
User with limited configuration permission but full config read

04-23-2020 06:27 AM

Hi there,

I am trying to configure a user class for an Ansible script, with limited access to the config. I use regexps in allow-configuration statements to specify what the user can do, and this part works OK. My issue is that the user can only view the part of the config he is able to configure. He can do a show configuration globally or a show | compare, but the command does not return anything.

This seems to create an issue with Ansible because the diff between the candidate and the running is null, so Ansible does not commit the change.

How can the user have the right to see the full config but only to configure some part of it? Anything else we can do to avoid this issue with Ansible/netconf?

Here is my config:

show configuration system login class COLIBRI-AUTOMATION
idle-timeout 15;
login-alarms;
login-tip;
permissions [ all configure view view-configuration ];
allow-commands "(configure.*)|(edit.*)|(exit)|(commit)|(rollback .*)|(.*xml-mode)|(.*netconf)|(.*need-trailer)|(load .*)|(show .*)|(get-software-information)|(.*lock.*)|(unlock.*)|(.*close-session)|(configure exclusive)|(.*target)|(.*candidate)|(show | compare)";
deny-commands .*;
allow-configuration "(interfaces interface-set IFLSET_B2B_INET interface xe-1/0/0 unit .*)|(class-of-service interfaces xe-1/0/0 unit .* apply-groups .*)|(class-of-service interfaces xe-1/0/0 unit .*)|(routing-instances NET protocols bgp group B2B-INET_LIGHT-EBGP-IPV.* neighbor .* description [^#]*$)|(routing-instances NET protocols bgp group B2B-INET_LIGHT-EBGP-IPV.*)|(routing-instances NET interface xe-1/0/0.*)|(interfaces xe-1/0/0 unit .* family inet.* mtu .*)|(interfaces xe-1/0/0 unit .* family inet.* address .*)|(interfaces xe-1/0/0 unit .* vlan-tags outer .*)|(interfaces xe-1/0/0 unit .* vlan-tags inner .*)|(interfaces xe-1/0/0 unit .* description [^#]*$)|(interfaces xe-1/0/0 unit .*)|(interfaces xe-1/0/0)";
deny-configuration .*;
allow-hidden-commands;

Thanks!!
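
Added example, not code from the thread: a small Python harness that applies the allow-configuration and deny-configuration patterns of the COLIBRI-AUTOMATION class above to candidate statement paths, so you can check offline which changes such a user can see and configure before touching the device. It assumes that a path matching any allow pattern is permitted even though the deny .* also matches it (the behaviour the question reports as working) and that each pattern is matched against the whole statement path; the sample paths are constructed.

```python
import re

# Added example, not from the thread. ALLOW_CONFIGURATION lists the alternatives of the
# allow-configuration regexp from the COLIBRI-AUTOMATION class in the question, one per
# entry; DENY_CONFIGURATION is that class's ".*" catch-all.
ALLOW_CONFIGURATION = [
    r"interfaces interface-set IFLSET_B2B_INET interface xe-1/0/0 unit .*",
    r"class-of-service interfaces xe-1/0/0 unit .* apply-groups .*",
    r"class-of-service interfaces xe-1/0/0 unit .*",
    r"routing-instances NET protocols bgp group B2B-INET_LIGHT-EBGP-IPV.* neighbor .* description [^#]*$",
    r"routing-instances NET protocols bgp group B2B-INET_LIGHT-EBGP-IPV.*",
    r"routing-instances NET interface xe-1/0/0.*",
    r"interfaces xe-1/0/0 unit .* family inet.* mtu .*",
    r"interfaces xe-1/0/0 unit .* family inet.* address .*",
    r"interfaces xe-1/0/0 unit .* vlan-tags outer .*",
    r"interfaces xe-1/0/0 unit .* vlan-tags inner .*",
    r"interfaces xe-1/0/0 unit .* description [^#]*$",
    r"interfaces xe-1/0/0 unit .*",
    r"interfaces xe-1/0/0",
]
DENY_CONFIGURATION = [r".*"]


def is_permitted(path: str) -> bool:
    """Assumption: a statement path matching any allow pattern is permitted even though
    the deny ".*" also matches it (the behaviour the question reports as working), and
    each pattern is matched against the whole path, not a substring of it."""
    if any(re.fullmatch(p, path) for p in ALLOW_CONFIGURATION):
        return True
    return not any(re.fullmatch(p, path) for p in DENY_CONFIGURATION)


def visible_changes(changed_paths):
    """Subset of candidate changes the class may see: with deny-configuration .* this is
    also the most a restricted user's 'show | compare' could display."""
    return [p for p in changed_paths if is_permitted(p)]


# Constructed sample of candidate-config changes written as statement paths.
SAMPLE_CHANGES = [
    "interfaces xe-1/0/0 unit 100 description B2B customer 100",
    "interfaces xe-1/0/0 unit 100 family inet address 192.0.2.1/30",
    "routing-instances NET protocols bgp group B2B-INET_LIGHT-EBGP-IPV4 neighbor 192.0.2.2 description cust100",
    "interfaces xe-1/0/1 unit 100 description same change on a non-allowed port",
    "system login user backup class super-user",
]

if __name__ == "__main__":
    for path in SAMPLE_CHANGES:
        print("ALLOW" if is_permitted(path) else "DENY ", path)
```

Any change Ansible pushes outside the allowed paths is filtered out of what this class can view, which is the situation the question describes for the diff.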

Re: User with limited configuration permission but full config read

04-25-2020 07:38 AM

With the configuration you have, the user should be able to see the whole configuration from operational mode using

show configuration
But in configure mode the user will only have access to the allowed hierarchy.
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: User with limited configuration permission but full config read

04-27-2020 12:41 AM

Hi Spuluka,

Thanks for your answer; unfortunately that's not even the case:

colibri@mx240-lab> show configuration
## Last commit: 2020-04-24 14:49:27 UTC by aurelien

colibri@mx240-lab>

Any idea why?