Hello, Team,
I am facing an issue related to AAA: when I change a user’s role, it looks like its privileges don’t sync up.
There are two user roles: 1) Administrator, which is allowed to access all user information. 2) Operator, which is only allowed to access its own detailed information.
The scenario is as below:
- Logged into the CLI as Administrator, I created a user test4 with the role of Operator. Then I logged into the CLI as test4 to retrieve user information; only test4’s information is shown:
test4@localhost> show system aaa authentication users
                              PASSWORD                 USER    LAST
USERNAME  USERNAME  PASSWORD  HASHED    ROLE           STATUS  LOGIN
admin     -         -         -         -              -       -
test1     -         -         -         -              -       -
test2     -         -         -         -              -       -
test4     test4     -         -         Operator       -       -
- After changing test4’s role to Administrator, I can see that its role has already changed to Administrator, but it can still only access its own information:
test4@localhost> show system aaa authentication users
                              PASSWORD                 USER    LAST
USERNAME  USERNAME  PASSWORD  HASHED    ROLE           STATUS  LOGIN
admin     -         -         -         -              -       -
test1     -         -         -         -              -       -
test2     -         -         -         -              -       -
test4     test4     -         -         Administrator  -       -
- When I log out from the CLI and log in again, everything is now as expected:
test4@localhost> show system aaa authentication users
                              PASSWORD
USERNAME  USERNAME  PASSWORD  HASHED    ROLE           USER STATUS          LAST LOGIN
admin     admin     -         -         Administrator  USER_STATUS_ENABLED  1621213428551317680
test1     test1     -         -         Operator       USER_STATUS_ENABLED  0
test2     test2     -         -         Operator       USER_STATUS_ENABLED  0
test4     test4     -         -         Administrator  USER_STATUS_ENABLED  1621213549107633206
It looks like the CLI session cached the user information and doesn’t sync up from the Netconf server. BTW, I use the ConfD internal AAA feature, and it doesn’t make any difference even when invoking “maapi_aaa_reload” in the application when the user’s role changes.
Could you shed some light on how it works like this?