[j-nsp] allow-configuration/permission + insert
alain.briant at bt.com
Thu Aug 14 08:26:03 EDT 2008
Hi Otto
I have made some tests with your simple login config and I can find a simple workaround.
I think that's not what you were looking for but it works.
Just be in the right place:
"edit firewall family inet filter access_in"
Copy the complete filter in a notepad
Insert the new term where you want
Delete the complete filter:
"Delete"
Place the router in a loading mode:
"load merge terminal relative"
Paste the new filter
Then commit
That's done
Hope this helps
Regards
Alain
Here are some traces:
lab at toto> show configuration system login
class test {
    permissions configure;
    allow-configuration "firewall family inet filter access_in";
}
user test {
    uid 2009;
    class test;
    authentication {
        encrypted-password "$1$A85U2lXA$yv9xBZSmwvN6E3XxiMkXm1"; ## SECRET-DATA
    }
}

test at toto# edit firewall family inet filter access_in

[edit firewall family inet filter access_in]
test at toto# show
term 1 {
    from {
        source-address {
            192.168.63.63/32;
        }
    }
    then count In;
}

[edit firewall family inet filter access_in]
test at toto# delete
Delete everything under this level? [yes,no] (no) yes

[edit firewall family inet filter access_in]
test at toto# load merge terminal relative
[Type ^D at a new line to end input]
term 2 {
    from {
        source-address {
            192.168.63.64/32;
        }
    }
    then count InBis;
}
term 1 {
    from {
        source-address {
            192.168.63.63/32;
        }
    }
    then count In;
}
load complete

[edit firewall family inet filter access_in]
test at toto# show
term 2 {
    from {
        source-address {
            192.168.63.64/32;
        }
    }
    then count InBis;
}
term 1 {
    from {
        source-address {
            192.168.63.63/32;
        }
    }
    then count In;
}

[edit firewall family inet filter access_in]
test at toto# commit
commit complete
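As an added example (not from Alain's message, and not a Junos feature), a small Python helper that prepares the text to paste at the "load merge terminal relative" prompt: it splits the filter body into terms by tracking brace depth and places the new term before a chosen existing term, so the reordered filter is built offline before the delete. The sample filter and new term are constructed from the trace above.

```python
import re
# Constructed sample inputs: the filter body shown under [edit firewall family inet filter access_in] above, plus the new term.
EXISTING_FILTER = """\
term 1 {
    from {
        source-address {
            192.168.63.63/32;
        }
    }
    then count In;
}
"""
NEW_TERM = """\
term 2 {
    from {
        source-address {
            192.168.63.64/32;
        }
    }
    then count InBis;
}
"""

def split_terms(text):
    """Split a filter body into (name, block) pairs by tracking brace depth."""
    terms, depth, buf, name = [], 0, [], None
    for line in text.splitlines():
        stripped = line.strip()
        if depth == 0:
            match = re.match(r"term\s+(\S+)\s*\{", stripped)
            if not match:
                continue  # skip blank lines or text outside a term block
            name = match.group(1)
        buf.append(line)
        depth += stripped.count("{") - stripped.count("}")
        if depth == 0:
            terms.append((name, "\n".join(buf)))
            buf = []
    return terms

def insert_term_before(existing, new_term, before):
    """Text to paste after the delete at 'load merge terminal relative': all terms, new_term placed before `before` (or last if absent)."""
    terms = split_terms(existing)
    new_name, new_block = split_terms(new_term)[0]
    names = [n for n, _ in terms]
    if new_name in names:
        raise ValueError(f"term {new_name} already exists in the filter")
    idx = names.index(before) if before in names else len(terms)
    terms.insert(idx, (new_name, new_block))
    return "\n".join(block for _, block in terms) + "\n"
```

The delete only touches the candidate configuration, so the active filter stays in force until the commit installs the reloaded version; running "show | compare" before the commit confirms that the only difference is the inserted term.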
-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-bounces at puck.nether.net] On behalf of Otto Kreiter
Sent: Thursday, 14 August 2008 13:49
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] allow-configuration/permission + insert
Hi,
I'm trying to create a user with limited rights to access a single firewall filter in the firewall configuration. I have (partially) managed to find the most convenient way of doing it by committing the following configuration:
class test {
    permissions configure;
    allow-configuration "firewall family inet filter access_in";
}
user test {
    uid 2002;
    class test;
    authentication {
        encrypted-password "xxx";
    }
}
This nicely allows the test user to configure the access_in filter and to
*create* new terms. However, here comes the problem. When a new term is created it is placed automatically at the end of the filter (fair enough - is there any way to specify its place?). But then when the user tries to insert it in the right place:
test at router# insert term Test-1 before ?
No valid completions
Yes, there are many other terms, even created by the same user in the same session. I've tried countless allow-configuration and permission configuration options and variations but I'm missing something and can't get to the bottom of the problem.
I would be grateful if somebody can point me in the right direction!
Thank you and regards,
Otto
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp