pathz - openconfig/featureprofiles GitHub Wiki
Test gNSI Pathz API behaviors and path-level authorization enforcement.
Configure the DUT to enable the following services (that are using gRPC) and use mTLS for authentication:
- gNMI
- gNSI
The support of SPIFFE-ID should NOT require explicitly pre-configured local users in the DUT config.
Prepare the following client certs with the specified SPIFFE ID:
-
gnmi_adminwithspiffe://test-realm.foo.bar/role/admin -
gnmi_readerwithspiffe://test-realm.foo.bar/role/reader -
gnmi_unauthorizedwithspiffe://test-realm.foo.bar/role/unauthorized
The policy used for enforcement tests is defined below.
{
"rules": [
{
"id": "allow-reader-read-system",
"user": "spiffe://test-realm.foo.bar/role/reader",
"path": {
"elem": [
{"name": "system"}
]
},
"action": "ACTION_PERMIT",
"mode": "MODE_READ"
},
{
"id": "deny-reader-write-system",
"user": "spiffe://test-realm.foo.bar/role/reader",
"path": {
"elem": [
{"name": "system"}
]
},
"action": "ACTION_DENY",
"mode": "MODE_WRITE"
},
{
"id": "allow-admin-write-interfaces",
"group": "admin-group",
"path": {
"elem": [
{"name": "interfaces"},
{"name": "interface"}
]
},
"action": "ACTION_PERMIT",
"mode": "MODE_WRITE"
},
{
"id": "deny-admin-write-port1",
"user": "spiffe://test-realm.foo.bar/role/admin",
"path": {
"elem": [
{"name": "interfaces"},
{"name": "interface", "key": {"name": "<DUT_PORT1>"}}
]
},
"action": "ACTION_DENY",
"mode": "MODE_WRITE"
}
],
"groups": [
{
"name": "admin-group",
"users": [
{"name": "spiffe://test-realm.foo.bar/role/admin"}
]
}
]
}This test verifies the rotation mechanism of the Pathz policy and the correctness of the telemetry reporting the policy status.
-
Initial Push:
- Use
gNSI.Pathz.Rotateto push the baseline Pathz policy. - Set
versiontov1andcreated_onto a valid timestamp (e.g.,100). - Do not finalize yet.
- Use
-
Telemetry Verification (Sandbox):
- Verify that the sandbox policy version and creation time are updated in telemetry:
-
/system/gnmi-pathz-policies/policies/policy[instance=SANDBOX]/state/versionshould bev1. -
/system/gnmi-pathz-policies/policies/policy[instance=SANDBOX]/state/created-onshould match the pushed timestamp.
-
- Verify that the sandbox policy version and creation time are updated in telemetry:
-
Rollback on Disconnect:
- Close the gRPC session without sending
Finalize. - Verify that the sandbox policy is cleared or rolled back.
- Close the gRPC session without sending
-
Finalize Rotation:
- Start a new rotation, push the policy (
v1), and sendFinalize. - Verify that the active policy is now updated:
-
/system/gnmi-pathz-policies/policies/policy[instance=ACTIVE]/state/versionshould bev1. -
/system/gnmi-pathz-policies/policies/policy[instance=ACTIVE]/state/created-onshould match the timestamp.
-
- Start a new rotation, push the policy (
-
Get Verification:
- Call
gNSI.Pathz.Getand verify that the returned policy matches the pushedv1policy.
- Call
-
Force Overwrite:
- Attempt to push the same policy version
v1without changing the version string. The rotation should fail with an error. - Push the policy again with the same version string
v1but setforce_overwritetotrue. The rotation should succeed and can be finalized.
- Attempt to push the same policy version
This test verifies that the DUT enforces the Pathz policy correctly using the "Best Match" algorithm.
-
Push Policy:
- Ensure the baseline Pathz policy is active (from Pathz-1).
-
Verify Reader Access (Read Permitted, Write Denied):
- Use
gnmi_readerto perform agNMI.Geton/system/config/hostname.- Expect: Success (allowed by
allow-reader-read-system). - Telemetry check:
/system/grpc-servers/grpc-server/gnmi-pathz-policy-counters/paths/path[name=/system/config/hostname]/state/reads/access-acceptsincrements.
