[j-nsp] "load replace" junoscript login class permissions

Chuck Anderson cra at WPI.EDU
Mon Feb 22 21:06:49 EST 2016


Historically, we've implemented scripts to sync prefix-lists with
Junoscript perl using this method:

1. get_configuration of the prefix-list
2. compare prefix list in router to our local copy
3. "load merge" config to delete prefixes that exist in the router but not locally
4. "load merge" config to add prefixes that exist locally but not in the router
5. commit

The reason for this was that we wanted to lock down the junoscript
account like this:

> show configuration system login class prefix-list
permissions [ configure view view-configuration ];
allow-commands junoscript;
allow-configuration "policy-options prefix-list AUTO-.*";

So any rogue junoscript could only ever change the contents of
prefix-lists whose names begin with "AUTO-".

However, this method is very slow.  So I tried going back to the
"replace" method:

1. "load replace" config with the new prefix list contents
2. commit

This is nice and fast (3-10 times faster).  But it doesn't work with
the login class restrictions above.  Instead we have to open it up:

> show configuration system login class prefix-list
permissions [ configure view view-configuration ];
allow-commands junoscript;
allow-configuration "policy-options .*";

Otherwise we get a failure trying to replace the prefix-list.  I don't
like this because now a rogue script could mess with the entire
policy-options hierarchy.

Is there a solution that allows fast on-box merging (load update?)
without requiring wide-open permissions?

Thanks.
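The five-step merge procedure from the post, carried through as an added example (this is not the poster's Perl and not Juniper code). It parses a constructed get-configuration reply for one prefix-list, computes the set difference against a constructed local copy, and builds the Junos XML load-configuration merge payload, marking stale entries with the delete="delete" attribute and listing missing ones plainly, so steps 3 and 4 become a single RPC. It also builds the text-format replace: payload for the fast path so the two approaches can be compared side by side; sending either to a router and committing is left out. The AUTO- name filter mirrors the login class regex and is an assumption of this script, as are the sample prefixes and the element names in the reply.

```python
"""Diff-driven prefix-list sync for Junos (added example, constructed data).

Nothing here talks to a router; the reply below is hand-built to look like a
<get-configuration> response for one prefix-list.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# Assumption: same constraint as the login class's allow-configuration regex,
# so the script refuses a name the class would reject anyway.
ALLOWED_NAME = re.compile(r"^AUTO-[A-Za-z0-9_.-]+$")

# Constructed step-1 reply: what the router currently holds.
ROUTER_REPLY = """<rpc-reply>
  <configuration>
    <policy-options>
      <prefix-list>
        <name>AUTO-customers</name>
        <prefix-list-item><name>192.0.2.0/24</name></prefix-list-item>
        <prefix-list-item><name>198.51.100.0/24</name></prefix-list-item>
      </prefix-list>
    </policy-options>
  </configuration>
</rpc-reply>"""

# Constructed local copy: the desired contents of the same prefix-list.
LOCAL_COPY = {"192.0.2.0/24", "203.0.113.0/24"}


def parse_router_prefix_list(xml_text):
    """Step 1: return (name, set of prefixes) from a get-configuration reply."""
    root = ET.fromstring(xml_text)
    pl = root.find(".//prefix-list")
    if pl is None:
        raise ValueError("no prefix-list in reply")
    name = pl.findtext("name", "").strip()
    prefixes = {item.findtext("name", "").strip()
                for item in pl.findall("prefix-list-item")}
    return name, prefixes


def diff_prefix_list(router, desired):
    """Step 2: (prefixes only on the router, prefixes only in the local copy)."""
    return sorted(router - desired), sorted(desired - router)


def build_merge_payload(name, router, desired):
    """Steps 3 and 4 as one <load-configuration action="merge"> RPC body.

    Stale items carry delete="delete"; missing items are plain. Returns None
    when the router already matches the local copy (nothing to commit).
    """
    if not ALLOWED_NAME.match(name):
        raise ValueError(f"refusing to touch {name!r}: not an AUTO- prefix-list")
    to_delete, to_add = diff_prefix_list(router, desired)
    if not to_delete and not to_add:
        return None
    rpc = ET.Element("load-configuration", action="merge")
    conf = ET.SubElement(rpc, "configuration")
    pl = ET.SubElement(ET.SubElement(conf, "policy-options"), "prefix-list")
    ET.SubElement(pl, "name").text = name
    for prefix in to_delete:
        item = ET.SubElement(pl, "prefix-list-item", delete="delete")
        ET.SubElement(item, "name").text = prefix
    for prefix in to_add:
        item = ET.SubElement(pl, "prefix-list-item")
        ET.SubElement(item, "name").text = prefix
    return ET.tostring(rpc, encoding="unicode")


def build_replace_text(name, desired):
    """The fast path: text config with a replace: tag for 'load replace'."""
    if not ALLOWED_NAME.match(name):
        raise ValueError(f"refusing to touch {name!r}: not an AUTO- prefix-list")
    body = "\n".join(f"        {p};" for p in sorted(desired))
    return f"policy-options {{\n    replace: prefix-list {name} {{\n{body}\n    }}\n}}"


if __name__ == "__main__":
    pl_name, on_router = parse_router_prefix_list(ROUTER_REPLY)
    print(build_merge_payload(pl_name, on_router, LOCAL_COPY))
    print(build_replace_text(pl_name, LOCAL_COPY))
```

The merge payload only ever names prefix-list-item elements under one AUTO- prefix-list, which is why it fits inside the narrow allow-configuration regex; the replace: form rewrites the whole prefix-list statement, which is what the post reports tripping the restricted class.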