Re: Access denied in Maapi get_next

mdeprete · ‎09-06-2017

Hi team,

I am running a very simple Python script that opens a Maapi session, then goes through the list of all my IP address pools, and prints their names (NSO 4.4.2). On the dev server, it works fine, but on the prod one, I'm getting an "access denied" error :

File "<stdin>", line 7, in <module>

File "/opt/ncs/current/src/ncs/pyapi/ncs/maagic.py", line 1150, in next

k = self._cursor.next()

File "/opt/ncs/current/src/ncs/pyapi/ncs/maapi.py", line 946, in next

key = _tm.maapi.get_next(self.cur)

_ncs.error.Error: access denied (3): access denied

On the "broken" server, I have tried with different existing users in NSO ('admin', ...) but with no luck. I've also checked the development guide, and haven't found (yet ?) any recommendation on how to create scripting username/password. Is this a credentials issue, or something else ?

Regards,

Marc

Jan Lindblad · ‎09-06-2017

Is this the first maapi operation, i.e. no other maapi operations succeed earlier in the session?

On a local-install NSO system, there's the admin/admin user we all constantly use. However, there are no default user credentials on an NSO system-install server, so often there is no 'admin' user in a prod system. Could you check that you can manually log in on the prod server using the credentials you supply in your script?

mdeprete · ‎09-06-2017

Hi Jan,

Yes, it is the first Maapi operation of the script.

It's a system-install (and my dev server is indeed a local-install), and the credentials used in the script work fine to log into the prod server.

Here's the code, as you can see, nothing fancy :

NSO_ADMIN_NAME and NSO_ADMIN_PASSWD are variables defined separately and contain the user credentials (exact same issue whther I use the strings or the variables) :

with ncs.maapi.Maapi() as m:
    with ncs.maapi.Session (m, NSO_ADMIN_NAME, NSO_ADMIN_PASSWD):
        with m.start_write_trans(ncs.RUNNING) as t:
            root = ncs.maagic.get_root(t)
            for ipp in root.resource_pools.ip_address_pool:
                print ipp.name

M.

mdeprete · ‎09-06-2017

Talking to myself (just to close the question) :

I had to add the user $NSO_ADMIN_NAME in the admin group under nacm as well , and everything started to work.

Thanks Jan or pointing me in the right direction

M.

ryan-hitch · ‎08-15-2018

I apologize, but I still must be missing something. I am trying to run a python script on a system install, but cannot seem to get authentication working. The user I am supplying can login to the NSO CLI. Is this correct? The authenticate function in the API docs is listed as:

authenticate(self, user, password, n, src_addr=None, src_port=None, context=None,prot=None)

I am not sure what 'n' is supposed to be, or if this is even the correct function to use.

import ncs

USER_NAME = 'nsouser'

USER_PASSWORD = 'test'

m = ncs.maapi.Maapi()

m.start_user_session(USER_NAME, 'python')

m.authenticate(USER_NAME,USER_PASSWORD,1)

root = ncs.maagic.get_root(t)

output = root.devices.check_sync()

I get an "access denied", whether I specify the authenticate line or not, so I am probably doing something incorrectly.

"nsouser" is a member of the ncsadmin group, which has permit access to anything in the 'nacm' configuration section of NSO.

Help please.

Jan Lindblad · ‎08-16-2018

@ryan-hitch wrote:

I apologize, but I still must be missing something. I am trying to run a python script on a system install, but cannot seem to get authentication working. The user I am supplying can login to the NSO CLI. Is this correct? The authenticate function in the API docs is listed as:

authenticate(self, user, password, n, src_addr=None, src_port=None, context=None,prot=None)

I am not sure what 'n' is supposed to be, or if this is even the correct function to use.

import ncs

USER_NAME = 'nsouser'

USER_PASSWORD = 'test'

m = ncs.maapi.Maapi()

m.start_user_session(USER_NAME, 'python')

m.authenticate(USER_NAME,USER_PASSWORD,1)

root = ncs.maagic.get_root(t)

output = root.devices.check_sync()

I get an "access denied", whether I specify the authenticate line or not, so I am probably doing something incorrectly.

"nsouser" is a member of the ncsadmin group, which has permit access to anything in the 'nacm' configuration section of NSO.

Help please.

I had to look up what "n" is in the sources. Turns out it's the number of groups this user belongs to. Giving a too low number seems to lead to random client side stack overwrites in the C level of the python vm, so it seems very unsafe to use this low level function unless you know exactly what you're doing. And completely unnecessary.

I'd suggest having a look at

examples.ncs/getting-started/developing-with-ncs/16-py-maapi/high-level-read.py

to see how you can establish a working maagic environment. This example also specifies context 'system' rather than 'python'. The special 'system' context has two important effects:

- it turns off the access control for this session

- it makes this session not appear in the list of sessions. A CLI user might otherwise be a bit surprised by seeing your script logged in, and wonder who this is.

ryan-hitch · ‎08-16-2018

Many thanks Jan! That worked. I had looked through the MAAGIC/MAAPI API documentation and Development guide to no avail. Seems like this is something that should be mentioned explicitly in the documentation and guide. All of the examples in the Development guide use the 'python' context.

ncs.maapi.Session(m, 'nsouser', 'system'):

gschudel · ‎08-16-2018

Have this same comment, inconsistencies in the dev guide built around the less-rigorous demands of local install... chasing down these details has been "challenging" occasionally...

(glad this blog is archived :)