Define a custom user role that is allowed to create and delete static routes. The role is defined as follows:
role name test
rule 1 permit command system-view ; ip route-static *
rule 2 permit command undo ip route-static *
rule 3 permit command display ip routing-table *
rule 4 permit command screen-length disable ; undo screen-length disable
A login test shows that the role can create static routes but cannot delete them; the device reports insufficient permission:
System View: return to User View with Ctrl+Z.
[SJKF-P-PUB-CMNET-H3C-CR16018F-01-ITC11]
[SJKF-P-PUB-CMNET-H3C-CR16018F-01-ITC11]undo ip rou?
Permission denied.
[SJKF-P-PUB-CMNET-H3C-CR16018F-01-ITC11]undo ip ?
Permission denied.
[SJKF-P-PUB-CMNET-H3C-CR16018F-01-ITC11]ip rou
[SJKF-P-PUB-CMNET-H3C-CR16018F-01-ITC11]ip route-static ?
X.X.X.X Destination IP address
bfd Configure BFD parameters
default-preference Preference value for IPv4 static-routes
fast-reroute Specify fast reroute configuration
group Specify a static route group
primary-path-detect Enable primary path detect function
vpn-instance Specify a VPN instance
[SJKF-P-PUB-CMNET-H3C-CR16018F-01-ITC11]ip route-static 192.168.2.0 ?
INTEGER<0-32> Mask length of the IP address
X.X.X.X Mask of the IP address
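When configuring RBAC command authorization for a user role, the view in which each command runs must be specified in detail in the rule. Modify the user configuration as follows so that the command-line view can be entered.
The system-view command must be added to the user's permission rule, as follows: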
role name test
rule 1 permit command system-view ; ip route-static *
rule 2 permit command system-view ;undo ip route-static *
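The check below is an added example, not part of the original case or any H3C tool: it audits a role definition for permit rules whose command belongs to system view but lacks the system-view segment, which is the mistake in the original rule 2. The list of system-view-only commands and all function names are assumptions for illustration.

```python
import re

# Assumption: commands that exist only in system view on the audited device.
SYSTEM_VIEW_COMMANDS = ("ip route-static",)
RULE_RE = re.compile(r"^\s*rule\s+(\d+)\s+permit\s+command\s+(.+?)\s*$")

# The two role definitions shown in this case.
ORIGINAL_ROLE = """role name test
rule 1 permit command system-view ; ip route-static *
rule 2 permit command undo ip route-static *
rule 3 permit command display ip routing-table *
rule 4 permit command screen-length disable ; undo screen-length disable
"""
FIXED_ROLE = """role name test
rule 1 permit command system-view ; ip route-static *
rule 2 permit command system-view ;undo ip route-static *
"""

def parse_permit_rules(config_text):
    """Yield (rule number, [view segments]) for each permit-command rule."""
    for line in config_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        # Segments are separated by ';', with or without surrounding spaces.
        segments = [s.strip() for s in m.group(2).split(";") if s.strip()]
        if segments:
            yield int(m.group(1)), segments

def strip_undo(segment):
    """Compare the undo form against the command it negates."""
    words = segment.split()
    return " ".join(words[1:] if words[:1] == ["undo"] else words)

def missing_view_prefix(config_text):
    """Return (rule number, command) for system-view commands with no system-view segment."""
    flagged = []
    for number, segments in parse_permit_rules(config_text):
        target = strip_undo(segments[-1])
        in_system_view = any(target.startswith(c) for c in SYSTEM_VIEW_COMMANDS)
        if in_system_view and "system-view" not in segments[:-1]:
            flagged.append((number, segments[-1]))
    return flagged

def suggest_fix(config_text):
    """Rewrite each flagged rule with the system-view segment in front."""
    return [f"rule {n} permit command system-view ; {cmd}"
            for n, cmd in missing_view_prefix(config_text)]
```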