12-19-2022 06:04 AM - edited 12-19-2022 06:20 AM
Hey,
I have a particular NACM rule issue. I have a service FOO (top-level container) with an action on xpath: /FOO:FOO/get-config. The action returns a bunch of text.
I have to allow people to read from FOO and be able to exec get-config. RESTCONF only.
nacm rule-list MYlist
 group [ rest_api ]
 rule read-access
  module-name FOO
  path *
  access-operations read
  action permit
  context rest
 !
 rule get-config
  path /FOO:FOO/FOO:get-config
  access-operations read,exec
  action permit
  context rest
 !
!
I'm not that concerned about the read-access rule; it has been around for a while and it works. I'm having a tough time with get-config, though. Ideally I would like to limit the rule to the action only, with a path to it like above. It's not working; I get:
<errors xmlns="urn:ietf:params:xml:ns:yang:ietf-restconf">
  <error>
    <error-type>application</error-type>
    <error-tag>malformed-message</error-tag>
    <error-path xmlns:FOO="http://fe.com/FOO">/FOO:FOO/FOO:get-config</error-path>
    <error-message>Python cb_action error. access denied (3): access denied</error-message>
  </error>
</errors>
The only way I can get it working is if I put a wildcard under path:
 rule get-config
  path *
  access-operations read,exec
  action permit
  context rest
 !
If I add 'module-name FOO' to this, it stops working too. The existence or absence of the other rule doesn't make a difference either; I tried.
We are on NSO 5.8.2.
What am I doing wrong?
12-20-2022 06:48 AM - edited 12-20-2022 06:48 AM
We figured out the issue. The action is reading from a BAR service in the background. Adding a read rule for BAR fixed the issue.
The Python cb_action error was a good enough lead, but I just missed the obvious yesterday.
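A simplified model of first-match NACM rule evaluation, added here as an example (not code from the poster or from NSO), showing why each rule variant in the thread behaves as reported once the action's background read of BAR is counted. Assumptions: requests that match no rule are denied, the BAR path `/BAR:BAR` and the rule name `read-bar` are constructed, and `context` and group matching are left out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    ops: frozenset
    module: str = "*"    # NACM treats an omitted module-name as "any module"
    path: str = "*"      # "*" stands for an omitted or wildcard path
    permit: bool = True

    def matches(self, module, path, op):
        if op not in self.ops or self.module not in ("*", module):
            return False
        # A path rule covers the named node and everything below it.
        return self.path == "*" or path == self.path or path.startswith(self.path + "/")

# Assumption: requests that match no rule are denied (read-default / exec-default deny).
DEFAULTS = {"read": False, "exec": False}

def permitted(rules, module, path, op):
    """First matching rule decides; otherwise the default for that operation."""
    for rule in rules:
        if rule.matches(module, path, op):
            return rule.permit
    return DEFAULTS[op]

# What one RESTCONF call to the action needs, per the thread's resolution.
ACTION_EXEC = ("FOO", "/FOO:FOO/FOO:get-config", "exec")
BACKGROUND_READ = ("BAR", "/BAR:BAR", "read")   # constructed path for the BAR service

def action_succeeds(rules):
    return all(permitted(rules, *req) for req in (ACTION_EXEC, BACKGROUND_READ))

READ_EXEC = frozenset({"read", "exec"})
READ_FOO = Rule("read-access", frozenset({"read"}), module="FOO")
BY_PATH = Rule("get-config", READ_EXEC, path="/FOO:FOO/FOO:get-config")
WILDCARD = Rule("get-config", READ_EXEC)                      # path *, no module-name
WILDCARD_FOO = Rule("get-config", READ_EXEC, module="FOO")    # path * plus module-name FOO
READ_BAR = Rule("read-bar", frozenset({"read"}), module="BAR")  # hypothetical rule name

if __name__ == "__main__":
    for label, rules in [("path to action", [READ_FOO, BY_PATH]),
                         ("path *", [READ_FOO, WILDCARD]),
                         ("path * + module-name FOO", [READ_FOO, WILDCARD_FOO]),
                         ("path to action + BAR read", [READ_FOO, BY_PATH, READ_BAR])]:
        print(f"{label:28} -> {'ok' if action_succeeds(rules) else 'access denied'}")
```

The path-scoped rule does permit the exec itself; the denial comes from the read of BAR, which only the unscoped wildcard or an explicit BAR read rule covers.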