NSO NACM - path not working

Denis10 · ‎09-07-2023

Hello,

I want to block all modifications on interfaces that have "BL" in their description, only allow read access.

The NACM rule looks like this:

rule deny-interfaces-with-BL-description
module-name*
path /devices/device/config/configuration/interfaces/interface[contains(description,'BL')]/description
access-operations create,update,delete,exec
action deny

The rule has no effect, when I try to do a xpath eval I get the interfaces that need to have only read access.

admin@nso(config)# xpath eval /devices/device/config/configuration/interfaces/interface[contains(description,'BL')]/description
/devices/device[name='XXX']/config/junos:configuration/interfaces/interface[name='xe-0/0/0']/description :: BLXXX

When I use the path:

/devices/device[name='XXX']/config/junos:configuration/interfaces/interface[name='xe-0/0/0']

the rule is working, so it seems that the issue is with the description part. When I specify the exact description that is on the interface:

path /devices/device/config/configuration/interfaces/interface[contains(description,'BL')]/description='BLXXX'

the rule is still not working.

mvolf · ‎09-08-2023

Have a look here. In short, you cannot use full XPath expressions as rule paths, only XPaths where predicates, if present, must identify key values. So yes, “the issue is with the description part”, as you write, and there is hardly any simple NACM-only way to make that work.