Add time-based ACL High Level Design document #1078

Open
wants to merge 12 commits into
base: master

@wsycqyz wsycqyz commented Sep 7, 2022

This is a new feature: time-based ACL HLD.
The related code PRs are:
sonic-net/sonic-utilities#2354
sonic-net/sonic-buildimage#11989

bingwang-ms and others added 4 commits September 5, 2022 01:57
Signed-off-by: bingwang <wang.bing@microsoft.com>
Signed-off-by: bingwang <wang.bing@microsoft.com>
Signed-off-by: bingwang <bingwang@microsoft.com>
doc/acl/Dynamic-ACL-Design.md Outdated

Blueve commented Nov 1, 2022

Comments from community:

  1. Support different formats for start_time and end_time (maybe we can do this in the CLI's implementation)
  2. Add an optional field to the existing ACL rule instead of creating a new table
  3. CLI to create a time-based ACL rule based on relative semantics, such as "add acl rule *** expire in 2hrs", which will use the system's current time as the start automatically, so there is no time sync consideration here
  4. For the general use case, if the user wants to provide an absolute time, time sync is required
  5. Who can clean up the config_db? In the current HLD, a stale rule will be removed by the mgr after it has expired; however, this will change config_db. We suppose SONiC will not touch/change config_db, since it is the system that consumes the config_db. But leaving stale rules in config_db can also lead to some unnecessary overhead; maybe we can provide an option to the user and let the user decide whether to remove the stale rule automatically?
