Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1019
Views
0
Helpful
2
Replies

NSO schedular task -info "access denied"

yale.prince@leidos.com
Level 1
Level 1

‎10-14-2020 03:41 AM

 

Hi can any one tell me where i can view more detailed log files for why a scheduler task won't run.

the only error i get is when i issue show scheduler task command and i can see the task started to run but get the output

info "access denied"

 

what user doe the task run as ?

 

where can i see detailed logs ? (can't see anything in /var/logs/ncs)

 

the scheduler is calling and an action with in one of our services. the action can be successfully run directly from the ncs_cli

 

Thanks

Regards

Yale

0 Helpful
2 Replies 2

hniska
Cisco Employee
Cisco Employee

‎10-16-2020 06:52 AM

The action is run as the user that configured the task. You can see the scheduler history under

 

#> show scheduler task sync history

 

Error info should be in the developer log and xpath stuff are as usual in the xpath log. 

0 Helpful

JamesHarr74967
Level 1
Level 1

‎03-11-2024 12:15 PM

By default it runs as the current user and if you use something like RADIUS to provide groups when the user logs in then NSO will have no clue what groups you're in and you'll wind up with this.

The fix we (NOW) use is to look at a hidden leaf in the NSO scheduler.

jharr@nso> show configuration scheduler task global-check-sync
schedule      "58 * * * *";
action-node   /devices;
action-name   check-sync;
action-params <suppress-positive-result/>;
enabled;
history {
    max-size 360;
}
jharr@nso.bldc> unhide full

jharr@nso> show configuration scheduler task global-check-sync
schedule      "58 * * * *";
action-node   /devices;
action-name   check-sync;
action-params <suppress-positive-result/>;
enabled;
local-user    jharr;             // <--- HIDDEN, jharr does not exist locally
history {
    max-size 360;
}

We created add a user called `cron` to an appropriate group to give it permissions.

jharr@nso> unhide full
jharr@nso> configure
jharr@nso% set nacm groups group ncsadmin user-name cron
jharr@nso% set scheduler task global-check-sync local-user cron
jharr@nso% commit

The user doesn't need to exist anywhere outside of `nacm groups`, it just needs permissions in there. IE: You do NOT need to create a user under `aaa authentication`.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the NSO Developer community:

Customers Also Viewed These Support Documents