[tac_plus] IOS XR
Kiss Gabor (Bitman)
kissg at ssg.ki.iif.hu
Fri Oct 15 15:54:18 UTC 2010
> > > So I plan to modify the source in order to parse "task" keyword
> > > and at least concatenate all values found during inheritance.
> >
> > I gave up. :-(
> > This would require fundamental changes in config.c.
>
> i haven't thought about this feature, which is probably most sensibly
> done as an external authorization script, but i have begun rewriting
> the config parser to make it more flexible to changes....and thread-safe.

IMHO this is not a parser issue.
config.c functions should traverse the graph of user/group
nodes more aggressively and not stop at the first svc_exec (and
similarly svc_cmd!) sub-node found.
Config file syntax would be similarly extended as in case of ACLs:
(svc_cmd is the simpler so I demonstrate with it)

group = bystander {
    cmd = show {
        permit interface
        deny .*
    }
}
group = operator {
    cmd = show {
        permit ip
        return
    }
}
user = johndoe {
    cmd = show {
        permit clock
        return
    }
    member = operator
    member = bystander
}

Traversal would be continued with the next parent or sibling group
if keyword 'return' is found instead of a regexp match.
I developed the general graph traversal routines years ago; we just
have to use them.
Have a nice weekend. :)
Gabor
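
Added example, not part of the message above and not tac_plus code: a small Python model of the proposed 'return' traversal, run against the config from the message and compared with stopping at the first cmd block found. The data layout, the function names, the unanchored regex match and the deny-by-default outcomes are assumptions.

```python
import re

# Constructed model of the config in the post: per-node ordered cmd rules
# and the ordered "member" list. Data layout and names are assumptions.
CONFIG = {
    "bystander": {"cmd": {"show": [("permit", "interface"), ("deny", ".*")]},
                  "member": []},
    "operator": {"cmd": {"show": [("permit", "ip"), ("return", None)]},
                 "member": []},
    "johndoe": {"cmd": {"show": [("permit", "clock"), ("return", None)]},
                "member": ["operator", "bystander"]},
}


def _walk(node, cmd, args, follow_return, seen):
    """Return 'permit'/'deny', or None when this subtree makes no decision."""
    if node in seen:           # guard against membership cycles
        return None
    seen.add(node)
    rules = CONFIG[node]["cmd"].get(cmd)
    if rules is not None:
        for action, pattern in rules:
            if action == "return":
                if follow_return:
                    break      # proposed: leave this block, try the parents
                return "deny"  # first-block-wins: nothing matched here
            if re.search(pattern, args):  # unanchored match (assumption)
                return action
        else:
            return "deny"      # block exhausted without 'return' (assumption)
    for parent in CONFIG[node]["member"]:  # parents in declaration order
        decision = _walk(parent, cmd, args, follow_return, seen)
        if decision is not None:
            return decision
    return None


def authorize(user, cmd, args, follow_return=True):
    # No decision anywhere in the graph is treated as deny (assumption).
    return _walk(user, cmd, args, follow_return, set()) or "deny"


if __name__ == "__main__":
    for args in ("clock", "ip route", "interface Gi0/0", "running-config"):
        print(f"show {args:16} proposed={authorize('johndoe', 'show', args)}"
              f" first-block={authorize('johndoe', 'show', args, False)}")
```

In this model the order of the member lines is security-relevant: if bystander were listed before operator, its `deny .*` would end the traversal before operator's `permit ip` is reached.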