[tac_plus] Examples of RBAC in do_auth.py?

Brian Raaen mailing-lists at zcorum.com
Thu Nov 17 19:56:49 UTC 2011


This is an example I have:

[users]
dhcpadm =
        architect
admin =
        architect
architect =
        architect
nocUser =
        limitedAccessSite
        troubleshooter
rancid =
        rancid_access


[architect]
host_allow =
        .*
device_permit =
        .*
command_permit =
        .*

[troubleshooter]
# Normal login for troubleshooters
host_allow =
        .*
# Blacklist of hosts with special rules
device_deny =
        #ListOfSpecialDevices
device_permit =
        .*
command_permit =
        .*

[limitedAccessSite]
host_allow =
        .*
device_permit =
        #ListOfSpecialDevices
command_permit =
        show .*
        clear cable modem .*
        clear counters

[rancid_access]
host_allow =
        #RancidAddress
device_permit =
        .*
command_permit =
        show.*
        dir.*
        more.*
        write t.*


---
Brian Raaen
Zcorum
Network Architect

On Thu, Nov 17, 2011 at 08:44:57AM -0600, Brandon Ewing wrote:
> Does anyone have any examples of do_auth.py config files that could be
> adapted for Role-based Access control?
> 
> I want to break it up so I have groups of commands (l2-only, l3-only,
> routing protocols, etc), and groups of network devices (core, CPE, PE, etc),
> and assign groups of commands on groups of network devices to specific
> users.
> 
> I don't know if do_auth.py is setup to provide something like this, but if
> anyone has any examples or pointers on how to approach the above, it would
> be appreciated.
> 
> -- 
> Brandon Ewing                                        (nicotine at warningg.com)
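
Added example (not part of the original message and not do_auth.py's own code): a simplified Python model of how a layout like the one posted resolves a request when a user belongs to several groups. It assumes groups are tried in the order listed, deny lists are checked before permit lists, and patterns are applied with re.match; the addresses and the names SAMPLE, _hit and authorize are constructed for illustration.

```python
import configparser
import re

# Constructed sample in the layout of the posted config; 10.9.9.x stands in
# for "#ListOfSpecialDevices" and 192.0.2.10 for "#RancidAddress".
SAMPLE = r"""
[users]
nocUser =
    limitedAccessSite
    troubleshooter
rancid =
    rancid_access
[troubleshooter]
host_allow = .*
device_deny = 10\.9\.9\..*
device_permit = .*
command_permit = .*
[limitedAccessSite]
host_allow = .*
device_permit = 10\.9\.9\..*
command_permit =
    show .*
    clear counters
[rancid_access]
host_allow = 192\.0\.2\.10
device_permit = .*
command_permit = show.*
"""

def _hit(section, key, value):
    # Hypothetical helper: does any regex listed under `key` match `value`?
    return any(re.match(p, value) for p in section.get(key, "").split("\n") if p)

def authorize(cfg, user, host, device, command):
    """Assumed model: try the user's groups in order; deny beats permit."""
    for group in cfg["users"].get(user, "").split():
        g = cfg[group]
        if _hit(g, "host_deny", host) or not _hit(g, "host_allow", host):
            continue
        if _hit(g, "device_deny", device) or not _hit(g, "device_permit", device):
            continue
        if _hit(g, "command_deny", command):
            continue
        if _hit(g, "command_permit", command):
            return group  # name of the group that authorized the command
    return None  # no group authorized it: deny

cfg = configparser.ConfigParser(interpolation=None)
cfg.read_string(SAMPLE)
```

In this model a nocUser request for "configure terminal" on 10.9.9.1 is denied because the device_deny in troubleshooter stops the fall-through from limitedAccessSite. The pattern 192\.0\.2\.10 also matches host 192.0.2.100, since re.match anchors only the start of the string; ending literal patterns with $ closes that.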

