Configuring Local user management
RBFS allows you to define command and access privileges for both user-defined and pre-defined roles. A role's command privilege combines a list of allow regular expressions, a list of deny regular expressions and a configurable default privilege, so a role can be built either as an allow list (deny everything, then allow specific commands) or as a deny list (allow everything, then deny specific commands). If a command matches both an allow and a deny regular expression, the allow regular expression takes precedence.
Creating Roles

To create a role, you need to configure the following:

- Configure the role-based access control (RBAC) privilege for the role
- Configure the command privilege for the role

Note: Secure management must be enabled when granting any type of privilege, whether RBAC or command-based, to any user. Without secure management, the configured privileges do not take effect.
Configuring the RBAC Privilege

You need to configure the RBAC privilege for both resource types, table and object.

Command arguments

| Argument | Description |
|---|---|
| <name> | Authorization role name |
| <resource> | Represents resources in RBFS (table/object); the example below uses `.*` to match every resource of the given type |
| <permission-type> | Permissions to create, read and delete. The following are the supported RBAC permission types: |
Configuring the Command Privilege

Command arguments

| Argument | Description |
|---|---|
| <role> | Authorization role name |
| <allow-cmds> | List of regular expressions for allowed commands |
| <deny-cmds> | List of regular expressions for denied commands |
The example below shows a new role named "support" that has RBAC permission to read any table and any object (`-/read/-` on resource `.*` for both resource types). Its command privilege denies everything (`deny-cmds` is `.*`) except commands matching the allow list (`ping .*`, `set .*`, `show .*`, `traceroute .*` and `watch .*`); because allow takes precedence over deny, those commands remain usable. Note that `set .*` matches the configuration commands used throughout this page, so a role that is meant to be read-only at the CLI should not include it.

```json
{
  "ietf-restconf:data": {
    "rtbrick-config:system": {
      "authorization": {
        "global": {
          "role": [
            {
              "name": "support",
              "rbac-permission": [
                { "permission": "-/read/-", "resource-type": "object", "resource": ".*" },
                { "permission": "-/read/-", "resource-type": "table", "resource": ".*" }
              ],
              "cmd-permission": {
                "allow-cmds": [ "ping .*", "set .*", "show .*", "traceroute .*", "watch .*" ],
                "deny-cmds": ".*"
              }
            }
          ]
        }
      }
    }
  }
}
```
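To see what the allow/deny rule actually decides for a given command, the following added example (not RtBrick code) simulates the command-privilege evaluation described on this page for the "support" role above and for the pre-defined "reader" role from the table further down. It assumes that RBFS matches the whole command line against each regular expression (`re.fullmatch`); the page does not state how much of the line is matched, so that is an assumption of this example, as are the function names.

```python
import re


def _as_list(value):
    """RBFS writes a single-entry list as a bare string (e.g. "deny-cmds": ".*")."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def command_allowed(cmd_permission, command, default_allow=False):
    """Decide whether `command` is authorized under a role's cmd-permission.

    Decision order follows the page: an allow match wins, otherwise a deny
    match rejects, otherwise the role's (configurable) default privilege applies.
    Assumption: the full command line is matched (re.fullmatch), so "show .*"
    requires an argument while "show.*" also accepts a bare "show".
    """
    allow = [re.compile(p) for p in _as_list(cmd_permission.get("allow-cmds"))]
    deny = [re.compile(p) for p in _as_list(cmd_permission.get("deny-cmds"))]
    if any(p.fullmatch(command) for p in allow):
        return True
    if any(p.fullmatch(command) for p in deny):
        return False
    return default_allow


# cmd-permission of the "support" role from the example on this page
SUPPORT = {
    "allow-cmds": ["ping .*", "set .*", "show .*", "traceroute .*", "watch .*"],
    "deny-cmds": ".*",
}

# The pre-defined "reader" role, written in the same form from the
# pre-configured users table on this page
READER = {
    "allow-cmds": ["color.*", "date.*", "exit.*", "history.*", "paging.*",
                   "ping.*", "show.*", "traceroute.*", "watch-mode.*"],
    "deny-cmds": ".*",
}


def explain(cmd_permission, commands, default_allow=False):
    """Evaluate several commands against one role and return {command: allowed}."""
    return {c: command_allowed(cmd_permission, c, default_allow) for c in commands}


if __name__ == "__main__":
    probes = ["show version", "show", "ping 10.0.0.1",
              "set system user bob role supervisor", "commit"]
    for role_name, role in (("support", SUPPORT), ("reader", READER)):
        for cmd, ok in explain(role, probes).items():
            print(f"{role_name:8} {'ALLOW' if ok else 'DENY '} {cmd}")
```

Running it shows the two things a reviewer of such a role should notice: the "support" role's `set .*` entry lets the user enter configuration statements even though its RBAC permission is read-only, and a pattern with a trailing space (`show .*`) does not match the bare command, whereas `show.*` does.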
Linux pre-configured users, roles and privileges

| User Name | Role Name | Default Privileges |
|---|---|---|
| supervisor | supervisor | Allow all actions |
| operator | operator | Allow all actions |
| reader | reader | All commands are denied other than those matching any of the following regular expressions: `color.*`, `date.*`, `exit.*`, `history.*`, `paging.*`, `ping.*`, `show.*`, `traceroute.*`, `watch-mode.*` |
Creating New Users

Every user created through local user management gets a primary group with the same name and ID as the user. The new user's ID is allocated from the range 3000 to 3999.

You cannot use usernames such as root, wheel, admin or sudo, or any of the SMP Linux pre-configured users and groups such as supervisor, operator and reader. A username also cannot start with "rtbrick_". If a Linux user with the same username already exists but has an ID outside the 3000-3999 range, creating the user through the RBFS configuration fails.

To create a new user, enter the following command:

```
set system user <username>
```

Command arguments

| Argument | Description |
|---|---|
| <username> | Name of the local user |
Assigning Roles to Users

A "role" is an RBFS RBAC construct that is mapped to a Linux group. The list of roles assigned to a user in the RBFS configuration becomes the list of supplementary Linux groups the Linux user belongs to (the user's primary group is always the user's own group, as described above). You can create new users and assign roles to them. The supervisor, operator and reader roles are pre-defined and pre-configured both in Linux and in RBFS.

When a user is configured in RBFS under "system users", RBFS/confd validates that the user's role list contains only roles that are pre-defined or that are configured under "system authorization".

Note: Do not create role names that start with "rtbrick_". In addition, "root", "wheel", "admin" and "sudo" are not acceptable role names.

To assign a role to a user, enter the following command:

```
set system user <username> role <role>
```

Command arguments

| Argument | Description |
|---|---|
| <username> | Name of the user |
| <role> | Role of the user; it maps to a supplementary Linux group, not to the user's primary group |

Example: Assigning Roles to Users

```json
{
  "ietf-restconf:data": {
    "rtbrick-config:system": {
      "user": [
        {
          "username": "bob",
          "role": [ "operator" ],
          "shell": "/usr/local/bin/cli",
          "password-hashed-text": "$6$uTE4OYn0iRq.Vppe$JBVMQ5DZHfuCuUP5yTnfl9IJsRLQAXqTLlLMKRO8bCz9WDlB2ele8puwMrT4/QDF2nNOcoHtqYqFljly4B.Vu0"
        }
      ]
    }
  }
}
```
Configuring Authentication for a New User

There are two ways in which you can configure a password for a new user in RBFS:

- Configuring a hashed password
- Configuring a plain-text password

Configuring a Hashed Password

Configuring a hashed password lets you set a user's password without ever entering the plain-text password into the RBFS configuration. When a user is present in the configuration but no "password hashed text" is present, password authentication is considered disabled for that user.

You can also disable password authentication for any of the pre-defined supervisor, operator and reader users by adding a "system users" configuration section for that user without a "password hashed text"; for example, a "system users supervisor" section without a "password hashed text" disables password authentication for the supervisor user.

SSH public keys can still be configured even if "password hashed text" is not present.

To create a password hashed text and authenticate the new user, perform the following steps:

- Generate the password hash on any Linux server. The command prompts for the password and prints a crypt(3)-style string; with --method=SHA-512 the string starts with "$6$".

```
mkpasswd --method=SHA-512
```

- Configure authentication using the password hashed text and, optionally, an SSH public key.

```
set system user <username> password-hashed-text <password-hashed-text>
set system user <username> ssh-pub-key <ssh-pub-key>
```

Command arguments

| Argument | Description |
|---|---|
| <username> | Name of the user |
| <password-hashed-text> | The hashed password string produced in the first step (crypt(3) format, for example "$6$<salt>$<hash>"), not the password itself |
| <ssh-pub-key> | Public key of the user. You can specify multiple ssh-pub-keys. |

- Log in using the username and the password from which the hash was generated.

Example

```json
{
  "ietf-restconf:data": {
    "rtbrick-config:system": {
      "user": [
        {
          "username": "bob",
          "shell": "/usr/local/bin/cli",
          "password-hashed-text": "$5$L2DaOYYuddhBV$9RA5MX9RQzLC9fIKJzbnoFBb88w9rkSXl7GVrVJ9PY7",
          "ssh-pub-key": [
            "ssh-rsa AAAAB3NzaC1yc2EAAAADAQCBAAABAQCubg5sdDycPN5EViNkV6w7rfp2GAfKWuInfaL3xOXyvSNpsmaHILYmgrLUU0GKQH9gauPUJpDcvvYaMt0ZBuTbWHVMUc4cvhgbNDkTB2bG2cTZ5QzbicyXff3BlDWQThVp2LtVBiW2tf7JTTa9SnL4Lnm+CQcXsQ0rxqy2S6bJpsRYlFMyQl/hZ4QEWE153dw0HGvcG8mjfnPN4wvCc/omfD3ljxx+Gf4oFS0davX6pdphUKLvgL33VVG5xaK71imv2l3897LIJZaHxy7FbB+CjSYT6QNq1XksX8omrbRjiP3enEQi/bANtzTNnGDnIm1KHf3xuKpoKw+B5fhDZogx"
          ]
        }
      ]
    }
  }
}
```

The hash in this example starts with "$5$", which is the SHA-256 crypt method; the "$6$" prefix in the other examples on this page is the SHA-512 crypt output of mkpasswd --method=SHA-512 as described above. Treat configuration exports that contain password hashes as sensitive: the hashes are not plain text, but they can be attacked offline.
Configuring a Plain-Text Password

To configure a plain-text password for a new user, enter the following command:

```
set system user <username> password-plain-text <password-plain-text>
```

Command arguments

| Argument | Description |
|---|---|
| <username> | Name of the user |
| <password-plain-text> | Specifies the plain-text password |

Example for Configuring a Plain-Text Password

```
set system user bob password-plain-text bob123
set system user bob shell /usr/local/bin/cli
set system user bob role operator
```

Viewing the Configuration after Setting a Plain-Text Password

RBFS stores the password as a hash: when you view the configuration, the plain-text password you entered appears as "password-hashed-text". The plain-text value is still present in the command you typed (CLI history, terminal logs, automation scripts), so prefer the hashed-password method where that matters.

```json
{
  "ietf-restconf:data": {
    "rtbrick-config:system": {
      "user": [
        {
          "username": "bob",
          "role": [ "operator" ],
          "shell": "/usr/local/bin/cli",
          "password-hashed-text": "$6$uTE4OYn0iRq.Vppe$JBVMQ5DZHfuCuUP5yTnfl9IJsRLQAXqTLlLMKRO8bCz9WDlB2ele8puwMrT4/QDF2nNOcoHtqYqFljly4B.Vu0"
        }
      ]
    }
  }
}
```
Setting the User Shell

RBFS validates that the shell is one of the following three valid options:

- /usr/sbin/nologin
- /bin/bash
- /usr/local/bin/cli

/usr/local/bin/cli confines the user to the RBFS CLI, /bin/bash gives the user a Linux shell on the device, and /usr/sbin/nologin refuses interactive logins altogether.

To configure the user shell, enter the following command:

```
set system user <username> shell <shell>
```

Command arguments

| Argument | Description |
|---|---|
| <username> | Name of the user |
| <shell> | Path of the shell; one of the three options above |

Example

```
root@rtbrick: cfg> set system user smith shell /usr/local/bin/cli
```
Specifying the Display Name for User Names

The display name lets you specify a preferred name so that you can easily identify the user. You can change the display name by entering the following command:

```
set system user <username> display-name <display_name>
```

Command arguments

| Argument | Description |
|---|---|
| <username> | Name of the user |
| <display_name> | Display name to easily identify the user |

Example

```
set system user smith display-name primeuser
```
Enabling or Disabling CLI Access

You can control a user's access to the CLI. By default, users have access to the CLI.

```
set system user <username> no-cli-access <true|false>
```

Command arguments

| Argument | Description |
|---|---|
| <username> | Name of the user |
| <true\|false> | When no-cli-access is set to true, the user cannot access the CLI; when set to false (the default), the user can |

Example

```
set system user smith no-cli-access false
```
Configuring sudo Without Password

Local system users can log in with passwords or with SSH keys. From a security perspective, it is desirable to allow authentication with SSH keys only; a user who has no password, however, is normally blocked by the password prompt of 'sudo'. RBFS therefore provides a configuration knob that removes the 'sudo' password requirement so that local users can authenticate with SSH keys only. This knob is configurable only if the user is supervisor or one of the user's roles is supervisor.

Enter the following command to enable or disable the 'sudo' password requirement. By default, no-sudo-password is false, which ensures that the supervisor must provide a password when using sudo.

```
set system user <username> no-sudo-password <true|false>
```

Command arguments

| Argument | Description |
|---|---|
| <username> | Name of the user |
| <true\|false> | When no-sudo-password is set to true, the user is not asked for a password when running sudo; when set to false (the default), sudo requires the user's password |

Example Configuration:

```json
{
  "rtbrick-config:user": [
    {
      "username": "smith",
      "role": "supervisor",
      "shell": "/bin/bash",
      "ssh-pub-key": "ssh-rsa AAAAB3Nza<...>",
      "no-sudo-password": "true"
    }
  ]
}
```

Note: If 'no-sudo-password' is set to true, you can log in with your SSH key alone and still use sudo. Such a supervisor account is effectively root on the device, so protect the corresponding private key accordingly.
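The constraints stated on this page (reserved user and role names, the "rtbrick_" prefix, roles that must be pre-defined or configured under system authorization, the three permitted shells, the SHA-512 hash format, password authentication being disabled when no hash is present, and no-sudo-password requiring supervisor) can all be checked before a configuration is pushed. The following added example (not RtBrick code) lints a RESTCONF-style user configuration of the shape shown in the examples on this page against those rules. The function names and the sample configuration are this example's own; the hashes in the sample are the ones printed on this page, and the SSH key is a dummy.

```python
import re

PREDEFINED_ROLES = {"supervisor", "operator", "reader"}
RESERVED_ROLE_NAMES = {"root", "wheel", "admin", "sudo"}
RESERVED_USERNAMES = RESERVED_ROLE_NAMES | PREDEFINED_ROLES
VALID_SHELLS = {"/usr/sbin/nologin", "/bin/bash", "/usr/local/bin/cli"}
# crypt(3) modular format $id$[rounds=N$]salt$hash; id "6" is SHA-512, "5" is SHA-256
CRYPT_RE = re.compile(
    r"^\$(?P<id>[0-9a-z]+)\$(?:rounds=\d+\$)?(?P<salt>[./0-9A-Za-z]{1,16})\$(?P<hash>[./0-9A-Za-z]+)$"
)


def _as_list(value):
    """RBFS examples write a single-entry list as a bare string ("role": "supervisor")."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_local_users(config):
    """Return a list of (name, finding) tuples; an empty list means the config passes."""
    data = config.get("ietf-restconf:data", config)
    system = data.get("rtbrick-config:system", {})
    role_entries = system.get("authorization", {}).get("global", {}).get("role", [])
    configured_roles = {r["name"] for r in role_entries}
    findings = []
    for role in sorted(configured_roles):
        if role.startswith("rtbrick_") or role in RESERVED_ROLE_NAMES:
            findings.append((role, "role name is reserved"))
    for user in system.get("user", []):
        name = user.get("username", "")
        roles = set(_as_list(user.get("role")))
        if name in RESERVED_USERNAMES or name.startswith("rtbrick_"):
            findings.append((name, "username is reserved"))
        for role in sorted(roles - PREDEFINED_ROLES - configured_roles):
            findings.append((name, f"role '{role}' is neither pre-defined nor configured under system authorization"))
        shell = user.get("shell")
        if shell is not None and shell not in VALID_SHELLS:
            findings.append((name, f"shell '{shell}' is not one of the three permitted shells"))
        hashed = user.get("password-hashed-text")
        keys = _as_list(user.get("ssh-pub-key"))
        if hashed is None:
            # No hash: password authentication is disabled; without a key nothing can log in
            if not keys:
                findings.append((name, "no password-hashed-text and no ssh-pub-key: password authentication is disabled and no key can log in"))
        else:
            m = CRYPT_RE.match(hashed)
            if m is None:
                findings.append((name, "password-hashed-text is not a crypt(3) $id$salt$hash string"))
            elif m.group("id") != "6":
                findings.append((name, f"password hash uses ${m.group('id')}$ instead of SHA-512 ($6$)"))
        no_sudo_pw = str(user.get("no-sudo-password", "false")).lower() == "true"
        if no_sudo_pw and name != "supervisor" and "supervisor" not in roles:
            findings.append((name, "no-sudo-password requires the supervisor user or the supervisor role"))
    return findings


# Constructed sample configuration for this example: two acceptable users and two
# that violate the rules on this page in several ways each.
SAMPLE_CONFIG = {
    "ietf-restconf:data": {
        "rtbrick-config:system": {
            "authorization": {"global": {"role": [
                {"name": "support", "cmd-permission": {"allow-cmds": ["show .*"], "deny-cmds": ".*"}},
            ]}},
            "user": [
                {"username": "bob", "role": ["operator"], "shell": "/usr/local/bin/cli",
                 "password-hashed-text": "$6$uTE4OYn0iRq.Vppe$JBVMQ5DZHfuCuUP5yTnfl9IJsRLQAXqTLlLMKRO8bCz9WDlB2ele8puwMrT4/QDF2nNOcoHtqYqFljly4B.Vu0"},
                {"username": "smith", "role": "supervisor", "shell": "/bin/bash",
                 "ssh-pub-key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUMMYKEYFORTHISEXAMPLE",
                 "no-sudo-password": "true"},
                {"username": "rtbrick_svc", "role": ["auditor"], "shell": "/bin/sh",
                 "password-hashed-text": "$5$L2DaOYYuddhBV$9RA5MX9RQzLC9fIKJzbnoFBb88w9rkSXl7GVrVJ9PY7"},
                {"username": "eve", "role": ["support"], "shell": "/usr/local/bin/cli",
                 "no-sudo-password": "true"},
            ],
        }
    }
}

if __name__ == "__main__":
    for name, finding in lint_local_users(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```

Run against the sample, the linter reports nothing for bob and smith, four findings for rtbrick_svc (reserved name, unknown role, unsupported shell, SHA-256 hash) and two for eve (no credential at all, and no-sudo-password without the supervisor role). The same function can be pointed at the JSON returned by the device's RESTCONF interface to audit an existing configuration.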