Action permissions

RichardD2
Level 1

We have an action that is used to populate the list of available interfaces on a device. It was developed on a dev instance, i.e. a local install, where it runs with no issues. It doesn't work, however, in our lab/production environments, which are system installs.

# -*- mode: python; python-indent: 4 -*-
import re

import ncs
from ncs.dp import Action
from _ncs.dp import action_reply_completion  # used to hand the completion candidates back to the CLI


class NokiaPortCompletionAction(Action):
    @Action.action
    def cb_action(self, uinfo, name, kp, input, output, trans):
        # Action body; the part that fails is the completion callback below.
        self.log.info("ActionCallback: ", "cb_action")

    def cb_completion(self, uinfo, cli_style, token, completion_char,
                      kp, cmdpath, cmdparam_id, simpleType, extra):
        self.log.info("ActionCallback: ", "cb_completion({},{},{},{},{},{},{},{},{})".format(
            uinfo, cli_style, token, completion_char, kp, cmdpath, cmdparam_id, simpleType,
            extra))
        # Open a read transaction as the user who triggered the completion, in the
        # same context (cli, netconf, ...). NACM is therefore evaluated against that
        # user's groups, which is where an "access denied" on the read comes from.
        with ncs.maapi.Maapi() as m:
            with ncs.maapi.Session(m, uinfo.username, uinfo.context):
                with m.start_read_trans() as t:
                    self.log.info(
                        f'Opened transaction for {uinfo.username} in context {uinfo.context}')
                    root = ncs.maagic.get_root(t)
                    self.log.info(f'Getting device keypath: {kp}')
                    # kp looks like /ncs:devices/device{<name>}/...; the first key of the
                    # first keyed list node is the device name.
                    device = re.findall(r'{.*?}', str(kp))[0].lstrip('{').rstrip('}').split(' ')[0]
                    self.log.info(f'Fetching all LAGs on {device}')
                    all_lags = root.ncs__devices.device[device].config.alu__lag
                    access_lags = [lag for lag in all_lags if lag.mode == 'access']
                    self.log.info(f'Fetching all ports on {device}')
                    all_ports = root.ncs__devices.device[device].config.alu__port
                    self.log.info(f'Device id: {device}')

We see this error in the devel.log of our lab (not working):

<ERR> 25-Oct-2023::10:29:01.741 nso-lab ncs[<0.25658.352>]: devel-c action completion() error {application, "Python cb_completion error. access denied (3): access denied"} for callpoint 'nokia_port_completion_act-action'
<ERR> 25-Oct-2023::10:29:01.741 nso-lab ncs[<0.25658.352>]: ncs Return error {cs_error,undefined,misc,application,undefined,undefined,
                       <<"Python cb_completion error. access denied (3): access denied">>,
                       undefined,undefined,false}

We've checked the permissions on our action.py file and it's the same as a working action, so that's not the issue.
NACM config looks like this:

show running-config nacm
nacm read-default deny
nacm write-default deny
nacm exec-default deny
nacm rule-list [removed]
 group [ removed ]
 rule tailf-aaa-user
  module-name       tailf-aaa
  path              /user[name='$USER']
  access-operations create,read,update,delete
  action            permit
 !
 rule tailf-webui-user
  module-name       tailf-webui
  path              /webui/data-stores/user-profile[username='$USER']
  access-operations create,read,update,delete
  action            permit
 !
 rule tailf-aaa-alluser
  module-name tailf-aaa
  path        /user
  action      deny
 !
 rule tailf-aaa-aaa
  module-name tailf-aaa
  path        /aaa
  action      deny
 !
 rule nacm
  module-name ietf-netconf-acm
  path        /
  action      deny
 !
 rule sync-to-one
  path              /devices/device/sync-to
  access-operations exec
  action            deny
 !
 rule sync-to-all
  path              /devices/sync-to
  access-operations exec
  action            deny
 !
 rule network-mgmt
  path              /
  access-operations create,read,update,delete,exec
  action            permit
 !
 cmdrule c-logout
  command logout
  action  deny
 !
 cmdrule j-logout
  command "request system logout"
  action  deny
 !
 cmdrule sync-to-all
  command "request devices sync-to"
  action  deny
 !
 cmdrule any-command
  action permit
 !
!
nacm cmd-read-default deny
nacm cmd-exec-default deny

Tried removing the last two lines of the nacm config, and there was no change. Any suggestions on how to resolve this would be appreciated.
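Because the completion callback above opens its MAAPI session as uinfo.username in uinfo.context, the read of /devices/device{...}/config is authorized against that user's NACM groups, and the first matching rule in a matching rule-list wins before the read-default applies. The following is an added example, not code from the original post or from NSO: a simplified walk of the NACM rule evaluation (RFC 8341 section 3.4) loaded with the rule-list shown above. It assumes the redacted group is called netops, takes the module name of the requested node as an explicit argument instead of deriving it from the YANG model, ignores NSO-specific extensions such as context rules, and uses constructed user names (alice, bob) and device name (lab-sr1).

```python
# Simplified NACM (RFC 8341) rule walk. Added example; not NSO code.
# Assumptions: the page's rule-list applies to group "netops"; the caller
# states the module of the requested node; user/device names are constructed.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                         # "permit" or "deny"
    path: str = "/"                     # node-instance-identifier; keys optional
    ops: frozenset = frozenset({"*"})   # access-operations; "*" means all
    module: str = "*"                   # module-name; "*" means any module


@dataclass(frozen=True)
class RuleList:
    name: str
    groups: frozenset
    rules: tuple


@dataclass(frozen=True)
class Nacm:
    read_default: str
    write_default: str
    exec_default: str
    rule_lists: tuple


# One path component: "/name", "/prefix:name{k1 k2}" or "/name[key='v']"
_COMP = re.compile(r"/([^/\[{]+)(\{[^}]*\}|\[[^\]]*\])?")


def split_path(path):
    """'/ncs:devices/device{sr1}/config/alu:lag' -> [('devices', None), ('device', ('sr1',)), ...]"""
    comps = []
    for name, pred in _COMP.findall(path):
        name = name.rsplit(":", 1)[-1]          # drop the module prefix
        keys = None
        if pred.startswith("{"):                # NSO keypath style: {k1 k2}
            keys = tuple(pred[1:-1].split())
        elif pred.startswith("["):              # XPath predicate style: [name='x']
            keys = tuple(re.findall(r"='([^']*)'", pred))
        comps.append((name, keys))
    return comps


def path_matches(rule_path, req_path, user):
    """A rule path matches the named node and all its descendants (RFC 8341 3.4.5).
    A rule component with keys only matches the same instance; without keys it
    matches every instance. $USER is substituted before comparing."""
    rule = split_path(rule_path.replace("$USER", user))
    req = split_path(req_path)
    if len(rule) > len(req):
        return False
    for (rn, rk), (qn, qk) in zip(rule, req):
        if rn != qn or (rk is not None and rk != qk):
            return False
    return True


def decide(nacm, user, groups, op, path, module):
    """Return (decision, reason). First matching rule wins; otherwise the
    per-operation default applies (read/exec/write-default)."""
    groups = set(groups)
    for rl in nacm.rule_lists:
        if "*" not in rl.groups and not (rl.groups & groups):
            continue                            # rule-list is for other groups
        for r in rl.rules:
            if r.module != "*" and r.module != module:
                continue
            if "*" not in r.ops and op not in r.ops:
                continue
            if not path_matches(r.path, path, user):
                continue
            return r.action, f"{rl.name}/{r.name}"
    if op == "read":
        return nacm.read_default, "read-default"
    if op == "exec":
        return nacm.exec_default, "exec-default"
    return nacm.write_default, "write-default"


CRUD = frozenset({"create", "read", "update", "delete"})

# The rule-list from the post, in order; group name "netops" is an assumption.
PAGE_NACM = Nacm("deny", "deny", "deny", (RuleList("ops", frozenset({"netops"}), (
    Rule("tailf-aaa-user", "permit", "/user[name='$USER']", CRUD, "tailf-aaa"),
    Rule("tailf-webui-user", "permit", "/webui/data-stores/user-profile[username='$USER']", CRUD, "tailf-webui"),
    Rule("tailf-aaa-alluser", "deny", "/user", module="tailf-aaa"),
    Rule("tailf-aaa-aaa", "deny", "/aaa", module="tailf-aaa"),
    Rule("nacm", "deny", "/", module="ietf-netconf-acm"),
    Rule("sync-to-one", "deny", "/devices/device/sync-to", frozenset({"exec"})),
    Rule("sync-to-all", "deny", "/devices/sync-to", frozenset({"exec"})),
    Rule("network-mgmt", "permit", "/", CRUD | {"exec"}),
)),))

# The read the completion callback performs, for a constructed device name.
LAG_PATH = "/ncs:devices/device{lab-sr1}/config/alu:lag"

if __name__ == "__main__":
    for user, groups, op, path, mod in [
        ("alice", ["netops"], "read", LAG_PATH, "tailf-ncs"),        # permit, network-mgmt
        ("bob", ["guests"], "read", LAG_PATH, "tailf-ncs"),          # deny, read-default
        ("alice", ["netops"], "exec", "/ncs:devices/sync-to", "tailf-ncs"),  # deny, sync-to-all
    ]:
        print(user, op, path, "->", decide(PAGE_NACM, user, groups, op, path, mod))
```

The second case is the one to check first when a completion callback returns "access denied": a user whose groups are not named by any rule-list never reaches the permit-all network-mgmt rule and falls through to read-default deny. The third case shows why rule order matters: the exec deny on /devices/sync-to sits before the permit on /, so it wins even though both match.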

2 Accepted Solutions

jvikman
Cisco Employee

I don't see any aaa entries in the devel.log, is it possible to change the developer log level to "trace"? Then you should be able to see aaa entries into the log which should help.


RichardD2
Level 1

That did it, I was able to see the rule that it was getting tripped up on. Thanks!
