
merge master
dplore committed Mar 19, 2024
2 parents dd26345 + 63b01d6 commit c74039a
Showing 12 changed files with 1,061 additions and 326 deletions.
2 changes: 1 addition & 1 deletion .bazelversion
@@ -1 +1 @@
6.0.0
6.4.0
224 changes: 139 additions & 85 deletions acctz/acctz.pb.go


58 changes: 47 additions & 11 deletions acctz/acctz.proto
Expand Up @@ -284,14 +284,32 @@ message GrpcService {

// A string of bytes that are gRPC encoded. Best to decode using
// PROTO_ANY.
repeated google.protobuf.Any payloads = 3;
// Deprecated in favour of using the payload field.
// A warning when using this field: if a google.protobuf.Any value
// is truncated, then it will not be possible for the client to
// unmarshal this value upon receiving.
repeated google.protobuf.Any payloads = 3 [deprecated=true];

// True, if truncation of payloads occurs due to an implementation
// True, if truncation of payload occurs due to an implementation
// limitation in the originating service, any middleware, or the receiver.
bool payload_istruncated = 5;

// Authorization details
AuthzDetail authz = 6;

// the payload of the RPC, as either a string or proto-encoded.
// Note that this may be partially redacted to avoid leaking
// sensitive info (e.g. private keys rotated via certz/credentialz)
oneof payload {
// the payload in proto form.
// (suitable for small messages which don't require truncation)
// This can be unmarshalled by the acctz client.
google.protobuf.Any proto_val = 7;

// A string describing the payload of the RPC.
// This may be truncated.
string string_val = 8;
}
}

// An accounting record message is generated everytime the user types a
Expand All @@ -304,14 +322,25 @@ message RecordResponse {
// since the unix epoch (Jan 1, 1970 00:00:00 UTC).
google.protobuf.Timestamp timestamp = 2;

// True, if the server's history does not include a message with the given
// RecordRequest.timestamp or an older record, indicating that history
// truncation has occurred relative to the timestamp reference point and
// records might have been missed.
// If RecordRequest.timestamp was not equal to a previously received
// RecordResponse.timestamp received, instead randomly chosen, the Collector
// can not know if it missed records.
// If RecordRequest.timestamp = 0, this must be false.
// True, if the server's history is missing records prior to the time
// specified in the timestamp of the RecordResponse message. This can happen
// in the below scenarios,
// 1. A client connects and sends RecordRequest(timestamp=t1). If the server
// does not have all records after time t1, the first RecordResponse it
// sends will have this field as True. Subsequent RecordResponses
// may have this field as false.
// 2. A client connects and sends RecordResponse(timestamp=t1) where t1 is
// earlier than the uptime of the switch. In such scenarios, the first
// RecordResponse will have this field as True. Subsequent RecordResponses
// may have this field as false.
// 3. A client has an active stream where it's getting RecordResponse messages
// from the server. The server detects that some events were not accounted
// for, the next RecordResponse message it sends to the client will have
// this field as True. Subsequent RecordResponses may have this field as
// false.
// If timestamp=0 in the RecordRequest message, the first RecordResponse
// response message will have this field as False irrespective of history
// truncation. Subsequent RecordResponses may have this field as false.
bool history_istruncated = 3;

// Service request details of the accounting record.
Expand All @@ -324,7 +353,14 @@ message RecordResponse {
// accomplish the request on the system.
repeated string task_ids = 7;

// Name of the component where the accounting record originated from
// Name of the component in a vendor system configuration where the accounting
// record originated from. This helps to indentify the source of the accouting
// record when multiple components can generate them. This is how the
// component is identified in the components hierarchy in the
// openconfig-platform model.
// For reference: /components/component[name="chassis0"]
// Eg: component_name = "linecard0"
// component_name = "chassis0"
string component_name = 8;
}

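Review bot: The new `payload` oneof in the first hunk of this file does not say which member a server must pick when a record exceeds its size limit, so an implementation may truncate `proto_val` and, as the deprecation comment on `payloads` itself warns, hand the client an `Any` it cannot unmarshal. I would state the contract on the oneof: `// Servers MUST NOT truncate proto_val; a payload that would require truncation MUST be sent as string_val with payload_istruncated set to true.` The redaction note on `payload` also leaves a collector unable to tell a redacted value from a truncated one, so a sentence saying how redaction is marked in `string_val` (or that redaction alone never sets `payload_istruncated`) would let it reason about gaps in the audit trail. Minor: the new `component_name` comment in the last hunk has `indentify` and `accouting`.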
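--- a/acctz/gnsi-acctz.yang
+++ b/acctz/gnsi-acctz.yang
@@ -0,0 +1,181 @@
+module gnsi-acctz {
+yang-version 1.1;
+namespace "https://github.com/openconfig/gnsi/acctz/yang";
+prefix gnsi-acctz;
+
+import openconfig-system {
+prefix oc-sys;
+}
+import openconfig-system-grpc {
+prefix oc-sys-grpc;
+}
+import openconfig-types {
+prefix oc-types;
+}
+import openconfig-yang-types {
+prefix oc-yang;
+}
+organization
+"Google LLC";
+
+contact
+"Google LLC";
+
+description
+"This module provides a data model for the metadata of the gRPC
+accounting operations on a device.";
+
+revision 2023-01-24 {
+description
+"Remove duplicate counters container.";
+reference "0.2.0";
+}
+
+revision 2023-12-01 {
+description
+"Initial revision.";
+reference "0.1.0";
+}
+
+typedef cmd_service {
+description "enum CommandService.CmdServiceType";
+type enumeration {
+enum UNSPECIFIED {
+value 0;
+}
+enum SHELL {
+value 1;
+}
+enum CLI {
+value 2;
+}
+enum WEBUI {
+value 3;
+}
+enum RESTCONF {
+value 4;
+}
+enum NETCONF {
+value 5;
+}
+}
+}
+typedef grpc_service {
+description "enum GrpcService.GrpcServiceType";
+type enumeration {
+enum UNSPECIFIED {
+value 0;
+}
+enum GNMI {
+value 1;
+}
+enum GNOI {
+value 2;
+}
+enum GNSI {
+value 3;
+}
+enum GRIBI {
+value 4;
+}
+enum P4RT {
+value 5;
+}
+}
+}
+typedef service-request {
+description "enum RecordResponse.service_request";
+type enumeration {
+enum cmd_service {
+value 4;
+}
+enum grpc_service {
+value 5;
+}
+}
+}
+typedef service-type {
+description "enum cmd or grpc service type";
+type union {
+type cmd_service;
+type grpc_service;
+}
+}
+
+// gnsi.acctz client statistics
+grouping client-counters {
+description
+"A collection of counters that were collected by the gNSI.acctz
+module while servicing acctz clients.";
+
+leaf history_istruncated {
+type oc-yang:counter64;
+description
+"The total number of times that a RecordResponse were marked
+with history_istruncated true. ie: a request was made for a
+timestamp that did not exist in the history or another
+qualifying event as documented in acctz.prot.";
+}
+leaf RecordRequests {
+type oc-yang:counter64;
+description
+"The total number of RecordRequest RPCs that have been received.";
+}
+leaf RecordResponses {
+type oc-yang:counter64;
+description
+"The total number of RecordResponse RPCs that have been sent.";
+}
+}
+
+// gnsi.acctz producer statistics
+grouping source-counters {
+description
+"A collection of counters for gNSI.acctz record production per
+service request type.";
+
+list source-records {
+key "service type";
+// unique "service type";
+description
+"The total number of times the gNSI.authz module denied access
+to a RPC.";
+
+leaf service {
+type service-request;
+mandatory true;
+}
+leaf type {
+type service-type;
+mandatory true;
+}
+leaf records {
+type oc-yang:counter64;
+description
+"The total number of records produced for the service_request
+type.";
+}
+}
+}
+
+grouping grpc-server-acctz-counters {
+description
+"A collection of counters from the gNSI.acctz module. This collection
+augments the existing certz grpc counters";
+
+container client-counters {
+uses client-counters;
+}
+container source-counters {
+uses source-counters;
+}
+}
+
+// Augments section.
+augment "/oc-sys:system/oc-sys-grpc:grpc-servers/oc-sys-grpc:grpc-server" {
+description
+"Counters collected by the gNSI.acctz module.";
+
+uses grpc-server-acctz-counters;
+}
+}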
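Review bot: The description on the `source-records` list (`"The total number of times the gNSI.authz module denied access to a RPC."`) looks copied from the authz model and does not describe this list; it should read along the lines of `"Accounting records produced by gNSI.acctz, counted per service request and service type."`. The revision history also looks inconsistent: the `0.2.0` revision dated 2023-01-24 ("Remove duplicate counters container") sits eleven months before the `0.1.0` "Initial revision" of 2023-12-01, and RFC 7950 expects revisions in reverse chronological order, so one of the dates is presumably wrong and worth confirming. Smaller points: `acctz.prot` in the `history_istruncated` description should be `acctz.proto`, the `oc-types` prefix is imported but never referenced, and the leaf names `RecordRequests`/`RecordResponses` and typedefs `cmd_service`/`grpc_service` mix camel-case and underscores with the hyphenated `service-request`/`service-type`, which would be easier to normalize now than after the model is published.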
11 changes: 7 additions & 4 deletions certz/README.md
Expand Up @@ -40,10 +40,9 @@ Certificate Authority chain of certificates (a.k.a. a CA trust bundle) and
a set of Certificate Revocation Lists into a set that then can be assigned
as a whole to a gRPC server.

There is at least one profile present on a target - the one that is used by
the gNxI server. Its ID is `gNxI` but when the `ssl_profile_id` field in the
There is always at least one profile present on a target - the `system_default_profile` which is vendor provided. This profile cannot be changed. If the use but when the `ssl_profile_id` field in the
`RotateCertificateRequest` message is not set (or set to an empty string) it
also refers this SSL profile.
also refers this SSL profile. (This statement will be deprecated once all vendors standardize on the key name)

Profiles existing on a target can be discovered using the
`Certz.GetProfileList()` RPC.
Expand Down Expand Up @@ -97,14 +96,18 @@ policy before accepting the connection.

The system will always provide a default TLS profile that uses the IDevID cert.
This profile will always be available and cannot be changed. It should use the name
"gNxI".
"system_default_profile".

An attempt to change or delete this profile will return an error.

The system will start with this profile and either bootz or enrollz will be responsible for creating an alternate profile during device turnup if those workflows are used.

#### Create a SSL profile

Call `Certz.AddProfile` RPC with the `ssl_profile_id` field specifying the ID
of the new SSL profile.
A new profile can choose to use existing artifacts from other profiles, via sending `Entity` messages with `ExistingEntity` set with the `ssl_profile_id` set to the source
profile to copy from, and the `entity_type` field set to the type of entity to be copied.

#### Delete a SSL profile

