Merge pull request #4674 from dmbaturin/op-mode-permissions

op-mode: T7745: add a CLI for operator user command permissions

Author: dmbaturin

data/config.boot.default

@@ -33,6 +33,11 @@ system {
     }
     host-name "vyos"
     login {
+        operator-group default {
+            command-policy {
+                allow "*"
+            }
+        }
         user vyos {
             authentication {
                 encrypted-password "$6$QxPS.uk6mfo$9QBSo8u1FkH16gMyAVhus6fU3LOzvLR9Z9.82m3tiHFAxTtIkhaZSWssSgzt4v4dGAL8rhVQxTg0oAG9/q11h/"

interface-definitions/system_login.xml.in

@@ -8,6 +8,38 @@
           <priority>400</priority>
         </properties>
         <children>
+          <tagNode name="operator-group">
+            <properties>
+              <help>Operator group</help>
+              <constraint>
+                #include <include/constraint/login-username.xml.i>
+              </constraint>
+              <constraintErrorMessage>Operator group name contains illegal characters or\nexceeds 100 character limitation.</constraintErrorMessage>
+            </properties>
+            <children>
+              <node name="command-policy">
+                <properties>
+                  <help>Command policy</help>
+                </properties>
+                <children>
+                  <leafNode name="allow">
+                    <properties>
+                      <multi/>
+                      <help>Command subtree allowed to execute</help>
+                      <valueHelp>
+                        <format>txt</format>
+                        <description>Exact command (e.g., 'show interfaces')</description>
+                      </valueHelp>
+                      <valueHelp>
+                        <format>txt</format>
+                        <description>Command wildcard (e.g., '* vpn')</description>
+                      </valueHelp>
+                    </properties>
+                  </leafNode>
+                </children>
+              </node>
+            </children>
+          </tagNode>
           <tagNode name="user">
             <properties>
               <help>Local user account information</help>
@@ -17,6 +49,26 @@
               <constraintErrorMessage>Username contains illegal characters or\nexceeds 100 character limitation.</constraintErrorMessage>
             </properties>
             <children>
+              <node name="operator">
+                <properties>
+                  <help>Restrict the user to operational mode</help>
+                </properties>
+                <children>
+                  <leafNode name="group">
+                    <properties>
+                      <multi/>
+                      <help>Operator group</help>
+                      <completionHelp>
+                        <path>system login operator-group</path>
+                      </completionHelp>
+                      <valueHelp>
+                        <format>txt</format>
+                        <description>Operator group name</description>
+                      </valueHelp>
+                    </properties>
+                  </leafNode>
+                </children>
+              </node>
               <node name="authentication">
                 <properties>
                   <help>Authentication settings</help>

src/conf_mode/system_login.py

@@ -14,7 +14,9 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
+import re
 import os
+import json
 
 from passlib.hosts import linux_context
 from psutil import users
@@ -171,6 +173,15 @@ def verify(login):
                 if 'key' not in pubkey_options:
                     raise ConfigError(f'Missing key for public-key "{pubkey}"!')
 
+            if 'operator' in user_config:
+                op_groups = dict_search('operator.group', user_config)
+                if op_groups:
+                    for og in op_groups:
+                        if dict_search(f'operator_group.{og}', login) is None:
+                            raise ConfigError(f'Operator group {og} does not exist')
+                else:
+                    raise ConfigError(f'User {user} is configured as an operator but is not assigned to any operator groups')
+
     if {'radius', 'tacacs'} <= set(login):
         raise ConfigError('Using both RADIUS and TACACS at the same time is not supported!')
 
@@ -306,6 +317,28 @@ def generate(login):
         if os.path.isfile(autologout_file):
             os.unlink(autologout_file)
 
+    # Operator groups and group membership
+    operator_config = {'users': {}, 'groups': {}}
+    if 'user' in login:
+        for user, user_config in login['user'].items():
+            op_groups = dict_search('operator.group', user_config)
+            if op_groups:
+                operator_config['users'][user] = op_groups
+
+    if 'operator_group' in login:
+        operator_config['groups'] = login['operator_group']
+
+        # Convert permissions strings to list
+        # so that the operational command runner doesn't have to
+        for g in operator_config['groups']:
+            policy = dict_search(f'command_policy.allow', operator_config['groups'][g])
+            if policy is not None:
+                policy = list(map(lambda s: re.split(r'\s+', s), policy))
+                operator_config['groups'][g]['command_policy']['allow'] = policy
+
+    with open('/etc/vyos/operators.json', 'w') as of:
+        json.dump(operator_config, of)
+
     return None
 
 
@@ -335,7 +368,11 @@ def apply(login):
             if tmp: command += f" --home '{tmp}'"
             else: command += f" --home '/home/{user}'"
 
-            command += f' --groups frr,frrvty,vyattacfg,sudo,adm,dip,disk,_kea {user}'
+            if 'operator' not in user_config:
+                command += f' --groups frr,frrvty,vyattacfg,sudo,adm,dip,disk,_kea'
+
+            command += f' {user}'
+
             try:
                 cmd(command)
                 # we should not rely on the value stored in user_config['home_directory'], as a

src/opt/vyatta/etc/shell/level/users/allowed-op

@@ -11,7 +11,10 @@ exit
 force
 monitor
 ping
+poweroff
+reboot
 reset
+restart
 release
 renew
 set

src/opt/vyatta/etc/shell/level/users/allowed-op.in

@@ -7,7 +7,10 @@ exit
 force
 monitor
 ping
+poweroff
+reboot
 reset
+restart
 release
 renew
 set

src/opt/vyatta/share/vyatta-op/functions/interpreter/vyatta-op-run

@@ -217,6 +217,20 @@ _vyatta_op_run ()
     local run_cmd=$(_vyatta_op_get_node_def_field $tpath/node.def run)
     run_cmd=$(_vyatta_op_conv_run_cmd "$run_cmd") # convert the positional parameters
     local ret=0
+
+    if groups "$(whoami)" | grep -q -E ' vyattacfg(\s|$)'; then
+      # If the user is an admin,
+      # use sudo directly for now
+      op_runner="sudo"
+    else
+      # If the user is an operator,
+      # use the new operational command runner
+      # (operator users have no sudo permissions)
+      # and give it the original VyOS command
+      op_runner="vyos-op-run"
+      run_cmd="$@"
+    fi
+
     # Exception for the `show file` command
     local file_cmd='\$\{vyos_op_scripts_dir\}\/file\.py'
     local cmd_regex="^(LESSOPEN=|less|pager|tail|(sudo )?$file_cmd).*"
@@ -234,9 +248,9 @@ _vyatta_op_run ()
         # to be able to do their job.
         eval "$run_cmd"
       elif [[ -t 1 && "${args[1]}" == "show" && ! $run_cmd =~ $cmd_regex ]] ; then
-        eval "(sudo $run_cmd) | ${VYATTA_PAGER:-cat}"
+        eval "($op_runner $run_cmd) | ${VYATTA_PAGER:-cat}"
       else
-        eval "sudo $run_cmd"
+        eval "$op_runner $run_cmd"
       fi
     else
       echo -ne "\n  Incomplete command: ${args[@]}\n\n" >&2