We have an action that is used to populate the list of available interfaces on a device. It was developed on a dev instance, i.e. local install where it runs with no issues. It doesn't work however in our lab/production environments which are system-installs.
# -*- mode: python; python-indent: 4 -*-
import ncs
from ncs.dp import Action
from _ncs.dp import action_reply_completion
import re
class NokiaPortCompletionAction(Action):
@Action.action
def cb_action(self, uinfo, name, kp, input, output, trans):
self.log.info("ActionCallback: ", "cb_action")
def cb_completion(self, uinfo, cli_style, token, completion_char,
kp, cmdpath, cmdparam_id, simpleType, extra):
self.log.info("ActionCallback: ", "cb_completion({},{},{},{},{},{},{},{},{})".format(
uinfo, cli_style, token, completion_char, kp, cmdpath, cmdparam_id, simpleType,
extra))
# Open NCS transaction.
with ncs.maapi.Maapi() as m:
with ncs.maapi.Session(m, uinfo.username, uinfo.context):
with m.start_read_trans() as t:
self.log.info(
f'Opened transaction for {uinfo.username} in context {uinfo.context}')
root = ncs.maagic.get_root(t)
self.log.info(f'Getting device keypath: {kp}')
device = re.findall(r'{.*?}', str(kp))[0].lstrip('{').rstrip('}').split(' ')[0]
self.log.info(f'Fetching all LAGs on {device}')
all_lags = root.ncs__devices.device[device].config.alu__lag
access_lags = [lag for lag in all_lags if lag.mode == 'access']
self.log.info(f'Fetching all ports on {device}')
all_ports = root.ncs__devices.device[device].config.alu__port
self.log.info(f'Device id: {device}')
We see this error in the devel.log of our lab (not working):
<ERR> 25-Oct-2023::10:29:01.741 nso-lab ncs[<0.25658.352>]: devel-c action completion() error {application, "Python cb_completion error. access denied (3): access denied"} for callpoint 'nokia_port_completion_act-action'
<ERR> 25-Oct-2023::10:29:01.741 nso-lab ncs[<0.25658.352>]: ncs Return error {cs_error,undefined,misc,application,undefined,undefined,
<<"Python cb_completion error. access denied (3): access denied">>,
undefined,undefined,false}
We've checked the permissions on our action.py file and its the same as a working action, so that's not the issue.
NACM config looks like this:
show running-config nacm
nacm read-default deny
nacm write-default deny
nacm exec-default deny
nacm rule-list [removed]
group [ removed ]
rule tailf-aaa-user
module-name tailf-aaa
path /user[name='$USER']
access-operations create,read,update,delete
action permit
!
rule tailf-webui-user
module-name tailf-webui
path /webui/data-stores/user-profile[username='$USER']
access-operations create,read,update,delete
action permit
!
rule tailf-aaa-alluser
module-name tailf-aaa
path /user
action deny
!
rule tailf-aaa-aaa
module-name tailf-aaa
path /aaa
action deny
!
rule nacm
module-name ietf-netconf-acm
path /
action deny
!
rule sync-to-one
path /devices/device/sync-to
access-operations exec
action deny
!
rule sync-to-all
path /devices/sync-to
access-operations exec
action deny
!
rule network-mgmt
path /
access-operations create,read,update,delete,exec
action permit
!
cmdrule c-logout
command logout
action deny
!
cmdrule j-logout
command "request system logout"
action deny
!
cmdrule sync-to-all
command "request devices sync-to"
action deny
!
cmdrule any-command
action permit
!
!
nacm cmd-read-default deny
nacm cmd-exec-default deny
Tried removing the last two lines of the nacm config and no change. Any suggestions on how to resolve would be appreciated.
