[j-nsp] junoscript load-configuration w/restricted login account
Chuck Anderson
cra at WPI.EDU
Thu Mar 1 15:32:28 EST 2007
I'm trying to use Junoscript with a restricted login account to modify
a prefix list. Here is the restricted account configuration:
class foo-class {
    permissions [ configure view ];
    allow-commands junoscript;
    allow-configuration "policy-options prefix-list BAR";
}
user foo {
    uid 2003;
    class foo-class;
    authentication {
    }
}
Note that I do not want to allow this account to edit any other
prefix-list, just "BAR" as specified above.
And here is the Junoscript snippet I'm trying to use:
<?xml version="1.0" encoding="us-ascii"?>
<junoscript version="1.0" hostname="client1" release="8.0R2.8">
  <rpc>
    <open-configuration>
      <private/>
    </open-configuration>
  </rpc>
  <rpc>
    <load-configuration action="update">
      <configuration>
        <policy-options>
          <prefix-list>
            <name>BAR</name>
          </prefix-list>
        </policy-options>
      </configuration>
    </load-configuration>
  </rpc>
  <rpc>
    <commit-configuration/>
  </rpc>
  <rpc>
    <request-end-session/>
  </rpc>
Basically, I can do a <load-configuration action="merge"> just fine,
but that will not allow me to delete items. I'd like to either delete
all items in the prefix-list (not the prefix-list itself) and then
re-add the needed ones from my script, or find some other way to
achieve the same effect. I don't want to have to iterate over the
existing prefix-list-items in my script.
I tried action="update" as above and got the following error:
<rpc-reply xmlns:junos="http://xml.juniper.net/junos/8.0R2/junos">
  <load-configuration-results>
    <xnm:error xmlns="http://xml.juniper.net/xnm/1.1/xnm"
               xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm">
      <filename>/etc/config//junos-defaults.conf</filename>
      <line-number>16</line-number>
      <column>20</column>
      <token>applications</token>
      <message>permission denied</message>
    </xnm:error>
    <xnm:error xmlns="http://xml.juniper.net/xnm/1.1/xnm"
               xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm">
      <filename>/etc/config//junos-defaults.conf</filename>
      <line-number>53</line-number>
      <column>41</column>
      <token>snmp</token>
      <message>permission denied</message>
    </xnm:error>
    <xnm:error xmlns="http://xml.juniper.net/xnm/1.1/xnm"
               xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm">
      <filename>/etc/config//junos-defaults.conf</filename>
      <line-number>62</line-number>
      <column>41</column>
      <token>snmp</token>
      <message>permission denied</message>
    </xnm:error>
    <xnm:error xmlns="http://xml.juniper.net/xnm/1.1/xnm"
               xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm">
      <filename>/etc/config//junos-defaults.conf</filename>
      <line-number>71</line-number>
      <column>41</column>
      <token>snmp</token>
      <message>permission denied</message>
    </xnm:error>
    <xnm:error xmlns="http://xml.juniper.net/xnm/1.1/xnm"
               xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm">
      <filename>/etc/config//junos-defaults.conf</filename>
      <line-number>80</line-number>
      <column>41</column>
      <token>snmp</token>
      <message>permission denied</message>
    </xnm:error>
    <xnm:error xmlns="http://xml.juniper.net/xnm/1.1/xnm"
               xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm">
      <filename>/etc/config//junos-defaults.conf</filename>
      <line-number>592</line-number>
      <column>9</column>
      <token>}</token>
      <message>error recovery ignores input until this point</message>
    </xnm:error>
    <xnm:error xmlns="http://xml.juniper.net/xnm/1.1/xnm"
               xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm">
      <filename>/etc/config//junos-defaults.conf</filename>
      <line-number>597</line-number>
      <column>14</column>
      <token>system</token>
      <message>permission denied</message>
    </xnm:error>
    <xnm:error xmlns="http://xml.juniper.net/xnm/1.1/xnm"
               xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm">
      <filename>/etc/config//junos-defaults.conf</filename>
      <line-number>611</line-number>
      <column>2</column>
      <token>}</token>
      <message>error recovery ignores input until this point</message>
    </xnm:error>
  </load-configuration-results>
</rpc-reply>
I also tried action="replace" with the following snippet:
<rpc>
  <load-configuration action="replace">
    <configuration>
      <policy-options>
        <prefix-list>
          <name replace="replace">BAR</name>
        </prefix-list>
      </policy-options>
    </configuration>
  </load-configuration>
</rpc>
This appears to succeed (no errors on commit) but has no effect at all
on the final configuration.
Does anyone have any suggestions for what permissions to add to allow
the "update" to work, or some other approach that might work without
having to give out too many permissions on this account?
Thanks.
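Added example, not part of this thread and not Juniper's code: a small Python helper that builds the action="replace" request with the replace="replace" attribute on the <prefix-list> container element (where the Junos XML API reads it, rather than on the <name> child as in the snippet above) and that parses an <rpc-reply> to list which hierarchies a restricted class was refused. The prefix values and the shortened reply are constructed from the errors quoted in the post.

```python
import xml.etree.ElementTree as ET

XNM = "http://xml.juniper.net/xnm/1.1/xnm"

def build_prefix_list_replace(name, prefixes):
    """Return an <rpc> that replaces prefix-list NAME wholesale with PREFIXES.
    replace="replace" belongs on the container (<prefix-list>), which is where
    the Junos XML API looks for it, not on the <name> child as in the thread."""
    rpc = ET.Element("rpc")
    load = ET.SubElement(rpc, "load-configuration", action="replace")
    opts = ET.SubElement(ET.SubElement(load, "configuration"), "policy-options")
    plist = ET.SubElement(opts, "prefix-list", replace="replace")
    ET.SubElement(plist, "name").text = name
    for prefix in prefixes:  # every item listed here becomes the new content
        ET.SubElement(ET.SubElement(plist, "prefix-list-item"), "name").text = prefix
    return ET.tostring(rpc, encoding="unicode")

def load_errors(rpc_reply):
    """Extract each <xnm:error> of an <rpc-reply> as a dict. Inside <xnm:error>
    the default namespace is the xnm one, so children need the prefix too."""
    root = ET.fromstring(rpc_reply)
    fields = ("filename", "line-number", "column", "token", "message")
    return [{f: err.findtext("{%s}%s" % (XNM, f)) for f in fields}
            for err in root.iter("{%s}error" % XNM)]

def denied_hierarchies(rpc_reply):
    """Tokens refused with "permission denied", in order, de-duplicated: these
    are the hierarchies the login class was not allowed to touch."""
    seen = []
    for err in load_errors(rpc_reply):
        if err["message"] == "permission denied" and err["token"] not in seen:
            seen.append(err["token"])
    return seen

# Constructed sample: two of the errors from the thread's action="update" reply.
SAMPLE_REPLY = """<rpc-reply xmlns:junos="http://xml.juniper.net/junos/8.0R2/junos">
<load-configuration-results>
<xnm:error xmlns="http://xml.juniper.net/xnm/1.1/xnm" xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm">
<filename>/etc/config//junos-defaults.conf</filename><line-number>16</line-number>
<column>20</column><token>applications</token><message>permission denied</message>
</xnm:error>
<xnm:error xmlns="http://xml.juniper.net/xnm/1.1/xnm" xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm">
<filename>/etc/config//junos-defaults.conf</filename><line-number>53</line-number>
<column>41</column><token>snmp</token><message>permission denied</message>
</xnm:error>
</load-configuration-results>
</rpc-reply>"""
```

Whether foo-class is allowed to perform such a replace is not settled in the thread; the error parser exists so a denied load immediately shows which hierarchy outside "policy-options prefix-list BAR" it touched.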