Read-Only Task Group
Configure
To create a user with read-only access on an Aggregation Services Router 9000 (ASR9K), we need to define a task group with read-only permissions, create a user group that uses that task group, and then attach the newly created group to the user.
Create the Task Group
Below are the tasks for which the user is allowed to run show commands.
RP/0/RSP1/CPU0:ASR9000# show run taskgroup taskgroup_read_only
taskgroup taskgroup_read_only
 task read fr
 task read li
 task read aaa
 task read acl
 task read atm
 task read bfd
 task read bgp
 task read cdp
 task read cef
 task read cgn
 task read eem
 task read nps
 task read pbr
 task read ppp
 task read qos
 task read rib
 task read rip
 task read sbc
 task read ancp
 task read bcdl
 task read boot
 task read diag
 task read dwdm
 task read hdlc
 task read hsrp
 task read ipv4
 task read ipv6
 task read isis
 task read lisp
 task read lpts
 task read ospf
 task read ouni
 task read rcmd
 task read snmp
 task read vlan
 task read vpdn
 task read vrrp
 task read admin
 task read eigrp
 task read l2vpn
 task read bundle
 task read crypto
 task read fabric
 task read static
 task read sysmgr
 task read system
 task read tunnel
 task read drivers
 task read logging
 task read monitor
 task read mpls-te
 task read netflow
 task read network
 task read pos-dpt
 task read firewall
 task read mpls-ldp
 task read pkg-mgmt
 task read call-home
 task read fault-mgr
 task read interface
 task read inventory
 task read multicast
 task read route-map
 task read sonet-sdh
 task read transport
 task read ext-access
 task read filesystem
 task read tty-access
 task read config-mgmt
 task read ip-services
 task read mpls-static
 task read route-policy
 task read host-services
 task read basic-services
 task read config-services
 task read ethernet-services
!
Create the User Group
The task group is applied to a user group. I created a user group named usergroup_read_only.
RP/0/RSP1/CPU0:ASR9000# show run usergroup usergroup_read_only
usergroup usergroup_read_only
 taskgroup taskgroup_read_only
!
end-group
Option 1. Create a Local User
Create a local user, then apply the user group to it.
RP/0/RSP1/CPU0:ASR9000# show run username tyler
username tyler
 group usergroup_read_only
 secret 5 $1$wTwU$CdHKzfRJlJ7kDvJa7NWdi.
!
Verify
Show commands work
RP/0/RSP1/CPU0:ASR9000# show clock
13:42:03.811 UTC Thu Jun 30 2016
RP/0/RSP1/CPU0:ASR9000# show run
Building configuration...
!! IOS XR Configuration 5.1.3
!
hostname ASR9000
[output omitted]
Configuration attempts fail
Entering configuration mode cannot be blocked, but any configuration the user attempts is rejected.
Even basic configuration, such as creating a loopback interface, fails.
RP/0/RSP1/CPU0:ASR9000# conf t
RP/0/RSP1/CPU0:ASR9000(config)# int loopback 103
% This command is not authorized
Removing BGP also fails.
RP/0/RSP1/CPU0:ASR9000# configure
RP/0/RSP1/CPU0:ASR9000(config)# no router bgp 65530
% This command is not authorized
Check the Group Assignment
The logged-in user is a member of usergroup_read_only.
RP/0/RSP1/CPU0:ASR9000# show user group usergroup_read_only
Check the Task Assignment
For the assigned tasks, this user has READ access only.
RP/0/RSP1/CPU0:ASR9000# show user tasks
Task: aaa : READ
Task: acl : READ
Task: admin : READ
Task: ancp : READ
Task: atm : READ
Task: basic-services : READ
Task: bcdl : READ
Task: bfd : READ
Task: bgp : READ
Task: boot : READ
Task: bundle : READ
Task: call-home : READ
Task: cdp : READ
Task: cef : READ
Task: cgn : READ
Task: config-mgmt : READ
Task: config-services : READ
Task: crypto : READ
Task: diag : READ
Task: drivers : READ
Task: dwdm : READ
Task: eem : READ
Task: eigrp : READ
Task: ethernet-services : READ
Task: ext-access : READ
Task: fabric : READ
Task: fault-mgr : READ
Task: filesystem : READ
Task: firewall : READ
Task: fr : READ
Task: hdlc : READ
Task: host-services : READ
Task: hsrp : READ
Task: interface : READ
Task: inventory : READ
Task: ip-services : READ
Task: ipv4 : READ
Task: ipv6 : READ
Task: isis : READ
Task: l2vpn : READ
Task: li : READ
Task: lisp : READ
Task: logging : READ
Task: lpts : READ
Task: monitor : READ
Task: mpls-ldp : READ
Task: mpls-static : READ
Task: mpls-te : READ
Task: multicast : READ
Task: netflow : READ
Task: network : READ
Task: nps : READ
Task: ospf : READ
Task: ouni : READ
Task: pbr : READ
Task: pkg-mgmt : READ
Task: pos-dpt : READ
Task: ppp : READ
Task: qos : READ
Task: rcmd : READ
Task: rib : READ
Task: rip : READ
Task: route-map : READ
Task: route-policy : READ
Task: sbc : READ
Task: snmp : READ
Task: sonet-sdh : READ
Task: static : READ
Task: sysmgr : READ
Task: system : READ
Task: transport : READ
Task: tty-access : READ
Task: tunnel : READ
Task: vlan : READ
Task: vpdn : READ
Task: vrrp : READ
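The task check above is easy to automate when auditing many read-only accounts. The following is an added example, not code from the original page or from Cisco: it parses `show user tasks` output in the shape shown above, reports any task whose privileges go beyond READ, and renders a `taskgroup` stanza in the same form `show run taskgroup` prints it. The sample output is constructed, with the bgp line deliberately altered to carry WRITE so the check has something to flag.

```python
import re

# Constructed sample of `show user tasks` output (whitespace varies between releases,
# so the parser tolerates arbitrary spacing). The bgp line is altered to carry WRITE.
SAMPLE_SHOW_USER_TASKS = """\
Task:                 aaa  : READ
Task:                 acl  : READ
Task:                 bgp  : READ    WRITE
Task:         config-mgmt  : READ
"""

# "Task: <name> : <one or more privileges>"
TASK_LINE = re.compile(r"^\s*Task:\s*(?P<task>\S+)\s*:\s*(?P<privs>.*)$")


def parse_user_tasks(text):
    """Return {task_name: set_of_privileges} parsed from `show user tasks` output."""
    tasks = {}
    for line in text.splitlines():
        m = TASK_LINE.match(line)
        if m:
            tasks[m.group("task")] = set(m.group("privs").split())
    return tasks


def tasks_beyond_read(text):
    """Sorted list of tasks granting anything other than READ (WRITE, EXECUTE or DEBUG).

    An empty list means the account is read-only for every task it holds.
    """
    return sorted(t for t, privs in parse_user_tasks(text).items() if privs - {"READ"})


def read_only_taskgroup_config(name, tasks):
    """Render a read-only taskgroup stanza in the form `show run taskgroup` displays it."""
    lines = [f"taskgroup {name}"] + [f" task read {t}" for t in tasks] + ["!"]
    return "\n".join(lines)


if __name__ == "__main__":
    print("tasks beyond READ:", tasks_beyond_read(SAMPLE_SHOW_USER_TASKS))
    print(read_only_taskgroup_config("taskgroup_read_only", ["aaa", "acl", "bgp"]))
```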
References
Support Forum: ASR9000/XR Using Taskgroups and understanding Priv level and authorization - Xander's Guide