Define Operational Mode Commands to Allow in an Op Script
Operation (op) scripts automate operational mode tasks and network troubleshooting on devices running Junos OS. Op scripts can execute operational mode commands within the script. By default, a script cannot execute operational mode commands that the login class of the user running the script does not permit. Starting in Junos OS Release 14.2, you can configure operational mode commands that a particular op script is allowed to execute. This permission applies to all users: the commands that you specify are executed even if the user who runs the script does not have permission to execute them directly.
Execution of configuration mode commands is not supported by this feature.
The allow-commands statement is only supported for op scripts that are local to the device. Remote op scripts that are executed using the op url command do not support executing unauthorized operational mode commands even when you configure the allow-commands statement.
In the following example, the sam.slax script contains this code:
    version 1.0;
    ns junos = "http://xml.juniper.net/junos/*/junos";
    ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
    ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
    import "../import/junos.xsl";

    match / {
        <op-script-results> {
            /* Print a short description, then prompt for the new date. */
            var $usage = "This script updates the date on the device.";
            var $temp = jcs:output($usage);
            var $date = jcs:get-input("Enter the date and time (YYYYMMDDHHMM.ss): ");
            /* Build the "set date" command and run it on the local device. */
            var $var = <command> "set date " _ $date;
            var $results = jcs:invoke( $var );
            copy-of $results;
        }
    }
The op script sam.slax uses the set date operational mode command, which is not permitted for user user1, who has view permissions.

    user1@device> op sam
    This script updates the date on the device.
    Enter the date and time (YYYYMMDDHHMM.ss): 201709111000.00
    error: permission denied: date
To configure the sam.slax op script to execute the set date operational mode command (must be a user in the Junos OS super-user login class):

    [edit system scripts op file sam.slax]
    admin@device# set allow-commands date
    admin@device# commit
User user1 can now successfully execute the op script.
    user1@device> op sam
    This script updates the date on the device.
    Enter the date and time (YYYYMMDDHHMM.ss): 201709111000.00
    Mon Sep 11 10:00:00 PDT 2017
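Because the allowed command runs for every user who can execute the script, the script itself is where the value passed to set date can be constrained. The following variant of sam.slax is an added example, not part of the original page or Juniper's script; it checks the entered value against the prompted YYYYMMDDHHMM.ss format before invoking the command. The regular expression and the error message text are assumptions of this example.

```slax
version 1.0;
ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
import "../import/junos.xsl";

match / {
    <op-script-results> {
        var $usage = "This script updates the date on the device.";
        var $temp = jcs:output($usage);
        var $date = jcs:get-input("Enter the date and time (YYYYMMDDHHMM.ss): ");

        /*
         * Assumed format check (not from the original script):
         * exactly twelve digits, a literal dot, and two digits.
         * [.] is used for the literal dot to avoid string escapes.
         */
        var $pattern = "^[0-9]{12}[.][0-9]{2}$";

        if (jcs:empty(jcs:regex($pattern, $date))) {
            /* Reject the input; the command is never built or invoked. */
            <xnm:error> {
                <message> "Invalid input: expected YYYYMMDDHHMM.ss";
            }
        }
        else {
            /* Input matches the expected format; run the allowed command. */
            var $var = <command> "set date " _ $date;
            var $results = jcs:invoke( $var );
            copy-of $results;
        }
    }
}
```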
To define the operational mode commands to allow in an op script:
1. Navigate to the op script where you want to allow operational mode commands.

   Note: Only users who belong to the Junos OS super-user login class can configure op scripts.

       [edit]
       admin@device# edit system scripts op file filename

2. Define the operational mode commands to allow.

       [edit system scripts op file filename]
       admin@device# set allow-commands "regular-expression"

3. Commit the configuration.

       [edit system scripts op]
       admin@device# commit