Pipecommands/output processing not available for specific user group

I have a restrictive rule set applied to a user group which should only allow them to read the configuration and have bare-minimum capabilities. But with the configuration of allowed commands below, these users are not able to run any output modifier (output processing) commands or pipe commands.

For example, if I run the command below and, after the pipe, put a question mark "?", I do not see any possible completion like include, match, count, exclude, save etc. Is there a specific command I need to permit so that these users can keep these restricted permissions and still use output modifiers (output processing)?

ConfD version: 8.0.14

Output of pipe followed by a question mark:

 # show running-config | 
 Possible completions:
   |  <cr>

Rules applied for given user group:

<rule-list>
     <name>readonly-rules</name>
     <group>readonly</group>
     <rule>
        <name>nacm-deny</name>
        <path>/nacm</path>
        <access-operations>create update delete read</access-operations>
        <action>deny</action>
     </rule>
     <rule>
       <name>any-config-access</name>
       <module-name>*</module-name>
       <access-operations>read</access-operations>
       <action>permit</action>
     </rule>
     <cmdrule xmlns="http://tail-f.com/yang/acm">
       <name>config-permit</name>
       <command>config</command>
       <action>permit</action>
     </cmdrule>
     <cmdrule xmlns="http://tail-f.com/yang/acm">
       <name>describe-permit</name>
       <command>describe</command>
       <action>permit</action>
     </cmdrule>
     <cmdrule xmlns="http://tail-f.com/yang/acm">
       <name>display-level-permit</name>
       <command>display-level</command>
       <action>permit</action>
     </cmdrule>
     <cmdrule xmlns="http://tail-f.com/yang/acm">
       <name>help-permit</name>
       <command>help</command>
       <action>permit</action>
     </cmdrule>
     <cmdrule xmlns="http://tail-f.com/yang/acm">
       <name>id-permit</name>
       <command>id</command>
       <action>permit</action>
     </cmdrule>
     <cmdrule xmlns="http://tail-f.com/yang/acm">
       <name>idle-timeout-permit</name>
       <command>idle-timeout</command>
       <action>permit</action>
     </cmdrule>
     <cmdrule xmlns="http://tail-f.com/yang/acm">
       <name>ignore-leading-space-permit</name>
       <command>ignore-leading-space</command>
       <action>permit</action>
     </cmdrule>
     <cmdrule xmlns="http://tail-f.com/yang/acm">
       <name>help-permit</name>
       <command>help</command>
       <action>permit</action>
     </cmdrule>
     <cmdrule xmlns="http://tail-f.com/yang/acm">
       <name>leaf-prompting-permit</name>
       <command>leaf-prompting</command>
       <action>permit</action>
     </cmdrule>
     <cmdrule xmlns="http://tail-f.com/yang/acm">
       <name>paginate-permit</name>
       <command>paginate</command>
       <action>permit</action>
     </cmdrule>
     <cmdrule xmlns="http://tail-f.com/yang/acm">
       <name>output-file-permit</name>
       <command>output-file</command>
       <action>permit</action>
     </cmdrule>
     <cmdrule xmlns="http://tail-f.com/yang/acm">
       <name>prompt1-permit</name>
       <command>prompt1</command>
       <action>permit</action>
     </cmdrule>
     <cmdrule xmlns="http://tail-f.com/yang/acm">
       <name>prompt2-permit</name>
       <command>prompt2</command>
       <action>permit</action>
     </cmdrule>
     <cmdrule xmlns="http://tail-f.com/yang/acm">
        <name>pwd-permit</name>
        <command>pwd</command>
        <action>permit</action>
     </cmdrule>
     <cmdrule xmlns="http://tail-f.com/yang/acm">
        <name>screen-length-permit</name>
        <command>screen-length</command>
        <action>permit</action>
     </cmdrule>
     <cmdrule xmlns="http://tail-f.com/yang/acm">
        <name>screen-width-permit</name>
        <command>screen-width</command>
        <action>permit</action>
     </cmdrule>
     <cmdrule xmlns="http://tail-f.com/yang/acm">
       <name>script-permit</name>
       <command>script</command>
       <action>permit</action>
     </cmdrule>
     <cmdrule xmlns="http://tail-f.com/yang/acm">
       <name>send-permit</name>
       <command>send</command>
       <action>permit</action>
     </cmdrule>
     <cmdrule xmlns="http://tail-f.com/yang/acm">
       <name>show-permit</name>
       <command>show</command>
       <action>permit</action>
     </cmdrule>
     <cmdrule xmlns="http://tail-f.com/yang/acm">
       <name>show-defaults-permit</name>
       <command>show-defaults</command>
       <action>permit</action>
     </cmdrule>
     <cmdrule xmlns="http://tail-f.com/yang/acm">
       <name>terminal-permit</name>
       <command>terminal</command>
       <action>permit</action>
     </cmdrule>
     <cmdrule xmlns="http://tail-f.com/yang/acm">
       <name>timestamp-permit</name>
       <command>timestamp</command>
       <action>permit</action>
     </cmdrule>
     <cmdrule xmlns="http://tail-f.com/yang/acm">
        <name>any-commands-deny</name>
        <command>*</command>
        <action>deny</action>
     </cmdrule>
   </rule-list>

Hi. I used the configuration you provided and was able to see the output control commands, but it was certainly limiting the output that I could read:

MBP-2# show running-config | ?
Possible completions:
  annotation      Show only statements whose annotation matches a pattern
  append          Append output text to a file
  begin           Begin with the line that matches

You can use the devel.log to see what it is doing.

MBP-2:log linux$ tail -f devel.log
<DEBUG> 3-Jul-2024::16:46:38.505 MBP-2 confd[<0.416.0>]: devel-aaa User: admin[admin,staff,everyone,localaccounts,_appserverusr,_appserveradm,_lpadmin,com.apple.access_ssh,com.apple.sharepoint.group.1,_appstore,_lpoperator,_developer,_analyticsusers,com.apple.access_ftp,com.apple.access_screensharing,com.apple.access_remote_ae] rejected data access path /nacm:nacm/read-default op read due to no rule matched and node has nacm:default-deny-all

with

<developerLogLevel>trace</developerLogLevel>

There is probably more at play than what you listed, but that may be how you can get to the bottom of it.

Hi @sbarvick, thanks for the input. Not sure why even a few of the commands would be allowed after we deny all commands with "*".

And I did use the logs, and it helped in figuring out how I can get the pipe commands for a user with all commands restricted.
I added all pipe commands like the sample below:

...
     <cmdrule xmlns="http://tail-f.com/yang/acm">
        <name>annotation-permit</name>
        <command>annotation</command>
        <action>permit</action>
     </cmdrule>
     <cmdrule xmlns="http://tail-f.com/yang/acm">
        <name>append-permit</name>
        <command>append</command>
        <action>permit</action>
     </cmdrule>
     <cmdrule xmlns="http://tail-f.com/yang/acm">
        <name>begin-permit</name>
        <command>begin</command>
        <action>permit</action>
     </cmdrule>
     <cmdrule xmlns="http://tail-f.com/yang/acm">
        <name>best-effort-permit</name>
        <command>best-effort</command>
        <action>permit</action>
     </cmdrule>
     <cmdrule xmlns="http://tail-f.com/yang/acm">
        <name>context-match-permit</name>
        <command>context-match</command>
        <action>permit</action>
     </cmdrule>
     <cmdrule xmlns="http://tail-f.com/yang/acm">
        <name>count-permit</name>
        <command>count</command>
        <action>permit</action>
     </cmdrule>
...

Note: the above is just a few of the commands, but I added rules for all of them; the others are omitted here for brevity.
After this config I got all the pipe commands for a readonly user:

# show running-config | ?
Possible completions:
  annotation      Show only statements whose annotation matches a pattern
  append          Append output text to a file
  begin           Begin with the line that matches
  best-effort     Display data even if data provider is unavailable or continue loading from file in presence of failures
  context-match   Context match
  count           Count the number of lines in the output
  csv             Show table output in CSV format
  de-select       De-select columns
  details         Display default values
  display         Display options
  exclude         Exclude lines that match
  extended        Display referring entries
  hide            Hide display options
  icount          Count the number of matching instances
  include         Include lines that match
  linnum          Enumerate lines in the output
  match-all       All selected filters must match
  match-any       At least one filter must match
  more            Paginate output
  nomore          Suppress pagination
  repeat          Repeat show command with a given interval
  save            Save output text to a file
  select          Select additional columns
  sort-by         Select sorting indices
  tab             Enforce table output
  tags            Show only statements whose tags matches a pattern
  until           End with the line that matches
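Writing one cmdrule per pipe command by hand is tedious and easy to get wrong (note the duplicate help-permit rule in the first post, and the fact that any permit placed after the trailing "*" deny never matches). The script below is an added example, not code from this thread or from ConfD: it parses a "Possible completions:" listing, inserts a permit cmdrule per command ahead of the deny-all rule, and lints the result for duplicate names and shadowed rules. It assumes cmdrules are evaluated in list order with first match winning, and uses a constructed minimal rule-list rather than the full one posted above.

```python
import re
import xml.etree.ElementTree as ET

ACM = "http://tail-f.com/yang/acm"            # tail-f cmdrule namespace
NACM = "urn:ietf:params:xml:ns:yang:ietf-netconf-acm"
CMD = f"{{{ACM}}}cmdrule"

# Constructed sample: the first lines of the completion listing pasted above.
COMPLETIONS = """Possible completions:
  annotation      Show only statements whose annotation matches a pattern
  append          Append output text to a file
  count           Count the number of lines in the output
"""

def _rule(name, cmd, action):
    return (f'<cmdrule xmlns="{ACM}"><name>{name}</name>'
            f'<command>{cmd}</command><action>{action}</action></cmdrule>')

# Constructed sample rule-list: a permit, an accidental duplicate, then deny-all.
RULE_LIST = (f'<rule-list xmlns="{NACM}"><name>readonly-rules</name><group>readonly</group>'
             + _rule("help-permit", "help", "permit") + _rule("help-permit", "help", "permit")
             + _rule("any-commands-deny", "*", "deny") + "</rule-list>")

def parse_completions(text):
    """Extract command names from a 'Possible completions:' listing (skips '|' and <cr>)."""
    return [m.group(1) for line in text.splitlines()
            if (m := re.match(r"\s+([\w-]+)\s{2,}", line))]

def add_pipe_permits(rule_list_xml, commands):
    """Insert one permit cmdrule per command immediately ahead of the trailing '*' deny."""
    root = ET.fromstring(rule_list_xml)
    deny_all = next(r for r in root.findall(CMD) if r.findtext(f"{{{ACM}}}command") == "*")
    pos = list(root).index(deny_all)
    for cmd in commands:
        root.insert(pos, ET.fromstring(_rule(f"{cmd}-permit", cmd, "permit")))
        pos += 1
    return ET.tostring(root, encoding="unicode")

def cmdrule_commands(rule_list_xml):
    """The <command> of every cmdrule, in the (assumed first-match) evaluation order."""
    return [r.findtext(f"{{{ACM}}}command") for r in ET.fromstring(rule_list_xml).findall(CMD)]

def lint_cmdrules(rule_list_xml):
    """Flag duplicate cmdrule names and any rule placed after a '*' deny (unreachable)."""
    issues, seen, shadowed = [], set(), False
    for r in ET.fromstring(rule_list_xml).findall(CMD):
        name, cmd, act = (r.findtext(f"{{{ACM}}}{t}") for t in ("name", "command", "action"))
        if shadowed:
            issues.append(f"unreachable after '*' deny: {name}")
        if name in seen:
            issues.append(f"duplicate cmdrule name: {name}")
        seen.add(name)
        shadowed |= (cmd == "*" and act == "deny")
    return issues
```

Feed it the full completion listing from a session that already has the pipe commands, then load the generated rule-list and re-check with the devel.log trace mentioned earlier.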

Glad it helped and thanks for sharing the info back to the community.

Best,
Scott
