Automation


Ask questions and share experiences about Apstra, Paragon, and all things network automation.
  • 1.  Run script (or portion) as privileged user

    Posted 10-27-2010 23:47

    My customer has a requirement to limit the number of concurrent logins to 1. Currently, my login-script identifies if there are multiple users logged in with the same user name and logs a syslog event but does not take any action. This meets part of the requirement. The second part is to take some action (my customer wants options so I need to script and test several solutions). Of the three possible actions, log out user 1, log out user 2, or log out both (option 4 is log only and that currently works), all are similar except in the tty and/or from address. Because logging out all users is the easiest, I started there.

     

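    For a full admin, adding:

    /* jcs:invoke() expects an RPC name or an XML tree, so the CLI string is wrapped in <command> */
    var $RPC = <command> "request system logout user " _ $user _ " all";
    var $outputRPC = jcs:invoke( $RPC );
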

    to the portion of code that determines number of currently logged-in users with the same user name works. However, for an audit admin, this does not work because that admin doesn't have permission to run that command. Therefore, I need to run this portion of the script as a privileged user; is that possible?

     

    Richard



  • 2.  RE: Run script (or portion) as privileged user
    Best Answer

     
    Posted 10-28-2010 00:26

    One option is to generate an event (syslog message) using jcs:syslog from the login-script. Have an event-script which will be triggered based on that event and the event-script can execute that command.

     

    Thanks,

    Sriram



  • 3.  RE: Run script (or portion) as privileged user

    Posted 10-28-2010 19:18

    Sriram,

    Thanks but I found another way...still using the event script though.  In this case, I had an event script that was logging failed logins already. I wish I could take credit for this but Curtis was instrumental in getting my kludge of a script off the ground and working.  Thanks, Curtis.

     

    The solution I selected was to determine the user name and terminal of the currently logging-in user and use that to discriminate against.  Once I got that working, I was able to provide the customer with 3 configurable options all of which affect only logins with the same user name as the currently logging-in user:

     

    1. Forcibly log out all users

    2. Forcibly log out only the currently logging-in user

    3. Forcibly log out all BUT the currently logging-in user

     

    However, you were right in that the event-script will kick the user regardless of whether that user has the requisite permissions or not.

     

    Richard
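
The session-selection logic behind the three options in the post above, as an added example that is not part of the thread or Richard's script. It is written in Python rather than SLAX, the policy names and the `show system users`-style sample are constructed, and the privileged event script is assumed to perform the actual logout for each terminal returned.

```python
# Constructed sample in the layout of `show system users`; not from the thread.
SAMPLE = """\
 9:31AM  up 12 days, 3:02, 4 users, load averages: 0.05, 0.03, 0.01
USER     TTY      FROM            LOGIN@  IDLE WHAT
audit    p0       192.0.2.10      9:14AM     - -cli (cli)
audit    p1       192.0.2.44      9:20AM     2 -cli (cli)
netops   p2       198.51.100.7    8:02AM    15 -cli (cli)
audit    p3       192.0.2.10      9:31AM     - -cli (cli)
"""

# Hypothetical names for the four behaviours discussed in the thread.
POLICIES = ("log-only", "all", "current-only", "all-but-current")


def parse_sessions(text):
    """Return (user, tty, from) tuples for rows below the USER/TTY header."""
    sessions, in_table = [], False
    for line in text.splitlines():
        fields = line.split()
        if fields[:2] == ["USER", "TTY"]:
            in_table = True  # ignore the uptime banner printed above the header
        elif in_table and len(fields) >= 3:
            sessions.append(tuple(fields[:3]))
    return sessions


def sessions_to_logout(sessions, user, tty, policy):
    """Pick the terminals to terminate for `user`, who is logging in on `tty`."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy}")
    same_user = [s for s in sessions if s[0] == user]
    # One session is not a violation; log-only never terminates anything.
    if len(same_user) < 2 or policy == "log-only":
        return []
    if policy == "all":
        return [s[1] for s in same_user]
    # Match on the terminal, not the source address: p0 and p3 above share an
    # address, so only the tty identifies the session that is logging in.
    if policy == "current-only":
        return [s[1] for s in same_user if s[1] == tty]
    return [s[1] for s in same_user if s[1] != tty]  # all-but-current
```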