==========
User-level
==========

.. sidebar:: Contents

    .. contents::
        :depth: 2
        :local:

This chapter covers some aspects of :osdx:cfg:`user-level *`, a feature
that customizes the privileges needed to execute the different operational
commands in OSDx.

Each user is assigned to a single role, which determines the commands that
user can execute. Every role is mapped to a different user-level. The higher
the level, the more privileges the role grants.

Click :doc:`here ` for more information about OSDx users and roles.

Restricted Commands
===================

Every operational command has an attribute that determines the minimum
privilege level required to run it.

As a general rule, debugging commands and commands that display general
system information, logs or traffic statistics can be executed by all users,
including the ``monitor`` role, which has the lowest security level (0).

Other commands can be used to generate traffic, reload services or clear
statistics. To run these commands, users must be assigned to a role with a
security level of 5 or higher (i.e., ``operator`` role or higher).

Finally, there are some critical commands that could drastically change the
state of the system, display sensitive information or change the filesystem.
These commands can only be executed by users assigned to a role with a
security level of 10 or higher.

If an unprivileged user tries to run a disallowed command, the following
error message will appear:

.. code-block:: none

    my_guest@osdx$ configure
    CLI Error: Insufficient privileges
    my_guest@osdx$ factory-reset
    CLI Error: Insufficient privileges

A special command, :osdx:op:`show commands`, generates a list of all
available commands that a specific user can run.

Example:

.. code-block:: none

    admin@DUT0$ show commands path file
    # Showing all operational commands available under 'file'
    file compress
    file copy
    file copy force
    file copy local-address
    file copy local-interface
    file copy local-vrf
    file delete
    file diff
    file hash
    file move
    file show
    file show details
    file uncompress

If a user with the ``monitor`` role executes that command, the following
output appears instead:

.. code-block:: none

    monitor@DUT0$ show commands path file
    # Showing all operational commands available under 'file'
    file diff
    file hash
    file show
    file show details

Customizing Commands
====================

User-levels can be modified dynamically using the configuration command
:osdx:cfg:`user-level * command *`.

For example, by default, ``monitor`` users can't execute the
:osdx:op:`file copy * *` command, but it is possible to lower the required
level:

.. code-block:: none

    monitor@DUT0$ file copy running://a running://b
    CLI Error: Insufficient privileges

.. code-block:: none

    admin@osdx# set user-level 0 command file copy
    admin@osdx# commit

.. code-block:: none

    monitor@DUT0$ file copy running://a running://b
    monitor@DUT0$ file show running://b | wc -l
    36

Commands can be restricted in the same way. For example, by default, all
users can execute the :osdx:op:`show version` command, but its level can be
raised to 15. After that, only ``admin`` users will be able to run it.

.. code-block:: none

    admin@osdx# set user-level 15 command show version
    admin@osdx# commit
    admin@osdx# run show version
    OS vendor: Teldat
    OS name: OSDx
    OS version: 202008201333.86ee2e9-master-snapshot
    OS Linux kernel: 4.19.67
    ...

.. code-block:: none

    monitor@osdx$ show version
    CLI Error: Insufficient privileges

It is also possible to restrict specific options of commands that accept
multiple arguments, such as the :osdx:op:`ping *` command. In this example,
the option ``vrf`` is forbidden, so only users with the ``admin`` role will
be able to use it:

.. code-block:: none

    admin@osdx# set user-level 15 command ping vrf
    admin@osdx# commit

.. code-block:: none

    monitor@osdx$ ping 10.0.0.2 count 1
    PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
    64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.273 ms

    --- 10.0.0.2 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 0.273/0.273/0.273/0.000 ms
    monitor@osdx$
    monitor@osdx$ ping 10.0.0.2 count 1 vrf VRF_TEST
    CLI Error: Insufficient privileges

.. osdx:cmdtree:: cfg user-level
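
An added example (not OSDx or Teldat code): a Python check that parses ``show commands`` captures like the ones in this chapter and reports when a role's command set drifts from an approved baseline, for instance after ``user-level 0 command file copy`` is committed. The captures are constructed from this page's listings; ``parse_commands``, ``audit`` and ``DRIFTED`` are hypothetical names, and the shape of the post-change listing is an assumption.

```python
import re

# Captures below are constructed from the listings on this page.
ADMIN = """admin@DUT0$ show commands path file
# Showing all operational commands available under 'file'
file compress
file copy
file copy force
file copy local-address
file copy local-interface
file copy local-vrf
file delete
file diff
file hash
file move
file show
file show details
file uncompress
"""
MONITOR = """monitor@DUT0$ show commands path file
# Showing all operational commands available under 'file'
file diff
file hash
file show
file show details
"""
# Assumption: monitor's listing once 'file copy' has been lowered to level 0.
DRIFTED = MONITOR + "file copy\n"
PROMPT = re.compile(r"^\S+@\S+[$#]\s")  # e.g. "monitor@DUT0$ "

def parse_commands(capture):
    """Return the listed commands, skipping blanks, '#' banners and prompt lines."""
    lines = (raw.strip() for raw in capture.splitlines())
    return {ln for ln in lines if ln and not ln.startswith("#") and not PROMPT.match(ln)}

def audit(role_capture, approved, reference_capture):
    """Compare a role's listing with its approved baseline and a full listing."""
    granted = parse_commands(role_capture)
    return {
        "unexpected": sorted(granted - approved),  # a required level was lowered
        "missing": sorted(approved - granted),     # a required level was raised
        "restricted": sorted(parse_commands(reference_capture) - granted),
    }

if __name__ == "__main__":
    baseline = parse_commands(MONITOR)
    for name, capture in (("baseline", MONITOR), ("after change", DRIFTED)):
        print(name, audit(capture, baseline, ADMIN))
```

Run against captures taken before and after each ``user-level`` commit, a non-empty ``unexpected`` list marks a privilege change that should be matched to an approved configuration change.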