Re: [j-nsp] "load replace" junoscript login class permissions
This worked with a user whose login class only had "configure", and
allow-configuration "policy-options prefix-list AUTO-*".

policy-options {
    replace: prefix-list AUTO-SOMETHING {
        10.0.0.0/24;
    }
}

-Chris

On Fri, Feb 26, 2016 at 8:44 AM, Chuck Anderson wrote:
> Can you please provide an example of what you are saying should work
> (in text format even)?
>
> This is what I was trying in XML (from perl) and it doesn't work with
> the permissions restricted to "policy-options prefix-list AUTO-.*",
> but it does work with the permissions widened to "policy-options .*":
>
> $jnx->load_configuration(
>     format => "xml",
>     action => "replace",
>     configuration => $replace);
>
> Where the contents of the $replace variable is:
>
> AUTO-FOO
> 1.1.1.1/32
>
> I believe I also tried applying the "replace" attribute on the
> tag like this: AUTO-FOO, but that isn't
> accepted as valid syntax.
>
> I ended up using a configuration group at Phil's suggestion. That way
> I can restrict the permissions to "groups AUTO-PREFIX-LIST
> policy-options .*" to allow the replace operation to work but prevent
> the script from mucking with objects it isn't supposed to touch.
>
> Thanks.
>
> On Thu, Feb 25, 2016 at 12:05:36PM -0500, Chris Spears wrote:
> > Can you add a replace attribute in the container for the prefix-lists
> > matching /AUTO-*/, and see if the permissions work? The equivalent
> > replace: tag in the text format works with a restricted login class when
> > using netconf.
> >
> > http://www.juniper.net/documentation/en_US/junos14.2/topics/reference/tag-summary/junos-xml-protocol-replace-attribute.html
> >
> > On Mon, Feb 22, 2016 at 9:46 PM, Chuck Anderson wrote:
> > > On Mon, Feb 22, 2016 at 09:08:04PM -0500, Jared Mauch wrote:
> > > > > 1. "load replace" config with the new prefix list contents
> > > > > 2. commit
> > > >
> > > > Try ‘load update’ first.
> > > >
> > > > That should be much faster than load replace.
> > >
> > > Yes, I see it is fast, but I can't figure out the right XML to do the
> > > equivalent of "load update relative" in the CLI. If I leave off the
> > > "relative", then the entire configuration is replaced (deleted), not
> > > just the prefix-list.
> > >
> > > "show | compare | display xml" exists in 15.1, but not in 14.2 :-(

___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] "load replace" junoscript login class permissions
Can you please provide an example of what you are saying should work
(in text format even)?

This is what I was trying in XML (from perl) and it doesn't work with
the permissions restricted to "policy-options prefix-list AUTO-.*",
but it does work with the permissions widened to "policy-options .*":

$jnx->load_configuration(
    format => "xml",
    action => "replace",
    configuration => $replace);

Where the contents of the $replace variable is:

AUTO-FOO
1.1.1.1/32

I believe I also tried applying the "replace" attribute on the
tag like this: AUTO-FOO, but that isn't
accepted as valid syntax.

I ended up using a configuration group at Phil's suggestion. That way
I can restrict the permissions to "groups AUTO-PREFIX-LIST
policy-options .*" to allow the replace operation to work but prevent
the script from mucking with objects it isn't supposed to touch.

Thanks.

On Thu, Feb 25, 2016 at 12:05:36PM -0500, Chris Spears wrote:
> Can you add a replace attribute in the container for the prefix-lists
> matching /AUTO-*/, and see if the permissions work? The equivalent
> replace: tag in the text format works with a restricted login class when
> using netconf.
>
> http://www.juniper.net/documentation/en_US/junos14.2/topics/reference/tag-summary/junos-xml-protocol-replace-attribute.html
>
> On Mon, Feb 22, 2016 at 9:46 PM, Chuck Anderson wrote:
> > On Mon, Feb 22, 2016 at 09:08:04PM -0500, Jared Mauch wrote:
> > > > 1. "load replace" config with the new prefix list contents
> > > > 2. commit
> > >
> > > Try ‘load update’ first.
> > >
> > > That should be much faster than load replace.
> >
> > Yes, I see it is fast, but I can't figure out the right XML to do the
> > equivalent of "load update relative" in the CLI. If I leave off the
> > "relative", then the entire configuration is replaced (deleted), not
> > just the prefix-list.
> >
> > "show | compare | display xml" exists in 15.1, but not in 14.2 :-(
Re: [j-nsp] "load replace" junoscript login class permissions
Can you add a replace attribute in the container for the prefix-lists
matching /AUTO-*/, and see if the permissions work? The equivalent
replace: tag in the text format works with a restricted login class when
using netconf.

http://www.juniper.net/documentation/en_US/junos14.2/topics/reference/tag-summary/junos-xml-protocol-replace-attribute.html

On Mon, Feb 22, 2016 at 9:46 PM, Chuck Anderson wrote:
> On Mon, Feb 22, 2016 at 09:08:04PM -0500, Jared Mauch wrote:
> > > 1. "load replace" config with the new prefix list contents
> > > 2. commit
> >
> > Try ‘load update’ first.
> >
> > That should be much faster than load replace.
>
> Yes, I see it is fast, but I can't figure out the right XML to do the
> equivalent of "load update relative" in the CLI. If I leave off the
> "relative", then the entire configuration is replaced (deleted), not
> just the prefix-list.
>
> "show | compare | display xml" exists in 15.1, but not in 14.2 :-(
Re: [j-nsp] "load replace" junoscript login class permissions
On Mon, Feb 22, 2016 at 09:08:04PM -0500, Jared Mauch wrote:
> > 1. "load replace" config with the new prefix list contents
> > 2. commit
>
> Try ‘load update’ first.
>
> That should be much faster than load replace.

Yes, I see it is fast, but I can't figure out the right XML to do the
equivalent of "load update relative" in the CLI. If I leave off the
"relative", then the entire configuration is replaced (deleted), not
just the prefix-list.

"show | compare | display xml" exists in 15.1, but not in 14.2 :-(
Re: [j-nsp] "load replace" junoscript login class permissions
Jared Mauch writes:
>Try "load update" first.
>That should be much faster than load replace.

"load update" is faster than "load override", since under the covers, it
keeps the old config and finds the delta between the new config and the
old, allowing the system to see only the changed bits of the config.
"load override" wipes the old and loads the new.

"load merge" is identical to "load replace", with the exception that
"load replace" honors "replace:" tags, where "merge" ignores them.

> On Feb 22, 2016, at 9:06 PM, Chuck Anderson wrote:
>Otherwise we get a failure trying to replace the prefix-list. I don't
>like this because now a rogue script could mess with the entire
>policy-options hierarchy.

Consider using a config group, where the group would be completely
"owned" by this app, and the junoscript user would be able to only write
to that group, but to the entire contents. Then only apply that group
where appropriate.

If your "AUTO-*" list is static, you could put "apply-groups auto-app"
under each specific prefix list; otherwise, you'd need to put it under
policy-options.

Thanks,
Phil
Re: [j-nsp] "load replace" junoscript login class permissions
> On Feb 22, 2016, at 9:06 PM, Chuck Anderson wrote:
>
> Historically, we've implemented scripts to sync prefix-lists with
> Junoscript perl using this method:
>
> 1. get_configuration of the prefix-list
> 2. compare prefix list in router to our local copy
> 3. "load merge" config to delete prefixes that exist in the router but not
> locally
> 4. "load merge" config to add prefixes that exist locally but not in the
> router
> 5. commit
>
> The reason for this was because we wanted to lock down the junoscript
> account like this:
>
> > show configuration system login class prefix-list
> permissions [ configure view view-configuration ];
> allow-commands junoscript;
> allow-configuration "policy-options prefix-list AUTO-.*";
>
> So any rogue junoscript could only ever change the contents of
> prefix-lists whose names begin with "AUTO-".
>
> However, this method is very slow. So I tried going back to the
> "replace" method:
>
> 1. "load replace" config with the new prefix list contents
> 2. commit

Try ‘load update’ first.

That should be much faster than load replace.

- jared
[j-nsp] "load replace" junoscript login class permissions
Historically, we've implemented scripts to sync prefix-lists with
Junoscript perl using this method:

1. get_configuration of the prefix-list
2. compare prefix list in router to our local copy
3. "load merge" config to delete prefixes that exist in the router but not
   locally
4. "load merge" config to add prefixes that exist locally but not in the
   router
5. commit

The reason for this was because we wanted to lock down the junoscript
account like this:

> show configuration system login class prefix-list
permissions [ configure view view-configuration ];
allow-commands junoscript;
allow-configuration "policy-options prefix-list AUTO-.*";

So any rogue junoscript could only ever change the contents of
prefix-lists whose names begin with "AUTO-".

However, this method is very slow. So I tried going back to the
"replace" method:

1. "load replace" config with the new prefix list contents
2. commit

This is nice and fast (3-10 times faster). But it doesn't work with the
login class restrictions above. Instead we have to open it up:

> show configuration system login class prefix-list
permissions [ configure view view-configuration ];
allow-commands junoscript;
allow-configuration "policy-options .*";

Otherwise we get a failure trying to replace the prefix-list. I don't
like this because now a rogue script could mess with the entire
policy-options hierarchy.

Is there a solution that allows fast on-box merging (load update?)
without requiring wide-open permissions?

Thanks.
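As an added example that is not code from anyone in the thread, here is a small Python helper covering both approaches discussed: the set-difference step behind the slow merge method in the original post, and a text-format replace: snippet like the one Chris posted, optionally wrapped in a configuration group as Phil suggests. The script mirrors the login class's AUTO-.* name pattern so it refuses to build config for any other prefix-list; the function names, the sample prefixes and the group name AUTO-PREFIX-LIST (borrowed from Chuck's follow-up) are assumptions.

```python
import ipaddress
import re

# Client-side mirror of the login-class rule quoted in the thread:
#   allow-configuration "policy-options prefix-list AUTO-.*";
# Checking it locally makes a mis-scoped script fail before it reaches the
# router instead of failing at load time with a permissions error.
ALLOWED_NAME = re.compile(r"^AUTO-.*$")


def sorted_nets(nets):
    """Deterministic ordering; v4 and v6 networks do not compare directly."""
    key = lambda n: (n.version, int(n.network_address), n.prefixlen)
    return [str(n) for n in sorted(nets, key=key)]


def diff_prefixes(on_router, desired):
    """Steps 2-4 of the slow merge method as a set difference:
    returns (prefixes to delete from the router, prefixes to add)."""
    have = {ipaddress.ip_network(p) for p in on_router}
    want = {ipaddress.ip_network(p) for p in desired}
    return sorted_nets(have - want), sorted_nets(want - have)


def render_replace(name, prefixes, group=None):
    """Text-format snippet for 'load replace'.  The replace: tag makes Junos
    swap the whole prefix-list in one operation, so no delta is needed.
    With group set, the snippet lives inside a configuration group, which is
    what a class limited to 'groups <group> policy-options .*' can write."""
    if not ALLOWED_NAME.match(name):
        raise ValueError(f"prefix-list {name!r} is outside the AUTO-* namespace")
    nets = (ipaddress.ip_network(p) for p in prefixes)
    body = ["policy-options {", f"    replace: prefix-list {name} {{"]
    body += [f"        {p};" for p in sorted_nets(nets)]
    body += ["    }", "}"]
    if group is None:
        return "\n".join(body)
    # Hypothetical group name supplied by the caller, e.g. AUTO-PREFIX-LIST.
    inner = ["        " + line for line in body]
    return "\n".join(["groups {", f"    {group} {{", *inner, "    }", "}"])


if __name__ == "__main__":
    # Constructed sample data, not taken from any real router.
    print(diff_prefixes(["10.0.0.0/24", "10.0.1.0/24"],
                        ["10.0.1.0/24", "192.0.2.0/24"]))
    print(render_replace("AUTO-FOO", ["192.0.2.0/24", "10.0.0.0/24"],
                         group="AUTO-PREFIX-LIST"))
```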