04-06-2022 06:43 AM
Hi!
Sorry about this, but I need some very critical information about user creation with NSO.
My concern is this:
I work in a company that implements NSO. The company has many types of users that are allowed to change NSO configuration, and consequently, router configuration.
I need to stop this by implementing some users/groups with permissions:
- admin users;
- read configuration users;
- service configurations users.
The first one is for "root" permissions; the second and third are the most important, because one group needs to change service parameters on router/NSO, and the other only reads that configuration and isn't allowed to make any change.
How can I do this with the NSO CLI?
Do I need to change any configuration in the ncs.conf file?
P.S. - I'm not the development guy, I'm the end user person, and I think that it needs to be easier than it appears to create.
Best regards;
André Ferreira
04-06-2022 07:15 AM
Permissions in NSO are handled using NACM. If you do a "show running-config nacm" in NSO CLI, you will see the current authorisation rules configured on your NSO server. What you will need to do is create an nacm rule-list for each set of users, which will then contain the details of what the users in the groups bound to the rule-list are and are not allowed to do. This assumes that the different user types are already assigned to different groups during authentication - if not, you will need to set that up first.
For full details of how NACM works in NSO, look at the NSO admin guide chapter "The AAA infrastructure".
04-06-2022 12:33 PM - edited 04-06-2022 12:37 PM
For an, as you say, "end user person", you should try doing this in the GUI; it is actually a somewhat decent experience.
However, if you insist on the CLI, here is a sample for admin:
uavsec@vm# show running-config nacm groups group ncsadmin
nacm groups group ncsadmin
 user-name [ admin ]
 gid       1000
!
uavsec@vm# show running-config nacm rule-list ncsadmin
nacm rule-list ncsadmin
 group [ ncsadmin ]
 rule any-access
  action permit
 !
 cmdrule any-command
  action permit
 !
!
Observe how user 'admin' is added to groups group ncsadmin, and then in the rule-list ncsadmin I made the rules for god mode and added the group to them.
Next a less powerful user rule list:
uavsec@vm# show running-config nacm rule-list Plebs
nacm rule-list Plebs
 group [ Plebs ]
 rule ro-devices
  path              /devices
  access-operations read
  action            permit
 !
 rule rw-services
  path   /services
  action permit
 !
!
This rule list makes group Plebs able to read only on /devices (anything under show running devices...) and gives read/write on /services.
Disclaimer: this is just an example, test it on a demo env. first and definitely read about it in the admin guide. You can find a pdf in the NSO installation directory in doc/
04-13-2022 01:50 AM
Hi!
Thanks for the help.
I have two questions related to this:
Are there some documents where I can see all the commands that I can permit/deny for NSO users/groups?
The pdf that I have is not very specific about that.
The other question (and more complicated) is about the GUI.
I have some trouble denying/permitting some services/commands in the GUI with users. Is there some available doc to help?
I think for the GUI it's easier to control this type of problem, but I hope that my (lack of) knowledge in Python won't be a disadvantage.
Best regards, and thanks for the help
André Ferreira
04-13-2022 02:29 AM - edited 04-13-2022 02:35 AM
Hey
Knowledge of Python is not relevant here, as everything is just CLI/GUI configuration and, in the most complex cases (where you would need to develop something in the packages), just some YANG for NACM.
For this user control stuff when the user is already logged in, no Python is needed from your side.
Regarding the GUI issues with users: that is strange. I think usually if CLI permissions work as intended, the same user should perform the same in the GUI and vice versa.
Regarding the documentation: to the best of my knowledge, 'The AAA infrastructure' section of the Admin guide is more or less the thing. And then trial and error.
04-13-2022 08:21 AM
Hi,
Could you please help me in one thing?
I have one command that I want to block for a specific user (config), as shown above:
"aferreira@ncs# ?
Possible completions:
autowizard Automatically query for mandatory elements
call-home Set satellite URL for Smart Licensing
cd Change working directory
clear Clear parameter
compare Compare running configuration to another configuration or a file
complete-on-space Enable/disable completion on space
config Manipulate software configuration information
debug Commands for debugging
describe Display transparent command information
devtools Enable/disable development tools
display-level Configure show command display level
exit Exit the management session
file Perform file operations
help Provide help information
history Configure history size
id Show user id information
idle-timeout Configure idle timeout
ignore-leading-space Ignore leading whitespace (true/false)
job Job operations
leaf-prompting Automatically query for leaf values
license Execute licensing commands
no Negate a command or set its defaults
output-file Copy output to file or terminal
paginate Paginate output from CLI commands
prompt1 Set operational mode prompt
prompt2 Set configure mode prompt
pwd Display current mode path
quit Exit the management session
screen-length Configure screen length
screen-width Configure screen width
script Script actions
send Send message to terminal of one or all users
show Show information about the system
show-defaults Show default values when showing the configuration
source File to source
switch Change CLI style
templatize Find patterns in subtree.
terminal Set terminal type
timestamp Enable/disable the display of timestamp
who Display currently logged on users
write Write configuration
aferreira@ncs#"
When I change the GUI cmd-rule as above,
in this case the user can't see any command, and when I "permit" it, all the commands are shown.
How can I do this with the CLI? Is it possible?
In the cmd rule list I have the rules that are shown in the above picture:
Thanks in advance
Best regards;
André Ferreira
04-13-2022 12:22 PM - edited 04-13-2022 01:08 PM
The easiest way to figure that out: configure what you want in the GUI, commit it, and then display it in the CLI with 'show running-config nacm...'
It should show up like that config_deny.
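To make the behaviour of the rule-lists posted earlier in this thread (ncsadmin and Plebs) and of a cmdrule like the config_deny one concrete, here is a small Python model of how NACM decides a request. This is an added illustration written for this thread, not NSO code and not the tailf-acm implementation: it follows the first-match semantics of RFC 8341 for data-node rules and a simplified form of NSO's cmdrule matching (context, leading command words, access-operations). The config_deny and show_ok cmdrules for Plebs are constructed here, and the default decisions used when no rule matches (read permit / write deny for data, deny for commands) are assumptions; check `show running-config nacm` on your own server for the real values.

```python
"""Toy evaluator for NSO/NACM authorization rules (illustration only).

Added for this thread; it is not NSO code and not the tailf-acm
implementation. It models the first-match semantics of RFC 8341 for
data-node rules plus a simplified form of NSO's cmdrule extension, using
the ncsadmin and Plebs rule-lists posted in the thread. The config_deny
and show_ok cmdrules and the default values are constructed/assumed.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    """Data-node rule: applies to `path` and everything beneath it."""
    name: str
    action: str                     # "permit" or "deny"
    path: Optional[str] = None      # None = matches any node (like 'any-access')
    access_operations: str = "*"    # "read", "create update delete", "exec", "*"


@dataclass
class CmdRule:
    """NSO cmdrule: applies to a CLI/WebUI command line (simplified model)."""
    name: str
    action: str
    context: str = "*"              # "cli", "webui" or "*"
    command: str = "*"              # leading command words, "*" = any command
    access_operations: str = "*"    # "read", "exec" or "*"


@dataclass
class RuleList:
    name: str
    groups: List[str]
    rules: List[Rule] = field(default_factory=list)
    cmdrules: List[CmdRule] = field(default_factory=list)


def _group_match(rule_list: RuleList, user_groups: List[str]) -> bool:
    # A rule-list applies if it names '*' or any group the user belongs to.
    return "*" in rule_list.groups or bool(set(rule_list.groups) & set(user_groups))


def _ops_match(rule_ops: str, op: str) -> bool:
    return rule_ops == "*" or op in rule_ops.split()


def _path_match(rule_path: Optional[str], path: str) -> bool:
    # A rule without a path matches every node; with a path it covers the
    # node itself and all of its descendants.
    if rule_path is None:
        return True
    prefix = rule_path.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def _cmd_match(rule_cmd: str, command: str) -> bool:
    # Match on the leading words of the command line ("show" matches
    # "show running-config devices").
    if rule_cmd == "*":
        return True
    want, have = rule_cmd.split(), command.split()
    return have[:len(want)] == want


def check_data(rule_lists, user_groups, path, op,
               read_default="permit", write_default="deny"):
    """First matching rule wins; the defaults are the RFC 8341 ones (assumed)."""
    for rl in rule_lists:
        if not _group_match(rl, user_groups):
            continue
        for r in rl.rules:
            if _path_match(r.path, path) and _ops_match(r.access_operations, op):
                return r.action
    return read_default if op == "read" else write_default


def check_command(rule_lists, user_groups, context, command, op,
                  cmd_read_default="deny", cmd_exec_default="deny"):
    """Same first-match idea for commands; the 'deny' defaults are an assumption."""
    for rl in rule_lists:
        if not _group_match(rl, user_groups):
            continue
        for c in rl.cmdrules:
            if (c.context in ("*", context) and _cmd_match(c.command, command)
                    and _ops_match(c.access_operations, op)):
                return c.action
    return cmd_read_default if op == "read" else cmd_exec_default


# The two rule-lists from the thread, transcribed into the model above.
NCSADMIN = RuleList("ncsadmin", ["ncsadmin"],
                    rules=[Rule("any-access", "permit")],
                    cmdrules=[CmdRule("any-command", "permit")])
PLEBS = RuleList("Plebs", ["Plebs"],
                 rules=[Rule("ro-devices", "permit", path="/devices",
                             access_operations="read"),
                        Rule("rw-services", "permit", path="/services")],
                 # Constructed cmdrules for the later question: block 'config'
                 # for Plebs in the CLI but still let them run 'show'.
                 cmdrules=[CmdRule("config_deny", "deny", context="cli",
                                   command="config", access_operations="exec"),
                           CmdRule("show_ok", "permit", command="show",
                                   access_operations="read")])
RULE_LISTS = [NCSADMIN, PLEBS]


if __name__ == "__main__":
    dev = "/devices/device[name='r1']/config"
    print("Plebs read devices  :", check_data(RULE_LISTS, ["Plebs"], dev, "read"))
    print("Plebs update devices:", check_data(RULE_LISTS, ["Plebs"], dev, "update"))
    print("Plebs create service:", check_data(RULE_LISTS, ["Plebs"], "/services/vlan", "create"))
    print("Plebs cli 'config'  :", check_command(RULE_LISTS, ["Plebs"], "cli", "config", "exec"))
    print("admin cli 'config'  :", check_command(RULE_LISTS, ["ncsadmin"], "cli", "config", "exec"))
```

The point the model makes visible is that rule order and the fall-through defaults decide everything that no explicit rule covers: Plebs gets "deny" on an update under /devices not because a deny rule exists, but because ro-devices only lists read and nothing else matches, so write-default applies. The same goes for commands, which is why a single deny cmdrule combined with a deny default can look like "the user can't see any command" until a permit rule for the commands you want to keep is added in front of it.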
04-14-2022 06:52 AM
On version 5.7.2, it doesn't work.
When I make changes in the GUI they are not replicated to the CLI.
Best regards;
André Ferreira
04-15-2022 01:46 PM
Are you using the same user for the GUI and the CLI?