[j-nsp] command authorization and tacacs

Pierfrancesco Caci pf at caci.it
Wed Dec 12 11:30:34 EST 2018


Hi Timur

>>>>> "Timur" == Timur Maryin <timamaryin at mail.ru> writes:


    Timur> Hello!
    Timur> On 11-Dec-18 15:33, Pierfrancesco Caci wrote:
    >> 
    >> I have not found a way to prevent a user from accidentally deleting the entire
    >> bgp config, while still allowing him to operate on single neighbors. Or
    >> other similar situations involving top level configuration vs details
    >> inside each block.


    Timur> There are several ways to achieve that, for example:

    Timur> 1. protect  (kb.juniper.net/KB25493)

Thanks for pointing me to this feature, but it doesn't do what I need.

With this config:

routing-instances {
    TEST {
        instance-type vrf;
[...]
        protocols {
            protect: bgp {
                group TRANSIT {
                    neighbor 198.51.100.0 {
[...]

I get this:


[edit routing-instances TEST protocols bgp]
pf_auto at var-mx204# set group TRANSIT description PIPPOPIPPO 
warning: [routing-instances TEST protocols bgp] is protected, 'routing-instances TEST protocols bgp group TRANSIT description' cannot be created

I.e., it protects everything below the level where the protect label is
applied. It doesn't let me change the content *inside* the section.

    Timur> 2. commit script which checks presence of certain parts of config.

I'll need to refresh myself on this and see if I can use this
technique.

Thanks

Pf

-- 
Pierfrancesco Caci
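
Added example, not part of the original message and not Juniper's own code: the check behind option 2, written as a Python commit script that fails the commit when a guarded block is missing but leaves edits inside the block alone. The GUARDED list, the sample XML and the "no neighbors left" rule are assumptions of this example; junos.Junos_Configuration and jcs.emit_error are the on-box Junos Python commit-script interfaces.

```python
import xml.etree.ElementTree as ET

# Assumption: blocks that must survive every commit, as (instance, protocol).
GUARDED = [("TEST", "bgp")]

# Constructed samples shaped like the Junos XML candidate configuration.
SAMPLE_OK = """<configuration><routing-instances><instance>
  <name>TEST</name><instance-type>vrf</instance-type>
  <protocols><bgp><group><name>TRANSIT</name>
    <neighbor><name>198.51.100.0</name></neighbor>
  </group></bgp></protocols>
</instance></routing-instances></configuration>"""
SAMPLE_WIPED = """<configuration><routing-instances><instance>
  <name>TEST</name><instance-type>vrf</instance-type>
</instance></routing-instances></configuration>"""


def missing_blocks(config_root, guarded=GUARDED):
    """Return one error string per guarded block that is gone or emptied."""
    instances = {ri.findtext("name"): ri
                 for ri in config_root.findall("routing-instances/instance")}
    errors = []
    for ri_name, proto in guarded:
        path = "routing-instances %s protocols %s" % (ri_name, proto)
        ri = instances.get(ri_name)
        block = ri.find("protocols/" + proto) if ri is not None else None
        if block is None:
            errors.append(path + " has been deleted")
        elif not block.findall("group/neighbor"):
            # Single neighbors may come and go, but not all of them at once.
            errors.append(path + " has no neighbors left")
    return errors


if __name__ == "__main__":
    try:  # on the router: candidate config and error hook from Junos
        from junos import Junos_Configuration as root
        import jcs
        emit = jcs.emit_error  # an emitted error makes the commit fail
    except ImportError:  # off the router: run on the constructed sample
        root, emit = ET.fromstring(SAMPLE_WIPED), print
    for message in missing_blocks(root):
        emit(message)
```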

