[tac_plus] Per Device Command Authorization

Alan McKinnon alan.mckinnon at gmail.com
Thu Nov 18 01:14:50 UTC 2010


Apparently, though unproven, at 00:57 on Thursday 18 November 2010, Ben 
Wiechman did opine thusly:

> Is it possible to configure a list of commands a user is authorized to
> execute that differs by device?

No.

Well, not easily, and not without mangling the config in insane ways.

A workaround is at the end, after I describe the problem :-)

> In our case we'd like to allow certain users read only type access on most
> devices, but give more access on certain devices to do things like
> configure static NAT, etc. Firewall administrators need more permissions
> on the firewalls, but not on backbone routers as another example.

I have exactly the same issue.

The problem is that the list of commands allowed for a user (or group) is 
applied universally. What you and I want is to be able to create groups of 
*devices* and then tie that to the allow/deny command list for the user. This 
will instantly explode the length and complexity of your config.

> I don't see any way to do this with the stock configuration, but I may be
> missing something.
> 
> It looks like it might be possible with the multiple groups patch here
> (http://bakacsin.ki.iif.hu/~kissg/pd/tac_plus/), but I'm not entirely clear
> on that either.

I doubt that will work out well. The idea of multiple groups will work if each 
group has a config that does not conflict in any way with any other group, 
i.e. no two groups attempt to configure the same directive. Then the total 
config for a user is the union of all the groups. In real life, what you get 
is conflicts, and lots of them. How do you resolve that? Mathematics tells us 
it must involve some arbitrary priority process, and that is very hard to 
define. If you know C++ it's exactly the same thing as multiple inheritance 
and you know how insane that can get. There's more info on this in the list 
archives accessible through the web front-end - the question comes up a lot.

The workaround is to use separate tacacs servers for each class of device you 
have, and configure each one separately with the access you want for each 
user/group on those devices. Configure your devices to use the appropriate 
server and port.

You can run multiple tac_plus daemons on one host using different ports and 
devices can be configured as to the port to use. So there's no need to arrange 
for more machines to do this.


-- 
alan dot mckinnon at gmail dot com
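A worked version of the workaround above (one tac_plus daemon per device class, each with its own config and port), added here as an illustration and not part of Alan's message or the tac_plus project. The shared key, password, user name, ports, file paths and the exact command lists are constructed placeholders; the config syntax is Shrubbery tac_plus style.

```shell
#!/bin/sh
# Added example: two tac_plus configurations for two device classes
# (backbone routers, firewalls), each served by its own daemon on its own port.
# Key, password, user, ports and paths are constructed placeholders.
set -e

CONF_DIR="${CONF_DIR:-/tmp/tac_plus-per-class}"
BACKBONE_PORT=49      # backbone routers are pointed at this port
FIREWALL_PORT=4949    # firewalls are pointed at this one

# Backbone policy: the user gets show commands only and no config mode.
write_backbone_conf() {
    mkdir -p "$CONF_DIR"
    cat > "$CONF_DIR/tac_plus.backbone.conf" <<'EOF'
key = "PLACEHOLDER_SHARED_SECRET"
accounting file = /var/log/tac_plus.backbone.acct

group = netops {
    default service = deny
    service = exec {
        priv-lvl = 15
    }
    cmd = show {
        permit .*
    }
    cmd = configure {
        deny .*
    }
}

user = alice {
    member = netops
    login = cleartext "PLACEHOLDER_PASSWORD"
}
EOF
    echo "$CONF_DIR/tac_plus.backbone.conf"
}

# Firewall policy: the same user may enter config mode and manage static NAT,
# but nothing else under "ip". Everything not listed is denied by default.
write_firewall_conf() {
    mkdir -p "$CONF_DIR"
    cat > "$CONF_DIR/tac_plus.firewall.conf" <<'EOF'
key = "PLACEHOLDER_SHARED_SECRET"
accounting file = /var/log/tac_plus.firewall.acct

group = netops {
    default service = deny
    service = exec {
        priv-lvl = 15
    }
    cmd = show {
        permit .*
    }
    cmd = configure {
        permit terminal
        deny .*
    }
    cmd = ip {
        permit nat inside source static .*
        deny .*
    }
    cmd = no {
        permit ip nat inside source static .*
        deny .*
    }
}

user = alice {
    member = netops
    login = cleartext "PLACEHOLDER_PASSWORD"
}
EOF
    echo "$CONF_DIR/tac_plus.firewall.conf"
}

# The daemon invocation for a device class: -C selects the config file,
# -p the listening port. Run one of these per class on the same host.
launch_cmd() {
    case "$1" in
        backbone) echo "tac_plus -C $CONF_DIR/tac_plus.backbone.conf -p $BACKBONE_PORT" ;;
        firewall) echo "tac_plus -C $CONF_DIR/tac_plus.firewall.conf -p $FIREWALL_PORT" ;;
        *) echo "unknown device class: $1" >&2; return 1 ;;
    esac
}

# Device side (IOS-style, constructed address): a firewall would carry
#   tacacs-server host 192.0.2.10 port 4949
# while a backbone router points at port 49 of the same host.
```

Before starting a daemon, `tac_plus -P -C <file>` parses the config and exits, which catches typos in the per-class files without affecting the running instance. Because the user is defined in both files, changing a password means editing every class config; that duplication is the price of the workaround Alan describes.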