11-03-2022 01:42 PM
Need help. I have a simple yang but when I use restconf to POST the request, I got an access-denied error.
curl -v -X POST -T Test573.xml -u sm000x:sm000x http://127.0.0.1:8080/restconf/operations/async-test:get-async-request
module async-test {
  namespace "http://com/att/async-test";
  prefix asyncT;

  import tailf-common {
    prefix tailf;
  }
  import tailf-ncs {
    prefix ncs;
  }

  list test-entry {
    key "service-name";
    leaf count {
      type int32;
    }
    leaf service-name {
      type string;
    }
  }

  list async-entry {
    config false;
    tailf:cdb-oper {
      tailf:persistent true;
    }
    tailf:info "Track outstanding asynchronous notifications";
    key "service-name";
    leaf count {
      type int32;
    }
    leaf service-name {
      type string;
    }
  }

  container test-api {
    config false;
    tailf:action get-test-request {
      tailf:actionpoint test-action-point;
      input {
        leaf service-name {
          type string;
        }
      }
      output {
      }
    }
  }

  rpc get-async-request {
    tailf:actionpoint test-action-point;
    input {
      leaf service-name {
        type string;
      }
    }
  }
}
The results:
curl -v -X POST -T Test573.xml -u sm000x:sm000x http://127.0.0.1:8080/restconf/operations/async-test:get-async-request
* About to connect() to 127.0.0.1 port 8080 (#0)
* Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
* Server auth using Basic with user 'sm000x'
> POST /restconf/operations/async-test:get-async-request HTTP/1.1
> Authorization: Basic c20wMDB4OnNtMDAweA==
> User-Agent: curl/7.29.0
> Host: 127.0.0.1:8080
> Accept: */*
> Content-Length: 555
> Expect: 100-continue
>
< HTTP/1.1 100 Continue
< Allow: GET, POST, OPTIONS, HEAD
< Content-Security-Policy: default-src 'self'; block-all-mixed-content; base-uri 'self'; frame-ancestors 'none';
< Strict-Transport-Security: max-age=15552000; includeSubDomains
< X-Content-Type-Options: nosniff
< X-Frame-Options: DENY
< X-XSS-Protection: 1; mode=block
* We are completely uploaded and fine
< HTTP/1.1 403 Forbidden
< Date: Thu, 03 Nov 2022 20:44:50 GMT
< Allow: GET, POST, OPTIONS, HEAD
< Cache-Control: private, no-cache, must-revalidate, proxy-revalidate
< Content-Length: 318
< Content-Type: application/yang-data+xml
< Content-Security-Policy: default-src 'self'; block-all-mixed-content; base-uri 'self'; frame-ancestors 'none';
< Strict-Transport-Security: max-age=15552000; includeSubDomains
< X-Content-Type-Options: nosniff
< X-Frame-Options: DENY
< X-XSS-Protection: 1; mode=block
< Pragma: no-cache
<
<errors xmlns="urn:ietf:params:xml:ns:yang:ietf-restconf">
<error>
<error-type>application</error-type>
<error-tag>access-denied</error-tag>
<error-path xmlns:asyncT="http://com/att/async-test">/asyncT:get-async-request</error-path>
<error-message>access denied</error-message>
</error>
</errors>
11-04-2022 12:17 AM
Hello,
You are facing a permission issue. I think you need to add a NACM rule to allow your user to execute the action.
11-04-2022 05:55 AM
Hi,
If you, on the NSO host, run
$ ncs_load -F p -p "/nacm"
it will print the NACM config you have configured in NSO. If that output is empty or does not have any rules for the groups the "sm000x" user belongs to, it explains the problem. Then you have to add permit rules for the group the user belongs to.
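Added example, not part of the original thread and not NSO's own code: a small checker that reads XML shaped like the `ncs_load -F p -p "/nacm"` output and reports whether a user may exec a given RPC, walking groups and rule-lists in the order RFC 8341 defines. The sample config, the group name `oper` and the rule names are constructed; the evaluation is a simplified model that ignores `enable-nacm` and NSO-specific extensions.

```python
import xml.etree.ElementTree as ET

NS = {"n": "urn:ietf:params:xml:ns:yang:ietf-netconf-acm"}  # RFC 8341 namespace
# Constructed sample shaped like `ncs_load -F p -p "/nacm"` output.
# Group "oper" and the rule names are hypothetical.
SAMPLE = """<config xmlns="http://tail-f.com/ns/config/1.0">
 <nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
  <exec-default>deny</exec-default>
  <groups><group><name>oper</name><user-name>sm000x</user-name></group></groups>
  <rule-list><name>oper-rules</name><group>oper</group>
   <rule><name>allow-async</name><module-name>async-test</module-name>
    <rpc-name>get-async-request</rpc-name>
    <access-operations>exec</access-operations><action>permit</action></rule>
  </rule-list>
 </nacm>
</config>"""

def _txt(elem, tag, default):
    return (elem.findtext("n:" + tag, default, NS) or default).strip()

def exec_decision(nacm_xml, user, module, rpc):
    """Return (action, reason) for an RPC exec request, walking rules in the
    order RFC 8341 prescribes. Simplified: ignores enable-nacm and NSO extensions."""
    root = ET.fromstring(nacm_xml)
    nacm = next(root.iter("{%s}nacm" % NS["n"]), None)
    if nacm is None:
        return "unknown", "no /nacm element in input"
    groups = {_txt(g, "name", "") for g in nacm.iterfind("n:groups/n:group", NS)
              if user in [u.text for u in g.iterfind("n:user-name", NS)]}
    for rl in nacm.iterfind("n:rule-list", NS):
        rl_groups = {g.text for g in rl.iterfind("n:group", NS)}
        if "*" not in rl_groups and not (groups & rl_groups):
            continue  # rule-list applies to other groups only
        for rule in rl.iterfind("n:rule", NS):
            if rule.find("n:path", NS) is not None or \
               rule.find("n:notification-name", NS) is not None:
                continue  # data-node or notification rule, not an RPC rule
            ops = _txt(rule, "access-operations", "*").split()
            if (_txt(rule, "module-name", "*") in ("*", module)
                    and _txt(rule, "rpc-name", "*") in ("*", rpc)
                    and ("*" in ops or "exec" in ops)):
                return _txt(rule, "action", "deny"), "rule " + _txt(rule, "name", "?")
    # No rule matched: exec-default applies (RFC 8341 default is "permit").
    why = "exec-default" if groups else "exec-default (user in no group)"
    return _txt(nacm, "exec-default", "permit"), why

if __name__ == "__main__":
    print(exec_decision(SAMPLE, "sm000x", "async-test", "get-async-request"))
    print(exec_decision(SAMPLE, "other", "async-test", "get-async-request"))
```

A result of `exec-default (user in no group)` points at missing group membership rather than a missing rule, which is worth separating before adding a permit rule.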
11-04-2022 07:38 AM
Thank you for the help. Now I am able to run the rpc.
11-04-2022 07:37 AM
Thank you very much for the help. I am able to execute the rpc after I added the NACM rule.