Token based authentication for pygnmicli

[ksator]

https://grpc.io/docs/guides/auth/
issue #63
I did not find this option in pygnmicli

same thing for issue #67

arista@devbox:~$ pygnmicli
usage: pygnmicli [-h] -t TARGET -u USERNAME [-p PASSWORD] [-c PATH_CERT] [-k PATH_KEY] [-r PATH_ROOT] [-O OVERRIDE] [-i] [--skip-verify]
                 [-o {capabilities,get,set-update,set-replace,set-delete,subscribe-stream,subscribe-poll,subscribe-once,subscribe2}] [-x GNMI_PATH [GNMI_PATH ...]]
                 [--gnmi-path-target GNMI_PATH_TARGET] [-d [{all,config,operational,state}]] [-f FILE] [-D] [-C {get,print,}] [--ext-history-range-start EXT_HISTORY_RANGE_START]
                 [--ext-history-range-end EXT_HISTORY_RANGE_END] [--ext-history-snapshot-time EXT_HISTORY_SNAPSHOT_TIME]
pygnmicli: error: the following arguments are required: -t/--target, -u/--user
arista@devbox:~$ 

Is it something you would like to add?
If yes, would you like 2 diff issues?

[akarneliuk]

Hey @ksator ,

Good shout, I will work on adding that one, sir.

Best,
Anton

[akarneliuk]

@ksator ,

you would need to provide the token value, or you can call it as $(cat token.txt). Is that OK?

Best,
Anton

[ksator]

Thank you @akarneliuk !
The token will be in a file or in an env variable. so I would say both token=cat token.txt and token=$token

[akarneliuk]

Hey @ksator ,

That is available in the latest release 0.8.4 (Pull #86 ). Please, give a try and let me know.

Best,
Anton

[ksator]

hello @akarneliuk

This one is OK

pygnmicli -t "192.168.0.5:443" --token `cat token.tok` -o capabilities

[ksator]

subscribe-once provides the expected result but then raise an error

pygnmicli -t "192.168.0.5:443" --token `cat token.tok` -o subscribe-once -x /inventory/state/device/device-id
pygnmicli -t "192.168.0.5:443" --token `cat token.tok` -o subscribe-once -x arista:/inventory/state/device/device-id
pygnmicli -t "192.168.0.5:443" --token `cat token.tok` -o subscribe-once -x openconfig:/interfaces/interface[name=Ethernet2]/state/admin-status --gnmi-path-target leaf1

Example

pygnmicli -t "192.168.0.5:443" --token `cat token.tok` -o subscribe-once -x openconfig:/interfaces/interface[name=Ethernet2]/state/admin-status --gnmi-path-target leaf1
{'update': {'update': [{'path': 'interfaces/interface[name=Ethernet2]/state/admin-status', 'val': 'UP'}], 'timestamp': 1658610592663436753, 'prefix': ''}}
{'sync_response': True}
Traceback (most recent call last):
  File "/home/arista/.local/bin/pygnmicli", line 156, in <module>
    main()
  File "/home/arista/.local/bin/pygnmicli", line 152, in main
    print(json.dumps(result, indent=4))
  File "/usr/local/lib/python3.9/json/__init__.py", line 234, in dumps
    return cls(
  File "/usr/local/lib/python3.9/json/encoder.py", line 201, in encode
    chunks = list(chunks)
  File "/usr/local/lib/python3.9/json/encoder.py", line 438, in _iterencode
    o = _default(o)
  File "/usr/local/lib/python3.9/json/encoder.py", line 179, in default
    raise TypeError(f'Object of type {o.__class__.__name__} '
TypeError: Object of type OnceSubscriber is not JSON serializable

