
NSO user admin didn't get all access even though we already did "usermod -a -G 'ncsadmin' 'admin'"

jinlliu, Cisco Employee

NSO version 4.7.2.1, system installation.

We found that NSO user 'admin' gets an access error when calling an action, but read/write of the service model is okay.

We use PAM as AAA and ran the CLI command usermod -a -G 'ncsadmin' 'admin' to grant all access to user admin, according to the installation guide.

Here is the nacm output:

admin@ncs# show running-config nacm groups
nacm groups group ncsadmin
user-name [ private]
!
nacm groups group ncsoper
user-name [ public ]
!


If we add 'admin' into ncsadmin in nacm, then the issue goes away.

Can any NSO expert explain this issue?

9 Replies

vleijon, Cisco Employee
The question is what groups were assigned when the user logged in. You didn't mention whether the user was using NETCONF, CLI or some other interface, and you didn't mention how authentication is set up; is it only local auth?

The easiest thing is to check audit.log for a line like this:

26-Jan-2018::17:41:45.937 VLEIJON-M-N1WC ncs[49510]: audit user: admin/52 assigned to groups: admin,staff,com.apple.sharepoint.group.1,everyone,localaccounts,_appserverusr,_appserveradm,_lpadmin,_appstore,_lpoperator,_developer,com.apple.access_ftp,com.apple.access_screensharing,com.apple.access_ssh

Hi,

Thanks for your prompt response.

The user we used to log in is a Linux user "admin", which belongs to the Linux group "ncsadmin"; the access issue came up both via CLI and via NETCONF.

And the authentication is using "PAM".

According to the comments below, which I found in the NSO docs, it seems that I should have all access to the network:

"Given the default NACM authorization rules we should have three different types of users on the system
Users with shell access that are members of ncsadmin Linux group. These users are considered fully trusted. They have full access to the system as well as the entire network."


Okay, the question is what groups are returned from PAM then; double-check in devel.log what it actually gives, though, to make sure it is what you expect! It might be that for some reason PAM doesn't return the ncsadmin group; this might especially be the case if PAM authenticates in turn against a remote source such as LDAP.

We didn't see devel.log, but we got the following output from audit.log:



18-Apr-2019::21:53:14.656 uhn4blcsns000000 ncs[13828]: audit user: admin/7549 assigned to groups: ncsadmin

18-Apr-2019::21:53:59.174 uhn4blcsns000000 ncs[13828]: audit user: admin/7549 CLI 'rmno pod epc_openstack_vim os-services disable binary nova-compute hosts [ UHN7ttce1cvcm009 ]'

18-Apr-2019::21:53:59.177 uhn4blcsns000000 ncs[13828]: audit user: admin/7550 assigned to groups:

18-Apr-2019::21:53:59.180 uhn4blcsns000000 ncs[13828]: audit user: admin/7550 Logged out from maapi ctx=cli (closed)


CLI 'rmno pod epc_openstack_vim os-services disable binary nova-compute hosts [ UHN7ttce1cvcm009 ]' is an action we defined.

By the way, there is no remote source in our environment.

If we add admin into nacm from the NSO CLI, this issue is gone, and the log below shows up.

Please notice the red-marked part: it is assigned to groups: ncsadmin this time, but if we delete admin from the nacm setting, it will be assigned an empty group list.



18-Apr-2019::22:36:37.858 uhn4blcsns000000 ncs[13828]: audit user: admin/7553 CLI 'rmno pod epc_openstack_vim os-services disable binary nova-compute hosts [ UHN7ttce1cvcm009 ]'

18-Apr-2019::22:36:37.861 uhn4blcsns000000 ncs[13828]: audit user: admin/7560 assigned to groups: ncsadmin

18-Apr-2019::22:36:39.618 uhn4blcsns000000 ncs[13828]: audit user: admin/7560 Logged out from maapi ctx=cli (closed)

18-Apr-2019::22:36:39.618 uhn4blcsns000000 ncs[13828]: audit user: admin/7553 CLI done


I am pretty sure I can tell you what is happening. I think that your action creates a fresh user session, using startUserSession or something like that, with an empty group list; that is the second line you see in the log.

Now, calling that API doesn't use a password, so it doesn't do proper authentication, so it doesn't get any external groups.

You want to give a group list when you start the user session. To avoid hardcoding both the username and the groups, you can look at the uinfo (userinfo) that you get when the action is called and make sure to pass that on to the new session.

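A quick way to confirm the diagnosis above on your own system is to scan audit.log for sessions that were "assigned to groups:" with nothing after the colon, and to see which command was logged just before each one. The following script is an added example, not code from this thread or from NSO; the sample lines are constructed after the audit.log lines posted above (hostname, pid and usids are illustrative), and it assumes the CLI-style "CLI '...'" command form shown here (other northbound interfaces may log commands differently).

```python
import re

# Constructed sample modelled on the audit.log lines posted in this thread (NSO 4.7).
SAMPLE_AUDIT_LOG = """\
18-Apr-2019::21:53:14.656 uhn4blcsns000000 ncs[13828]: audit user: admin/7549 assigned to groups: ncsadmin
18-Apr-2019::21:53:59.174 uhn4blcsns000000 ncs[13828]: audit user: admin/7549 CLI 'rmno pod epc_openstack_vim os-services disable binary nova-compute hosts [ UHN7ttce1cvcm009 ]'
18-Apr-2019::21:53:59.177 uhn4blcsns000000 ncs[13828]: audit user: admin/7550 assigned to groups:
18-Apr-2019::21:53:59.180 uhn4blcsns000000 ncs[13828]: audit user: admin/7550 Logged out from maapi ctx=cli (closed)
"""

# One audit line: "<timestamp> <host> ncs[<pid>]: audit user: <user>/<usid> <message>"
AUDIT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) ncs\[(?P<pid>\d+)\]: audit user: "
    r"(?P<user>[^/\s]+)/(?P<usid>\d+) ?(?P<msg>.*)$"
)
# Group assignment message; the list is comma separated and may be empty.
GROUPS_RE = re.compile(r"^assigned to groups:\s*(?P<groups>.*)$")
# Command message in the CLI form shown in the thread (assumption: other
# interfaces are not covered by this pattern).
ACTION_RE = re.compile(r"^CLI '(?P<cmd>.*)'$")


def parse_audit_line(line):
    """Split one audit.log line into its fields; return None for lines in other formats."""
    m = AUDIT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    g = GROUPS_RE.match(rec["msg"])
    if g:
        # An empty remainder means the session was started with no groups at all.
        rec["groups"] = [x.strip() for x in g.group("groups").split(",") if x.strip()]
    a = ACTION_RE.match(rec["msg"])
    if a:
        rec["command"] = a.group("cmd")
    return rec


def session_groups(log_text):
    """Map each user session id (usid) to the group list it was assigned."""
    result = {}
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec and "groups" in rec:
            result[rec["usid"]] = rec["groups"]
    return result


def find_groupless_sessions(log_text):
    """Report sessions assigned an empty group list, together with the most recent
    command logged before each one. In the pattern discussed in this thread that
    command is the action which opened the new, unauthenticated session."""
    findings = []
    last_command = None  # ("user/usid", command) of the latest CLI line seen
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec is None:
            continue
        if "command" in rec:
            last_command = (f'{rec["user"]}/{rec["usid"]}', rec["command"])
        elif "groups" in rec and not rec["groups"]:
            findings.append({
                "ts": rec["ts"],
                "user": rec["user"],
                "usid": rec["usid"],
                "triggered_by": last_command,
            })
    return findings


if __name__ == "__main__":
    for f in find_groupless_sessions(SAMPLE_AUDIT_LOG):
        origin = f["triggered_by"]
        where = f"after {origin[0]} ran {origin[1]!r}" if origin else "with no preceding command"
        print(f'{f["ts"]}: session {f["user"]}/{f["usid"]} started with no groups, {where}')
```

Run it against a real audit.log by replacing SAMPLE_AUDIT_LOG with the file contents. A session that shows up here gets no NACM groups unless the user happens to be listed directly under nacm groups, which is why adding admin to ncsadmin in nacm masked the problem in this thread; the durable fix is the one vleijon gives above, namely passing a group list when the action starts its user session.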
 

Hi vleijon,

You are so professional; what you say is very correct.

Our action creates a fresh user session using startUserSession with user admin but an empty group list.

Then it seems it will get the group assigned automatically if we add admin into ncsadmin in the nacm rule setting. Why?

And about the DpUserInfo userInfo you mentioned: it doesn't include group info, so we can't get its group list without hardcoding.

Sorry again.

Let me guess: in our case (user admin with shell access that is a member of the ncsadmin Linux group), the first user session will get ncsadmin assigned as its group when logging in by CLI/NETCONF.

Then the following user session will not get ncsadmin assigned if not specified, and with no definition under the nacm rule setting, it will fail due to the access issue.

Am I right?

Thanks again.

Yes, that is exactly right in your understanding!

I am trying to look at a way of digging up the group; I was certain it was in the uinfo, but it seems not. I'll have to poke around a bit.