11-12-2021 11:58 AM
I have an action that I can invoke from the CLI without problems, e.g.:
grundler@ncs> services foo my-action
some {
name DATA
other-stuff [ 1,2,3]
}
The intent is that "foo" actions will be used by software that is connecting to NSO via the netconf API, and I am trying to define a NACM rule that will limit the user associated with this process to only those actions defined below "/services/foo". I've created a rule-list that I thought should work:
group [ foo ];
rule action {
    path /ncs:services/foo:foo;
    action permit;
}
However, I get an access-denied error when I attempt to invoke the action. Enabling trace logging indicates the following error in netconf.log:
<DEBUG> 12-Nov-2021::13:34:10.082 ncs-2 ncs[3413]: devel-aaa User: foo[foo] rejected data access path /yangns:action op execute due to no rule matched and /nacm/exec-default is 'deny'
Changing the path to be more-specific, i.e. "/services/foo/my-action" results in the same error. The payload I'm sending looks like this:
<action xmlns="urn:ietf:params:xml:ns:yang:1">
  <services xmlns="http://tail-f.com/ns/ncs">
    <foo xmlns="http://foo/ns">
      <my-action/>
    </foo>
  </services>
</action>
Changing the path in the rule to "/yangns:action" also has no effect, nor does appending it, i.e. "/yangns:action/ncs:services/...". Things do work if I just remove the path entirely -- can someone clue me in on what I'm missing?
11-16-2021 09:09 AM
The rule needs to contain an `access-operations` leaf, and that rule must permit at least `exec`. See slide 53, https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKOPS-2700.pdf
It looks like `access-operations` accepts a comma separated list of permitted values (even though the contextual help doesn't indicate as much).
group [ foo ];
rule action {
    path /ncs:services/foo:foo;
    access-operations exec;
    action permit;
}
12-11-2025 12:43 PM
Just a follow-up note, we found that in some cases, you might need read & exec for a NACM rule. Why? Not really sure, but it seemed to fix our problem.
group [ foo ];
rule action {
    path /ncs:services/foo:foo;
    access-operations read,exec;
    action permit;
}
12-12-2025 12:43 AM
Yes you need both read and exec.
This is because an action can be anchored at a specific node. To find the exact action you need read access to all nodes along the way, including list instances.
If the user does not have read permission to a list instance, he/she should not be able to exec the action.
This is by design, and required by RFC8341:
If the <action> operation defined in [RFC7950] is invoked, then
read access is required for all instances in the hierarchy of data
nodes that identifies the specific action in the datastore, and
execute access is required for the action node. If the user is
not authorized to read all the specified data nodes and execute
the action, then the request is rejected with an "access-denied"
error.
I hope that helps explain why this is needed.
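To make the reasoning in the last two replies concrete (the follow-up that found `read,exec` was needed, and the answer citing RFC 8341), here is an added example that is not part of this thread and not NSO's own code: a small model of how a NACM rule-list authorizes a NETCONF `<action>`. It walks every data node that identifies the action and requires `read` on each, then requires `exec` on the action node, with locked-down defaults. Two things in it are assumptions rather than RFC text: a rule's `path` matches that node and its descendants, and a rule that permits `read` on a node also allows reading the node's ancestors so it can be navigated to at all. The action path and the `bar:bar` service are constructed for the demo.

```python
"""Model of how a NACM (RFC 8341) rule-list authorizes a NETCONF <action>.

Constructed example for this thread; it is not NSO's implementation.
Assumptions made here (beyond the RFC text quoted in the thread):
  * a rule whose `path` names a node matches that node and its descendants;
  * a permit rule that grants `read` on a node also lets the user read the
    node's ancestors, so that the node can be navigated to at all.
"""
from dataclasses import dataclass

ACCESS_OPS = ("create", "read", "update", "delete", "exec")

# Locked-down defaults: nothing is allowed unless a rule says so. The thread's
# error message shows exec-default is 'deny'; read-default is set to deny here
# too, because the goal is a user who can do nothing but these actions.
LOCKED_DOWN = {op: "deny" for op in ACCESS_OPS}


@dataclass(frozen=True)
class Rule:
    name: str
    path: tuple              # path segments, e.g. ("ncs:services", "foo:foo")
    access_operations: frozenset
    action: str              # "permit" or "deny"


def parse_path(path: str) -> tuple:
    """'/ncs:services/foo:foo' -> ('ncs:services', 'foo:foo')."""
    return tuple(seg for seg in path.strip("/").split("/") if seg)


def make_rule(name: str, path: str, access_operations: str, action: str = "permit") -> Rule:
    """Build a rule from the comma-separated access-operations syntax used in the thread."""
    ops = frozenset(op.strip() for op in access_operations.split(","))
    unknown = ops - set(ACCESS_OPS) - {"*"}
    if unknown:
        raise ValueError(f"unknown access-operations: {sorted(unknown)}")
    return Rule(name, parse_path(path), ops, action)


def is_prefix(prefix: tuple, path: tuple) -> bool:
    return path[:len(prefix)] == prefix


def decide(rules, defaults, path: tuple, op: str):
    """First matching rule wins; otherwise the per-operation default applies."""
    for rule in rules:
        if op not in rule.access_operations and "*" not in rule.access_operations:
            continue                      # rule does not cover this operation
        if is_prefix(rule.path, path):    # node is the rule's path or below it
            return rule.action, f"rule '{rule.name}'"
        # Assumption: reading an ancestor is allowed when the rule grants read below it.
        if op == "read" and rule.action == "permit" and is_prefix(path, rule.path):
            return "permit", f"rule '{rule.name}' (ancestor of its path)"
    return defaults[op], f"no rule matched, {op}-default is '{defaults[op]}'"


def authorize_action(rules, defaults, action_path: str):
    """Apply the RFC 8341 requirement quoted in the thread: read access on every
    data node that identifies the action, then exec access on the action node.
    Returns (permitted, trace) where trace lists each check in order."""
    segs = parse_path(action_path)
    trace = []
    for depth in range(1, len(segs)):                 # every ancestor data node
        node = segs[:depth]
        decision, reason = decide(rules, defaults, node, "read")
        trace.append(f"read /{'/'.join(node)}: {decision} ({reason})")
        if decision != "permit":
            return False, trace                       # RFC: reject with access-denied
    decision, reason = decide(rules, defaults, segs, "exec")
    trace.append(f"exec {action_path}: {decision} ({reason})")
    return decision == "permit", trace


# The two rule-lists from the thread, with the path and operations as posted.
EXEC_ONLY = [make_rule("action", "/ncs:services/foo:foo", "exec")]
READ_EXEC = [make_rule("action", "/ncs:services/foo:foo", "read,exec")]
MY_ACTION = "/ncs:services/foo:foo/foo:my-action"     # constructed action path

if __name__ == "__main__":
    for label, rules in (("exec only", EXEC_ONLY), ("read,exec", READ_EXEC)):
        ok, trace = authorize_action(rules, LOCKED_DOWN, MY_ACTION)
        print(f"{label}: {'permitted' if ok else 'access-denied'}")
        for line in trace:
            print("   ", line)
    # Actions under other services stay denied, which is the restriction the thread wants.
    ok, _ = authorize_action(READ_EXEC, LOCKED_DOWN, "/ncs:services/bar:bar/bar:other-action")
    print("other service with read,exec:", "permitted" if ok else "access-denied")
```

Running it shows the `exec`-only rule failing at the first `read` check of an ancestor node with the same "no rule matched" reason as the netconf.log line above, while the `read,exec` rule passes every check and still leaves actions under a different service denied. The trace is the useful part when debugging a real deployment: it tells you which node in the hierarchy lacked read access, which the bare access-denied error does not.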