Routing

Minimum Permissions Needed for "show commands" over Netconf

  • 1.  Minimum Permissions Needed for "show commands" over Netconf

    Posted 05-06-2020 15:43

    I've tried using the built in operator class and that did not suffice. I'm trying to backup configuration on MX204\VMX routers using Ansible. Ansible connects to the router via netconf. I want to use a 'read only' user which only has permissions to view the configuration. I'm trying to execute the following commands:

    - show version
    - show configuration
    - show configuration | display set
    - show system information

    I only want this read only user to be able to execute the above and nothing more.

    If I give my custom 'read only' class the "all" permission it works.  I would rather not give this permission though.


    #read-only
    #login


  • 2.  RE: Minimum Permissions Needed for "show commands" over Netconf

    Posted 05-06-2020 16:06

    Hello Junos user,

    You can make the commands more specific using allow-commands "<regular expression>"

    For instance:

    set system login class test allow-commands "show\ version\ (brief|detail).*"

    Cheers

    Pooja

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!



  • 3.  RE: Minimum Permissions Needed for "show commands" over Netconf

    Posted 05-06-2020 17:00
    Hi Junosuser,

    The generalized command to achieve what you have mentioned above is,

    set system login class test allow-commands "(cmd1)|(cmd2)|(cmdn)"


    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

    Regards
    Nadeem



  • 4.  RE: Minimum Permissions Needed for "show commands" over Netconf

    Posted 05-06-2020 19:11

    Hello Junos user,

    Greetings!

    Yes, you can make use of allow-commands and also deny-commands for a specific user to limit the access of that user to a specific level.

    Go through the below link to explore more about allowing and denying the commands for a specific user.

    Link for more clarification:

    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/junos-os-access-privileges.html#id-regular-expressions-for-allowing-and-denying-junos-os-operational-mode-commands

    [edit system login class test]
    user@host# set permissions configure
    user@host# set allow-commands "(cmd1)|(cmd2)|(cmd3)|(cmdn)"
    user@host# set deny-configuration "(cmd4)|(cmd5)|(cmd6)|(cmdn)"

    With the above configuration, the users assigned to the test login class have operational mode access restricted to only the commands specified in the allow-commands statement, and access to the configuration mode, excluding the hierarchy levels specified in the deny-configuration statement.

  • 5.  RE: Minimum Permissions Needed for "show commands" over Netconf
    Best Answer

    Posted 05-06-2020 23:34

    Hi junosuser33,

    Greetings,

    I would recommend you to configure something like below:

    1. Create a custom class (read-only-show) that allows only specific commands like below:
    # set system login class read-only-show allow-commands "(show version)|(show configuration)|(show configuration | display set)|(show system information)"

    2. Further map the user to this class with the below command:

    # set system login user test class read-only-show

    > Output from lab device:

    # show | compare
    [edit system login]
    + class read-only-show {
    + allow-commands "(show version)|(show configuration)|(show configuration | display set)|(show system information)";
    + }
    [edit system login]
    + user test {
    + class read-only-show;
    + }

    After adding and logging in with the user (say test) this will only list the allowed commands like:

    test@lab> show ?
    Possible completions:
    configuration Show current configuration
    system Show system information
    version Show software process revision levels

    I hope this helps. Please mark "Accept as solution" if this answers your query.

    Kudos are appreciated too!

    Regards,

    Sharat Ainapur
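As an added example that is not from the thread or from Juniper: a small Python check that feeds the allow-commands expression from the best answer, and an escaped variant of it, the four commands from the question under both a prefix-match and a whole-command-match reading, because an unescaped "|" inside "(show configuration | display set)" is regex alternation rather than a literal pipe. It assumes Python's re behaves like the extended-regex matcher Junos uses for allow-commands and makes no claim about which of the two matching modes Junos applies; "show interfaces terse" is a constructed command that must stay denied.

```python
import re
from typing import Dict, List

# allow-commands expression from the best answer, copied as posted.
THREAD_PATTERN = (r"(show version)|(show configuration)"
                  r"|(show configuration | display set)|(show system information)")

# Same intent with spaces and the pipe escaped, so the third group is the
# single literal command "show configuration | display set".
ESCAPED_PATTERN = (r"(show\ version)|(show\ configuration)"
                   r"|(show\ configuration\ \|\ display\ set)|(show\ system\ information)")

# The four commands from the question plus one constructed command that
# the read-only class must keep denied.
COMMANDS = ["show version", "show configuration",
            "show configuration | display set", "show system information",
            "show interfaces terse"]  # last one is constructed, must stay denied

def literal_alternatives(group: str) -> List[str]:
    """Split one parenthesised group on every unescaped '|', as an extended-regex
    engine does; a literal pipe inside the group needs a backslash."""
    parts, current, escaped = [], "", False
    for ch in group.strip("()"):
        if escaped:
            current, escaped = current + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == "|":
            parts.append(current)
            current = ""
        else:
            current += ch
    parts.append(current)
    return parts

def is_allowed(pattern: str, command: str, full_match: bool) -> bool:
    """Prefix match (re.match) versus whole-command match (re.fullmatch); Python's
    re stands in for the Junos matcher here, which is an assumption."""
    matcher = re.fullmatch if full_match else re.match
    return matcher(pattern, command) is not None

def decisions(pattern: str, full_match: bool) -> Dict[str, bool]:
    """Allow/deny verdict for every command in COMMANDS."""
    return {cmd: is_allowed(pattern, cmd, full_match) for cmd in COMMANDS}

if __name__ == "__main__":
    print(literal_alternatives("(show configuration | display set)"))
    for full in (False, True):
        print(full, decisions(THREAD_PATTERN, full), decisions(ESCAPED_PATTERN, full))
```

Under the whole-command reading the posted expression never matches "show configuration | display set" (it only contains the alternatives "show configuration " and " display set"), while under the prefix reading it is accepted only because "show configuration" is a prefix of it; the escaped variant gives the same four allowed commands under both readings.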