Skip to content

ACCTZ-7.1: gNSI.acctz.v1 (Accounting) Test Accounting Authentication Failure - Multi-transaction#5476

Open
mihaitomaro wants to merge 5 commits into
openconfig:mainfrom
open-traffic-generator:otg-acctz-7.1
Open

ACCTZ-7.1: gNSI.acctz.v1 (Accounting) Test Accounting Authentication Failure - Multi-transaction#5476
mihaitomaro wants to merge 5 commits into
openconfig:mainfrom
open-traffic-generator:otg-acctz-7.1

Conversation

@mihaitomaro
Copy link
Copy Markdown
Contributor

@mihaitomaro mihaitomaro commented May 15, 2026
edited
Loading

@mihaitomaro mihaitomaro requested review from a team as code owners May 15, 2026 10:33
@OpenConfigBot
Copy link
Copy Markdown

OpenConfigBot commented May 15, 2026
edited
Loading

Pull Request Functional Test Report for #5476 / 7a2f5d2

Virtual Devices

Device Test Test Documentation Job Raw Log
Arista cEOS status
 ACCTZ-7.1: gNSI.acctz.v1 (Accounting) Test Accounting Authentication Failure - Multi-transaction
Cisco 8000E status
 ACCTZ-7.1: gNSI.acctz.v1 (Accounting) Test Accounting Authentication Failure - Multi-transaction
Cisco XRd status
 ACCTZ-7.1: gNSI.acctz.v1 (Accounting) Test Accounting Authentication Failure - Multi-transaction
Juniper ncPTX status
 ACCTZ-7.1: gNSI.acctz.v1 (Accounting) Test Accounting Authentication Failure - Multi-transaction
Nokia SR Linux status
 ACCTZ-7.1: gNSI.acctz.v1 (Accounting) Test Accounting Authentication Failure - Multi-transaction
Openconfig Lemming status
 ACCTZ-7.1: gNSI.acctz.v1 (Accounting) Test Accounting Authentication Failure - Multi-transaction

Hardware Devices

Device Test Test Documentation Raw Log
Arista 7808 status
 ACCTZ-7.1: gNSI.acctz.v1 (Accounting) Test Accounting Authentication Failure - Multi-transaction
Cisco 8808 status
 ACCTZ-7.1: gNSI.acctz.v1 (Accounting) Test Accounting Authentication Failure - Multi-transaction
Juniper PTX10008 status
 ACCTZ-7.1: gNSI.acctz.v1 (Accounting) Test Accounting Authentication Failure - Multi-transaction
Nokia 7250 IXR-10e status
 ACCTZ-7.1: gNSI.acctz.v1 (Accounting) Test Accounting Authentication Failure - Multi-transaction

Help

@gemini-code-assist
Copy link
Copy Markdown
Contributor

gemini-code-assist Bot commented May 15, 2026

Summary of Changes

Hello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a new test suite to validate that the gNSI accounting service correctly logs authentication failures across multiple SSH attempts. It also includes a critical fix for Arista device configuration, ensuring that AAA command authorization is applied in a way that does not block the initial setup of users and roles.

Highlights

  • New Test Case: Added a new test file accounting_authen_fail_multi_test.go to verify gNSI accounting records for multiple SSH authentication failure scenarios.
  • Arista Configuration Fix: Updated aristaFailAuthzCliRole in acctz.go to split the AAA configuration into two steps, preventing commit failures caused by immediate enforcement of command authorization.
  • Refactoring: Exported GetSSHTarget in acctz.go to allow its use in the new test suite.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

gemini-code-assist[bot]
gemini-code-assist Bot reviewed May 15, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces a new test suite for gNSI accounting, specifically verifying that records are correctly generated for multiple failed SSH authentication attempts using both passwords and keys. It also refactors the Arista-specific AAA configuration to split command authorization into two steps, preventing implicit commit failures during gNMI sessions. The review feedback correctly identified critical concurrency issues in the test's record collection loop, including a potential goroutine leak and a data race, and provided actionable suggestions to ensure thread safety and efficiency.

Comment thread feature/gnsi/acctz/tests/AccountingAuthenFailMulti/accounting_authen_fail_multi_test.go Outdated
mihaitomaro and others added 3 commits May 15, 2026 11:00
@mihaitomaro
fix as per Gemini suggestion (buffered channel, inside the loop, loca…
7c7873f 
…l variables, no data race on outer err)
@mihaitomaro
Merge branch 'main' into otg-acctz-7.1
7633828
@mihaitomaro
ACCTZ-7.1: Enhance record collection debugging
7a2f5d2 
Add delays between attempts, increase timeout to 30s, track skip reasons with
counters and user identity in logs, and provide collection summary stats and
per-record details for troubleshooting platform-specific behavior.
sam-homa
sam-homa reviewed May 29, 2026
View reviewed changes
Comment thread feature/gnsi/acctz/tests/AccountingAuthenFailMulti/accounting_authen_fail_multi_test.go
// Verify local_address and local_port. On Arista, local = DUT (server), remote = client.
if la := sessionInfo.GetLocalAddress(); la != "" {
if la != expectedRemoteAddr {
t.Logf("local_address is %q (DUT), expected SSH target %q: platform-dependent interpretation", la, expectedRemoteAddr)
Copy link
Copy Markdown

@sam-homa sam-homa May 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should this be t.Errorf() instead?

Comment thread feature/gnsi/acctz/tests/AccountingAuthenFailMulti/accounting_authen_fail_multi_test.go
t.Logf("local_address is %q (DUT), expected SSH target %q: platform-dependent interpretation", la, expectedRemoteAddr)
}
} else {
t.Logf("local_address not populated by DUT (platform-dependent)")
Copy link
Copy Markdown

@sam-homa sam-homa May 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same here and the ones below, should they all be Logf?

Comment thread feature/gnsi/acctz/tests/AccountingAuthenFailMulti/accounting_authen_fail_multi_test.go
r.GetSessionInfo().GetAuthn().GetCause())
}

// Verify each authentication failure record.
Copy link
Copy Markdown

@sam-homa sam-homa May 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this verification logic is too large and difficult to read. it'd be easier to read if you could split to multiple verify...() functions

Comment thread internal/security/acctz/acctz.go
}

// AcctzStream_RecordSubscribeClient is a local interface for the RecordSubscribe gRPC stream.
type AcctzStream_RecordSubscribeClient interface {
Copy link
Copy Markdown

@sam-homa sam-homa May 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it common in this directory to use underscore for types or other IDs?

it's not a Golang best practice

Comment thread internal/security/acctz/acctz.go
return &nokiaAcctzClient{conn: conn}
}

// func getGrpcTarget(t *testing.T, dut *ondatra.DUTDevice, service introspect.Service) string {
Copy link
Copy Markdown

@sam-homa sam-homa May 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this commented function serving a purpose? or should we clean it up?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sam-homa sam-homa sam-homa left review comments

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mihaitomaro @OpenConfigBot @sam-homa