Change Details

Now that we have a new operational command runner, we can start enforcing command permissions. A possible approach is: * If the user set to be an operator, all commands are allowed. * The user can also be assigned to an "operator group" that allows only selected commands. We almost certainly //do not// want to implement command //deny// lists because there's no obvious way to resolve conflicts between groups where one group has a command in its allow list and another group has exact same command in its deny list. Example: ``` vyos@vyos# show system login operator-group JuniorOperators { command-policy { allow show allow clear allow reset } } user bofh { authentication { ... } operator { # No group — allowed to execute anything } } user pfy { authentication { ... } operator { group JuniorOperators } } ```

Now that we have a new operational command runner, we can start enforcing command permissions. A possible approach is: * If the user set to be an operator, all commands are allowed. * The user can also be assigned to an "operator group" that allows only selected commands. We almost certainly //do not// want to implement command //deny// lists because there's no obvious way to resolve conflicts between groups where one group has a command in its allow list and another group has exact same command in its deny list. Example: ``` vyos@vyos# show system login operator-group JuniorOperators { command-policy { allow show allow clear allow reset } } user bofh { authentication { ... } operator { # No group — allowed to execute anything } } user pfy { authentication { ... } operator { group JuniorOperators } } ``` Extending this system to users who authenticate through RADIUS and other sources is a future work with its own open questions.

Now that we have a new operational command runner, we can start enforcing command permissions. A possible approach is: * If the user set to be an operator, all commands are allowed. * The user can also be assigned to an "operator group" that allows only selected commands. We almost certainly //do not// want to implement command //deny// lists because there's no obvious way to resolve conflicts between groups where one group has a command in its allow list and another group has exact same command in its deny list. Example: ``` vyos@vyos# show system login operator-group JuniorOperators { command-policy { allow show allow clear allow reset } } user bofh { authentication { ... } operator { # No group — allowed to execute anything } } user pfy { authentication { ... } operator { group JuniorOperators } } ``` Extending this system to users who authenticate through RADIUS and other sources is a future work with its own open questions.