ConfD User Community

Minimize AAA authorization callback

Hi,

I am trying to minimize invocation of authorization callback as much as possible.

Currently callbacks are registered as (taken from example/)

  struct confd_authorization_cbs auth;                                             
  memset(&auth, 0, sizeof(struct confd_authorization_cbs));                        
  auth.chk_cmd_access = cmd_access_cb;                                             
  auth.chk_data_access = NULL;                                                     
                                                                                   
  // filters specify for what not to use callbacks                                 
  // (0x0 ... use for everything, 0xFF ... use for nothing/disable)                
  auth.cmd_filter = CONFD_ACCESS_OP_EXECUTE;                                       
  auth.data_filter = 0xFF;                                                         
                                                                                   
  if (CONFD_OK != confd_register_authorization_cb(dctx, &auth))                    
  {                                                                                
    confd_fatal("Failed to register auth cb!");                                    
  }     

CONFD_ACCESS_OP_READ

Read access. The CLI will use this during command completion, to filter out alternatives that are disallowed by AAA.

CONFD_ACCESS_OP_EXECUTE

Execute access. This is used when a command is about to be executed.

So I was assuming that if we register for ‘CONFD_ACCESS_OP_EXECUTE’ the tab-completion etc would not invoke the callback, but my observation is that a command clear interface packet-stats invokes the callback thrice
a. First with token array = [“clear”]
b. Then [“clear”, “interface”]
c. Finally [“clear”, “interface”, “packet-stats”]

In all cases cmdop being passed as 1 (i.e. CONFD_ACCESS_OP_READ).

Can we do any tweaking to receive the final state only (i.e. state c)?

Regards,

Hi,

You do not register which operations invoke the callback, you register which operations to filter out so that they do not invoke the callback.

Try

auth.cmd_filter = CONFD_ACCESS_OP_READ;

…to filter out the read access check for command completion.
For your use case, there will then be one chk_cmd_access() callback invocation for the “clear interface packet-stats” command.

Regards

1 Like

Hi,

Thanks a lot. I had misinterpreted.
It is working as expected.
Regards,