
  • 1.  Minimum Permissions Needed for "show commands" over Netconf

    Posted 05-06-2020 15:43

    I've tried using the built-in operator class and that did not suffice. I'm trying to back up configuration on MX204\VMX routers using Ansible. Ansible connects to the router via netconf. I want to use a 'read only' user which only has permissions to view the configuration. I'm trying to execute the following commands:

    - show version
    - show configuration
    - show configuration | display set
    - show system information

    I only want this read-only user to be able to execute the above and nothing more.

    If I give my custom 'read only' class the "all" permission it works. I would rather not give this permission though.

    #read-only
    #login


  • 2.  RE: Minimum Permissions Needed for "show commands" over Netconf

    Posted 05-06-2020 16:06

    Hello Junos user,

    You can make the commands more specific using allow-commands "<regular expression>".

    For instance:

    set system login class test allow-commands "show\ version\ (brief|detail).*"

    Cheers

    Pooja

    Please mark my solution accepted if it helped; kudos are appreciated too!



  • 3.  RE: Minimum Permissions Needed for "show commands" over Netconf

    Posted 05-06-2020 17:00

    Hi Junosuser,

    The generalized command to achieve what you have mentioned above is:

    set system login class test allow-commands "(cmd1)|(cmd2)|(cmdn)"

    Please mark my solution accepted if it helped; kudos are appreciated too!

    Regards
    Nadeem



  • 4.  RE: Minimum Permissions Needed for "show commands" over Netconf

    Posted 05-06-2020 19:11

    Hello Junos user,

    Greetings!

    Yes, you can make use of allow-commands and also deny-commands for a specific user to limit the access of that user to a specific level.

    Go through the below link to explore more about allowing and denying the commands for a specific user.

    Link for more clarification:

    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-regular-expressions-for-allowing-and-denying-junos-os-operational-mode-commands

    [edit system login class test]
    user@host# set permissions configure
    user@host# set allow-commands "(cmd1)|(cmd2)|(cmd3)|(cmdn)"
    user@host# set deny-configuration "(cmd4)|(cmd5)|(cmd6)|(cmdn)"

    With the above configuration, the users assigned to the test login class have operational mode access restricted to only the commands specified in the allow-commands statement, and access to configuration mode excluding the hierarchy levels specified in the deny-configuration statement.

     



  • 5.  RE: Minimum Permissions Needed for "show commands" over Netconf
    Best Answer

    Posted 05-06-2020 23:34

    Hi junosuser33,

    Greetings,

    I would recommend you to configure something like below:

    1. Create a custom class (read-only-show) that allows only the specific commands below:

    # set system login class read-only-show allow-commands "(show version)|(show configuration)|(show configuration | display set)|(show system information)"

    2. Further, map the user to this class with the below command:

    # set system login user test class read-only-show

    > Output from lab device:

    # show | compare
    [edit system login]
    + class read-only-show {
    +     allow-commands "(show version)|(show configuration)|(show configuration | display set)|(show system information)";
    + }
    [edit system login]
    + user test {
    +     class read-only-show;
    + }

    After adding this and logging in with the user (say, test), `show ?` will list only the allowed commands:

    test@lab> show ?
    Possible completions:
      configuration        Show current configuration
      system               Show system information
      version              Show software process revision levels

    I hope this helps. Please mark "Accept as solution" if this answers your query.

    Kudos are appreciated too!

    Regards,

    Sharat Ainapur
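A way to build and sanity-check an allow-commands expression like the ones in replies 4 and 5 before committing it, as an added example and not code from any of the replies above: Python generates the regex from the exact list of commands the question asks for (escaping the pipe in `show configuration | display set`, which a regex would otherwise read as alternation) and then tests commands that must be allowed and commands that must stay denied against it. It assumes, and this is an assumption not stated in the thread, that Junos matches the allow-commands regex against the whole command line, so that `show version` does not also permit `show version detail`; the helper names, the class name `read-only-show` reused from the accepted answer, and the list of commands that must be denied are constructed for the example.

```python
import re

# The four operational commands the question wants the read-only user to run.
ALLOWED_COMMANDS = [
    "show version",
    "show configuration",
    "show configuration | display set",
    "show system information",
]

# Constructed sample of commands a read-only backup user must never get.
MUST_DENY = [
    "show version detail",      # prefix of an allowed command, still not allowed
    "show interfaces",
    "configure",
    "request system reboot",
    "clear log messages",
]

# Characters that mean something in an extended regular expression.
_REGEX_SPECIAL = set("|()[]{}.*+?^$\\")


def escape_command(cmd: str) -> str:
    """Escape regex metacharacters in a literal Junos command string.

    The '|' in 'show configuration | display set' is the important case:
    unescaped, a regex engine treats it as alternation, not as the CLI pipe.
    """
    return "".join("\\" + ch if ch in _REGEX_SPECIAL else ch for ch in cmd)


def build_allow_commands(commands) -> str:
    """Build one allow-commands regex: a parenthesised literal per command,
    joined by alternation, in the '(cmd1)|(cmd2)|(cmdn)' style used in the thread."""
    return "|".join(f"({escape_command(c)})" for c in commands)


def junos_set_line(class_name: str, regex: str) -> str:
    """The 'set' line to paste into the Junos CLI (hypothetical helper)."""
    return f'set system login class {class_name} allow-commands "{regex}"'


def is_allowed(regex: str, command: str) -> bool:
    """Decide whether the regex permits a command.

    Assumption: Junos requires the regex to match the whole command line,
    so re.fullmatch is used rather than re.search. Whitespace is collapsed
    so 'show   version' and 'show version' are judged the same way.
    """
    normalized = " ".join(command.split())
    return re.fullmatch(regex, normalized) is not None


def check_policy(regex: str, must_allow, must_deny):
    """Return two lists: commands wrongly denied and commands wrongly allowed.

    Both lists empty means the regex is exactly as tight as intended.
    """
    wrongly_denied = [c for c in must_allow if not is_allowed(regex, c)]
    wrongly_allowed = [c for c in must_deny if is_allowed(regex, c)]
    return wrongly_denied, wrongly_allowed


if __name__ == "__main__":
    regex = build_allow_commands(ALLOWED_COMMANDS)
    print(junos_set_line("read-only-show", regex))
    denied, allowed = check_policy(regex, ALLOWED_COMMANDS, MUST_DENY)
    print("wrongly denied :", denied)
    print("wrongly allowed:", allowed)
    for cmd in ALLOWED_COMMANDS + MUST_DENY:
        print(f"{'ALLOW' if is_allowed(regex, cmd) else 'DENY ':5} {cmd}")
```

Run as a script it prints the `set` line for the class and a verdict per command; the final check is still the one the accepted answer shows, logging in as the restricted user and running `show ?` on the device. Note that `show version detail` is denied because the full-line match is what keeps an allowed command from acting as a prefix for everything beneath it.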