Understanding QFabric System Login Classes

In some cases (such as device-level troubleshooting), it is useful to log in to individual QFabric system components so you can view and manage issues on a per-device basis. This topic explains the login classes that provide individual component access within a QFabric system.

Note:

Under normal operating conditions, you should manage the QFabric system as a single entity by using the QFabric system default partition command-line interface (CLI). The default partition CLI provides you with the ability to configure and monitor your entire QFabric system from a central location and should be used as the primary way to manage the system.

The QFabric system offers three special preset login classes that provide different levels of access to individual components within a QFabric system:

  • qfabric-admin—Provides the ability to log in to individual QFabric system components and manage them. This class is equivalent to setting the following permissions: access, admin, clear, firewall, interface, maintenance, network, reset, routing, secret, security, snmp, system, trace, and view. The qfabric-admin class also enables you to issue all operational mode commands except configure. To provide QFabric system component-level login and management privileges, include the qfabric-admin statement at the [edit system login user username authentication remote-debug-permission] hierarchy level.

  • qfabric-operator—Provides the privilege to log in to individual QFabric system components and view component operations and configurations. This class is equivalent to setting the following permissions: trace and view. The qfabric-operator class also enables you to issue the monitor and show log messages operational mode commands. To provide limited QFabric system component-level access, include the qfabric-operator statement at the [edit system login user username authentication remote-debug-permission] hierarchy level.

  • qfabric-user—Prevents access to individual QFabric system components. This class is the default setting for all QFabric system users and is equivalent to the preset Junos OS class of unauthorized. To prevent a user from accessing individual QFabric system components, include the qfabric-user statement at the [edit system login user username authentication remote-debug-permission] hierarchy level.
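
The following is an added example, not part of the original documentation or any Juniper tool: a small least-privilege audit that reads a configuration in set-command form and reports each user's component-level login class, falling back to the default qfabric-user. The set-command lines are derived from the hierarchy level named above; the sample configuration, usernames, and function names are constructed for illustration.

```python
import re

# Permissions this page lists for each preset class.
CLASS_PERMISSIONS = {
    "qfabric-admin": set("access admin clear firewall interface maintenance "
                         "network reset routing secret security snmp system "
                         "trace view".split()),
    "qfabric-operator": {"trace", "view"},
    "qfabric-user": set(),  # equivalent to the preset class "unauthorized"
}
DEFAULT_CLASS = "qfabric-user"  # applies when nothing is configured

USER_RE = re.compile(r"^set system login user (\S+)\s")
PERM_RE = re.compile(r"^set system login user (\S+) authentication "
                     r"remote-debug-permission (\S+)$")

def component_access(config_text):
    """Map each configured user to a component-level login class."""
    users = {}
    for line in map(str.strip, config_text.splitlines()):
        m = USER_RE.match(line)
        if not m:
            continue
        users.setdefault(m.group(1), DEFAULT_CLASS)
        p = PERM_RE.match(line)
        if p and p.group(2) not in CLASS_PERMISSIONS:
            raise ValueError(f"unknown class {p.group(2)!r}")
        if p:
            users[p.group(1)] = p.group(2)
    return users

def unapproved_admins(config_text, approved):
    """Users holding qfabric-admin who are not on the approved list."""
    return sorted(u for u, c in component_access(config_text).items()
                  if c == "qfabric-admin" and u not in approved)

# Constructed sample configuration; the usernames are made up.
SAMPLE = """\
set system login user alice class super-user
set system login user alice authentication remote-debug-permission qfabric-admin
set system login user bob authentication remote-debug-permission qfabric-operator
set system login user carol class read-only
set system login user dave authentication remote-debug-permission qfabric-admin
"""

if __name__ == "__main__":
    for user, cls in sorted(component_access(SAMPLE).items()):
        print(user, cls, ",".join(sorted(CLASS_PERMISSIONS[cls])) or "-")
    print("unapproved qfabric-admin:", unapproved_admins(SAMPLE, {"alice"}))
```

A user with no remote-debug-permission statement, such as carol in the sample, is reported as qfabric-user because that class is the default for all QFabric system users.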

When you perform the initial setup for the Director group, you must specify a username and password for QFabric components. Once configured, this information is stored in the QFabric system and mapped to the QFabric system login classes. Such mapping allows users with the proper login class (qfabric-admin or qfabric-operator) to log in automatically to a component without being prompted for the username and password.

After you assign the qfabric-admin or qfabric-operator class to a user, the user can log in to an individual QFabric system component by issuing the request component login component-name command. You can access Node devices, Interconnect devices, and virtual Junos Routing Engines (diagnostics, fabric control, and fabric manager) one at a time when you issue this command. To leave the CLI prompt of a component and return to the QFabric system default partition CLI, issue the exit command from the component’s operational mode CLI prompt.