3.2.8. auth

Configuration data for local users.

vsr running config# system auth

root-user-enabled

Enable root user login.

vsr running config# system auth
vsr running auth# root-user-enabled true|false
Default value
true

session-count (state only) (pushed)

The number of running sessions.

vsr> show state system auth session-count

role

The list of user role.

vsr running config# system auth role <role>

<role>

Name of administrative group to which users can be assigned.

priority

The priority of processing for this role. If a user is member of several roles, the role with the lowest priority will be processed first. If two roles have the same priority the order of processing is undefined.

vsr running config# system auth role <role>
vsr running role <role># priority <uint8>
Default value
255

deny

Configure deny rules for this role. These rules will be always processed before permit rules.

vsr running config# system auth role <role> deny

config

Permit/deny read-only or read/write access to a specific configuration path. This rule is also applied to the corresponding state path.

vsr running config# system auth role <role> deny
vsr running deny# config <config>

<config>

A data path.

state

Permit/deny read access to a specific state path.

vsr running config# system auth role <role> deny
vsr running deny# state <state>

<state>

A data path.

rpc

Give execution access to a specific RPC.

vsr running config# system auth role <role> deny rpc <rpc>

<rpc>

A notification or RPC yang name.

vrf

Apply this rule only for RPCs called with this vrf/l3vrf.

vsr running config# system auth role <role> deny rpc <rpc>
vsr running rpc <rpc># vrf <vrf> l3vrf L3VRF

<vrf> values

Description

<leafref>

The VRF name.

<string>

The VRF name.

l3vrf

The list of L3VRF name.

l3vrf L3VRF

L3VRF values

Description

<leafref>

No description.

<string>

No description.

notification

Give access to a specific notification.

vsr running config# system auth role <role> deny
vsr running deny# notification <notification>

<notification>

A notification or RPC yang name.

permit

Configure permit rules for this role. These rules will be always processed after deny rules.

vsr running config# system auth role <role> permit

config

Permit/deny read-only or read/write access to a specific configuration path. This rule is also applied to the corresponding state path.

vsr running config# system auth role <role> permit
vsr running permit# config <config> access-permission ACCESS-PERMISSION

<config>

A data path.

access-permission

Permit read or read/write access to a specific configuration path.

access-permission ACCESS-PERMISSION

ACCESS-PERMISSION values

Description

read

Give read only access to this path.

read-write

Give read/write access to this path.

Default value
read

state

Permit/deny read access to a specific state path.

vsr running config# system auth role <role> permit
vsr running permit# state <state>

<state>

A data path.

rpc

Give execution access to a specific RPC.

vsr running config# system auth role <role> permit rpc <rpc>

<rpc>

A notification or RPC yang name.

vrf

Apply this rule only for RPCs called with this vrf/l3vrf.

vsr running config# system auth role <role> permit rpc <rpc>
vsr running rpc <rpc># vrf <vrf> l3vrf L3VRF

<vrf> values

Description

<leafref>

The VRF name.

<string>

The VRF name.

l3vrf

The list of L3VRF name.

l3vrf L3VRF

L3VRF values

Description

<leafref>

No description.

<string>

No description.

notification

Give access to a specific notification.

vsr running config# system auth role <role> permit
vsr running permit# notification <notification>

<notification>

A notification or RPC yang name.

user

Prevent creating administrator or viewer user with several roles.

vsr running config# system auth user <user>

<user>

A user name.

role (mandatory)

The role of the user.

vsr running config# system auth user <user>
vsr running user <user># role ROLE

ROLE values

Description

<leafref>

No description.

viewer

The user can view configuration and state and run standard commands. However, he/she cannot edit the configuration, read protected config/state nodes (such as passwords) nor run privileged commands (such as reboot, poweroff, etc.).

admin

The user can view all configuration and state, including protected nodes (such as password). He/she may edit the configuration and run any command including privileged ones (such as reboot, poweroff, etc.).

nacm-netconf-admin

The user can manage notification subscriptions and has access to the keystore and the truststore.

nacm-deny-protected

Deny access to any protected data and sensitive RPCs to this user. This role can be used to hide secret data in the configuration or the state and deny execution rights to sensitive RPC (like reboot, show license, certificate management, and more).

password

The user password, supplied as a hashed value using the notation described in the definition of the crypt-hash type.

vsr running config# system auth user <user>
vsr running user <user># password PASSWORD

PASSWORD

The crypt-hash type is used to store passwords using a hash function. The algorithms for applying the hash function and encoding the result are implemented in various UNIX systems as the function crypt(3). A value of this type matches one of the forms: $0$<clear text password> $<id>$<salt>$<password hash> $<id>$<parameter>$<salt>$<password hash> The ‘$0$’ prefix signals that the value is clear text. When such a value is received by the server, a hash value is calculated, and the string ‘$<id>$<salt>$’ or $<id>$<parameter>$<salt>$ is prepended to the result. This value is stored in the configuration data store. If a value starting with ‘$<id>$’, where <id> is not ‘0’, is received, the server knows that the value already represents a hashed value and stores it ‘as is’ in the data store. When a server needs to verify a password given by a user, it finds the stored password hash string for that user, extracts the salt, and calculates the hash with the salt and given password as input. If the calculated hash value is the same as the stored value, the password given by the client is accepted. This type defines the following hash functions: id | hash function | feature —+—————+——————- 1 | MD5 | crypt-hash-md5 5 | SHA-256 | crypt-hash-sha-256 6 | SHA-512 | crypt-hash-sha-512 The server indicates support for the different hash functions by advertising the corresponding feature.

ssh-enabled

Enable SSH connection for this user.

vsr running config# system auth user <user>
vsr running user <user># ssh-enabled true|false
Default value
true

authorized-key

A public SSH key for this user in the OpenSSH format. This key is allowed for SSH authentication without a password to both the NETCONF and SSH servers. You may use the ssh-keygen utility to generate a new key-pair and paste the contents of the *.pub file (the public key) here. from="pattern-list" can be placed on the same line and before the public key. See man authorized_keys and man ssh_config for more details on from="".

vsr running config# system auth user <user>
vsr running user <user># authorized-key <string>

session (state only)

The list of logged users on the system.

user (state only) (pushed)

The user.

vsr> show state system auth session <string> user

source (state only) (pushed)

The host from where the user logged in.

vsr> show state system auth session <string> source

started (state only) (pushed)

The date at which the connection was started.

vsr> show state system auth session <string> started