
How to define NACM paths for custom actions?

grundler
Level 1

I have an action that I can invoke from the CLI without problems, e.g.:

grundler@ncs> services foo my-action
some {
    name DATA
    other-stuff [ 1,2,3 ]
}

The intent is that "foo" actions will be used by software that is connecting to NSO via the NETCONF API, and I am trying to define a NACM rule that will limit the user associated with this process to only those actions defined below "/services/foo". I've created a rule-list that I thought should work:

group [ foo ];
rule action {
    path              /ncs:services/foo:foo;
    action            permit;
}

However, I get an access-denied error when I attempt to invoke the action. Enabling trace logging indicates the following error in netconf.log:

<DEBUG> 12-Nov-2021::13:34:10.082 ncs-2 ncs[3413]: devel-aaa User: foo[foo] rejected data access path /yangns:action op execute due to no rule matched and /nacm/exec-default is 'deny'

Changing the path to be more specific, i.e. "/services/foo/my-action", results in the same error. The payload I'm sending looks like this:

<action xmlns="urn:ietf:params:xml:ns:yang:1">
  <services xmlns="http://tail-f.com/ns/ncs">
    <foo xmlns="http://foo/ns">
      <my-action/>
    </foo>
  </services>
</action>

Changing the path in the rule to "/yangns:action" also has no effect, nor does appending it, i.e. "/yangns:action/ncs:services/...". Things do work if I just remove the path entirely -- can someone clue me in on what I'm missing?

1 Reply

karlnewell
Level 1

The rule needs to contain an `access-operations` leaf, and that rule must permit at least `exec`. See slide 53, https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKOPS-2700.pdf

It looks like `access-operations` accepts a comma-separated list of permitted values (even though the contextual help doesn't indicate as much).

group [ foo ];
rule action {
    path              /ncs:services/foo:foo;
    access-operations exec;
    action            permit;
}
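The matching logic the reply relies on, as an added example: a small Python model of RFC 8341 rule evaluation, written for this page and not NSO's own implementation. It assumes the action node path /ncs:services/foo:foo/foo:my-action (taken from the payload in the question); the rule-list name, the unrelated path /ncs:services/bar:bar/bar:run and the group "ops" are made up for the demonstration, and module-name matching and instance-identifier predicates are left out. It shows that a rule whose access-operations set does not include exec never matches an action invocation, so the decision falls through to exec-default, and that a permit scoped to /ncs:services/foo:foo does not reach other services or users outside the group.

```python
"""Simplified model of NACM (RFC 8341) rule evaluation, added as an example.
Not NSO code. Shows why a rule meant to allow an action invocation must permit
the 'exec' operation, and how exec-default 'deny' applies when no rule matches.
Module-name matching and instance-identifier predicates are not modelled."""

from dataclasses import dataclass, field
from typing import Optional

WRITE_OPS = {"create", "update", "delete"}


@dataclass(frozen=True)
class Rule:
    name: str
    access_operations: frozenset      # e.g. frozenset({"exec"}); {"*"} matches every operation
    action: str = "permit"            # "permit" or "deny"
    path: Optional[str] = None        # None: the rule applies to any node


@dataclass
class RuleList:
    name: str
    groups: frozenset                 # {"*"} matches every group
    rules: list = field(default_factory=list)


@dataclass
class Nacm:
    rule_lists: list
    read_default: str = "permit"
    write_default: str = "deny"
    exec_default: str = "deny"


def _components(path):
    # "/ncs:services/foo:foo" -> ["ncs:services", "foo:foo"]
    return [c for c in path.split("/") if c]


def path_covers(rule_path, requested_path):
    """A NACM path matches the node it names and every descendant of that node."""
    rp, rq = _components(rule_path), _components(requested_path)
    return rq[:len(rp)] == rp


def check_access(nacm, user_groups, op, path):
    """Return (decision, reason) for a user in user_groups performing op on path.

    Rule-lists and rules are evaluated in order; the first matching rule wins.
    A rule matches only if its access-operations include op (or '*') and its
    path, if present, covers the requested node.
    """
    for rl in nacm.rule_lists:
        if "*" not in rl.groups and not (rl.groups & user_groups):
            continue
        for rule in rl.rules:
            if "*" not in rule.access_operations and op not in rule.access_operations:
                continue
            if rule.path is not None and not path_covers(rule.path, path):
                continue
            return rule.action, f"matched rule-list '{rl.name}' rule '{rule.name}'"
    if op == "read":
        default = nacm.read_default
    elif op in WRITE_OPS:
        default = nacm.write_default
    elif op == "exec":
        default = nacm.exec_default
    else:
        raise ValueError(f"unknown operation {op!r}")
    return default, f"no rule matched and {op}-default is '{default}'"


def build_nacm(access_operations):
    """Constructed rule-list for group 'foo', mirroring the rule in the thread."""
    rule = Rule("action", frozenset(access_operations), "permit", "/ncs:services/foo:foo")
    return Nacm([RuleList("foo-actions", frozenset({"foo"}), [rule])])


# Assumed node paths: the action from the thread's payload, and an unrelated one.
ACTION_PATH = "/ncs:services/foo:foo/foo:my-action"
OTHER_PATH = "/ncs:services/bar:bar/bar:run"


def demo():
    """Decisions for invoking actions under different rules and principals."""
    return {
        "read_only_rule": check_access(build_nacm({"read"}), {"foo"}, "exec", ACTION_PATH)[0],
        "exec_rule": check_access(build_nacm({"exec"}), {"foo"}, "exec", ACTION_PATH)[0],
        "other_service": check_access(build_nacm({"exec"}), {"foo"}, "exec", OTHER_PATH)[0],
        "ungrouped_user": check_access(build_nacm({"exec"}), {"ops"}, "exec", ACTION_PATH)[0],
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {decision}")
```

The reason string in the no-match case mirrors the shape of the netconf.log line quoted in the question, which makes it easy to compare a planned rule-list against what the server reports before the rule goes live.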