sonic-net · sneelam20 · Mar 13, 2026 · Feb 4, 2026
diff --git a/models/yang/annotations/openconfig-system-annot.yang b/models/yang/annotations/openconfig-system-annot.yang
@@ -9,6 +9,7 @@ module openconfig-system-annot {
     import sonic-extensions {prefix sonic-ext; }
     import openconfig-system-grpc { prefix oc-sys-grpc; }
     import gnsi-pathz { prefix gnsi-pathz; }
+    import openconfig-gnsi-credentialz { prefix oc-gnsi-credz; }
 
     deviation /oc-sys:system/oc-sys:ssh-server/oc-sys:state {
       deviate add {
@@ -24,6 +25,39 @@ module openconfig-system-annot {
         }
     }
 
+    deviation /oc-sys:system/oc-sys:aaa/oc-sys:authentication/oc-sys:glome/oc-sys:state {
+      deviate add {
+        sonic-ext:db-name "STATE_DB";
+        sonic-ext:table-name "CREDENTIALS";
+        sonic-ext:key-name "GLOME_CONFIG";
+      }
+    }
+
+    deviation /oc-sys:system/oc-sys:aaa/oc-sys:authentication/oc-sys:glome/oc-sys:state/oc-gnsi-credz:active-glome-key-version {
+      deviate add {
+        sonic-ext:field-name "key_version";
+      }
+    }
+
+    deviation /oc-sys:system/oc-sys:aaa/oc-sys:authentication/oc-sys:glome/oc-sys:state/oc-gnsi-credz:active-glome-key-created-on {
+      deviate add {
+        sonic-ext:field-name "last_updated";
+      }
+    }
+
+    deviation /oc-sys:system/oc-sys:aaa/oc-sys:authentication/oc-sys:glome/oc-sys:state/oc-gnsi-credz:enabled {
+      deviate add {
+        sonic-ext:field-name "enabled";
+      }
+    }
+
+    deviation /oc-sys:system/oc-gnsi-credz:console {
+      deviate add {
+        sonic-ext:db-name "STATE_DB";
+        sonic-ext:subtree-transformer "console_counters_xfmr";
+      }
+    }
+
     deviation /oc-sys:system/gnsi-pathz:gnmi-pathz-policies {
       deviate add {
         sonic-ext:key-transformer "pathz_policies_key_xfmr";

diff --git a/translib/transformer/xfmr_system.go b/translib/transformer/xfmr_system.go
@@ -66,6 +66,9 @@ const (
 	PATHZ_WRITE_SUCCESS_TIMESTAMP = PATHZ_WRITES + "/last-access-accept"
 	PATHZ_WRITE_FAILED            = PATHZ_WRITES + "/access-rejects"
 	PATHZ_WRITE_FAILED_TIMESTAMP  = PATHZ_WRITES + "/last-access-reject"
+	ACCOUNT_TBL                   = "CREDENTIALS|SSH_ACCOUNT"
+	CONSOLE_TBL                   = "CREDENTIALS|CONSOLE_ACCOUNT"
+	SSH_TBL                       = "CREDENTIALS|SSH_HOST"
 )
 
 type sshState struct {
@@ -115,6 +118,8 @@ func init() {
 	XlateFuncBind("DbToYang_pathz_policies_xfmr", DbToYang_pathz_policies_xfmr)
 	XlateFuncBind("Subscribe_pathz_policies_xfmr", Subscribe_pathz_policies_xfmr)
 	XlateFuncBind("DbToYang_pathz_policies_key_xfmr", DbToYang_pathz_policies_key_xfmr)
+	XlateFuncBind("DbToYang_console_counters_xfmr", DbToYang_console_counters_xfmr)
+	XlateFuncBind("Subscribe_console_counters_xfmr", Subscribe_console_counters_xfmr)
 }
 
 type grpcState struct {
@@ -879,3 +884,53 @@ var Subscribe_pathz_policies_xfmr SubTreeXfmrSubscribe = func(inParams XfmrSubsc
 		nOpts:    &notificationOpts{mInterval: 0, pType: OnChange},
 	}, nil
 }
+
+var DbToYang_console_counters_xfmr SubTreeXfmrDbToYang = func(inParams XfmrParams) error {
+	var counters accessCounters
+
+	table, err := inParams.dbs[inParams.curDb].GetEntry(&db.TableSpec{Name: "CREDENTIALS"}, db.Key{Comp: []string{"CONSOLE_METRICS"}})
+	if err != nil {
+		log.V(0).Infof("Failed to read from StateDB: %v", inParams.table)
+		return err
+	}
+
+	accepts := table.Get("access_accepts")
+	if counters.accessAccepts, err = strconv.ParseUint(accepts, 10, 64); err != nil && accepts != "" {
+		log.V(0).Infof("Couldn't find access_accepts: %v", err)
+	}
+	lastAccept := table.Get("last_access_accept")
+	if counters.lastAccessAccept, err = strconv.ParseUint(lastAccept, 10, 64); err != nil && lastAccept != "" {
+		log.V(0).Infof("Couldn't find last_access_accept: %v", err)
+	}
+	rejects := table.Get("access_rejects")
+	if counters.accessRejects, err = strconv.ParseUint(rejects, 10, 64); err != nil && rejects != "" {
+		log.V(0).Infof("Couldn't find access_rejects: %v", err)
+	}
+	lastReject := table.Get("last_access_reject")
+	if counters.lastAccessReject, err = strconv.ParseUint(lastReject, 10, 64); err != nil && lastReject != "" {
+		log.V(0).Infof("Couldn't find last_access_reject: %v", err)
+	}
+
+	sysObj := getAppRootObject(inParams)
+	ygot.BuildEmptyTree(sysObj)
+	ygot.BuildEmptyTree(sysObj.Console)
+	ygot.BuildEmptyTree(sysObj.Console.State)
+
+	sysObj.Console.State.Counters.AccessAccepts = &counters.accessAccepts
+	sysObj.Console.State.Counters.AccessRejects = &counters.accessRejects
+	sysObj.Console.State.Counters.LastAccessAccept = &counters.lastAccessAccept
+	sysObj.Console.State.Counters.LastAccessReject = &counters.lastAccessReject
+
+	return nil
+}
+
+var Subscribe_console_counters_xfmr SubTreeXfmrSubscribe = func(inParams XfmrSubscInParams) (XfmrSubscOutParams, error) {
+	log.V(0).Infof("Subscribe_console_counters_xfmr:%s", inParams.requestURI)
+
+	return XfmrSubscOutParams{
+		dbDataMap: RedisDbSubscribeMap{
+			db.StateDB: {"CREDENTIALS": {"CONSOLE_METRICS": {}}}},
+		onChange: OnchangeEnable,
+		nOpts:    &notificationOpts{mInterval: 0, pType: OnChange},
+	}, nil
+}