Create MaaS RBAC for Cisco NX-OS switch
To deploy a bare-metal server and place it in the appropriate private VLAN, the MaaS service needs to log in to the Cisco top-of-rack (TOR) switch and run some configuration commands. To reduce human error and security risk, we create a dedicated user for the MaaS service on each TOR switch instead of sharing an administrative account.
The username is maas-sw, and it gets its own role with only the permissions the service needs.
Step 1: create the RBAC role
role name MaaS
  vlan policy deny
    permit vlan 500-510
  rule 20 permit read-write feature vlan
  interface policy deny
    permit interface ethernet 1/1-10
  rule 30 permit read-write feature interface
  rule 40 permit command show *
This role allows the maas-sw user to work only with VLANs 500-501 and the tasks related to them (create, delete, private-vlan settings, and so on); the vlan policy denies every other VLAN by default.
VLAN configuration can be applied only to interfaces eth1/1-10; because the interface policy is deny by default, the maas-sw user cannot modify any other interface.
Optional: for debugging, rule 40 allows all show commands (read-only), so the service can verify its changes without any extra write access.
Step 2: create a user for the MaaS service and assign it to the MaaS role.
username maas-sw password ****** role MaaS
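As an added example (not part of the original page), a small Python audit that parses the role block the way NX-OS prints it in show running-config and flags anything that would widen the maas-sw user's reach beyond VLANs and interfaces; the sample role text is constructed from the rules in Step 1, and the NX-OS rendering of the block is assumed.

```python
import re

# Constructed sample: the MaaS role from Step 1, as NX-OS is assumed to
# render it in "show running-config" (indentation is cosmetic for the parser).
MAAS_ROLE = """\
role name MaaS
  rule 40 permit command show *
  rule 30 permit read-write feature interface
  rule 20 permit read-write feature vlan
  vlan policy deny
    permit vlan 500-510
  interface policy deny
    permit interface ethernet 1/1-10
"""

def parse_role(text):
    """Parse one 'role name' block into its rules and vlan/interface policies."""
    role = {"rules": [], "vlan_policy": None, "vlans": [],
            "interface_policy": None, "interfaces": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"rule (\d+) (permit|deny) (command|read-write|read) (.+)", line):
            role["rules"].append((int(m[1]), m[2], m[3], m[4]))
        elif m := re.match(r"(vlan|interface) policy (deny|permit)", line):
            role[f"{m[1]}_policy"] = m[2]
        elif m := re.match(r"permit vlan (.+)", line):
            role["vlans"].append(m[1])
        elif m := re.match(r"permit interface (.+)", line):
            role["interfaces"].append(m[1])
    return role

def audit_role(text):
    """Return a list of findings; an empty list means the role is scoped as intended."""
    role = parse_role(text)
    findings = []
    # Both policies must be deny-by-default, otherwise the permit lists mean nothing.
    if role["vlan_policy"] != "deny":
        findings.append("vlan policy is not deny: role can touch every VLAN")
    if role["interface_policy"] != "deny":
        findings.append("interface policy is not deny: role can touch every interface")
    # Only show commands and read-write on the vlan/interface features are expected.
    for num, action, kind, arg in role["rules"]:
        if action != "permit":
            continue
        if kind == "command" and not arg.startswith("show"):
            findings.append(f"rule {num} permits a non-show command: '{arg}'")
        if kind == "read-write" and arg not in ("feature vlan", "feature interface"):
            findings.append(f"rule {num} grants read-write beyond vlan/interface: '{arg}'")
    return findings
```

Run the audit against the running-config of each TOR switch after provisioning, or on the config fragment in a change review, to catch a widened role before the maas-sw credentials are handed to the service.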