cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
974
Views
10
Helpful
4
Replies

NSO 5.7.3 access-denied issue

sm000x
Level 1
Level 1

Need help. I have a simple yang but when I use restconf to POST the request, I got access-denied error.

curl -v -X POST -T Test573.xml -u sm000x:sm000x http://127.0.0.1:8080/restconf/operations/async-test:get-async-request

module async-test {

namespace "http://com/att/async-test";
prefix asyncT;

import tailf-common {
prefix tailf;
}

import tailf-ncs {
prefix ncs;
}

list test-entry {
key "service-name";
leaf count {
type int32;
}
leaf service-name {
type string;
}
}

list async-entry {
config false;
tailf:cdb-oper {
tailf:persistent true;
}
tailf:info "Track outstanding asynchronous notifications";
key "service-name";
leaf count {
type int32;
}
leaf service-name {
type string;
}
}

container test-api {
config false;
tailf:action get-test-request {
tailf:actionpoint test-action-point;
input {
leaf service-name {
type string;
}
}
output {
}
}
}

rpc get-async-request {
tailf:actionpoint test-action-point;
input {
leaf service-name {
type string;
}
}
}
}

The results:

curl -v -X POST -T Test573.xml -u sm000x:sm000x http://127.0.0.1:8080/restconf/operations/async-test:get-async-request
* About to connect() to 127.0.0.1 port 8080 (#0)
* Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
* Server auth using Basic with user 'sm000x'
> POST /restconf/operations/async-test:get-async-request HTTP/1.1
> Authorization: Basic c20wMDB4OnNtMDAweA==
> User-Agent: curl/7.29.0
> Host: 127.0.0.1:8080
> Accept: */*
> Content-Length: 555
> Expect: 100-continue
>
< HTTP/1.1 100 Continue
< Allow: GET, POST, OPTIONS, HEAD
< Content-Security-Policy: default-src 'self'; block-all-mixed-content; base-uri 'self'; frame-ancestors 'none';
< Strict-Transport-Security: max-age=15552000; includeSubDomains
< X-Content-Type-Options: nosniff
< X-Frame-Options: DENY
< X-XSS-Protection: 1; mode=block
* We are completely uploaded and fine
< HTTP/1.1 403 Forbidden
< Date: Thu, 03 Nov 2022 20:44:50 GMT
< Allow: GET, POST, OPTIONS, HEAD
< Cache-Control: private, no-cache, must-revalidate, proxy-revalidate
< Content-Length: 318
< Content-Type: application/yang-data+xml
< Content-Security-Policy: default-src 'self'; block-all-mixed-content; base-uri 'self'; frame-ancestors 'none';
< Strict-Transport-Security: max-age=15552000; includeSubDomains
< X-Content-Type-Options: nosniff
< X-Frame-Options: DENY
< X-XSS-Protection: 1; mode=block
< Pragma: no-cache
<

<errors xmlns="urn:ietf:params:xml:ns:yang:ietf-restconf">
<error>
<error-type>application</error-type>
<error-tag>access-denied</error-tag>
<error-path xmlns:asyncT="http://com/att/async-test">/asyncT:get-async-request</error-path>
<error-message>access denied</error-message>
</error>
</errors>

2 Accepted Solutions

Accepted Solutions

Nabsch
Spotlight
Spotlight

Hello , 

You are facing permission issue. I think you need to add a nacm rule to allow your user to execute the action.

 

View solution in original post

tohagber
Cisco Employee
Cisco Employee

Hi,

If you, on the NSO host, run
$ ncs_load -F p -p "/nacm" 

It will print the configured NACM config you have configured in NSO. If that output is empty or do not have any rules for the groups the "sm000x" user belongs it explain the problem. Then you have to add permit rules for this group the user belongs to.



View solution in original post

4 Replies 4

Nabsch
Spotlight
Spotlight

Hello , 

You are facing permission issue. I think you need to add a nacm rule to allow your user to execute the action.

 

Thank you for the help. Now I am able to run the rpc.

tohagber
Cisco Employee
Cisco Employee

Hi,

If you, on the NSO host, run
$ ncs_load -F p -p "/nacm" 

It will print the configured NACM config you have configured in NSO. If that output is empty or do not have any rules for the groups the "sm000x" user belongs it explain the problem. Then you have to add permit rules for this group the user belongs to.



sm000x
Level 1
Level 1

Thank you very much for the help. I am able to execute rpc after I added the NACM rule.