Customizing Account Privileges

Problem

You want to create a custom privilege class to define the operations and actions a user can perform while logged in to the router.

Solution

Create a privilege class that allows users to read but not modify the configuration and then let them perform all operational mode commands:

	[edit system login]
	aviva@router1# set class operator-plus-read-config permissions [ admin clear configure floppy interface network reset routing shell snmp system trace view maintenance firewall rollback security ]

 

Discussion

When you set up login accounts on the router (see Recipe 2.5), each account must have a privilege level, or class, which defines the operations and actions the user can and cannot perform on the router. Each privilege level consists of a collection of permission bits that specifies what a user is allowed to do. Table 2-1 lists all the permission bits.

Table 2-1. Login class permissions

| Permission | Bit name |
| --- | --- |
| All (superuser) | all (can perform all actions) |
| Delete data from system log, tracing, and other files | clear (using the clear commands) |
| All control-level operations (bits ending in -control) | control (can view and change all portions of the configuration) |
| Configure the router | configure (using the configure and commit commands) |
| Access removable media | floppy |
| Halt and reboot the router; start a shell and become superuser | maintenance (using the request system commands, and using the CLI start shell command and the su root command) |
| Access the network | network (using the ping, ssh, telnet, and traceroute commands) |
| Start and stop software processes | reset (using the restart command, and configure at [edit system processes]) |
| Return to previous configuration | rollback (using the rollback command) |
| Start a local shell | shell (using the start shell command) |
| Display router, routing table, and protocol values | view (using the show commands) |
| User account information (login classes, user IDs) | admin (read-only, using the show configuration command); admin-control (read, and configure at [edit system login]) |
| Firewall filters | firewall (read-only, using the show configuration command); firewall-control (read, and configure at [edit firewall]) |
| Interfaces, chassis, class of service, forwarding options | interface (read-only, using the show configuration command); interface-control (read, and configure at [edit interfaces], [edit chassis], [edit class-of-service], [edit forwarding-options]) |
| Routing, routing protocols, routing policy | routing (read-only, using the show configuration command); routing-control (read, and configure at [edit routing], [edit routing-options], [edit policy-options]) |
| Passwords and authentication keys | secret (read-only, using the show configuration command); secret-control (read and configure) |
| IPSec security | security (read-only, using the show configuration command); security-control (read, and configure at [edit security]) |
| SNMP | snmp (read-only, using the show configuration command); snmp-control (read, and configure at [edit snmp]) |
| Router name, RADIUS, TACACS+, NTP, and other system-wide information | system (read-only, using the show configuration command); system-control (read, and configure at [edit system]) |
| Tracing and trace files | trace (read tracing files and configuration using the show configuration command); trace-control (read and configure) |

Notice that some bits have two forms, a "simple" form, which gives read-only permission, and a -control form, which gives read and write permission. Except for the all bit (which grants all permissions) and the control bit (which grants read/write permission to the entire configuration), the permission bits are not cumulative, so when you create a custom privilege class, you must list all the bits that apply. Always include the view bit so users can use the show commands in operational mode. If you want users to be able to modify the configuration, include the configure bit.

The JUNOS software has four built-in privilege levels:

 

superuser or super-user

Can perform any operations on the router (equivalent to the all permission bit). This is similar to the Unix superuser.

 

operator

Can perform all actions in operational mode available with the clear, network, reset, trace, and view permission bits. Cannot display or alter the configuration and cannot shut down or reboot the router.

 

read-only

Can perform all actions in operational mode available with the view permission bit to show information about the router or network. Cannot perform any operations that delete or change files or file contents, clear statistics, or change the information on the router.

 

unauthorized

Can log in to the router but cannot perform any operations on the router except to log out.

The default privilege levels are not explicitly defined in the configuration, but if you did configure them, the first three would look like this:

	[edit system login]
	aviva@router1# set class superuser permissions all
	aviva@router1# set class read-only permissions view
	aviva@router1# set class operator permissions [ clear network reset trace view ]

There is no way to explicitly configure the unauthorized level.

The command in this recipe defines a custom privilege class that allows users to perform all operational mode commands and to read but not modify the configuration. The clear, network, reset, trace, and view permission bits allow this class to use all operational mode commands. The configure bit allows this class to issue the configure command to enter configuration mode. The remaining bits are all the read-only bits that allow this class to use the show command in configuration mode. Users in this class can view all the contents of the configuration file except for passwords and keys (we have omitted the secret bit). Because this class has no -control bits, users can't change the configuration, even though the configure bit allows them to issue the commit command:

	[edit]
	aviva@router1# set
	unknown command

To find out what privileges you have, use the show cli authorization command. Here is a user with superuser privileges:

	aviva@router1> show cli authorization
	Current user: 'aviva' class 'superuser'
	Permissions:
	 admin -- Can view user accounts
	 admin-control-- Can modify user accounts
	 clear -- Can clear learned network information
	 configure -- Can enter configuration mode
	 control -- Can modify any configuration
	 edit -- Can edit full files
	 field -- Special for field (debug) support
	 floppy -- Can read and write from the floppy
	 interface -- Can view interface configuration
	 interface-control-- Can modify interface configuration
	 network -- Can access the network
	 reset -- Can reset/restart interfaces and daemons
	 routing -- Can view routing configuration
	 routing-control-- Can modify routing configuration
	 shell -- Can start a local shell
	 snmp -- Can view SNMP configuration
	 snmp-control-- Can modify SNMP configuration
	 system -- Can view system configuration
	 system-control-- Can modify system configuration
	 trace -- Can view trace file settings
	 trace-control-- Can modify trace file settings
	 view -- Can view current values and statistics
	 maintenance -- Can become the super-user
	 firewall -- Can view firewall configuration
	 firewall-control-- Can modify firewall configuration
	 secret -- Can view secret configuration
	 secret-control-- Can modify secret configuration
	 rollback -- Can rollback to previous configurations
	 security -- Can view security configuration
	 security-control-- Can modify security configuration
	 access -- Can view access configuration
	 access-control-- Can modify access configuration
	 view-configuration-- Can view all configuration (not including secrets)
	Individual command authorization:
	 Allow regular expression: none
	 Deny regular expression: none
	 Allow configuration regular expression: none
	 Deny configuration regular expression: none

Here is a user with operator privileges:

	mike@router1> show cli authorization
	Current user: 'mike' class 'operator'
	Permissions:
	 clear -- Can clear learned network information
	 network -- Can access the network
	 reset -- Can reset/restart interfaces and daemons
	 trace -- Can view trace file settings
	 view -- Can view current values and statistics
	Individual command authorization:
	 Allow regular expression: none
	 Deny regular expression: none
	 Allow configuration regular expression: none
	 Deny configuration regular expression: none
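
As an added example (not from the book), this Python script parses show cli authorization output in the format shown above and reports permission bits that differ from an expected baseline. The baseline reuses the bits this recipe assigns to its operator-plus-support class; the sample output, including the extra configure bit, is constructed.

```python
import re

# Expected bits per class, taken from the class definitions in this recipe.
BASELINE = {
    "operator-plus-support": {"clear", "network", "reset", "trace", "view"},
}

# Constructed sample output: the class has gained a 'configure' bit.
SAMPLE = """\
mike@router1> show cli authorization
Current user: 'mike' class 'operator-plus-support'
Permissions:
    clear -- Can clear learned network information
    configure -- Can enter configuration mode
    network -- Can access the network
    reset -- Can reset/restart interfaces and daemons
    trace -- Can view trace file settings
    view -- Can view current values and statistics
Individual command authorization:
    Allow regular expression: none
    Deny regular expression: none
"""

def parse_authorization(output):
    """Return (user, class, set of permission bits) from the command output."""
    who = re.search(r"Current user: '([^']+)' class '([^']+)'", output)
    if who is None:
        raise ValueError("no 'Current user' line found")
    # Keep only the lines between 'Permissions:' and the per-command section.
    body = output.split("Permissions:", 1)[1].split("Individual", 1)[0]
    # Bit names may run straight into the dashes, e.g. 'admin-control-- Can ...'.
    bits = set(re.findall(r"^\s*([a-z]+(?:-[a-z]+)*)\s*--", body, re.M))
    return who.group(1), who.group(2), bits

def drift(output, baseline=BASELINE):
    """Return (user, class, unexpected bits, missing bits) against the baseline."""
    user, cls, bits = parse_authorization(output)
    expected = baseline.get(cls)
    if expected is None:
        return user, cls, None, None  # no baseline recorded for this class
    return user, cls, sorted(bits - expected), sorted(expected - bits)

if __name__ == "__main__":
    print(drift(SAMPLE))
```
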

If you do not have permission to perform an operation, you are either "blind" to that operation or you see some type of indication that you cannot perform it. If you try to view the configuration without permission, you see the following warnings:

	aviva@router1> show configuration
	version /* ACCESS-DENIED */;
	system { /* ACCESS-DENIED */ };
	interfaces { /* ACCESS-DENIED */ };
	routing-options { /* ACCESS-DENIED */ };
	protocols { /* ACCESS-DENIED */ };
	policy-options { /* ACCESS-DENIED */ };

If you try to enter a command that you don't have permission to use, the CLI acts as if that command doesn't exist:

	aviva@router1> clear
	unknown command.

You should keep these permission levels in mind when trying to use the commands discussed in this book. If you cannot enter the command or do not see it with the CLI help, review your authorization level and check with your system administrator if you need additional permission.

If a user who has a login account but no login class tries to log in, she can get as far as the operational mode prompt but she can't do anything except log out:

	warning: user "aviva" does not have a valid login class
	aviva@router1> exit

How do you find out which permissions are associated with each command and statement? On the router, you can use the help reference command to see the permissions for the configuration statements:

	aviva@router1> help reference interface address
	…
	Required Privilege Level
	interface--To view this statement in the configuration.
	interface-control--To add this statement to the configuration.

For a configuration that already exists on the router, you can see the permissions for the statements in the configuration. Use this command from operational mode:

	aviva@router1> show configuration system | display detail

and use this command in configuration mode:

	[edit system]
	aviva@router1# show | display detail

Both show the same output:

	##
	## system: System parameters
	## require: admin system
	## domain-name: Domain name for this router
	## match (regex): ^[[:alnum:]._-]+$
	## require: system
	##
	domain-name mynetwork.com;
	##
	## name-server: DNS name servers
	## require: system
	##
	name-server {
	 ##
	 ## DNS name server address
	 ##
	 192.168.15.2;
	}
	##
	## login: Names, login classes, and passwords for users
	## require: admin
	##
	login {
	 ##
	 ## Login class name
	 ## match (regex): ^[[:alnum:]_-]+$
	 ##

The only way to find out the permissions for operational mode commands is to look in the JUNOS product documentation.

Login classes have one more feature to help with basic router security. You can set a time after which all users in that class are automatically logged out if they have not typed anything at the keyboard. (By default, a user can remain logged in indefinitely.) Here, the users in the class we created will be automatically logged out if the keyboard is idle for five minutes:

	[edit system login]
	aviva@router1# set class operator-plus-read-config idle-timeout 5

Warning messages are displayed beforehand:

	aviva@router1> show system users
	 9:56PM up 18:48, 2 users, load averages: 0.16, 0.09, 0.04
	USER TTY FROM LOGIN@ IDLE WHAT
	aviva p0 server.juniper.net 9:42PM 4 cli

	aviva@router1> Warning: session will be closed in 1 minute if there is no activity
	Warning: session will be closed in 10 seconds if there is no activity
	Idle timeout exceeded: closing session
	Connection closed by foreign host.
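
As an added example (not from the book), this Python script applies the rules stated in Table 2-1 and the discussion above to set class commands: it reports classes that hold the all bit, any -control bit, the shell or maintenance bits, or the secret bit, and classes with no idle-timeout. The first class in the sample is this recipe's command; read-config-tight is a hypothetical variant included for comparison.

```python
import re

# Bits that Table 2-1 ties to starting a shell or becoming superuser.
ESCALATION_BITS = {"maintenance", "shell"}

# Constructed sample: the recipe's class with its idle-timeout, the
# all-but-protocols class, and a hypothetical "read-config-tight" class.
SAMPLE = """
set class operator-plus-read-config permissions [ admin clear configure floppy interface network reset routing shell snmp system trace view maintenance firewall rollback security ]
set class operator-plus-read-config idle-timeout 5
set class all-but-protocols permissions [ all ]
set class read-config-tight permissions [ admin clear configure firewall interface network reset routing security snmp system trace view ]
"""

def parse_classes(text):
    """Collect permission bits and idle-timeout per class from 'set class' lines."""
    classes = {}
    for line in text.splitlines():
        m = re.search(r"\bset class (\S+) (permissions|idle-timeout) (.+)", line)
        if not m:
            continue
        name, statement, value = m.groups()
        entry = classes.setdefault(name, {"bits": set(), "idle": None})
        if statement == "permissions":
            entry["bits"].update(value.strip("[] ").split())
        else:
            entry["idle"] = int(value)
    return classes

def audit(entry):
    """Return findings for one class, using only rules stated in the recipe."""
    bits, findings = entry["bits"], []
    if "all" in bits:
        findings.append("all bits granted (superuser equivalent)")
    writers = sorted(b for b in bits if b == "control" or b.endswith("-control"))
    if writers:
        findings.append("can modify configuration: " + ", ".join(writers))
    escalation = sorted(bits & ESCALATION_BITS)
    if escalation:
        findings.append("can start a shell or become superuser: " + ", ".join(escalation))
    if bits & {"secret", "secret-control"}:
        findings.append("can view passwords and keys")
    if not bits & {"all", "view"}:
        findings.append("no view bit: show commands unavailable")
    if entry["idle"] is None:
        findings.append("no idle-timeout: idle sessions stay logged in")
    return findings

if __name__ == "__main__":
    for name, entry in parse_classes(SAMPLE).items():
        print(name, audit(entry) or ["no findings"])
```
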

As if all this control weren't enough, you can also control, down to the specific command and configuration hierarchy level, what commands users in a particular login class can and cannot issue and what portions of the configuration they can view and modify. For example, you can create a class that has the standard operator permissions but also can issue the request support information command to collect information to send when reporting a problem with the router:

	[edit system login]
	aviva@router1# set class operator-plus-support permissions [ clear network reset trace view ]
	aviva@router1# set class operator-plus-support allow-commands "request support information"

Or you can take the basic operator class and modify it so users can issue all clear commands except clear system commit (which clears pending configuration commit operations) and clear system reboot (which clears pending router reboots):

	[edit system login]
	aviva@router1# set class operator-plus-support permissions [ clear network reset
	trace view ]
	aviva@router1# set class operator-plus-support deny-commands "clear system"

Parallel statements allow you to fine-tune what portions of the configuration can be edited or viewed in configuration mode. This is a way to lock portions of the configuration. The following command does not allow users to modify the protocols portion of the configuration:

	[edit system login]
	aviva@router1# set class all-but-protocols permissions [ all ]
	aviva@router1# set class all-but-protocols deny-configuration "protocols"

A user in this permission class can edit all portions of the configuration except for the [edit protocols] section:

	[edit]
	aviva2@router1# edit protocols
	 ^
	syntax error, expecting  or .


JUNOS Cookbook
Junos Cookbook (Cookbooks (OReilly))
ISBN: 0596100140
EAN: 2147483647
Year: 2007
Pages: 290
Authors: Aviva Garrett
