Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  Juniper Op Script permissions

    Posted 05-12-2023 12:50

    Scenario: I want to allow a team of non-networking people to ssh into our SRX and lock it down to where they can only run op scripts. I started with no permissions, "deny-configuration .*", and "deny-commands .*" to completely lock down the login class and built up the permissions, "allow-configuration", and "allow-commands" from there.

    As it is now, I'm in a good spot with "permissions" and "allow-configuration". When I set "allow-commands" to ".*" the script will successfully run. My issue is that I'm not sure which commands to add under "allow-commands". When I add the commands the script would be running as if the user was manually doing the configuration ("configure exclusive" and a specific "deactivate ... ... ..." command), I get "error: permission denied: lock-configuration" when running the op script, but the user can run the manual commands themselves with no issue. This leads me to the conclusion that I'm missing a specific "allow-commands" statement, but I'm not sure what. I'm fairly positive this has something to do with the execution of the script involving XML (I'm specifically using SLAX).

    In my research I've tried allowing the command "junoscript interactive" but I still get the "error: permission denied: lock-configuration" error.

    I'll update this if I find the answer.


  • 2.  RE: Juniper Op Script permissions
    Best Answer

    Posted 05-13-2023 19:56

    Unfortunately I wasn't able to figure out which "allow-commands" statement at the user-class level would allow the op script to lock the configuration database, but I did find a workable solution.


    "set system scripts op file filename allow-commands .*"

    For anyone who may be in a similar position of allowing non-network users access to their Junipers but minimizing the damage they can do:

    The ".*" portion allows the script to run every command, assuming "every command" fits a very narrow definition I've made by tailoring the user class "permissions" and "allow/deny-configuration" statements of the user class running the script. In my case I have the "permissions" and "allow/deny-configuration" statements of the user class tailored to where the user/any script they run only has permission to a very specific part of an interface, but the user class' "allow/deny-commands" are set to where the user themselves can only run "op filename" to start the script; the user can't even enter config mode!

    According to Juniper's documentation the command was made available on version 14.2+.
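
The layout described in the answer above, written out as set commands. This is an added example, not configuration posted in the thread: the class name OP-ONLY, the user opuser, the permission flags and the interface path are assumptions or constructed values, and "filename" is the thread's own placeholder for the op script file.

```junos
# Added illustration, not the poster's configuration.
# OP-ONLY and opuser are hypothetical names; "filename" is the thread's
# placeholder for the op script file.

# 1. Login class: deny everything first, then build up, as in the first post.
#    The permission flags are an assumption; the thread does not say which
#    ones were used. Pick the minimum needed for the statements in step 2.
set system login class OP-ONLY permissions [ configure interface-control ]
set system login class OP-ONLY deny-commands ".*"
set system login class OP-ONLY deny-configuration ".*"

# 2. Configuration scope: only the one hierarchy the script has to touch.
#    The interface path is a constructed sample value.
set system login class OP-ONLY allow-configuration "interfaces ge-0/0/1 unit 0"

# 3. Operational commands the user may type directly: only the script
#    launcher, so the user cannot enter configuration mode by hand.
set system login class OP-ONLY allow-commands "op filename"

# 4. Attach the class to the account handed to the non-networking team.
set system login user opuser class OP-ONLY

# 5. Script-level override from the answer: lifts the command filter for
#    the script itself. What the script can change is then bounded by the
#    class permissions and allow/deny-configuration from steps 1 and 2.
set system scripts op file filename allow-commands ".*"
```

Because step 5 removes the command filter for the script, the statements in steps 1 and 2 are the boundary that matters, and write access to the script file on the device needs to be restricted to the same degree.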