NSO NACM - path not working

Denis10
Level 1

Hello,

I want to block all modifications on interfaces that have "BL" in their description, only allow read access.

The NACM rule looks like this:

rule deny-interfaces-with-BL-description
 module-name *
 path /devices/device/config/configuration/interfaces/interface[contains(description,'BL')]/description
 access-operations create,update,delete,exec
 action deny

The rule has no effect; when I try to do an xpath eval I get the interfaces that need to have only read access.

admin@nso(config)# xpath eval /devices/device/config/configuration/interfaces/interface[contains(description,'BL')]/description
/devices/device[name='XXX']/config/junos:configuration/interfaces/interface[name='xe-0/0/0']/description :: BLXXX

When I use the path:

/devices/device[name='XXX']/config/junos:configuration/interfaces/interface[name='xe-0/0/0']

the rule is working, so it seems that the issue is with the description part. When I specify the exact description that is on the interface:

path /devices/device/config/configuration/interfaces/interface[contains(description,'BL')]/description='BLXXX'

the rule is still not working.

1 Reply

mvolf
Cisco Employee

Have a look here. In short, you cannot use full XPath expressions as rule paths, only XPaths where predicates, if present, must identify key values. So yes, “the issue is with the description part”, as you write, and there is hardly any simple NACM-only way to make that work.
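An added example, not part of the thread: since the reply says rule paths may only carry key-value predicates, and the question confirms a path ending in interface[name='xe-0/0/0'] does work, this Python script takes the `xpath eval` output format shown in the question, extracts the interface instance paths, and renders one deny rule per matching interface. The sample output, the rule-list and group names, the rule names and the CLI layout are constructed assumptions, not from the page.

```python
import re

# Constructed sample of `xpath eval` output in the "<path> :: <value>" format
# shown in the question (one line per matching description leaf).
SAMPLE_XPATH_EVAL = """\
/devices/device[name='XXX']/config/junos:configuration/interfaces/interface[name='xe-0/0/0']/description :: BLXXX
/devices/device[name='XXX']/config/junos:configuration/interfaces/interface[name='xe-0/0/1']/description :: BL-uplink
/devices/device[name='YYY']/config/junos:configuration/interfaces/interface[name='ge-0/0/3']/description :: customer BL 7
"""

# Split each line into the interface instance path (key predicates only) and the description value.
LINE_RE = re.compile(r"^(?P<path>\S+)/description :: (?P<value>.*)$")


def interface_paths(xpath_eval_output: str, needle: str = "BL") -> list[str]:
    """Return key-predicate paths of the interfaces whose description contains `needle`."""
    paths = []
    for line in xpath_eval_output.splitlines():
        m = LINE_RE.match(line.strip())
        if m and needle in m.group("value"):
            paths.append(m.group("path"))
    return paths


def nacm_rules(paths: list[str], rule_list: str = "bl-readonly", group: str = "operators") -> str:
    """Render an NSO-style NACM rule-list with one deny rule per interface instance.

    Only key predicates appear in the generated paths, which is the only predicate
    form the reply above says NACM rule paths accept. Names and layout are assumed.
    """
    lines = [f"nacm rule-list {rule_list}", f" group [ {group} ]"]
    for i, path in enumerate(paths, 1):
        lines += [
            f" rule deny-bl-interface-{i}",
            "  module-name       *",
            f"  path              {path}",
            "  access-operations create,update,delete,exec",
            "  action            deny",
            " !",
        ]
    lines.append("!")
    return "\n".join(lines)


if __name__ == "__main__":
    print(nacm_rules(interface_paths(SAMPLE_XPATH_EVAL)))
```

The generated rules match exact instances only, so they cover just the interfaces present when the script ran; regenerate them whenever descriptions change, or a newly described "BL" interface will fall outside the deny rules.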