Enhanced redis security: ACL and TLS

[davidpil2002]

Why I did it

Enhance Redis Security.
Add Redis ACL support
Add Redis TLS support

PR title	state	context
[sonic-py-swsssdk] Added support for Redis
[sonic-swss-common] Added support for Redis
[sonic-platform-common]Added support for Redis
[redis-dump-load]Added support for Redis

Work item tracking

• Microsoft ADO (number only):

How I did it

Add Redis ACL support by creating 2 users nad configure them in Redis Server.
one admin user who has access to any commands and operations like write/read
one monitor user who has access to read-only
Add Redis TLS by enable it in Redis Server.

How to verify it

Good flow:
each flow that exists today that uses the Redis DB should continue to be supported
Bad flow:
Add a new user which not belong to the admin group, and try to write to the Redis DB, this operation should be blocked.

Which release branch to backport (provide reason below if selected)

• 201811
• 201911
• 202006
• 202012
• 202106
• 202111
• 202205
• 202211
• 202305

Tested branch (Please provide the tested image version)

Description for the changelog

Link to config_db schema for YANG module changes

A picture of a cute animal (not mandatory but encouraged)

[davidpil2002]

The feature was built and tested locally when including all the submodule modifications.
Looks like all the dockers working correctly. But, required some adjustment in the sonic-mgmt test.
When we finish all the sonic-mgmt adjustments it will be possible to merge this feature.

For now, I would appreciate if you could review all the PRs related.
Thanks

[qiluo-msft]

In this PR's description, all the code PR link text is "Added support for LDAP". Is it a mistake?

[liuh-80]

The CA cert need protect by file permission? for example only RW/Admin user can modify it?

[Yarden-Z]

It's a nice addition, but currently we generated a cert just to have TLS working.
We tried performing the TLS without a certificate but did not manage to do so.

I think that adding some write protect (for admin only) is possible in this case.
@davidpil2002 - please review it :)

[davidpil2002]

yes - the file was copied to the filesystem with the owner admin,
the code can be seen in this PR in the filename
files/build_templates/sonic_debian_extension.j2

[Yarden-Z]

@liuh-80 Any additional comments on this PR and the related PRs?

[liuh-80]

@liuh-80 Any additional comments on this PR and the related PRs?

No for this PR, for related PRs I suggest:

1. Because sonic need use an SSL enabled hiredis_ssl, the build pipeline of other SONiC repo may failed because the hiredis_ssl debian package need install before build or run with sonic-swss-common lib. you may need check and fix all pipeline before PR merge to prevent build break. I think most .yml file in this query may need update: https://github.com/search?q=org%3Asonic-net+libswsscommon_1.0.0_&type=code

2. For python code change, there may also some other python file need update with ACL:https://github.com/search?q=org%3Asonic-net%20redis.Redis&type=code

3. There are code conflict in sonic-swss-common, you may need merge and pass all UT.

[davidpil2002]

In this PR's description, all the code PR link text is "Added support for LDAP". Is it a mistake?

yes - a mistake with the name not with the pointer linked,
fixed, thanks

[liat-grozovik]

@Yarden-Z @davidpil2002 are you planning to handle the conflict and to have it ready for merge in 1 week or we should de prioritize it and have it for next release? if needed for 202405 we need you to make it ready and community to prioritize the review.

[Yarden-Z]

@Yarden-Z @davidpil2002 are you planning to handle the conflict and to have it ready for merge in 1 week or we should de prioritize it and have it for next release? if needed for 202405 we need you to make it ready and community to prioritize the review.

We will not make it in time for this release, please move it to the next one.