[tac_plus] Re: Redesign?

Paul Floyd shadrack at rocketmail.com
Sat Jul 10 10:39:52 UTC 2010 

----- Original Message ----

> From: Kiss Gabor (Bitman) <kissg at ssg.ki.iif.hu>
> To: Paul Floyd <shadrack at rocketmail.com>
> Cc: tac_plus at shrubbery.net
> Sent: Wed, July 7, 2010 9:56:20 PM
> Subject: Re: [tac_plus] Redesign?
> 
> > > Why don't you show us some example configs?  :-)
> > 
> >  group = my_group {
> >     acl = my_acl
> >     tty  = vty[0-4]
> >     time_of_day = Mon-Fri,8a-9p
> >      max_sessions = 2
> > }
> > 
> > user = fred {
> >     member = my_group
> > }
> 
> Fine. :-)
> Let's see a bit more  complex case.
> 
> If Fred logs in terminal_server_A (192.168.0.1) {
>    If logs in on the console or aux port {
>     Execute autocommand  "show ip bgp"
>   }
>   If logs in on the first three modem (tty0-2)  {
>     Execute autocommand "ppp"
>     and set ip  access-group 42 for incoming packets
>   }
>   If logs in on any  other modem (tty*) {
>     Execute autocommand "slip"
>    }
>   If logs in on vty* {
>     Give him an exec  prompt
>     Set privilege level 2
>     Discard commands  containing "ipv6"
>   }
> }
> If Fred logs in any NAS on network_B  (192.168.0.0/25) [including the above!] 
{
>   On the weekends {
>      Executing "configure" command is not allowed
>   }
>   After  4pm and before 8am {
>     Executing "show interface" command is not  allowed unless
>     he connect the NAS from 10.3.3.3
>    }
> }
> If Fred logs in any NAS [including the above] {
>   If he comes  from 10.4.4.4 {
>     Set privilege level 15
>   }
> }
> 
> Regards
> 
> Gabor

OK I see how this works.  I meet your challenge and you just move the 
goalpoasts!  :-)

Right, well, this is pretty rough (I'm sure I'm using half the commands wrong), 
but it should illustrate the basic idea which is that all groups in a hierarchy 
are processed (basically from the bottom up), but only the ones where all the 
conditions are matched have their parameters applied to the user session.  Where 
two parameters conflict (for example autocmd) the last one applied takes 
precedence.  There are probably a few places here where you'd have to UNSET 
parameters applied in an earlier group, but that is left as an exercise for the 
reader :-)

acl = network_b {
   deny  ^192\.168\.0\.12[89]$
   permit ^192\.168\.0\.[0-9][0-9]?$
   permit ^192\.168\.0\.1[0-2][0-9]$
}

acl = term_serv_a {
   permit ^192\.168\.0\.1$
}

group uber_manager {
   address = 10.4.4.4
   service = exec {
      priv-lvl = 15
   }
}

group tsa_conaux {
   acl = term_serv_a
   tty = console|aux
   autocmd="show ip bgp"
   member = uber_manager
}

group tsa_vty {
   acl = term_serv_a
   tty = vty*
   service = exec {
      priv-lvl = 2
   }
   cmd {
    deny .*ipv6.*
    permit .*
   }
   member = tsa_conaux
}

group tsa_firstmodem {
   acl = term_serv_a
   tty = tty*
   autocmd="slip"
   inacl=none
   member = tsa_vty
}

group tsa_othermodem {
   acl = term_serv_a
   tty = tty[0-2]
   autocmd="ppp"
   inacl=42
   member = tsa_firstmodem
}
   

group weekend {
   acl = network_b
   time_of_day = Su,Sa
   cmd = configure {
      deny .*
   }
   member = tsa_othermodem
}   

group overnight {
   acl = network_b
   time_of_day = 0-8;16-24
   address != 10.3.3.3
   cmd = show {
      deny interface
      permit .*
   }
   member = weekend
}   

user = fred {
  member = overnight
}

The example above is kinda bending over backwards in an effort not to depart 
from the existing syntax only to show that I think it could *technically* be 
done.  That being said, it's horribly convoluted.  A better solution might be to 
add a basic if/then/else conditional construct with a little boolean logic 
sprinkled in for good measure.  Something sorta like this:

group example_group {

   if(acl=network_b) {
      if(time_of_day = 0-8;16-24 && address != 10.3.3.3) {
         cmd = show {
            deny interface
            permit .*
         }
      }

      if(time_of_day = Su,Sa) {
         cmd = configure {
            deny .*
         }
      }

      if(acl=term_serv_a) {
         if(tty = console|aux) {
            autocmd="show ip bgp"
         } elseif (tty = tty[0-2]) {
            autocmd="ppp"
            inacl=42
         } elseif (tty = tty.*) {
            autocmd="slip"
         } elseif (tty = vty.*) {
            service = exec {
               priv-lvl = 2
            }
            cmd {
           deny .*ipv6.*
           permit .*
            }
         }
      }
   }

   if(address=10.4.4.4) {
      service = exec {
         priv-lvl = 15
      }   
}

user = fred {
  member = example_group
}

I kind of ignored inheritance here, but if you wanted to allow a "member = " 
clause in a group definition, you could treat it essentially as a substitution 
-- somewhat like an #include statement in C.  I realize the whole idea is a big 
change, but it still seems more straightforward than converting the whole 
backend to SQL.  I suspect it would perform better than SQL too, but then again, 
I haven't looked at the code, so maybe I'm way off base here...

- Paul

More information about the tac_plus mailing list