3.2.8. auth¶
Configuration data for local users.
vsr running config# system auth
root-user-enabled¶
Enable root user login.
vsr running config# system auth
vsr running auth# root-user-enabled true|false
- Default value
true
session-count (state only) (pushed)¶
The number of running sessions.
vsr> show state system auth session-count
role¶
The list of user roles.
vsr running config# system auth role <role>
| <role> | Name of the administrative group to which users can be assigned. |
priority¶
The priority of processing for this role. If a user is a member of several roles, the role with the lowest priority value is processed first. If two roles have the same priority, the order of processing is undefined.
vsr running config# system auth role <role>
vsr running role <role># priority <uint8>
- Default value
255
deny¶
Configure deny rules for this role. These rules are always processed before permit rules.
vsr running config# system auth role <role> deny
config¶
Deny access (read or read/write) to a specific configuration path. This rule is also applied to the corresponding state path.
vsr running config# system auth role <role> deny
vsr running deny# config <config>
| <config> | A data path. |
state¶
Deny read access to a specific state path.
vsr running config# system auth role <role> deny
vsr running deny# state <state>
| <state> | A data path. |
rpc¶
Deny execution access to a specific RPC.
vsr running config# system auth role <role> deny rpc <rpc>
| <rpc> | A notification or RPC YANG name. |
vrf¶
Apply this rule only to RPCs called in this vrf/l3vrf.
vsr running config# system auth role <role> deny rpc <rpc>
vsr running rpc <rpc># vrf <vrf> l3vrf L3VRF
| | Description |
|---|---|
| | The VRF name. |
| | The VRF name. |
l3vrf¶
The list of L3VRF names.
l3vrf L3VRF
| | Description |
|---|---|
| | No description. |
| | No description. |
notification¶
Deny access to a specific notification.
vsr running config# system auth role <role> deny
vsr running deny# notification <notification>
| <notification> | A notification or RPC YANG name. |
permit¶
Configure permit rules for this role. These rules are always processed after deny rules.
vsr running config# system auth role <role> permit
config¶
Permit read-only or read/write access to a specific configuration path. This rule is also applied to the corresponding state path.
vsr running config# system auth role <role> permit
vsr running permit# config <config> access-permission ACCESS-PERMISSION
| <config> | A data path. |
access-permission¶
Permit read-only or read/write access to a specific configuration path.
access-permission ACCESS-PERMISSION
| | Description |
|---|---|
| read | Give read-only access to this path. |
| | Give read/write access to this path. |
- Default value
read
state¶
Permit read access to a specific state path.
vsr running config# system auth role <role> permit
vsr running permit# state <state>
| <state> | A data path. |
rpc¶
Give execution access to a specific RPC.
vsr running config# system auth role <role> permit rpc <rpc>
| <rpc> | A notification or RPC YANG name. |
vrf¶
Apply this rule only to RPCs called in this vrf/l3vrf.
vsr running config# system auth role <role> permit rpc <rpc>
vsr running rpc <rpc># vrf <vrf> l3vrf L3VRF
| | Description |
|---|---|
| | The VRF name. |
| | The VRF name. |
l3vrf¶
The list of L3VRF names.
l3vrf L3VRF
| | Description |
|---|---|
| | No description. |
| | No description. |
notification¶
Permit access to a specific notification.
vsr running config# system auth role <role> permit
vsr running permit# notification <notification>
| <notification> | A notification or RPC YANG name. |
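The deny/permit processing described for roles above, as an added example in Python; this is not the VSR's own code. It models roles with a priority, deny rules processed before permit rules, config rules that also cover the corresponding state path, the access-permission of config permit rules, and the vrf restriction on RPC rules. Everything the page leaves unspecified is an assumption here and is marked as such in the code: data paths are "/"-separated and a rule covers the subtree under its path, the first matching rule decides, a request matched by no rule is denied, a read-only config permit does not satisfy a write request, and the access-permission values are spelled read and read-write. The role names, paths and the vrf name main in example_roles() are constructed for the demonstration.

```python
"""Evaluate system auth role rules (deny before permit, lowest priority first).

Hypothetical assumptions not stated on the page: "/"-separated paths with
subtree matching, first matching rule decides, implicit deny when nothing
matches, a read-only config permit does not match a write, and the
access-permission values are "read" and "read-write".
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Rule:
    kind: str                  # "config", "state", "rpc" or "notification"
    target: str                # data path (config/state) or YANG name (rpc/notification)
    access: str = "read"       # config permit rules only: "read" or "read-write" (assumed names)
    vrf: Optional[str] = None  # rpc rules only: apply only when called in this vrf


@dataclass
class Role:
    name: str
    priority: int = 255        # page default; lowest value is processed first
    deny: List[Rule] = field(default_factory=list)
    permit: List[Rule] = field(default_factory=list)


def _path_matches(rule_path: str, path: str) -> bool:
    # Assumption: a rule on /a/b covers /a/b and everything below it; "/" covers all.
    rule = [p for p in rule_path.split("/") if p]
    want = [p for p in path.split("/") if p]
    return want[: len(rule)] == rule


def _rule_matches(rule: Rule, op: str, target: str, vrf: Optional[str]) -> bool:
    """op is one of config-read, config-write, state-read, rpc, notification."""
    if op in ("config-read", "config-write"):
        return rule.kind == "config" and _path_matches(rule.target, target)
    if op == "state-read":
        # A config rule is also applied to the corresponding state path.
        return rule.kind in ("config", "state") and _path_matches(rule.target, target)
    if op == "rpc":
        return (rule.kind == "rpc" and rule.target == target
                and (rule.vrf is None or rule.vrf == vrf))
    if op == "notification":
        return rule.kind == "notification" and rule.target == target
    raise ValueError(f"unknown operation {op!r}")


def authorize(roles: List[Role], op: str, target: str,
              vrf: Optional[str] = None) -> Tuple[bool, str]:
    """Return (allowed, reason) for a user holding all of `roles`."""
    # sorted() is stable, so roles sharing a priority keep their input order;
    # the page says that order is undefined, so a policy must not rely on it.
    for role in sorted(roles, key=lambda r: r.priority):
        for rule in role.deny:                     # deny rules always go first
            if _rule_matches(rule, op, target, vrf):
                return False, f"denied by role {role.name}"
        for rule in role.permit:
            if not _rule_matches(rule, op, target, vrf):
                continue
            if op == "config-write" and rule.access != "read-write":
                continue                           # read-only permit: keep looking
            return True, f"permitted by role {role.name}"
    return False, "no matching rule (implicit deny)"


def example_roles() -> List[Role]:
    """Constructed sample roles; the names, paths and vrf "main" are hypothetical."""
    netops = Role("netops", priority=10,
                  deny=[Rule("config", "/system/auth")],
                  permit=[Rule("config", "/interface", access="read-write"),
                          Rule("rpc", "reboot", vrf="main")])
    auditor = Role("auditor", priority=20,
                   permit=[Rule("config", "/"), Rule("state", "/")])
    return [netops, auditor]


if __name__ == "__main__":
    roles = example_roles()
    for op, target, vrf in [("config-read", "/system/auth/user/alice", None),
                            ("state-read", "/system/auth/session", None),
                            ("config-write", "/interface/eth0", None),
                            ("config-write", "/vrf/main", None),
                            ("rpc", "reboot", "main"),
                            ("rpc", "reboot", "mgmt")]:
        print(op, target, vrf, authorize(roles, op, target, vrf))
```

The netops deny on /system/auth wins over the auditor permit on / only because netops has the lower priority value; give the auditor role priority 5 and the same read request is permitted, which is why two roles should not be left at the default 255 when their rules overlap.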
user¶
The list of local users. An administrator or viewer user cannot be created with several roles.
vsr running config# system auth user <user>
| <user> | A user name. |
role (mandatory)¶
The role of the user.
vsr running config# system auth user <user>
vsr running user <user># role ROLE
| | Description |
|---|---|
| | No description. |
| | The user can view configuration and state and run standard commands. However, they cannot edit the configuration, read protected config/state nodes (such as passwords) or run privileged commands (such as reboot, poweroff, etc.). |
| | The user can view all configuration and state, including protected nodes (such as passwords). They may edit the configuration and run any command, including privileged ones (such as reboot, poweroff, etc.). |
| | The user can manage notification subscriptions and has access to the keystore and the truststore. |
| | Deny access to any protected data and sensitive RPCs to this user. This role can be used to hide secret data in the configuration or the state and to deny execution rights to sensitive RPCs (like reboot, show license, certificate management, and more). |
password¶
The user password, supplied as a hashed value using the notation described in the definition of the crypt-hash type.
vsr running config# system auth user <user>
vsr running user <user># password PASSWORD
PASSWORD: a value of the crypt-hash type.

The crypt-hash type is used to store passwords using a hash function. The algorithms for applying the hash function and encoding the result are implemented in various UNIX systems as the function crypt(3). A value of this type matches one of the forms:

- $0$<clear text password>
- $<id>$<salt>$<password hash>
- $<id>$<parameter>$<salt>$<password hash>

The '$0$' prefix signals that the value is clear text. When such a value is received by the server, a hash value is calculated, and the string '$<id>$<salt>$' or '$<id>$<parameter>$<salt>$' is prepended to the result. This value is stored in the configuration data store. If a value starting with '$<id>$', where <id> is not '0', is received, the server knows that the value already represents a hashed value and stores it 'as is' in the data store.

When a server needs to verify a password given by a user, it finds the stored password hash string for that user, extracts the salt, and calculates the hash with the salt and given password as input. If the calculated hash value is the same as the stored value, the password given by the client is accepted.

This type defines the following hash functions:

| id | hash function | feature |
|---|---|---|
| 1 | MD5 | crypt-hash-md5 |
| 5 | SHA-256 | crypt-hash-sha-256 |
| 6 | SHA-512 | crypt-hash-sha-512 |

The server indicates support for the different hash functions by advertising the corresponding feature. Supply new passwords pre-hashed with id 6 (SHA-512) where possible; the MD5-based scheme (id 1) is kept for compatibility only.
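The crypt-hash forms described above, as an added example in Python; this is not the VSR's code. It gives a hashlib-only implementation of the sha-crypt scheme that crypt(3) uses for id 5 (SHA-256) and id 6 (SHA-512), including the rounds=N parameter that appears as the $<id>$<parameter>$<salt>$ form, the server-side handling of a configured value ($0$ clear text is hashed before it is stored, any other $<id>$ value is stored as-is), and verification of a candidate password against the stored string. The function names are mine; the choice of SHA-512 when hashing a $0$ value is an assumption (the page does not say which id the server picks), and id 1 (MD5) is recognised but not implemented. The test values are the published SHA-crypt test vectors.

```python
"""sha-crypt ($5$ / $6$) as used by crypt(3), plus the crypt-hash store/verify
steps from the description above.  Assumption: a $0$ value is hashed with id 6.
"""
import hashlib
import hmac
import re
import secrets
from typing import Optional, Tuple

# crypt(3) alphabet; this is not the RFC 4648 base64 alphabet.
_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_DEFAULT_ROUNDS = 5000
_HASH = {"5": hashlib.sha256, "6": hashlib.sha512}

# Byte order in which the final digest is encoded (glibc sha256/sha512-crypt).
_ORDER = {
    32: [(0, 10, 20), (21, 1, 11), (12, 22, 2), (3, 13, 23), (24, 4, 14),
         (15, 25, 5), (6, 16, 26), (27, 7, 17), (18, 28, 8), (9, 19, 29)],
    64: [(0, 21, 42), (22, 43, 1), (44, 2, 23), (3, 24, 45), (25, 46, 4),
         (47, 5, 26), (6, 27, 48), (28, 49, 7), (50, 8, 29), (9, 30, 51),
         (31, 52, 10), (53, 11, 32), (12, 33, 54), (34, 55, 13), (56, 14, 35),
         (15, 36, 57), (37, 58, 16), (59, 17, 38), (18, 39, 60), (40, 61, 19),
         (62, 20, 41)],
}
_STORED = re.compile(r"^\$(?P<id>[156])\$(?:rounds=(?P<rounds>\d+)\$)?"
                     r"(?P<salt>[^$]{1,16})\$(?P<hash>[./0-9A-Za-z]+)$")


def _b64_from_24bit(b2: int, b1: int, b0: int, n: int) -> str:
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):                     # n characters, low 6 bits first
        out.append(_B64[w & 0x3F])
        w >>= 6
    return "".join(out)


def _encode(c: bytes) -> str:
    parts = [_b64_from_24bit(c[i], c[j], c[k], 4) for i, j, k in _ORDER[len(c)]]
    parts.append(_b64_from_24bit(0, c[31], c[30], 3) if len(c) == 32
                 else _b64_from_24bit(0, 0, c[63], 2))
    return "".join(parts)


def sha_crypt_digest(password: bytes, salt: bytes, hash_id: str, rounds: int) -> bytes:
    """Raw SHA-crypt digest (Drepper's scheme) for id 5 or 6."""
    H = _HASH[hash_id]
    salt = salt[:16]                       # crypt(3) uses at most 16 salt bytes
    n, dl = len(password), H().digest_size
    b = H(password + salt + password).digest()
    a = H(password + salt)
    a.update(b * (n // dl) + b[: n % dl])  # one byte of B per password byte
    i = n
    while i > 0:                           # bits of len(password), low bit first
        a.update(b if i & 1 else password)
        i >>= 1
    c = a.digest()
    dp = H(password * n).digest()
    p = dp * (n // dl) + dp[: n % dl]      # P: len(password) bytes from DP
    ds = H(salt * (16 + c[0])).digest()
    s = ds * (len(salt) // dl) + ds[: len(salt) % dl]  # S: len(salt) bytes from DS
    for r in range(rounds):                # the cost loop
        h = H(p if r & 1 else c)
        if r % 3:
            h.update(s)
        if r % 7:
            h.update(p)
        h.update(c if r & 1 else p)
        c = h.digest()
    return c


def crypt_hash(password: str, salt: Optional[str] = None, hash_id: str = "6",
               rounds: Optional[int] = None) -> str:
    """Return $<id>$[rounds=N$]<salt>$<hash> for a clear-text password."""
    if hash_id not in _HASH:
        raise NotImplementedError(f"hash id {hash_id} is not implemented here")
    if salt is None:
        salt = "".join(secrets.choice(_B64) for _ in range(16))
    salt = salt[:16]
    digest = sha_crypt_digest(password.encode(), salt.encode(), hash_id,
                              _DEFAULT_ROUNDS if rounds is None else rounds)
    param = "" if rounds is None else f"rounds={rounds}$"
    return f"${hash_id}${param}{salt}${_encode(digest)}"


def parse_stored(value: str) -> Tuple[str, Optional[int], str, str]:
    """Split a stored value into (id, rounds or None, salt, hash)."""
    m = _STORED.match(value)
    if m is None:
        raise ValueError("not a crypt-hash value")
    r = m.group("rounds")
    return m.group("id"), (None if r is None else int(r)), m.group("salt"), m.group("hash")


def value_to_store(configured: str, salt: Optional[str] = None) -> str:
    """What the server stores: $0$ clear text is hashed, other ids kept as-is."""
    if configured.startswith("$0$"):
        return crypt_hash(configured[3:], salt=salt)   # assumption: id 6
    parse_stored(configured)                           # syntax check only
    return configured


def verify(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt/rounds and compare in constant time."""
    hash_id, rounds, salt, _ = parse_stored(stored)
    recomputed = crypt_hash(candidate, salt=salt, hash_id=hash_id, rounds=rounds)
    return hmac.compare_digest(recomputed, stored)
```

When a configuration is generated outside the device (for example by an automation tool), pre-hash the password with crypt_hash() and configure the resulting $6$ string instead of a $0$ value, so the clear text never appears in a session transcript or a configuration diff.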
ssh-enabled¶
Enable SSH connection for this user.
vsr running config# system auth user <user>
vsr running user <user># ssh-enabled true|false
- Default value
true
authorized-key¶
A public SSH key for this user in the OpenSSH format. This key is allowed for SSH authentication without a password to both the NETCONF and SSH servers. You may use the ssh-keygen utility to generate a new key pair and paste the contents of the *.pub file (the public key) here. A from="pattern-list" option can be placed on the same line, before the public key, to restrict the hosts from which the key is accepted. See man authorized_keys and man ssh_config for more details on from="".
vsr running config# system auth user <user>
vsr running user <user># authorized-key <string>
session (state only)¶
The list of users logged in on the system.
source (state only) (pushed)¶
The host from where the user logged in.
vsr> show state system auth session <string> source
started (state only) (pushed)¶
The date at which the connection was started.
vsr> show state system auth session <string> started