[tac_plus] IOS XR
Kiss Gabor (Bitman)
kissg at ssg.ki.iif.hu
Wed Oct 13 07:36:00 UTC 2010
> I'm just studying IOS XR administrative model.
> At first sight classifying users as group members and
> inheritance is a built-in feature of the IOS.
>
> I.e. the whole tac_plus.conf should be replicated in the router...
> Uhm.
> Have you any experience with IOS XR + tac_plus combination?
Meanwhile I found that the following config file snippet works well:
service = exec {
    task = "#operator,rwxd:bgp,rd:ospf"
}
The only problem I found is that tac_plus - unlike IOS XR - does not
concatenate privileges defined in various nested groups.
It sends back the first hit only.
So the authorization model differs depending on where authorization
actually happens.
So I plan to modify the source in order to parse "task" keyword
and at least concatenate all values found during inheritance.
Later I can imagine revocation of some privileges granted by
more general groups, like this:
group = friend {
    service = exec {
        task = "rwxd:bgp,rwxd:ospf"
    }
}
user = johndoe {
    member = friend
    service = exec {
        task = "!wxd:bgp,!wx:ospf"
    }
}
So his permissions finally would be "r:bgp,rd:ospf".
More complex schemas are also possible. :)
Regards
Gabor
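The "concatenate, then revoke" task merging proposed in the post above, as an added Python example (not tac_plus's own code, which returns the first "task" hit only). The CONFIG dictionary is a constructed stand-in for a parsed tac_plus.conf, and the "!" revocation prefix is the poster's proposal, not an existing tac_plus or IOS XR syntax.

```python
# Added example, not tac_plus code: the "concatenate then revoke" task merging
# proposed in the post. Stock tac_plus returns only the first "task" hit.
from typing import Dict, List, Optional

PERM_ORDER = "rwxd"  # IOS XR task permission letters (read/write/execute/debug)

# Constructed stand-in for a parsed tac_plus.conf: each entry names at most one
# parent via "member" and carries the task string of its service = exec block.
CONFIG: Dict[str, dict] = {
    "friend":  {"member": None,     "task": "rwxd:bgp,rwxd:ospf"},
    "johndoe": {"member": "friend", "task": "!wxd:bgp,!wx:ospf"},
}

def inheritance_chain(name: str, config: Dict[str, dict]) -> List[str]:
    """Task strings from the most general ancestor down to `name`;
    stops at an unknown parent and rejects membership cycles."""
    chain, seen = [], set()
    cur: Optional[str] = name
    while cur is not None:
        if cur in seen:
            raise ValueError(f"membership cycle at {cur}")
        seen.add(cur)
        entry = config.get(cur)
        if entry is None:
            break
        chain.append(entry.get("task", ""))
        cur = entry.get("member")
    return list(reversed(chain))

def merge_tasks(chain: List[str]) -> str:
    """Union all grants; a later '!perms:task' entry removes those bits."""
    grants: Dict[str, set] = {}   # task name -> granted permission letters
    taskgroups: List[str] = []    # '#operator'-style predefined task groups
    for item in (t.strip() for s in chain for t in s.split(",") if t.strip()):
        if item.startswith("#"):
            if item not in taskgroups:
                taskgroups.append(item)
            continue
        revoke = item.startswith("!")
        perms, _, task = item.lstrip("!").partition(":")
        bits = {p for p in perms if p in PERM_ORDER}
        current = grants.get(task, set())
        grants[task] = current - bits if revoke else current | bits
    parts = taskgroups + ["".join(p for p in PERM_ORDER if p in bits) + ":" + task
                          for task, bits in grants.items() if bits]
    return ",".join(parts)

def effective_task(name: str, config: Dict[str, dict] = CONFIG) -> str:
    return merge_tasks(inheritance_chain(name, config))
```

A task whose permission set is revoked to nothing is dropped from the result, and a "member" loop in the config raises instead of recursing forever.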