- Expect: Success (allowed by
- Use
gnmi_readerto perform agNMI.Set(update) on/system/config/hostname.- Expect: Permission Denied (blocked by
deny-reader-write-system). - Telemetry check:
/system/grpc-servers/grpc-server/gnmi-pathz-policy-counters/paths/path[name=/system/config/hostname]/state/writes/access-rejectsincrements.
- Expect: Permission Denied (blocked by
- Use
-
Verify Admin Group Access (Group Permit, Specific User Deny):
- Use
gnmi_admin(member ofadmin-group) to perform agNMI.Set(update) on/interfaces/interface[name=<DUT_PORT2>]/config/description.- Expect: Success (allowed by
allow-admin-write-interfacesvia group membership).
- Expect: Success (allowed by
- Use
gnmi_adminto perform agNMI.Set(update) on/interfaces/interface[name=<DUT_PORT1>]/config/description.- Expect: Permission Denied (blocked by
deny-admin-write-port1which overrides the group permit because user-specific rule is more specific).
- Expect: Permission Denied (blocked by
- Use
-
Verify Default Deny:
- Use
gnmi_unauthorizedto perform anygNMI.GetorgNMI.Set.- Expect: Permission Denied (implicit deny).
- Use
This test verifies the gNSI.Pathz.Probe RPC functionality.
-
Probe Active Policy:
- Use
gNSI.Pathz.Probeto check access forspiffe://test-realm.foo.bar/role/readerto/systemwithMODE_READ.- Expect:
action: ACTION_PERMITin the response.
- Expect:
- Use
gNSI.Pathz.Probeto check access forspiffe://test-realm.foo.bar/role/readerto/systemwithMODE_WRITE.- Expect:
action: ACTION_DENYin the response.
- Expect:
- Use
-
Probe Sandbox Policy (During Rotation):
- Start a rotation and push a new policy that denies all access to
/systemforspiffe://test-realm.foo.bar/role/reader. - Before finalization, call
gNSI.Pathz.Probespecifyingpolicy_instance: POLICY_INSTANCE_SANDBOX.- Expect:
action: ACTION_DENYforMODE_READon/system.
- Expect:
- Call
gNSI.Pathz.Probespecifyingpolcy_instance: POLICY_INSTANCE_ACTIVE.- Expect:
action: ACTION_PERMIT(still using activev1policy).
- Expect:
- Abort the rotation.
- Start a rotation and push a new policy that denies all access to
This test verifies that a Pathz policy can be removed from the device using vendor-native CLI commands, and that this removal is correctly reflected in the gNSI Pathz service.
-
Push Policy:
- Use
gNSI.Pathz.Rotateto push a test Pathz policy and finalize it.
- Use
-
Verify Policy Active:
- Call
gNSI.Pathz.Getand verify that the returned policy is active.
- Call
-
Removal via CLI:
- Access the DUT via vendor-native CLI (using console or SSH).
- Execute the vendor-specific command to remove the Pathz policy.
-
Verify Policy Cleared:
- Call
gNSI.Pathz.Getand verify that no policy is returned (or an empty policy is returned, or the RPC returns an error indicating no policy is configured).
- Call
{
"system": {
"config": {
"hostname": "dut"
}
}
}The below yaml defines the OC paths and RPCs intended to be covered by this test.
paths:
/system/gnmi-pathz-policies/policies/policy/state/version:
/system/gnmi-pathz-policies/policies/policy/state/created-on:
/system/grpc-servers/grpc-server/gnmi-pathz-policy-counters/paths/path/state/reads/access-accepts:
/system/grpc-servers/grpc-server/gnmi-pathz-policy-counters/paths/path/state/writes/access-rejects:
rpcs:
gnsi:
pathz.v1.Pathz.Rotate:
pathz.v1.Pathz.Probe:
pathz.v1.Pathz.Get:
gnmi:
gNMI.Get:
gNMI.Set:- KNE or physical DUT supporting gNSI Pathz.