Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Enyi_Ajoku
Collaborator

Read Only Access to Virtual System

I am trying to give certain users read only access to my virtual systems. Would appreciate if i can get some assistance setting this up. I created the users and the roles and i allowed read only to the individual virtual system but when i try using the user credentials to switch between virtual system it doesn't work. Thank You

12 Replies
_Val_
Admin
Admin

How do you mean? Are you talking about OS level read-only user access? if yes, You cannot create any user, full permissions, or otherwise, which is capable to access one particular VS only. VSX is using VRFs to build separate logical GWs on the same HW. They are not fully isolated environment. 

You still can create OS users with limited permissions, but they will be able to see any system settings on all VSs.

My question is, what are you trying to achieve?

0 Kudos
Enyi_Ajoku
Collaborator

Thank You for your response.

I am trying to provide certain users read only access to my virtual systems

0 Kudos
Kaspars_Zibarts
Employee Employee
Employee

Depends what commands you want to give them. Read about role based access and roles. Technically it's all there. I just tried and it seems to work - I was logged into a specific VS clish shell. Then it depends what commands you will permit.

0 Kudos
Kaspars_Zibarts
Employee Employee
Employee

Full list of commands is here List of Role-Based Access features in Gaia OS 

0 Kudos
_Val_
Admin
Admin

I get that. My question is, why? What purpose?

0 Kudos
Kaspars_Zibarts
Employee Employee
Employee

You should be able to set if you define new RBA role, there is option under there

add rba role <role name>virtual-system-access

mind you you will only get clish shell not expert Smiley Happy

0 Kudos
_Val_
Admin
Admin

Uh, I kinda missed that one. Thank Kaspars

Kaspars_Zibarts
Employee Employee
Employee

I suspected it was there as it rung the bell when I played with RBA on R80.10 when it came out so I had to try Smiley Happy Now I know myself too and it's not a bad thing at all - we might use it ourselves Smiley Happy

Kaspars_Zibarts
Employee Employee
Employee

Here is little more info after i did some tests this morning

First create a role, I named it "test", with access to VS 6 and then select commands that you want to allow to this role. Note that ext_xxxx commands do require read-write option as they are expert type commands, so be careful with those. They will still be executed from clish shell not bash though.

add rba role test virtual-system-access 6
add rba role test domain-type System readonly-features interface
add rba role test domain-type System readonly-features route
add rba role test domain-type System readwrite-features ext_cpview
add rba role test domain-type System readwrite-features ext_top
add rba role test domain-type System readwrite-features ext_ping
add rba role test domain-type System readwrite-features ext_cphaprob
add rba role test domain-type System readwrite-features ext_netstat‍‍‍‍‍‍‍‍
add rba role test domain-type System readwrite-features ext_traceroute

Then add a new user, I called it "testing" and couple it with the newly created role

add user testing uid 0 homedir /home/testing
set user testing password
add rba user testing roles test

Now you will have a user that has access to VS6 clish with named commands 

vsxext:0> show rba role test
Role
test
domain-type System
virtual-system access: 6
read-write-feature ext_cphaprob
read-write-feature ext_cpview
read-write-feature ext_netstat
read-write-feature ext_ping
read-write-feature ext_top
read-write-feature ext_traceroute
read-only-feature interface
read-only-feature route
Enyi_Ajoku
Collaborator

Thank you for the feedback. I had time to try this, for me i had to create line 2 first then insert line 1. I got this error "NMSRBA0099 no such role exists" when i did it your way.

Also i have multiple virtual systems and i was hoping i could have readonly access to those as well but i realize that when i have it all set for the individual virtual systems i cant move from one system to another. In essence i can't do "set virtual-system xx"

Thank you for your help

0 Kudos
Kaspars_Zibarts
Employee Employee
Employee

Can you elaborate exactly which commands you are running and which order? As both adding role and adding user have lines 1&2

Regarding having access to multiple VSes, I had to play but you can resolve it by adding these commands to your role. In my example, user "testing" has role "test" associated with him and I'm adding access to VS 4. You will be able to use commands set virtual-system after this

add rba role test virtual-system-access 4
add rba role test domain-type System readwrite-features virtual-system
vsx1-ext:0> show rba role test
Role
test
domain-type System
virtual-system access: 4,6
read-write-feature ext_cphaprob
read-write-feature ext_cpview
read-write-feature ext_ifconfig
read-write-feature ext_netstat
read-write-feature ext_ping
read-write-feature ext_top
read-write-feature ext_traceroute
read-write-feature virtual-system
read-only-feature blades
read-only-feature interface
read-only-feature route
read-only-feature vsx


vsx1-ext:4> set virtual-system 6
Context is set to vsid 6
vsx1-ext:6>
0 Kudos
Enyi_Ajoku
Collaborator

I finally got it to work. Once i changed the rba role to 

add rba role test domain-type System readwrite-features virtual-system

i initially had my config to be read only.

Thank You for your help. Greatly appreciated

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events