summaryrefslogtreecommitdiff
path: root/src/conf_mode
diff options
context:
space:
mode:
authorDaniil Baturin <daniil@baturin.org>2025-08-21 13:31:33 +0100
committerDaniil Baturin <daniil@baturin.org>2025-08-26 12:01:42 +0100
commit00c78f33a8772b847ef6c2ee8fcbcbaf8dc87cb5 (patch)
treefa73eea2a6d88ad252f273080741c5fef2650fca /src/conf_mode
parent4ad89d66634b7aa1464ae3e44bce179be48cc2bf (diff)
downloadvyos-1x-00c78f33a8772b847ef6c2ee8fcbcbaf8dc87cb5.tar.gz
vyos-1x-00c78f33a8772b847ef6c2ee8fcbcbaf8dc87cb5.zip
op-mode: T7745: add a CLI for operator user command permissions
Diffstat (limited to 'src/conf_mode')
-rwxr-xr-xsrc/conf_mode/system_login.py39
1 files changed, 38 insertions, 1 deletions
diff --git a/src/conf_mode/system_login.py b/src/conf_mode/system_login.py
index 234b24770..c2562be7b 100755
--- a/src/conf_mode/system_login.py
+++ b/src/conf_mode/system_login.py
@@ -14,7 +14,9 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
+import re
import os
+import json
from passlib.hosts import linux_context
from psutil import users
@@ -171,6 +173,15 @@ def verify(login):
if 'key' not in pubkey_options:
raise ConfigError(f'Missing key for public-key "{pubkey}"!')
+ if 'operator' in user_config:
+ op_groups = dict_search('operator.group', user_config)
+ if op_groups:
+ for og in op_groups:
+ if dict_search(f'operator_group.{og}', login) is None:
+ raise ConfigError(f'Operator group {og} does not exist')
+ else:
+ raise ConfigError(f'User {user} is configured as an operator but is not assigned to any operator groups')
+
if {'radius', 'tacacs'} <= set(login):
raise ConfigError('Using both RADIUS and TACACS at the same time is not supported!')
@@ -306,6 +317,28 @@ def generate(login):
if os.path.isfile(autologout_file):
os.unlink(autologout_file)
+ # Operator groups and group membership
+ operator_config = {'users': {}, 'groups': {}}
+ if 'user' in login:
+ for user, user_config in login['user'].items():
+ op_groups = dict_search('operator.group', user_config)
+ if op_groups:
+ operator_config['users'][user] = op_groups
+
+ if 'operator_group' in login:
+ operator_config['groups'] = login['operator_group']
+
+ # Convert permissions strings to list
+ # so that the operational command runner doesn't have to
+ for g in operator_config['groups']:
+ policy = dict_search(f'command_policy.allow', operator_config['groups'][g])
+ if policy is not None:
+ policy = list(map(lambda s: re.split(r'\s+', s), policy))
+ operator_config['groups'][g]['command_policy']['allow'] = policy
+
+ with open('/etc/vyos/operators.json', 'w') as of:
+ json.dump(operator_config, of)
+
return None
@@ -335,7 +368,11 @@ def apply(login):
if tmp: command += f" --home '{tmp}'"
else: command += f" --home '/home/{user}'"
- command += f' --groups frr,frrvty,vyattacfg,sudo,adm,dip,disk,_kea {user}'
+ if 'operator' not in user_config:
+ command += f' --groups frr,frrvty,vyattacfg,sudo,adm,dip,disk,_kea'
+
+ command += f' {user}'
+
try:
cmd(command)
# we should not rely on the value stored in user_config['home_directory'], as a