Vyatta Network OS Documentation


Example of a rule set in configuration mode

To manage the routing protocols on the system, a user needs access to only the interfaces, protocols and policy subtrees of the configuration; every other subtree (for example, system login, ACM and firewall) can be denied to that user.

To configure RBAC, you must add the protocol administrator role or group.

To add the protocol administrator group and define the rules for this group of users, perform the following steps in configuration mode.

Table 1. Adding a protocol administrator group and defining the rules for the group

Step 1. Create a protocol administrator group.

    vyatta@R1# set system login group protoadmin

Step 2. Add the user john to the group.

    vyatta@R1# set system login user john group protoadmin

Step 3. Create a rule that allows all operations on /protocols.

    vyatta@R1# set system acm ruleset rule 10 action allow
    vyatta@R1# set system acm ruleset rule 10 group protoadmin
    vyatta@R1# set system acm ruleset rule 10 operation *
    vyatta@R1# set system acm ruleset rule 10 path /protocols

Step 4. Create a rule that allows all operations on /policy.

    vyatta@R1# set system acm ruleset rule 20 action allow
    vyatta@R1# set system acm ruleset rule 20 group protoadmin
    vyatta@R1# set system acm ruleset rule 20 operation *
    vyatta@R1# set system acm ruleset rule 20 path /policy

Step 5. Create a rule that allows all operations on /interfaces.

    vyatta@R1# set system acm ruleset rule 30 action allow
    vyatta@R1# set system acm ruleset rule 30 group protoadmin
    vyatta@R1# set system acm ruleset rule 30 operation *
    vyatta@R1# set system acm ruleset rule 30 path /interfaces

Step 6. Deny all operations on every other path for users of the protoadmin group. Rules are evaluated in numerical order, so this catch-all deny rule carries the highest number and is reached only for paths that rules 10 through 30 did not match; numbering it below the allow rules would shadow them and lock the group out of everything.

    vyatta@R1# set system acm ruleset rule 40 action deny
    vyatta@R1# set system acm ruleset rule 40 group protoadmin
    vyatta@R1# set system acm ruleset rule 40 operation *
    vyatta@R1# set system acm ruleset rule 40 path *

The following example shows the configuration mode rule set that results from the steps in Table 1.

super@vyatta# show system acm ruleset
rule 10 {
    action allow
    group protoadmin
    operation "*"
    path /protocols
}
rule 20 {
    action allow
    group protoadmin
    operation "*"
    path /policy
}
rule 30 {
    action allow
    group protoadmin
    operation "*"
    path /interfaces
}
rule 40 {
    action deny
    group protoadmin
    operation "*"
    path "*"
}

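The ordering of the rules above is what makes the rule set safe: rule 40 only denies what rules 10 through 30 did not already allow. The following Python script is an added example (not part of the Vyatta documentation or the Vyatta NOS code) that parses the `show system acm ruleset` output shown above, answers "may this group perform this operation on this path?" queries, and flags rules that can never match because an earlier rule already covers them. It assumes, as the page's ordering implies, that rules are evaluated in ascending rule number with the first match winning, that `path` matches a configuration subtree by prefix, and that `"*"` is a wildcard for group, operation and path; a rule that omits a field is treated as a wildcard for that field. The sample ruleset embedded in the script is the one from the page; the misordered variant in the usage section is constructed for the demonstration.

```python
"""Evaluate and lint a Vyatta-style ACM ruleset (added example, not Vyatta code).

Assumed semantics (not verified against the Vyatta NOS source):
  * rules are evaluated in ascending rule number, first match wins;
  * `path` matches the named subtree and everything beneath it;
  * "*" is a wildcard for group, operation and path, and a rule that omits
    one of those fields is treated as "*" for that field.
"""
import re

# Ruleset text as displayed by `show system acm ruleset` on the page.
RULESET = """\
rule 10 {
    action allow
    group protoadmin
    operation "*"
    path /protocols
}
rule 20 {
    action allow
    group protoadmin
    operation "*"
    path /policy
}
rule 30 {
    action allow
    group protoadmin
    operation "*"
    path /interfaces
}
rule 40 {
    action deny
    group protoadmin
    operation "*"
    path "*"
}
"""

RULE_RE = re.compile(r"rule\s+(\d+)\s*\{(.*?)\}", re.S)


def parse_ruleset(text):
    """Parse `show system acm ruleset` output into rule dicts sorted by number."""
    rules = []
    for number, body in RULE_RE.findall(text):
        fields = {}
        for line in body.strip().splitlines():
            key, _, value = line.strip().partition(" ")
            fields[key] = value.strip().strip('"')  # `operation "*"` -> "*"
        rules.append({"number": int(number), **fields})
    return sorted(rules, key=lambda r: r["number"])


def _path_matches(rule_path, path):
    """True if `path` is the rule's subtree or lies beneath it."""
    if rule_path == "*":
        return True
    subtree = rule_path.rstrip("/")
    return path == subtree or path.startswith(subtree + "/")


def _field_matches(rule_value, query_value):
    return rule_value in (query_value, "*")


def check_access(rules, group, operation, path):
    """Return (action, rule number) of the first matching rule, or (None, None)
    when no rule applies to this group/operation/path."""
    for rule in rules:
        if not _field_matches(rule.get("group", "*"), group):
            continue
        if not _field_matches(rule.get("operation", "*"), operation):
            continue
        if not _path_matches(rule.get("path", "*"), path):
            continue
        return rule["action"], rule["number"]
    return None, None


def shadowed_rules(rules):
    """Numbers of rules that can never match because an earlier rule for the
    same (or wildcard) group and operation already covers their whole path."""
    shadowed = []
    for index, later in enumerate(rules):
        for earlier in rules[:index]:
            if (_field_matches(earlier.get("group", "*"), later.get("group", "*"))
                    and _field_matches(earlier.get("operation", "*"), later.get("operation", "*"))
                    and _path_matches(earlier.get("path", "*"), later.get("path", "*"))):
                shadowed.append(later["number"])
                break
    return shadowed


if __name__ == "__main__":
    rules = parse_ruleset(RULESET)
    for query in [("protoadmin", "update", "/protocols/bgp"),
                  ("protoadmin", "update", "/system/login/user")]:
        print(query, "->", check_access(rules, *query))
    print("shadowed (correct order):", shadowed_rules(rules))
    # Constructed misordering: the catch-all deny renumbered below the allows.
    misordered = parse_ruleset(RULESET.replace("rule 40", "rule 5"))
    print("shadowed (deny first):", shadowed_rules(misordered))
```

Running the script reports that a protoadmin user may update `/protocols/bgp` (rule 10) but not `/system/login/user` (rule 40), and that renumbering the catch-all deny to rule 5 shadows rules 10, 20 and 30, which is the misconfiguration the ordering in Table 1 avoids. A query for a group that no rule names returns `(None, None)`; what the NOS does in that case depends on its configured default action, which this script does not model.
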
The following example shows the system login configuration for the protoadmin group, with the user john as a member of that group.

super@vyatta# show system login
group protoadmin {
}
user john {
    authentication {
        encrypted-password *******
    }
    group protoadmin
    level admin
}
super@vyatta#