Junos OS

Ask questions and share experiences about Junos OS.
  • 1.  allow-configuration-regexp doesn't work as expected

    Posted 04-13-2015 06:42
    Hello all,
    I'm testing the allow-configuration-regexp command on Junos 12.1, and it doesn't work at all 🙂
     
    Here is the sample from the Juniper documentation:
     
    [edit system login class class-name]
    user@host# set permissions configure view view-configuration
    user@host# set allow-configuration-regexps "system services"
     
    Ok, I do the same for my test class
    show configuration system login class testclass
    permissions [ configure view ];
    allow-configuration-regexps "system services";
     
    view - just to check cli authorization.
     
    > show cli authorization
    Current user: 'testuser    ' class 'testclass'
    Permissions:
        configure   -- Can enter configuration mode
        view        -- Can view current values and statistics
    Individual command authorization:
        Allow regular expression: none
        Deny regular expression: none
        Allow configuration regular expression: "system services"
        Deny configuration regular expression: none
    -------
    So show cli authorizations looks ok, but it's not possible to change anything in system services
     
    testuser@SITE-1> configure
    Entering configuration mode

    [edit]
    testuser@SITE-1# edit ?
    No valid completions
    [edit]
    testuser@SITE-1# edit system
                          ^
    syntax error, expecting <statement> or <identifier>.
    testuser@SITE-1# edit system
     
     
    Actually I've tested many different combinations of allow-configuration-regexp and deny-configuration-regexp and still don't understand how they work 🙂
     
    Any help?
     

    #privileges


  • 2.  RE: allow-configuration-regexp doesn't work as expected

    Posted 04-13-2015 15:58

    Confirmed that it works properly on 12.3R9, recommend you upgrade.  12.1 is out of support, and there were some bugs around allow-configuration-regexps.  I don't recall the specifics, but I remember seeing something about it when I was dabbling in this a month or two ago.

     

    Also, you're missing view-configuration in your test class.  Without that the only configuration that is visible is the stuff inside system services.

     

    cmyers@lab-ex8208-2.re0# show 
    permissions [ configure view ];
    allow-configuration-regexps "system services";
    
    
    cmyers@lab-ex8208-2.re0> show cli authorization 
    Current user: 'ccm-test' login: 'cmyers' class 'testclass'
    Permissions:
        configure   -- Can enter configuration mode
        view        -- Can view current values and statistics
    Individual command authorization:
        Allow regular expression: none
        Deny regular expression: none
        Allow configuration regular expression: "system services"
        Deny configuration regular expression: none
    
    
    {master}                                
    cmyers@lab-ex8208-2.re0> configure 
    Entering configuration mode
    
    {master}[edit]
    cmyers@lab-ex8208-2.re0# set ?
    Possible completions:
    > access-profile       Access profile for this instance
    + apply-groups         Groups from which to inherit configuration data
    > groups               Configuration groups
    > multi-chassis        
    > redundant-power-system  Redundant power system configuration
    > system               System parameters
    
    {master}[edit]
    cmyers@lab-ex8208-2.re0# set system ?
    Possible completions:
    > services             System services
    
    {master}[edit]
    cmyers@lab-ex8208-2.re0# set system services ?
    Possible completions:
      <[Enter]>            Execute this command
    + apply-groups         Groups from which to inherit configuration data
    + apply-groups-except  Don't inherit configuration data from these groups
    > database-replication  Database replication configuration
    > dhcp                 Configure DHCP server
    > dhcp-local-server    Dynamic Host Configuration Protocol server configuration
    > finger               Allow finger requests from remote systems
    > ftp                  Allow FTP file transfers
    > netconf              Allow NETCONF connections
    > outbound-ssh         Initiate outbound SSH connection
    > service-deployment   Configuration for Service Deployment (SDXD) management application
    > ssh                  Allow ssh access
    > subscriber-management  Subscriber management configuration
    > telnet               Allow telnet login
    > tftp-server          Allow TFTP file transfers in default routing instance
    > web-management       Web management configuration
    > xnm-clear-text       Allow clear text-based JUNOScript connections
    > xnm-ssl              Allow SSL-based JUNOScript connections

     If you notice, there are some top level entries that aren't blocked when using allow-configuration-regexps.  You should be able to filter them with deny-configuration-regexps.

     

     

    To give you an idea what you can do, here is what I was messing with originally.

    class prestador {
        permissions [ configure interface-control view view-configuration ];
        allow-configuration-regexps [ "poe interface" "ethernet-switching-options voip interface" ];
        deny-configuration-regexps [ "poe interface ge-0/0/.*" "ethernet-switching-options voip interface ge-0/0/.*" "interfaces ge-0/0/.*" ];
    }

    That was built around another forum request to only allow access to the uplink ports on an EX4200.  That filters out all of the non-uplink ports when doing ? expansion.

     

    -Chad



  • 3.  RE: allow-configuration-regexp doesn't work as expected

    Posted 04-13-2015 16:34

    Hello Chad,

    Thanks for your information, so for now it really seems like a bug in 12.1. Actually I tried 12.1x44 and 12.1x46, and the first one is the recommended one for SRX devices. Strange that this command doesn't work, bearing in mind it was introduced in 11.2.

     

    At least now I know that the syntax is ok 🙂

     

     



  • 4.  RE: allow-configuration-regexp doesn't work as expected
    Best Answer

    Posted 04-13-2015 16:47

    Found it, PR931415.  Says it affects MX and SRX and should be resolved in 12.1X44-D45 12.1X46-D25 12.1X47-D10 12.3R8 13.1R5 13.2R5 13.3R3 14.1R2 14.2R1.

     

    -Chad
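
Added example, not part of the original posts: a small checker that compares a Junos version string against the fixed-in releases listed above for PR931415, so a fleet can be audited for devices where login-class configuration regexps may not be honoured. The function names, the sample inventory and the choice to report trains absent from the list as "unknown" are assumptions of this example; it does not take the platform (MX/SRX) into account.

```python
import re

# Fixed-in releases for PR931415, copied from the post above.
FIXED_IN = ["12.1X44-D45", "12.1X46-D25", "12.1X47-D10", "12.3R8",
            "13.1R5", "13.2R5", "13.3R3", "14.1R2", "14.2R1"]

_VERSION = re.compile(
    r"^(\d+)\.(\d+)"        # major.minor, e.g. 12.1
    r"(?:X(\d+)-D(\d+)"     # special train, e.g. X44-D45
    r"|R(\d+))"             # mainline train, e.g. R8
    r"(?:[.-].*)?$",        # trailing build/service suffix (.7, -S2) is ignored
    re.IGNORECASE,
)

def parse(version):
    """Return (train, level), e.g. ('12.1X44', 45) or ('12.3R', 8); None if unparsable."""
    m = _VERSION.match(version.strip())
    if not m:
        return None
    major, minor, x, d, r = m.groups()
    if x is not None:
        return (f"{major}.{minor}X{x}", int(d))
    return (f"{major}.{minor}R", int(r))

# train -> first level on that train that carries the fix
_FIXED = dict(parse(v) for v in FIXED_IN)

def has_fix(version):
    """True/False when the train is in the list above, None when it is not."""
    parsed = parse(version)
    if parsed is None or parsed[0] not in _FIXED:
        return None
    train, level = parsed
    return level >= _FIXED[train]

def audit(inventory):
    """Map each host to 'fixed', 'affected' or 'unknown'."""
    labels = {True: "fixed", False: "affected", None: "unknown"}
    return {host: labels[has_fix(ver)] for host, ver in inventory.items()}

# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE = {"srx-a": "12.1X44-D40", "srx-b": "12.1x47-D20.7",
          "ex-c": "12.3R9", "mx-d": "15.1R4"}

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host:8} {SAMPLE[host]:16} {status}")
```
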



  • 5.  RE: allow-configuration-regexp doesn't work as expected

    Posted 04-13-2015 17:04

    Maybe, but the title is very strange - "Allow-configuration-regexps auto-complete is not working."

    I'm upgrading and will check then.



  • 6.  RE: allow-configuration-regexp doesn't work as expected

    Posted 04-13-2015 18:10

    Upgrading to 12.1x47-D20.7 resolved this problem. Thanks again for your help, Chad!