SRX Services Gateway
Highlighted
SRX Services Gateway

User Login class

‎04-12-2019 02:03 PM

Hello,

I am trying to create a custom login class with a very limited access, allowing only few commands. Here is what worked for me

set system login class t-user_class permissions interface
set system login class t-user_class permissions view
set system login class t-user_class allow-commands "(show interfaces terse)|(show system uptime)|(ping .*)|(exit)"
set system login class t-user_class deny-commands .*

 

Now, I need to furter limit the interface visibility, so user can only see one interface. I have tried the following and varios combinations of it with no luck. As soon as I specify interface it does not work. Meaning that i can commit the changes but user is not able to execute it.

set system login class t-user_class allow-commands "(show interfaces ge-0/0/0)|(show system uptime)|(ping .*)|(exit)"

 

I read through this https://www.juniper.net/documentation/software/junos/junos95/swconfig-access-privilege/id-10521195.h... .It mentions that rutime variables are not supported but I do not beleive this applies to interface names. 

2 REPLIES 2
SRX Services Gateway

Re: User Login class

‎04-13-2019 10:08 AM

Hello There,

 

It is very interesting that you have such a requirement to hide even the IP addresses of other interfaces.

 

I think JunOS will not allow you to mention the individual interface in the allow-commands section because for JunOS the interface names are runtime parameter.

 

We need to acknowledge that this OS runs on almost all Juniper platform and NOT all of them have same hardware configuration.

 

E,g, SRX branch devices will always have ge-0/0/0 but SRX100 does NOT. It has fe-0/0/0 instead. Similarly SRX5Ks don't have fixed interfaces and depend upon which slot is being populated with IOCs.

 

Hence from the OS' perspective, interface names are runtime variable.

 

If this requirement is too critical for your operation, you may look into the logical system solution (Its a licensed feature if needed more than 2 LSYS).

 

In a logical system, a user is restricted to view the resources assigned to that system only.

 

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/user-logical-system-overview.html

 

Hope this helps!

 

Thanks! 

SRX Services Gateway

Re: User Login class

‎04-14-2019 02:24 PM

Hi,

it can be achieved via allow/deny commands regexps

https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/allow-com...

Supported from 18.1R1, for now you can do similar thing but for configuration commands only

 

Quick try from a lab, you see interfaces from the list but when try to show their stats:

test@router> show cli authorization
Current user: 'test ' class 't-user_class'
Permissions:
interface -- Can view interface configuration
view -- Can view current values and statistics
Individual command authorization:
Allow regular expression: none
Deny regular expression: ".* .* [xe][et]-[0-9]/[0-9]/[1-9]" ".* .* [xe][et]-[0-9]/[1-9]/[0-9]" ".* .* [xe][et]-[1-9]/[0-9]/[0-9]"
Allow configuration regular expression: none
Deny configuration regular expression: none

 

test@router> show interfaces et-0/0/0
Physical interface: et-0/0/0, Enabled, Physical link is Up
Interface index: 255, SNMP ifIndex: 582
Link-level type: Ethernet, MTU: 9192, Speed: 100Gbps, BPDU Error: None, Loop Detect PDU Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled
Device flags : Present Running
Interface flags: SNMP-Traps Internal: 0x4000
Link flags : None
CoS queues : 8 supported, 8 maximum usable queues
Schedulers : 0
Current address: <snip>, Hardware address: <snip>
Last flapped : 2019-04-14 12:04:31 PDT (02:08:36 ago)
Input rate : 385177968 bps (422350 pps)
Output rate : 6888 bps (11 pps)
Active alarms : None
Active defects : None
PCS statistics Seconds
Bit errors 0
Errored blocks 0
Ethernet FEC Mode : NONE
Ethernet FEC statistics Errors
FEC Corrected Errors 0
FEC Uncorrected Errors 0
FEC Corrected Errors Rate 0
FEC Uncorrected Errors Rate 0
PRBS Statistics : Disabled
Interface transmit statistics: Disabled

Logical interface et-0/0/0.0 (Index 376) (SNMP ifIndex 583)
Flags: Up SNMP-Traps 0x4004000 Encapsulation: ENET2
Input packets : 3197979487
Output packets: 99800
Protocol inet, MTU: 9178
Max nh cache: 100000, New hold nh limit: 100000, Curr nh cnt: 1, Curr new hold cnt: 0, NH drop cnt: 0
Flags: Sendbcast-pkt-to-re
Addresses, Flags: Is-Preferred Is-Primary
Destination: 10.1.0.4/31, Local: 10.1.0.5
Protocol mpls, MTU: 9166, Maximum labels: 3
Protocol multiservice, MTU: Unlimited

test@starfire-re0> show interfaces et-0/4/0
error: unknown command: show

test@starfire-re0> show interfaces xe-0/1/2
error: unknown command: show

test@starfire-re0> show interfaces xe-0/1/2:0
error: unknown command: show

 

Hope this helps