Vyatta documentation

Example of a rule set in operational mode

Operational mode has a rule set, like configuration mode, that allows administrators to specify which operational mode commands a user is allowed to run. For example, a protocol administrator needs to execute only the show interfaces and show ip families of commands and therefore should not be allowed to run other administrative actions.

To define the operational mode rules for the protocol administrator group (protoadmin), perform the following steps in configuration mode.

Table 1. Defining the operational mode rules for the protocol administrator group

Step 1. Create a rule allowing all operations on /show/ip for the protoadmin group.

vyatta@R1# set system acm operational-ruleset rule 10 action 'allow'
vyatta@R1# set system acm operational-ruleset rule 10 command '/show/ip/*'
vyatta@R1# set system acm operational-ruleset rule 10 group 'protoadmin'

Step 2. Create a rule allowing all operations on /show/interfaces for the protoadmin group.

vyatta@R1# set system acm operational-ruleset rule 20 action 'allow'
vyatta@R1# set system acm operational-ruleset rule 20 command '/show/interfaces/*'
vyatta@R1# set system acm operational-ruleset rule 20 group 'protoadmin'

Step 3. Create a rule allowing all operations on /configure for the protoadmin group.

vyatta@R1# set system acm operational-ruleset rule 30 action 'allow'
vyatta@R1# set system acm operational-ruleset rule 30 command '/configure'
vyatta@R1# set system acm operational-ruleset rule 30 group 'protoadmin'

Step 4. Deny all operations on all other paths for the protoadmin group.

vyatta@R1# set system acm operational-ruleset rule 40 action 'deny'
vyatta@R1# set system acm operational-ruleset rule 40 command '*'
vyatta@R1# set system acm operational-ruleset rule 40 group 'protoadmin'

The following example shows the operational mode rule set configured in Table 1, Defining the operational mode rules for the protocol administrator group.

super@vyatta# show system acm operational-ruleset
rule 10 {
    action allow
    command "/show/ip/*"
    group protoadmin
}
rule 20 {
    action allow
    command "/show/interfaces/*"
    group protoadmin
}
rule 30 {
    action allow
    command /configure
    group protoadmin
}
rule 40 {
    action deny
    command "*"
    group protoadmin
}
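To make the effect of the rule set concrete, the following added example (illustrative code, not part of Vyatta NOS or this documentation) models how the four rules decide a handful of commands for a member of protoadmin. It assumes, because the page does not state it explicitly, that rules are checked in ascending rule-number order and that the first rule whose group and command pattern match decides; the catch-all deny at rule 40 only makes sense under that reading. The pattern semantics (a bare "*" matches everything, a trailing "/*" matches anything strictly below the prefix, anything else matches exactly) are also an assumption, and the bare "show ip" case shows why that detail is worth verifying on the device.

```python
"""Added model of how a Vyatta ACM operational rule set is evaluated.

Illustrative code only, not Vyatta's implementation. Assumptions: rules are
evaluated in ascending rule-number order and the first matching rule decides;
the pattern matching in pattern_matches() is a guess at the device's semantics.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    number: int
    action: str    # "allow" or "deny"
    command: str   # command path pattern, e.g. "/show/ip/*"
    group: str


# The rule set from the page, as printed by `show system acm operational-ruleset`.
PROTOADMIN_RULES: List[Rule] = [
    Rule(10, "allow", "/show/ip/*", "protoadmin"),
    Rule(20, "allow", "/show/interfaces/*", "protoadmin"),
    Rule(30, "allow", "/configure", "protoadmin"),
    Rule(40, "deny", "*", "protoadmin"),
]


def command_to_path(command: str) -> str:
    """Turn an operational command into the slash-separated path form the
    rule patterns use: "show ip route" -> "/show/ip/route"."""
    return "/" + "/".join(command.split())


def pattern_matches(pattern: str, path: str) -> bool:
    """Assumed pattern semantics: a bare "*" matches every command; a pattern
    ending in "/*" matches any command strictly below that prefix; any other
    pattern must match the path exactly. Whether the real device also lets
    "/show/ip/*" match the bare "show ip" must be checked on the platform."""
    if pattern == "*":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-1]            # "/show/ip/*" -> "/show/ip/"
        return path.startswith(prefix) and len(path) > len(prefix)
    return path == pattern


def first_matching_rule(rules: Iterable[Rule], user_groups: Iterable[str],
                        command: str) -> Optional[Rule]:
    """Return the lowest-numbered rule that applies to one of the user's
    groups and matches the command, or None when no rule matches."""
    path = command_to_path(command)
    groups = set(user_groups)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.group in groups and pattern_matches(rule.command, path):
            return rule
    return None


def is_allowed(rules: Iterable[Rule], user_groups: Iterable[str],
               command: str) -> bool:
    """A command is allowed only by an explicit allow rule. With no matching
    rule this model denies; on a real platform the unmatched case falls to a
    separate default, which is exactly the dependency rule 40 removes."""
    rule = first_matching_rule(rules, user_groups, command)
    return rule is not None and rule.action == "allow"


def audit(rules: Iterable[Rule], user_groups: Iterable[str],
          commands: Iterable[str]) -> Dict[str, Tuple[bool, Optional[int]]]:
    """Map each command to (allowed?, number of the deciding rule or None)."""
    rules = list(rules)
    result: Dict[str, Tuple[bool, Optional[int]]] = {}
    for cmd in commands:
        rule = first_matching_rule(rules, user_groups, cmd)
        result[cmd] = (rule is not None and rule.action == "allow",
                       rule.number if rule else None)
    return result


if __name__ == "__main__":
    # Constructed sample of commands user john (group protoadmin) might try.
    sample = ["show ip route", "show interfaces dataplane", "configure",
              "show ip", "show system login", "reboot"]
    for cmd, (ok, num) in audit(PROTOADMIN_RULES, ["protoadmin"], sample).items():
        print(f"{cmd!r:30} -> {'allow' if ok else 'deny':5} (rule {num})")
    # The same commands with the catch-all removed: unmatched commands now
    # fall through to the platform default instead of an explicit deny.
    trimmed = [r for r in PROTOADMIN_RULES if r.number != 40]
    undecided = [c for c, (_, n) in audit(trimmed, ["protoadmin"], sample).items()
                 if n is None]
    print("without rule 40, no rule decides:", undecided)
```

Running the script lists each sample command with the rule that decided it, then shows which commands would be left to the platform default if rule 40 were missing. Under the strict prefix reading the bare "show ip" is denied by rule 40 even though "show ip route" is allowed by rule 10, so if the group must be able to run the bare command as well, confirm the device's pattern semantics before relying on the rule set.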

The following example shows the system login information for the protoadmin group, with a user called john as a member of that group.

super@vyatta# show system login
group protoadmin {
}
user john {
    authentication {
        encrypted-password *******
    }
    group protoadmin
    level admin
}
super@vyatta#