User-level
This chapter covers some aspects related to user-level <u32>, which is a feature that can be used to customize the privileges that are needed to execute the different operational commands in OSDx.
Users are assigned to a single role that determines the commands that can be executed. Every role is mapped to a different user-level. The higher it is, the more privileges a role grants.
Restricted Commands
Every operational command has an attribute that determines the minimum privilege level required to run it.
As a general rule, debugging commands or commands that display general system information, logs or traffic statistics can be executed by all users, including the monitor role, which has the lowest security level (0).
There are some other commands that can be used to generate traffic, reload services or clear statistics. In order to run these commands, users must be assigned to a role with a security level of 5 or higher (i.e., operator role or higher).
On the other hand, there are some critical commands that could drastically change the state of the system, display sensitive information or change the filesystem. These commands can only be executed by users assigned to a role with a security level of 10 or higher.
If an unprivileged user tries to run a disallowed command, the following error message will appear:
my_guest@osdx$ configure
CLI Error: Insufficient privileges
my_guest@osdx$ factory-reset
CLI Error: Insufficient privileges
There’s a special command that can be issued to generate a list of all available commands that can be run by a specific user: show commands.
Example:
admin@DUT0$ show commands path file
# Showing all operational commands available under 'file'
file compress <txt>
file copy <txt> <txt>
file copy <txt> <txt> force
file copy <txt> <txt> local-address <ipv4>
file copy <txt> <txt> local-interface <interface>
file copy <txt> <txt> local-vrf <id>
file delete <txt>
file diff <txt> <txt>
file hash <txt>
file move <txt> <txt>
file show <txt>
file show <txt> details
file uncompress <txt>
But if a user with the monitor role executes that command, the following output would appear instead:
monitor@DUT0$ show commands path file
# Showing all operational commands available under 'file'
file diff <txt> <txt>
file hash <txt>
file show <txt>
file show <txt> details
Customizing Commands
User-levels can be modified dynamically using the configuration command user-level <u32> command <txt>.
For example, by default, monitor users can’t execute the file copy <file> <file> command, but it is possible to lower the required level:
monitor@DUT0$ file copy running://a running://b
CLI Error: Insufficient privileges
admin@osdx# set user-level 0 command file copy
admin@osdx# commit
monitor@DUT0$ file copy running://a running://b
monitor@DUT0$ file show running://b | wc -l
36
In the same way, we can restrict some commands. For example, by default, all users can execute the show version command, but we can raise its level to 15. Therefore, only admin users will be able to run it.
admin@osdx# set user-level 15 command show version
admin@osdx# commit
admin@osdx# run show version
OS vendor: Teldat
OS name: OSDx
OS version: 202008201333.86ee2e9-master-snapshot
OS Linux kernel: 4.19.67
...
monitor@osdx$ show version
CLI Error: Insufficient privileges
It is also possible to restrict some specific options for those commands that accept multiple arguments, for example, the ping <ipv4|ipv6|txt> command.
In this example, the option vrf will be forbidden, so only users with the admin role will be able to use it:
admin@osdx# set user-level 15 command ping <txt> vrf <txt>
admin@osdx# commit
monitor@osdx$ ping 10.0.0.2 count 1
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.273 ms
--- 10.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.273/0.273/0.273/0.000 ms
monitor@osdx$
monitor@osdx$ ping 10.0.0.2 count 1 vrf VRF_TEST
CLI Error: Insufficient privileges
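One way to verify that user-level changes have not widened a low-privilege role more than intended, as an added example (not Teldat code): it diffs two captures of show commands taken as the same user and attributes each newly available command to a user-level override. The capture strings, the set-form configuration input and the prefix-matching rule are assumptions made for this example.

```python
import re

# Constructed sample: `show commands path file` captured as a monitor user
# before and after a configuration change (output format taken from the page).
BASELINE = """\
# Showing all operational commands available under 'file'
file diff <txt> <txt>
file hash <txt>
file show <txt>
file show <txt> details
"""
CURRENT = BASELINE + "file copy <txt> <txt>\n"

# Constructed sample: user-level overrides in `set` form, as on the page.
CONFIG = """\
set user-level 0 command file copy
set user-level 15 command show version
set user-level 15 command ping <txt> vrf <txt>
"""

RULE = re.compile(r"^set user-level (\d+) command (.+)$")

def parse_commands(output):
    """Return the set of command paths, skipping comments and blank lines."""
    lines = (line.strip() for line in output.splitlines())
    return {line for line in lines if line and not line.startswith("#")}

def parse_overrides(config):
    """Return (level, command path) for every user-level override line."""
    found = (RULE.match(line.strip()) for line in config.splitlines())
    return [(int(m.group(1)), m.group(2).strip()) for m in found if m]

def explains(rule_path, command):
    """Assumption: an override covers commands that start with its tokens."""
    rule = rule_path.split()
    return command.split()[:len(rule)] == rule

def audit(baseline, current, config):
    """List commands the role gained, each with the override explaining it."""
    gained = parse_commands(current) - parse_commands(baseline)
    overrides = parse_overrides(config)
    report = []
    for command in sorted(gained):
        rule = next((o for o in overrides if explains(o[1], command)), None)
        report.append((command, rule))  # rule is None when nothing explains it
    return report

if __name__ == "__main__":
    for command, rule in audit(BASELINE, CURRENT, CONFIG):
        print(f"monitor gained {command!r} via {rule or 'UNEXPLAINED change'}")
```

A gained command whose rule is None has no matching override in the supplied configuration and deserves a closer look.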