feature request: tac_plus-ng tags for device grouping criteria


Petr Issakov

Mar 11, 2024, 12:38:25 AM
to Event-Driven Servers
Hello, Marc! It would be great to distinguish devices by several abstract grouping criteria, for example tags.
Usage:
I have a huge device config:
device ipcore_ALL {
    .......
    device ipcore_NN { # about 100 regs with CRs BBRs ASBRs
        device ipcore_NN_CR {
            tag = CR
            tag = Huawei
            address = 1.1.1.1
            address = 1.1.1.2
            ...
        }
        device ipcore_NN_BBR {
            tag = BBR
            tag = Cisco
            address = 2.2.2.1
            address = 2.2.2.2
            ...
        }
        device ipcore_NN_ASBR {
            tag = ASBR
            tag = Juniper
            address = 3.3.3.1
            address = 3.3.3.1
        }
    }
    .......
}

and I want to separate different users' access to different regions (spans) and different types of devices (CR, BBR, ASBR) with different profiles (CRs - CRs: read/write, BBRs: only read)

user:
user demo_cn_adm {
    password login = clear test
    member = ipcore_cn_adm, ipcore_NN
}
rules:

realm ipcore {
    # import ipcore device
    include = /usr/local/etc/tac_plus-ng/.tac_plus_ipcore_dev.cfg
    ruleset {
        rule ipcore_spans {
            enabled = yes
            script {
                if (!
                    (
                        (member == ipcore_ALL && device == ipcore_ALL)
                        || (member == ipcore_ST && device == ipcore_NN)
                        ........
                    )
                ) deny
            }
        }
        rule ipcore_roles {
            enabled = yes
            script {
                if (member == ipcore_cn_adm) {
                    if (tag == CR) {
                        profile = mbh_cn_adm
                        permit
                    }
                    if (tag == BBR) {
                        profile = mbh_cn_mon
                        permit
                    }
                }
                .................
            }
        }
    }
}

Yes, I can create a Nets config and group them separately according to each of the criteria (tags), but in this case I need to describe the same devices in networks several times according to different criteria.

Petr Issakov

Mar 11, 2024, 7:54:17 AM
to Event-Driven Servers
Found a workaround using the label log variable. Maybe it will be useful for others:
device ipcore_NN { # about 100 regs with CRs BBRs ASBRs
    device ipcore_NN_CR {
        label = "CR,Cisco"
        address = 1.1.1.1
        address = 1.1.1.2
        ...
    }
    device ipcore_NN_BBR {
        label = "BBR,Juniper"
        address = 2.2.2.1
        address = 2.2.2.2
        ...
    }
    device ipcore_NN_ASBR {
        label = "ASBR,Huawei"
        address = 3.3.3.1
        address = 3.3.3.1
    }
}

user:
user demo_cn_adm {
    password login = clear test
    member = ipcore_cn_adm, ipcore_NN
}
rules:

realm ipcore {
    # import ipcore device
    include = /usr/local/etc/tac_plus-ng/.tac_plus_ipcore_dev.cfg
    ruleset {
        rule ipcore_spans {
            enabled = yes
            script {
                if (!
                    (
                        (member == ipcore_ALL && device == ipcore_ALL)
                        || (member == ipcore_ST && device == ipcore_NN)
                        ........
                    )
                ) deny
            }
        }
        rule ipcore_roles {
            enabled = yes
            script {
                if (member == ipcore_cn_adm) {
                    if ('${label}' =~ /CR/) {
                        profile = mbh_cn_adm
                        permit
                    }
                    if ('${label}' =~ /BBR/) {
                        profile = mbh_cn_mon
                        permit
                    }
                }
                .................
            }
        }
    }
}
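The label workaround above selects a profile with an unanchored regex, and a standard regex search for CR succeeds on any label that merely contains those two letters. The following is an added example, not code from the thread or from tac_plus-ng: it compares that substring match with a whole-field match over a comma-separated label using POSIX regcomp(). The function names and the sample labels are constructed, and it assumes the rule's match behaves like an ordinary unanchored regex search.

```c
#include <regex.h>
#include <stdio.h>

/* Returns 1 if the POSIX extended regex `pattern` matches anywhere in `text`,
 * 0 if it does not, -1 if the pattern fails to compile. */
static int regex_search(const char *pattern, const char *text)
{
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    int hit = regexec(&re, text, 0, NULL, 0) == 0;
    regfree(&re);
    return hit;
}

/* Substring match, the behaviour assumed for  '${label}' =~ /CR/  */
int label_contains(const char *label, const char *tag)
{
    return regex_search(tag, label);
}

/* Whole-field match: tag must be a complete comma-separated field.
 * Hypothetical helper; tag is assumed to hold no regex metacharacters. */
int label_has_token(const char *label, const char *tag)
{
    char pattern[128];
    int n = snprintf(pattern, sizeof pattern, "(^|,)%s(,|$)", tag);
    if (n < 0 || (size_t)n >= sizeof pattern)
        return -1;
    return regex_search(pattern, label);
}

int main(void)
{
    /* Constructed labels; the last two do not describe core routers. */
    const char *labels[] = { "CR,Cisco", "BBR,Juniper", "ASBR,CRS-lab", "NCR,Huawei" };
    for (size_t i = 0; i < sizeof labels / sizeof labels[0]; i++)
        printf("%-14s /CR/=%d  field=%d\n", labels[i],
               label_contains(labels[i], "CR"), label_has_token(labels[i], "CR"));
    return 0;
}
```

With the substring form, the two constructed non-CR labels would receive the read/write profile; anchoring the pattern on the comma separators restricts the match to a whole field.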

Marc Huber

Mar 11, 2024, 1:43:00 PM
to event-driv...@googlegroups.com
Hi Petr,

glad you've found a workaround!

I think that adding host tagging is a nice idea, thanks for that! One of
the next commits will support

-  "device.tag = ..." and, as a shortcut, "tag = ..." in device/host context
-  "device.tag" comparisons in script context.

Cheers,

Marc



Petr Issakov

Mar 15, 2024, 4:51:21 AM
to Event-Driven Servers
Hi, Marc!
I have tested the new feature (device tags).
Works great!
Thanks a lot!



Petr Issakov

Mar 28, 2024, 3:13:55 AM
to Event-Driven Servers
Marc, Hi again!
I really appreciate this feature. It enables writing very flexible rules.

But it would be great if children inherited tags from their parents, for example:

device ipcore_MR1 {
    tag = UTC3
    device ipcore_reg1 {
        tag = Huawei
        device ipcore_reg1_CR {
            tag = CR
            address = 10.1.1.1 # this device will inherit tag=UTC3 tag=Huawei
            address = 10.1.1.2
        }
    }
    device ipcore_reg2 {
        tag = Nokia
        device ipcore_reg2_CR {
            tag = CR
            address = 10.2.1.1
            address = 10.2.1.2
        }
        device ipcore_reg2_BBR {
            tag = BBR
            address = 10.3.1.1
            address = 10.3.1.2
        }
    }
}

Is it possible?

Marc Huber

Mar 28, 2024, 8:14:30 AM
to event-driv...@googlegroups.com
Hi Petr,

my bad, thanks for reporting! I'd thought I'd have implemented that but
forgot to update the argument to tac_tag_regex_check(). I've just pushed
925dca1c58508950b6ea047f0ad680ac3f70b30d to fix this.

--- a/tac_plus-ng/config.c
+++ b/tac_plus-ng/config.c
@@ -4297,7 +4297,7 @@ static int tac_script_cond_eval(tac_session *
session, struct mavis_cond *m)
            {
                tac_host *h = session->ctx->host;
                while (!res && h) {
-                   res = tac_tag_regex_check(session, m,
session->ctx->host->tags);
+                   res = tac_tag_regex_check(session, m, h->tags);
                    h = h->parent;
                }
                return tac_script_cond_eval_res(session, m, res);
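Review bot: the loop in tac_script_cond_eval() now passes h->tags for every ancestor, so a parent host that defines no tags at all reaches tac_tag_regex_check() with whatever its tags field holds; the visible lines show no NULL check, so confirm the callee accepts an empty tag set or guard the call with a test on h->tags. The removed line always tested session->ctx->host->tags, which made the parent walk a no-op without any error, so a test config with a tag set only on a parent device would catch a regression here. Since the walk stops at the first ancestor that matches, it would also help to document that a device's effective tag set is the union of its own and all its parents' tags.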

Cheers,

Marc

Petr Issakov

Apr 2, 2024, 1:36:38 AM
to Event-Driven Servers
Hi, Marc!
Thank you, working great!
