NACM rule for custom service action

u.avsec
Spotlight

Hey,

I have a particular NACM rule issue. I have a service FOO (top-level container) with an action on xpath: /FOO:FOO/get-config. The action returns a bunch of text.

I have to allow people to read from FOO and be able to exec get-config. RESTCONF only.

 

nacm rule-list MYlist
 group [ rest_api ]
 rule read-access
  module-name       FOO
  path              *
  access-operations read
  action            permit
  context           rest
 !
 rule get-config
  path              /FOO:FOO/FOO:get-config
  access-operations read,exec
  action            permit
  context           rest
 !
!

 

I'm not that concerned about the read-access rule; it has been around for a while and it works. I'm having a tough time with get-config though. Ideally I would like to limit the rule to the action only, with a path to it like above. It's not working; I get:

 

<errors xmlns="urn:ietf:params:xml:ns:yang:ietf-restconf">
  <error>
    <error-type>application</error-type>
    <error-tag>malformed-message</error-tag>
    <error-path xmlns:FOO="http://fe.com/FOO">/FOO:FOO/FOO:get-config</error-path>
    <error-message>Python cb_action error. access denied (3): access denied</error-message>
  </error>
</errors>

 

The only way I can get it working is if I put a wildcard under path:

 

rule get-config
  path *
  access-operations read,exec
  action permit
  context rest
!

 

If I add 'module-name FOO' to this, it stops working too. The existence or absence of the other rule doesn't make a difference either; I tried.

We are on NSO 5.8.2.

 What am I doing wrong?

1 Reply

u.avsec
Spotlight

We figured out the issue. The action is reading from a BAR service in the background. Adding a read rule for BAR fixed the issue.

The Python cb_action error was a good enough lead, but I just missed the obvious yesterday.
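
The following is an added example, not code from the thread or from NSO: a simplified first-match NACM evaluator (in the style of RFC 8341) showing why each rule variant in the thread permits or denies the call once the action's background read of BAR is counted. Assumptions: unmatched requests are denied, the BAR path `/BAR:BAR` and the rule name `read-bar` are constructed, and path matching is reduced to node-or-descendant prefix matching.

```python
# Simplified NACM model: rules are checked in order, the first match decides.
# Assumption: a request matching no rule is denied, as observed in the thread.
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    ops: frozenset           # access-operations
    module: str = "*"        # module-name (omitted means any module)
    path: str = "*"          # path
    action: str = "permit"

def matches(rule, module, path, op):
    if op not in rule.ops:
        return False
    if rule.module not in ("*", module):
        return False
    # A path rule covers the node itself and its descendants.
    return rule.path == "*" or path == rule.path or path.startswith(rule.path + "/")

def check(rules, module, path, op):
    for rule in rules:
        if matches(rule, module, path, op):
            return rule.action == "permit"
    return False  # assumed default deny

def run_action(rules):
    """The call succeeds only if exec on the action AND the callback's read pass."""
    needed = [
        ("FOO", "/FOO:FOO/FOO:get-config", "exec"),
        ("BAR", "/BAR:BAR", "read"),  # constructed path for the background read
    ]
    return all(check(rules, m, p, op) for m, p, op in needed)

READ_FOO = Rule("read-access", frozenset({"read"}), module="FOO")
GET_CONFIG = Rule("get-config", frozenset({"read", "exec"}), path="/FOO:FOO/FOO:get-config")
WILDCARD = Rule("get-config", frozenset({"read", "exec"}))
WILDCARD_FOO = Rule("get-config", frozenset({"read", "exec"}), module="FOO")
READ_BAR = Rule("read-bar", frozenset({"read"}), module="BAR")  # hypothetical rule name

SCENARIOS = {
    "original rule-list": [READ_FOO, GET_CONFIG],
    "path * workaround": [READ_FOO, WILDCARD],
    "path * with module-name FOO": [READ_FOO, WILDCARD_FOO],
    "original plus read rule for BAR": [READ_FOO, GET_CONFIG, READ_BAR],
}

if __name__ == "__main__":
    for label, rules in SCENARIOS.items():
        print(f"{label}: {'permit' if run_action(rules) else 'deny'}")
```

In this model the `path *` rule works only because, without a module-name, it also grants read on BAR, which is broader than the narrow action rule plus an explicit BAR read rule.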