[tac_plus] IOS XR
Alan McKinnon
alan.mckinnon at gmail.com
Fri Oct 15 17:06:20 UTC 2010
Apparently, though unproven, at 18:44 on Friday 15 October 2010, john heasley
did opine thusly:
> > config.c functions should traverse the graph of user/group
> > nodes more aggressively and not stop at the first svc_exec (and
> > similarly svc_cmd!) sub-node found.
> >
> > Config file syntax would be similarly extended as in the case of ACLs
> > (svc_cmd is the simpler, so I demonstrate with it):
> >
> > group = bystander {
> >     cmd = show {
> >         permit interface
> >         deny .*
> >     }
> > }
> >
> > group = operator {
> >     cmd = show {
> >         permit ip
> >         return
> >     }
> > }
> >
> > user = johndoe {
> >     cmd = show {
> >         permit clock
> >         return
> >     }
> >     member = operator
> >     member = bystander
> > }
> >
> > Traversal would be continued with the next parent or sibling group
> > if the keyword 'return' is found instead of a regexp match.
>
> that doesn't really make sense; if operator is evaluated before bystander,
> it has a return, so bystander is never evaluated. if bystander were to
> precede operator, it has deny .*, so operator is not evaluated. i don't
> like grammar that is mysteriously ignored.
Or change the rules slightly for default statements.
deny .* is a default catch-all and by definition there can only be one of
those. You can deftly avoid collisions like you describe by moving the
definition out of the user/group/whatever stanza and into a "global" or
"default" area where it rightfully belongs.
I honestly don't see any other way to avoid these types of collisions, as a
configuration language should never permit a circumstance where "deny *" and
"permit *" are both valid for the same thing at the same time.
--
alan dot mckinnon at gmail dot com
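The ordering collision the two posters are arguing about can be made concrete with a small evaluator. The following Python is an added illustration, not code from tac_plus or from anyone in the thread: it models the proposed 'return' semantics over the thread's johndoe/operator/bystander example, encodes the config as a constructed dict rather than parsing real tac_plus syntax, and assumes (as a simplification) anchored regex matching of the command argument. It then compares the per-group `deny .*` layout with Alan's single global default to show which one depends on the order of the `member` lines.

```python
import copy
import re

# Constructed example configuration modelled on the thread's snippet; the dict
# form stands in for tac_plus syntax (this is not a tac_plus parser).
# A cmd block is an ordered rule list: ("permit", regex), ("deny", regex), or
# ("return",), the proposed keyword that hands evaluation to the next node in
# the membership chain.
PER_GROUP_CATCHALL = {
    "groups": {
        "bystander": {"cmd": {"show": [("permit", "interface"), ("deny", ".*")]}},
        "operator":  {"cmd": {"show": [("permit", "ip"), ("return",)]}},
    },
    "users": {
        "johndoe": {
            "cmd": {"show": [("permit", "clock"), ("return",)]},
            "member": ["operator", "bystander"],
        }
    },
}

# The alternative layout: no per-group catch-all, every block ends in 'return',
# and a single global default decides whatever nothing else matched.
GLOBAL_DEFAULT = {
    "default": "deny",
    "groups": {
        "bystander": {"cmd": {"show": [("permit", "interface"), ("return",)]}},
        "operator":  {"cmd": {"show": [("permit", "ip"), ("return",)]}},
    },
    "users": {
        "johndoe": {
            "cmd": {"show": [("permit", "clock"), ("return",)]},
            "member": ["operator", "bystander"],
        }
    },
}


def traversal(config, user):
    """Yield (name, node): the user first, then member groups depth-first in
    declaration order, visiting each group once even if membership loops."""
    seen = set()

    def walk(name, node):
        if name in seen:
            return
        seen.add(name)
        yield name, node
        for group in node.get("member", []):
            yield from walk(group, config["groups"][group])

    yield from walk(user, config["users"][user])


def evaluate(config, user, command, args):
    """Return (decision, deciding_node) for `command args` under the proposed
    semantics: the first matching permit/deny wins; 'return' continues the
    traversal; a block that ends without a match or a 'return' is an implicit
    deny, mirroring the existing stop-at-first-block behaviour."""
    for name, node in traversal(config, user):
        rules = node.get("cmd", {}).get(command)
        if rules is None:
            continue  # this node says nothing about the command; keep walking
        for rule in rules:
            if rule[0] == "return":
                break  # hand over to the next node in the chain
            action, pattern = rule
            if re.match(pattern, args):  # assumption: anchored match on args
                return action, name
        else:
            return "deny", name  # block exhausted without match or 'return'
    return config.get("default", "deny"), "default"


def with_member_order(config, user, order):
    """Copy of config with the user's member list reordered."""
    cfg = copy.deepcopy(config)
    cfg["users"][user]["member"] = list(order)
    return cfg


def order_sensitivity(config, user, command, args):
    """Decisions under the declared member order and under the swapped order;
    a differing pair means the outcome depends on line order in the config."""
    forward = evaluate(config, user, command, args)[0]
    swapped = evaluate(with_member_order(config, user, ["bystander", "operator"]),
                       user, command, args)[0]
    return forward, swapped


if __name__ == "__main__":
    for args in ("clock", "ip", "interface", "version"):
        print(f"show {args:10} per-group catch-all: "
              f"{order_sensitivity(PER_GROUP_CATCHALL, 'johndoe', 'show', args)}  "
              f"global default: {order_sensitivity(GLOBAL_DEFAULT, 'johndoe', 'show', args)}")
```

With the per-group `deny .*`, `show ip` is permitted when operator is listed first and denied when bystander is listed first, because bystander's catch-all swallows the traversal before operator is reached. With permit-only blocks that all `return` to a single global default, every decision is the same under both orders, which is the property Alan's "one catch-all, in one place" rule buys.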