[j-nsp] junoscript load-configuration w/restricted login account
Chuck Anderson
cra at WPI.EDU
Thu Mar 1 19:48:03 EST 2007
On Thu, Mar 01, 2007 at 02:47:53PM -0800, Lei Zhang wrote:
> Chuck Anderson wrote:
>
> ><rpc>
> ><load-configuration action="replace">
> ><configuration>
> > <policy-options>
> > <prefix-list>
> > <name replace="replace">BAR</name>
> > </prefix-list>
> > </policy-options>
> ></configuration>
> ></load-configuration>
> ></rpc>
> >
> >This appears to succeed (no errors on commit) but has no effect at all
> >to the final configuration.
> >
> >
> Move the replace attribute to the 'prefix-list' element.
>
> You shouldn't need any more permission bits / allow,deny regex.

I tried doing that, but I get permission denied:

<rpc-reply xmlns:junos="http://xml.juniper.net/junos/8.0R2/junos">
  <load-configuration-results>
    <xnm:error xmlns="http://xml.juniper.net/xnm/1.1/xnm" xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm">
      <message>permission denied for policy-options</message>
    </xnm:error>
    <load-success/>
  </load-configuration-results>
</rpc-reply>

It works if I change the permissions to allow any prefix-list:

class foo-class {
    permissions [ configure view ];
    allow-commands junoscript;
    allow-configuration "policy-options prefix-list";
}

But this gives too much permission to that account. I don't want that
account to mess with any other prefix-list.
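
The reply quoted in this message carries both an <xnm:error> and <load-success/>, so automation that only looks for <load-success/> would miss the permission denial. The following is an added example, not part of the original post: a Python check that treats any error element as a failed load. The function names and the second, constructed reply are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Reply copied from the post above.
SAMPLE_REPLY = """
<rpc-reply xmlns:junos="http://xml.juniper.net/junos/8.0R2/junos">
<load-configuration-results>
<xnm:error xmlns="http://xml.juniper.net/xnm/1.1/xnm" xmlns:xnm="http://xml.juniper.net/xnm/1.1/xnm">
<message>permission denied for policy-options</message>
</xnm:error>
<load-success/>
</load-configuration-results>
</rpc-reply>
"""

# Constructed reply for comparison: no error element at all.
CLEAN_REPLY = """
<rpc-reply xmlns:junos="http://xml.juniper.net/junos/8.0R2/junos">
<load-configuration-results>
<load-success/>
</load-configuration-results>
</rpc-reply>
"""


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def check_load_reply(xml_text):
    """Return (ok, errors) for a load-configuration reply.

    ok is True only when <load-success/> is present AND no error element
    appears anywhere in the reply.
    """
    root = ET.fromstring(xml_text.strip())
    errors, saw_success = [], False
    for el in root.iter():
        name = local_name(el.tag)
        if name == "load-success":
            saw_success = True
        elif name == "error":
            msgs = [(c.text or "").strip() for c in el if local_name(c.tag) == "message"]
            errors.append("; ".join(msgs) or "(error without message)")
    return saw_success and not errors, errors


if __name__ == "__main__":
    for label, reply in (("post", SAMPLE_REPLY), ("clean", CLEAN_REPLY)):
        print(label, check_load_reply(reply))
```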