[tac_plus] Re: Multiple groups, multiple ACL-s

Karen Durinyan karen.durinyan at gmail.com
Wed Mar 31 05:08:46 UTC 2010


Hello Gabor,

First of all, thanks for your reply and for the patch.

I did mean, and did, exactly what you say here.
Here is my config.

...
acl = net-staff-r {
        permit = ^10\.0\.127\.12$
        return = .*
}

acl = net-staff-u {
# If I have 100 NASes, can I use permit = ".*" here?
        permit = ^10\.0\.127\.1$
        return = .*
}
...
group = net-staff-r {
        service = exec {
                priv-lvl = 15
        }
        cmd = show {
                permit ip
                permit interface
                deny ".*"
        }
        cmd = exit {
                permit ".*"
        }
}

group = net-staff-u {
        service = exec {
                priv-lvl = 15
        }
        cmd = show {
                permit ".*"
        }
        cmd = exit {
                permit ".*"
        }
}

group = net-staff-all-r {
        acl = net-staff-r
        member = net-staff-r
}

group = net-staff-all-u {
        acl = net-staff-u
        member = net-staff-u
}
...

user = karen {
        login = des <something encrypted>
        member = net-staff-all-r
        member = net-staff-all-u
        name = "Karen Durinyan"
}
...


Result is the following:
[karen at srv1 ~]$ ssh racc1
Password: 

racc1#show run
Command authorization failed.

racc1#show ip int br
...
Loopback0                  10.0.127.12     YES manual up                    up      
racc1#
racc1#exit
Connection to racc1 closed.
[karen at srv1 ~]$ ssh edge1
Password: 

edge1#show run
Command authorization failed.

edge1#show ip int br
...
Loopback0                  10.0.127.1      YES NVRAM  up                    up      
edge1#exit
Connection to edge1 closed.
[karen at srv1 ~]$


It seems the ACLs match and the groups match; racc1 is working as expected, but things are not
correct with edge1. For edge1 I am expecting to be able to run any command
starting with "show ...", as it is in the group definition. Am I missing anything?

Thanks in advance.

-- 
Bests,
Karen


On Tuesday 30 March 2010 23:47:55 Kiss Gabor (Bitman) wrote:
> > The problem is the following:
> > 
> > userA can login on nasA but can issue only "show *" cmd
> > userA can login on nasB but can issue only "ping *" cmd
> > userA can login on nasC but can issue only "exit *" cmd
> > 
> > It seems ACLs must be applied to cmd somehow but I do not know how.
> > 
> > Is this possible with your patch? Is this possible with tac+ at all?
> 
> Do you think this?
> 
> 
> user = userA {
> 	member = nasA_show
> 	member = nasB_ping
> 	member = nasC_exit
> 	...
> }
> 
> group = nasA_show {
> 	acl = acl_nasA
> 	member = cmd_show
> }
> 
> acl = acl_nasA {
> 	permit = <regexp of nasA address>
> 	return = .*
> }
> 
> group = cmd_show {
> 	cmd = show {
> 		permit .*
> 	}
> }
> 
> ...
> 
> Details at
> http://www.shrubbery.net/pipermail/tac_plus/2007-August/000125.html
> 
> Gabor

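As an added example, not part of this thread or of the tac_plus code, here is a small Python model of how the posted configuration is expected to evaluate. It encodes Karen's acl, group and user blocks as data and applies three rules that are assumptions of the model, not statements from the thread: acl entries are tried in order against the NAS address and the first permit/deny that matches decides, with no match meaning deny; cmd permit/deny regexes are tried in order as an unanchored search against the argument string after the command keyword, again first match decides and no match means deny; and of the groups whose ACL admits the NAS, the first in member order supplies the cmd block (check the tac_plus.conf man page for the version in use before relying on any of these). The model reproduces the two racc1 results from the post and gives the edge1 result the configuration is expected to produce, which is the behaviour the thread is asking about. It also shows two anchoring caveats worth knowing when writing these regexes: an acl pattern without a trailing `$` admits more addresses than intended (`^10\.0\.127\.1` also matches 10.0.127.12), and an unanchored cmd pattern such as `ip` permits `show running-config | include ip` as well as `show ip int br`. All names and addresses come from the post; the helper function names are the example's own.

```python
import re

# Constructed model of the tac_plus.conf fragment from the post (not the
# server's own code).  Model assumptions, labelled as such:
#   * acl entries are tried in order against the NAS address; the first
#     matching permit/deny decides, and no match means deny.
#   * cmd permit/deny regexes are tried in order against the argument string
#     after the command keyword (unanchored search); first match decides,
#     no match means deny.
#   * of the groups whose ACL admits the NAS, the first in member order
#     supplies the cmd block.

ACLS = {
    "net-staff-r": [("permit", r"^10\.0\.127\.12$")],
    "net-staff-u": [("permit", r"^10\.0\.127\.1$")],
}

# cmd blocks of the two command groups, rules in the order written
CMD_GROUPS = {
    "net-staff-r": {
        "show": [("permit", "ip"), ("permit", "interface"), ("deny", ".*")],
        "exit": [("permit", ".*")],
    },
    "net-staff-u": {
        "show": [("permit", ".*")],
        "exit": [("permit", ".*")],
    },
}

# wrapper groups: name -> (acl, member command group)
WRAPPERS = {
    "net-staff-all-r": ("net-staff-r", "net-staff-r"),
    "net-staff-all-u": ("net-staff-u", "net-staff-u"),
}

USERS = {"karen": ["net-staff-all-r", "net-staff-all-u"]}


def first_match(rules, text):
    """True/False for the first rule whose regex is found in text,
    None when no rule matches (caller turns None into deny)."""
    for action, pattern in rules:
        if re.search(pattern, text):
            return action == "permit"
    return None


def acl_permits(acl_name, nas_ip):
    """Does this acl admit the NAS?  No matching entry means deny."""
    return bool(first_match(ACLS[acl_name], nas_ip))


def acl_entry_matches(pattern, nas_ip):
    """How a single acl regex behaves against one address."""
    return re.search(pattern, nas_ip) is not None


def groups_for(user, nas_ip):
    """Command groups reachable by user on this NAS, in member order."""
    admitted = []
    for wrapper in USERS[user]:
        acl_name, cmd_group = WRAPPERS[wrapper]
        if acl_permits(acl_name, nas_ip):
            admitted.append(cmd_group)
    return admitted


def cmd_authorized(cmd_group, command, args):
    """Apply one group's cmd block to a command and its argument string."""
    rules = CMD_GROUPS[cmd_group].get(command)
    if rules is None:
        return False               # command not configured -> deny
    return bool(first_match(rules, args))


def authorize(user, nas_ip, cmdline):
    """Return (permitted, admitted_groups) for one command on one NAS."""
    command, _, args = cmdline.partition(" ")
    admitted = groups_for(user, nas_ip)
    if not admitted:
        return False, admitted     # no group's ACL admits this NAS
    return cmd_authorized(admitted[0], command, args), admitted


if __name__ == "__main__":
    for nas, cmd in [("10.0.127.12", "show run"),
                     ("10.0.127.12", "show ip int br"),
                     ("10.0.127.12", "show running-config | include ip"),
                     ("10.0.127.1", "show run"),
                     ("10.0.127.99", "show ip int br")]:
        ok, groups = authorize("karen", nas, cmd)
        print(f"{nas:12} {cmd:36} groups={groups} {'permit' if ok else 'deny'}")
    # anchoring caveat: without the trailing $, edge1's pattern also admits racc1
    print(acl_entry_matches(r"^10\.0\.127\.1", "10.0.127.12"))   # True
    print(acl_entry_matches(r"^10\.0\.127\.1$", "10.0.127.12"))  # False
```

Run it as a script to see one line per test command. The `show running-config | include ip` case is the one to take away: under the read-only group the rule `permit ip` was meant for `show ip ...`, but an unanchored search finds `ip` anywhere in the argument string, so anchor such rules (`^ip`) when the intent is a command prefix.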