[ksator]

subscribe-stream provides an error

arista@devbox:~$ pygnmicli -t "192.168.0.5:443" --token `cat token.tok` -o subscribe-stream -x openconfig:/interfaces/interface[name=Ethernet2]/state/admin-status --gnmi-path-target leaf1
Exception in thread Thread-5:
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/threading.py", line 973, in _bootstrap_inner
    self.run()
  File "/usr/local/lib/python3.9/threading.py", line 910, in run
    self._target(*self._args, **self._kwargs)
  File "/home/arista/.local/lib/python3.9/site-packages/pygnmi/client.py", line 950, in enqueue_updates
    for update in subscription:
  File "/home/arista/.local/lib/python3.9/site-packages/grpc/_channel.py", line 426, in __next__
    return self._next()
  File "/home/arista/.local/lib/python3.9/site-packages/grpc/_channel.py", line 826, in _next
    raise self
grpc._channel._MultiThreadedRendezvous: <_MultiThreadedRendezvous of RPC that terminated with:
        status = StatusCode.UNIMPLEMENTED
        details = "SubscriptionMode SAMPLE not supported yet"
        debug_error_string = "{"created":"@1659034592.377608029","description":"Error received from peer ipv4:192.168.0.5:443","file":"src/core/lib/surface/call.cc","file_line":966,"grpc_message":"SubscriptionMode SAMPLE not supported yet","grpc_status":12}"
>

[ksator]

subscribe2 provides an error

pygnmicli -t "192.168.0.5:443" --token `cat token.tok` -o subscribe2 -x openconfig:/interfaces/interface[name=Ethernet2]/state/admin-status --gnmi-path-target leaf1
Traceback (most recent call last):
  File "/home/arista/.local/bin/pygnmicli", line 156, in <module>
    main()
  File "/home/arista/.local/bin/pygnmicli", line 72, in main
    mode = args.operation.split("-")[1]
IndexError: list index out of range

[akarneliuk]

Hello @ksator ,

thanks for testing that. It is great that token worked as expected. I will take a look into reported issues with subscriptions in pygnmicli as well.

Best,
Anton

[brunoonovais]

hey folks, seems like token is assumed to be default even if username/password is specified, so it fails connecting to a device. Removing that from line 39 makes a connection work. I think we just need to check that to treat properly. thanks!

[akarneliuk]

Hey @brunoonovais

can you please share the debug info? From what I saw during the tests against network functions in lab, that would be ignored even if included. Obviously, it may depend on the network operating system. However, it would be good to have more input.

Also, are you talking specifically about pygnmi or pygnmicli ?

Here is an example from Cisco NX-OS:

# pygnmicli -t 192.168.101.20:50051 -u ${USERNAME} -p ${PASSWORD} -o capabilities -c certs/c-1-s1.pem --skip-verify --token='avc'
Cannot get Subject Alternative Names: No <ObjectIdentifier(oid=2.5.29.17, name=subjectAltName)> extension was found
ssl_target_name_override is applied, should be used for testing only!
Doing capabilities request to ('192.168.101.20', 50051)...
Collecting Capabilities...
Collection of Capabilities is successfull
{
    "supported_models": [
        {
            "name": "Cisco-NX-OS-device",
            "organization": "Cisco Systems, Inc.",
            "version": "2022-02-04"
        },
        {
            "name": "DME",
            "organization": "Cisco Systems, Inc.",
            "version": ""
        },
        {
            "name": "Cisco-NX-OS-Syslog-oper",
            "organization": "Cisco Systems, Inc.",
            "version": "2019-08-15"
        }
    ],
    "supported_encodings": [
        "json",
        "proto"
    ],
    "gnmi_version": "0.5.0"
}

Same output I have from Arista EOS

Best,
Anton

[akarneliuk]

Hey @brunoonovais ,

I believe it shall be now fixed in #90 and release pygnmi==0.8.5. Can you please test and let me know?

Best,
Anton

[akarneliuk]

@brunoonovais , please, reopen if any help is still needed

[akarneliuk]

@brunoonovais , please, for auth with token in pygnmicli use this one

[akarneliuk]

Hey @brunoonovais ,

per our today's conversation, we figured out that if you install the pygnmi rather than clone it, the pygnmicli works fine. As such, I close the issue. Please, feel free to re-open if assistance is needed.

Best,
Anton