10-26-2023 08:43 AM
We have an action that is used to populate the list of available interfaces on a device. It was developed on a dev instance, i.e. a local install, where it runs with no issues. However, it doesn't work in our lab/production environments, which are system installs.
```python
# -*- mode: python; python-indent: 4 -*-
import ncs
from ncs.dp import Action
from _ncs.dp import action_reply_completion
import re


class NokiaPortCompletionAction(Action):
    @Action.action
    def cb_action(self, uinfo, name, kp, input, output, trans):
        self.log.info("ActionCallback: ", "cb_action")

    def cb_completion(self, uinfo, cli_style, token, completion_char,
                      kp, cmdpath, cmdparam_id, simpleType, extra):
        self.log.info("ActionCallback: ", "cb_completion({},{},{},{},{},{},{},{},{})".format(
            uinfo, cli_style, token, completion_char, kp, cmdpath, cmdparam_id, simpleType,
            extra))
        # Open NCS transaction.
        # The session runs as the calling user, so that user's NACM rules
        # apply to the reads below.
        with ncs.maapi.Maapi() as m:
            with ncs.maapi.Session(m, uinfo.username, uinfo.context):
                with m.start_read_trans() as t:
                    self.log.info(
                        f'Opened transaction for {uinfo.username} in context {uinfo.context}')
                    root = ncs.maagic.get_root(t)
                    self.log.info(f'Getting device keypath: {kp}')
                    # Extract the device name (first list key) from the keypath string.
                    device = re.findall(r'{.*?}', str(kp))[0].lstrip('{').rstrip('}').split(' ')[0]
                    self.log.info(f'Fetching all LAGs on {device}')
                    all_lags = root.ncs__devices.device[device].config.alu__lag
                    access_lags = [lag for lag in all_lags if lag.mode == 'access']
                    self.log.info(f'Fetching all ports on {device}')
                    all_ports = root.ncs__devices.device[device].config.alu__port
                    self.log.info(f'Device id: {device}')
```
We see this error in the devel.log of our lab (not working):
<ERR> 25-Oct-2023::10:29:01.741 nso-lab ncs[<0.25658.352>]: devel-c action completion() error {application, "Python cb_completion error. access denied (3): access denied"} for callpoint 'nokia_port_completion_act-action'
<ERR> 25-Oct-2023::10:29:01.741 nso-lab ncs[<0.25658.352>]: ncs Return error {cs_error,undefined,misc,application,undefined,undefined,
<<"Python cb_completion error. access denied (3): access denied">>,
undefined,undefined,false}
We've checked the permissions on our action.py file and it's the same as a working action, so that's not the issue.
NACM config looks like this:
```
show running-config nacm
nacm read-default deny
nacm write-default deny
nacm exec-default deny
nacm rule-list [removed]
 group [ removed ]
 rule tailf-aaa-user
  module-name tailf-aaa
  path /user[name='$USER']
  access-operations create,read,update,delete
  action permit
 !
 rule tailf-webui-user
  module-name tailf-webui
  path /webui/data-stores/user-profile[username='$USER']
  access-operations create,read,update,delete
  action permit
 !
 rule tailf-aaa-alluser
  module-name tailf-aaa
  path /user
  action deny
 !
 rule tailf-aaa-aaa
  module-name tailf-aaa
  path /aaa
  action deny
 !
 rule nacm
  module-name ietf-netconf-acm
  path /
  action deny
 !
 rule sync-to-one
  path /devices/device/sync-to
  access-operations exec
  action deny
 !
 rule sync-to-all
  path /devices/sync-to
  access-operations exec
  action deny
 !
 rule network-mgmt
  path /
  access-operations create,read,update,delete,exec
  action permit
 !
 cmdrule c-logout
  command logout
  action deny
 !
 cmdrule j-logout
  command "request system logout"
  action deny
 !
 cmdrule sync-to-all
  command "request devices sync-to"
  action deny
 !
 cmdrule any-command
  action permit
 !
!
nacm cmd-read-default deny
nacm cmd-exec-default deny
```
Tried removing the last two lines of the nacm config and no change. Any suggestions on how to resolve would be appreciated.
10-26-2023 11:26 PM - edited 10-26-2023 11:27 PM
I don't see any aaa entries in the devel.log. Is it possible to change the developer log level to "trace"? Then you should be able to see aaa entries in the log, which should help.
10-30-2023 11:55 AM
That did it, I was able to see the rule that it was getting tripped up on. Thanks!
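The thread was resolved by finding which NACM rule decided the request. As an added example (not code from the thread, and a simplified model of RFC 8341 first-match evaluation rather than NSO's implementation), the sketch below walks the posted data rules in order and names the deciding rule. The group name `ops`, the module name `alu` and the device name `pe1` used with it are constructed placeholders.

```python
import re

# Data rules transcribed from the posted rule-list, in order:
# (name, module-name, path, access-operations, action); "*" = not restricted.
CRUD = {"create", "read", "update", "delete"}
RULES = [
    ("tailf-aaa-user", "tailf-aaa", "/user[name='$USER']", CRUD, "permit"),
    ("tailf-webui-user", "tailf-webui",
     "/webui/data-stores/user-profile[username='$USER']", CRUD, "permit"),
    ("tailf-aaa-alluser", "tailf-aaa", "/user", "*", "deny"),
    ("tailf-aaa-aaa", "tailf-aaa", "/aaa", "*", "deny"),
    ("nacm", "ietf-netconf-acm", "/", "*", "deny"),
    ("sync-to-one", "*", "/devices/device/sync-to", {"exec"}, "deny"),
    ("sync-to-all", "*", "/devices/sync-to", {"exec"}, "deny"),
    ("network-mgmt", "*", "/", CRUD | {"exec"}, "permit"),
]
DEFAULTS = {"read": "deny", "create": "deny", "update": "deny",
            "delete": "deny", "exec": "deny"}  # read/write/exec-default deny
RULE_LIST_GROUPS = {"ops"}  # constructed; the post shows "[ removed ]"


def segments(path, user):
    """Split a path into (node, key-or-None) pairs, expanding $USER."""
    out = []
    for seg in filter(None, path.replace("$USER", user).split("/")):
        m = re.fullmatch(r"([^\[]+)(?:\[[^=]+='([^']*)'\])?", seg)
        out.append((m.group(1), m.group(2)))
    return out


def covers(rule_path, req_path, user):
    """True if the request is the rule's node or one of its descendants."""
    rule, req = segments(rule_path, user), segments(req_path, user)
    if len(rule) > len(req):
        return False
    return all(rn == qn and rk in (None, qk)
               for (rn, rk), (qn, qk) in zip(rule, req))


def decide(user, groups, module, path, op):
    """Return (action, deciding rule name) for one request; first match wins."""
    if RULE_LIST_GROUPS & set(groups):
        for name, mod, rpath, ops, action in RULES:
            if mod in ("*", module) and (ops == "*" or op in ops) \
                    and covers(rpath, path, user):
                return action, name
    return DEFAULTS[op], "default"
```

A user who is not in the rule-list's group never reaches `network-mgmt` and falls through to `read-default deny`, which is why the deciding rule has to be read from the trace log rather than guessed from the rule-list alone.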