[tac_plus] More complex do_auth.py

Daniel Schmidt daniel.schmidt at wyo.gov
Tue May 10 15:34:27 UTC 2011


You're welcome.  As for regular expressions, I might recommend Pyreb.
http://freshmeat.net/projects/pyreb/  I would also recommend it because,
as I noted in the documentation, python re freaks out if you get the
regular expression wrong.  Best to test it before applying to your ini
file.

You might also simply consider using command_deny for "router.*".

-----Original Message-----
From: nicotine at radiological.warningg.com
[mailto:nicotine at radiological.warningg.com] On Behalf Of Brandon Ewing
Sent: Saturday, May 07, 2011 9:48 AM
To: Daniel Schmidt
Cc: tac_plus at shrubbery.net
Subject: Re: [tac_plus] More complex do_auth.py

On Wed, May 04, 2011 at 09:46:38AM -0600, Daniel Schmidt wrote:
> Yeah, and that darn, lazy author of do_auth didn't provide much
> documentation!  Seriously, there is only this:

Thanks -- I found my issue -- I was putting in implicit command_deny's in
the groups instead of relying on fall-through.

Quick question, since I'm not as familiar with Python regexp as I'd like
to be -- if I'd like to permit the "no" version of a command at the same
time as the command itself, could I just do:

command_permit =
    (no )? interface.*

Would definitely shorten my do_auth config file.  Trying to do config-mode
authorization as well as command authorization, so I can have groups that
can re-configure interfaces and IPs, but not muck about in router ospf and
router bgp.

-- 
Brandon Ewing
(nicotine at warningg.com)
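
An added example, not part of the original thread and not code from do_auth.py: a small checker for trying candidate command_permit / command_deny patterns before they go into the ini file, as suggested above. It assumes each pattern is applied with Python's `re.match` to the whole command as one single-spaced string; `check_patterns`, `CANDIDATES` and the sample commands are constructed for illustration.

```python
import re

def check_patterns(patterns, commands):
    """Compile each pattern; report compile errors and, per command,
    the first pattern that matches from the start of the string."""
    compiled, errors = [], {}
    for pat in patterns:
        try:
            compiled.append((pat, re.compile(pat)))
        except re.error as exc:   # malformed regex: find it here, not in production
            errors[pat] = str(exc)
    results = {cmd: next((p for p, rx in compiled if rx.match(cmd)), None)
               for cmd in commands}
    return errors, results

# Constructed sample commands (assumed form: one string, single spaces).
SAMPLE_COMMANDS = [
    "interface GigabitEthernet0/1",
    "no interface Loopback0",
    "router ospf 1",
    "no router bgp 65000",
]

CANDIDATES = {
    "as written in the question": ["(no )? interface.*"],  # literal space after the group
    "space only inside the group": ["(no )?interface.*"],
    "unbalanced parenthesis": ["(no ?interface.*"],        # does not compile
    "router pattern": ["router.*"],
}

def report():
    """Return printable lines showing what every candidate set matches."""
    lines = []
    for label, patterns in CANDIDATES.items():
        errors, results = check_patterns(patterns, SAMPLE_COMMANDS)
        lines.append(f"[{label}]")
        lines += [f"  regex error in {p!r}: {msg}" for p, msg in errors.items()]
        lines += [f"  {cmd!r:34} -> {hit!r}" for cmd, hit in results.items()]
    return lines

if __name__ == "__main__":
    print("\n".join(report()))
```

Under these assumptions the space after `(no )?` is a required character, so that pattern matches neither form of the command, and `router.*` matches only commands that begin with "router".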

