[tac_plus] IOS XR
john heasley
heas at shrubbery.net
Fri Oct 15 16:44:45 UTC 2010
Fri, Oct 15, 2010 at 05:54:18PM +0200, Kiss Gabor (Bitman):
> > > > So I plan to modify the source in order to parse "task" keyword
> > > > and at least concatenate all values found during inheritance.
> > >
> > > I gave up. :-(
> > > This would require fundamental changes in config.c.
> >
> > i haven't thought about this feature, which is probably most sensibly
> > done as an external authorization script, but i have begun rewriting
> > the config parser to make it more flexible to changes....and thread-safe.
>
> IMHO this not a parser issue.
it's not a parser issue, i just refuse to change the parser any
further until it's written in a way that is easier to update and
there are several requests for additions, like your multiple group
change.
> config.c functions should traverse the graph of user/group
> nodes more aggressively and not to stop at the first svc_exec (and
> similarly svc_cmd!) sub-node found.
>
> Config file syntax would be similarly extended as in case of ACLs:
> (svc_cmd is the simpler so I demonstrate with it)
>
> group = bystander {
>     cmd = show {
>         permit interface
>         deny .*
>     }
> }
>
> group = operator {
>     cmd = show {
>         permit ip
>         return
>     }
> }
>
> user = johndoe {
>     cmd = show {
>         permit clock
>         return
>     }
>     member = operator
>     member = bystander
> }
>
> Traverse would be continued with the next parent or sibling group
> if keyword 'return' is found instead of a regexp match.
that doesn't really make sense; if operator is evaluated before bystander,
it has a return, so bystander is never evaluated. if bystander were to
precede operator, it has deny .*, so operator is not evaluated. i don't
like grammar that is mysteriously ignored.
maybe a grammar more like a simple form of juniper's policy configuration
would be better.
user = foo {
    cmd = A B DENYALL
}
policy = A show {
    permit clock
}
policy = B show {
    permit ip
}
policy = DENYALL show {
    deny .*
}
that could be extended to be able to set variables to make more clever
decisions.
> I developed the general graph traversal routines years ago we just
> have to use them.
>
> Have a nice weekend. :)
>
> Gabor
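Added example, not part of the thread and not tac_plus code: a small Python model of the two command-authorization schemes discussed above, so the order-dependence point can be checked rather than argued. The first half evaluates the ordered policy chain from the reply ("cmd = A B DENYALL", first matching rule wins, nothing matched means deny). The second half models the quoted group-traversal idea, reading 'return' as "hand evaluation on to the listed members, in order", which is one reading of the proposal rather than anything tac_plus implements. The argument matching is a plain `re.search` over the command's argument string and all names, patterns and commands are constructed for the example.

```python
import re

# --- Model of the ordered-policy grammar from the reply (constructed sample) ---
# policy name -> (command, ordered [(action, regex)]), mirroring
# "policy = A show { permit clock }" and friends.
POLICIES = {
    "A": ("show", [("permit", r"^clock")]),
    "B": ("show", [("permit", r"^ip")]),
    "DENYALL": ("show", [("deny", r".*")]),
}
# user -> command -> ordered chain of policy names, mirroring "cmd = A B DENYALL".
USERS = {"foo": {"show": ["A", "B", "DENYALL"]}}


def authorize_chain(user, command, args, users=USERS, policies=POLICIES):
    """First matching rule along the user's chain decides.

    Returns (verdict, reason). A missing or exhausted chain denies, so the
    evaluation order is exactly the order written in the config and there
    is no hidden fall-through.
    """
    chain = users.get(user, {}).get(command, [])
    for name in chain:
        pol_cmd, rules = policies[name]
        if pol_cmd != command:  # a policy bound to another command: skip it
            continue
        for action, pattern in rules:
            if re.search(pattern, args):
                return action, "%s: %s %s" % (name, action, pattern)
    return "deny", "no rule matched (default deny)"


# --- Model of the quoted group-traversal + 'return' proposal (constructed sample) ---
# node -> (ordered rules for "show", ordered member list).  ("return", None) hands
# evaluation to the node's members in listed order; exhausting a node's rules
# without a 'return' denies, as an unmatched cmd block would.
NODES = {
    "bystander": ([("permit", r"^interface"), ("deny", r".*")], []),
    "operator": ([("permit", r"^ip"), ("return", None)], []),
    "johndoe": ([("permit", r"^clock"), ("return", None)], ["operator", "bystander"]),
}


def _walk(node, args, nodes, seen):
    """Return (verdict, node) for a definite answer, or None if the node 'returned'."""
    if node in seen:  # guard against membership cycles in the graph
        return None
    seen.add(node)
    rules, members = nodes[node]
    for action, pattern in rules:
        if action == "return":
            for member in members:
                verdict = _walk(member, args, nodes, seen)
                if verdict is not None:
                    return verdict
            return None  # every member returned too: hand back to our caller
        if re.search(pattern, args):
            return action, node
    return "deny", node + " (rules exhausted without return)"


def authorize_graph(user, args, nodes=NODES):
    """Evaluate the user node and its members; a fully exhausted graph denies."""
    verdict = _walk(user, args, nodes, set())
    return verdict if verdict is not None else ("deny", "graph exhausted (default deny)")


def order_sensitivity(args, nodes=NODES):
    """Evaluate johndoe as written and with the member order swapped.

    Returns (verdict_as_written, verdict_swapped); a difference shows that the
    outcome depends on member order, which is the objection raised in the reply.
    """
    swapped = dict(nodes)
    rules, members = nodes["johndoe"]
    swapped["johndoe"] = (rules, list(reversed(members)))
    return authorize_graph("johndoe", args, nodes)[0], authorize_graph("johndoe", args, swapped)[0]


if __name__ == "__main__":
    for args in ("clock", "ip route", "interface brief", "running-config"):
        print("chain  show %-16s -> %s" % (args, authorize_chain("foo", "show", args)))
        print("graph  show %-16s -> %s" % (args, authorize_graph("johndoe", args)))
    print("member order swapped, 'show ip route':", order_sensitivity("ip route"))
```

With the chain model, "show ip route" is permitted by B and "show running-config" falls through to DENYALL, whichever way the operator happens to be grouped. With the graph model, "show ip route" is permitted when operator is listed before bystander and denied when the order is swapped, because bystander's `deny .*` is reached before operator's `permit ip` is ever consulted.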