[tac_plus] Examples of RBAC in do_auth.py?

Daniel Schmidt daniel.schmidt at wyo.gov
Thu Nov 17 20:58:54 UTC 2011


Good example, note that troubleshooter group - it essentially allowed full
access to any device not in device_deny.  I can't stress it enough, one
group cannot take away what another group grants.  The nocUser would have
full access to any device except those in that device_deny, no matter what
was put in limitedAccessSite.

-----Original Message-----
From: tac_plus-bounces at shrubbery.net
[mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Brian Raaen
Sent: Thursday, November 17, 2011 12:57 PM
To: tac_plus at shrubbery.net
Subject: Re: [tac_plus] Examples of RBAC in do_auth.py?

This is an example I have


[users]
# Each user lists the groups that apply to it.  A user in several groups
# gets everything any one of those groups permits (see the note above:
# one group cannot take away what another group grants).
dhcpadm =
        architect
admin =
        architect
architect =
        architect
nocUser =
        limitedAccessSite
        troubleshooter
rancid =
        rancid_access


[architect]
# Unrestricted: any client host, any device, any command
host_allow =
        .*
device_permit =
        .*
command_permit =
        .*

[troubleshooter]
# Normal login for troubleshooters
host_allow =
        .*
# Blacklist of devices with special rules; this is the only thing
# keeping nocUser off those devices
device_deny =
        #ListOfSpecialDevices
device_permit =
        .*
command_permit =
        .*

[limitedAccessSite]
# Read-only plus a few clears, on the special devices only
host_allow =
        .*
device_permit =
        #ListOfSpecialDevices
command_permit =
        show .*
        clear cable modem .*
        clear counters

[rancid_access]
# RANCID collector: only from its own address, read-only commands everywhere
host_allow =
        #RancidAddress
device_permit =
        .*
command_permit =
        show.*
        dir.*
        more.*
        write t.*

---
Brian Raaen
Zcorum
Network Architect

On Thu, Nov 17, 2011 at 08:44:57AM -0600, Brandon Ewing wrote:
> Does anyone have any examples of do_auth.py config files that could be
> adapted for Role-based Access control?
>
> I want to break it up so I have groups of commands (l2-only, l3-only,
> routing protocols, etc), and groups of network devices (core, CPE, PE,
> etc), and assign groups of commands on groups of network devices to
> specific users.
>
> I don't know if do_auth.py is set up to provide something like this,
> but if anyone has any examples or pointers on how to approach the
> above, it would be appreciated.
>
> --
> Brandon Ewing (nicotine at warningg.com)
_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
E-Mail to and from me, in connection with the transaction
of public business, is subject to the Wyoming Public Records
Act, and may be disclosed to third parties.
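
The group-union behaviour Daniel describes is easiest to see by running it. What follows is an added example, not code from do_auth.py and not posted by anyone in this thread: a small Python model of how do_auth walks a user's groups. The model assumes (verify against the do_auth.py you actually run) that groups are tried in the order listed under [users]; that inside a group a host_deny, device_deny or command_deny hit, or a failed host_allow, device_permit or command_permit, only makes that group fall through to the next one; and that patterns are compared with re.match, so they are anchored at the start of the string but not at the end ("clear counters" also matches "clear counters fa0/1"). The sample config is constructed: Brian's troubleshooter and limitedAccessSite groups with the #ListOfSpecialDevices placeholder replaced by a made-up device name, plus an l2_on_cpe group in the command-group-by-device-group style Brandon asked about. The placeholder is replaced deliberately: Python 3's configparser treats an indented # line as a comment, while Python 2's ConfigParser only does so at column 0 and would otherwise read it as a continuation value, i.e. as a pattern.

```python
import configparser
import re

# Constructed sample config (assumption: not the thread's config verbatim).
# Brian's troubleshooter/limitedAccessSite pair with an explicit special
# device, plus an l2_on_cpe group: a command group applied to a device group.
SAMPLE_CONFIG = """
[users]
nocUser =
    limitedAccessSite
    troubleshooter
l2tech =
    l2_on_cpe

[troubleshooter]
host_allow =
    .*
device_deny =
    cmts-special-1
device_permit =
    .*
command_permit =
    .*

[limitedAccessSite]
host_allow =
    .*
device_permit =
    cmts-special-1
command_permit =
    show .*
    clear cable modem .*
    clear counters

[l2_on_cpe]
host_allow =
    .*
device_permit =
    cpe-.*
command_permit =
    show (interfaces|vlan|mac).*
    interface .*
    switchport .*
"""


def load_config(text):
    """Parse a do_auth-style INI config; option (user) names keep their case."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str
    cfg.read_string(text)
    return cfg


def _entries(cfg, section, option):
    """Non-empty lines of a multi-line option, or [] if the option is absent."""
    if not cfg.has_option(section, option):
        return []
    return [ln.strip() for ln in cfg.get(section, option).splitlines() if ln.strip()]


def _any_match(patterns, value):
    # Assumption: do_auth compares with re.match, i.e. anchored at the start
    # of the string only.  Check this against your installed do_auth.py.
    return any(re.match(pat, value) for pat in patterns)


def authorize(cfg, user, client_ip, device, command):
    """Model of do_auth group evaluation (assumption, see lead-in).

    A deny hit or a failed permit inside one group only skips that group;
    the first group that reaches command_permit decides.
    Returns (permitted, deciding_group).
    """
    for group in _entries(cfg, "users", user):
        if _any_match(_entries(cfg, group, "host_deny"), client_ip):
            continue
        if not _any_match(_entries(cfg, group, "host_allow"), client_ip):
            continue
        if _any_match(_entries(cfg, group, "device_deny"), device):
            continue
        if not _any_match(_entries(cfg, group, "device_permit"), device):
            continue
        if _any_match(_entries(cfg, group, "command_deny"), command):
            continue
        if _any_match(_entries(cfg, group, "command_permit"), command):
            return True, group
    return False, None


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    cases = [
        ("nocUser", "10.0.0.5", "core-rtr-1", "configure terminal"),
        ("nocUser", "10.0.0.5", "cmts-special-1", "configure terminal"),
        ("nocUser", "10.0.0.5", "cmts-special-1", "show cable modem"),
        ("l2tech", "10.0.0.5", "cpe-17", "switchport mode access"),
        ("l2tech", "10.0.0.5", "core-rtr-1", "show interfaces"),
    ]
    for user, ip, dev, cmd in cases:
        print(user, dev, repr(cmd), "->", authorize(cfg, user, ip, dev, cmd))
```

Run it and note the second and third cases: nocUser is limited to show/clear on cmts-special-1 only because troubleshooter itself carries the device_deny. Putting a command_deny or a narrower device_permit into limitedAccessSite would change nothing, because troubleshooter would still be evaluated and still permit. When building the command-group-by-device-group roles Brandon asked for, every broad group a user holds therefore needs its own device_deny for the devices that the narrow groups are meant to govern.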