Define Operational Mode Commands to Allow in an Op Script
Operation (op) scripts automate operational tasks and network troubleshooting on Junos
devices. Op scripts can execute operational mode commands within the script. By default,
a user who runs an op script cannot use it to execute operational mode commands that
their login class does not have permission to execute. However, you can
configure an op script to execute specific operational mode commands regardless of the
user's permissions. Users in the Junos OS super-user login class can
configure the allow-commands statement at the [edit system
scripts op file filename] hierarchy level to define the
commands. The script executes the specified operational mode commands, even if the user
who executes the script does not have permissions to execute those commands.
The allow-commands statement does not support executing configuration mode
commands.
The allow-commands statement is only supported for op scripts that are local to
the device. Remote op scripts that you execute using the op url
command do not support executing unauthorized operational mode commands even when
you configure the allow-commands statement.
In the following example, the sam.slax op script contains the following code:

    version 1.2;
    ns junos = "http://xml.juniper.net/junos/*/junos";
    ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
    ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";
    import "../import/junos.xsl";

    match / {
        <op-script-results> {
            var $usage = "This script updates the date on the device.";
            var $temp = jcs:output($usage);
            /* Prompt the user for the new date and time. */
            var $date = jcs:get-input("Enter the date and time (YYYYMMDDHHMM.ss): ");
            /* Build and run the "set date" operational mode command. */
            var $var = <command> "set date " _ $date;
            var $results = jcs:invoke( $var );
            copy-of $results;
        }
    }

The op script uses the set date operational mode command. User user1 does not
have permission to execute this command.

    user1@device> op sam
    This script updates the date on the device.
    Enter the date and time (YYYYMMDDHHMM.ss): 201709111000.00
    error: permission denied: date

The following configuration enables the sam.slax op script to execute the
set date operational mode command:

    [edit system scripts op file sam.slax]
    admin@device# set allow-commands date
    admin@device# commit

User user1 can now successfully execute the op script.

    user1@device> op sam
    This script updates the date on the device.
    Enter the date and time (YYYYMMDDHHMM.ss): 201709111000.00
    Mon Sep 11 10:00:00 PDT 2017

To define the operational mode commands to allow in an op script:

1. Navigate to the op script for which you want to allow operational mode commands.
   Note: Only users who belong to the Junos OS super-user login class can configure op scripts.

    [edit]
    admin@device# edit system scripts op file filename

2. Define the operational mode commands to allow.

    [edit system scripts op file filename]
    admin@device# set allow-commands "regular-expression"

3. Commit the configuration.

    [edit system scripts op file filename]
    admin@device# commit
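
Because allow-commands lets a script run commands that the invoking user's login class denies, it is worth keeping an inventory of which op scripts carry it. The following is an added example, not part of the original documentation: it parses constructed "display set" output and lists every op script with an allow-commands pattern. The sample configuration, the script names other than sam.slax, and the wildcard heuristic are assumptions.

```python
import shlex

# Constructed sample of "show configuration system scripts op | display set" output.
SAMPLE_CONFIG = """\
set system scripts op file sam.slax allow-commands date
set system scripts op file diag.slax allow-commands "(show interfaces)|(show route)"
set system scripts op file helper.slax allow-commands ".*"
set system scripts op file report.slax
"""

PREFIX = ["set", "system", "scripts", "op", "file"]
# Assumption: a review heuristic, not Junos matching behaviour. Patterns that
# contain these wildcards are broad enough to deserve a manual look.
WILDCARDS = (".*", ".+")


def allowed_commands(config_text):
    """Map each op script file name to its allow-commands pattern (or None)."""
    scripts = {}
    for line in config_text.splitlines():
        tokens = shlex.split(line)  # handles the quoted regular expression
        if tokens[:5] != PREFIX or len(tokens) < 6:
            continue
        name = tokens[5]
        scripts.setdefault(name, None)
        if len(tokens) >= 8 and tokens[6] == "allow-commands":
            scripts[name] = tokens[7]
    return scripts


def review_list(config_text):
    """Return (script, pattern, has_wildcard) for scripts that set allow-commands."""
    findings = []
    for name, pattern in sorted(allowed_commands(config_text).items()):
        if pattern is None:
            continue  # script runs only with the invoking user's own permissions
        broad = any(w in pattern for w in WILDCARDS)
        findings.append((name, pattern, broad))
    return findings


if __name__ == "__main__":
    for name, pattern, broad in review_list(SAMPLE_CONFIG):
        flag = "REVIEW: wildcard" if broad else "ok"
        print(f"{name:15} {pattern!r:40} {flag}")
```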