be referencing at least a few other references to implementations with this granularity in this PR?

Although this is not currently a non-backwards-compatible change, by marking the current approach deprecated we are signalling the intent to remove it later (and break current implementations).

[jsterne]

No actual change in this file (maybe vestigal from earlier drafts?). Same with the tacacs file.

[LeonGWang]

This is actually only added in the latest draft to satisfy a linter check which states submodules openconfig-aaa-radius.yang and openconfig-aaa-tacacs.yang don't share the same version as the main openconfig-aaa.yang module.

[LeonGWang]

Thanks for the feedback @jsterne

Should we not be referencing at least a few other references to implementations with this granularity in this PR?

As per company (Arista) policy, unfortunately I am unable to provide references outside of Arista. Usually @dplore is kind enough to provide additional references should that be required.

Although this is not currently a non-backwards-compatible change, by marking the current approach deprecated we are signalling the intent to remove it later (and break current implementations).

This is intended. The newly added *-method leaf-lists at a more granular level provides a functional superset of the original, so there is no reason to keep the original leaf-lists.

[LeonGWang]

/gcbrun

[dplore]

/gcbrun