11-11-2019 03:48 PM
Guys,
I've tried running sample Github external-id-allocation module, however its Python code throws an exception when the user has been authenticated with PAM. With local NSO user it works just fine. Both users have been assigned the ncsadmin group.
Here's the PAM user (fails):
rslaski@ncs# external-id-allocation request SRV1 allocate
Error: Python cb_action error. access denied (3): access denied

[rslaski@nso1 ~]$ groups rslaski
wheel ncsadmin

<ERROR> 05-Nov-2019::12:14:43.88 external-id-allocation ncs-dp-30450-external-id-allocation:redeploy-5-usid-24987-external-id-release-action: - access denied (3): access denied
<ERROR> 05-Nov-2019::12:14:43.89 external-id-allocation ncs-dp-30450-external-id-allocation:redeploy-5-usid-24987-external-id-release-action: - Traceback (most recent call last):
  File "/opt/ncs/ncs-5.2.0.3/src/ncs/pyapi/ncs/dp.py", line 637, in wrapper
    ret = fn(self, uinfo, str(name), kp, input, output, trans)
  File "/opt/ncs/ncs-5.2.0.3/src/ncs/pyapi/ncs/dp.py", line 616, in fn2
    return ofn(self, uinfo, name, kp, input, output)
  File "/var/opt/ncs/state/packages-in-use/1/external-id-allocation/python/external_id_allocation/external_id_release.py", line 46, in cb_action
    response = ncs.maagic.get_node(trans, kp)
  File "/opt/ncs/ncs-5.2.0.3/src/ncs/pyapi/ncs/maagic.py", line 1873, in get_node
    return cd(root, path)
  File "/opt/ncs/ncs-5.2.0.3/src/ncs/pyapi/ncs/maagic.py", line 1773, in cd
    node = node[child]
  File "/opt/ncs/ncs-5.2.0.3/src/ncs/pyapi/ncs/maagic.py", line 1088, in __getitem__
    self._backend._exists(self._path + keystr))):
  File "/opt/ncs/ncs-5.2.0.3/src/ncs/pyapi/ncs/maagic.py", line 127, in _exists
    return self.exists(path)
  File "/opt/ncs/ncs-5.2.0.3/src/ncs/pyapi/ncs/maapi.py", line 1198, in proxy
    return real(self2.maapi, self2.th, *args, **kwargs)
  File "/opt/ncs/ncs-5.2.0.3/src/ncs/pyapi/ncs/maapi.py", line 406, in exists
    return True if _tm.maapi.exists(self.msock, th, path) else False
Error: access denied (3): access denied
And here's the local user (succeeds):
ncs_local@ncs# external-id-allocation request SRV1 allocate
ncs_local@ncs#
System message at 2019-11-05 12:33:53...
Commit performed by ncs_local via tcp using cli.

nacm groups group ncsadmin
 user-name [ ncs_local private ]
!

<INFO> 05-Nov-2019::12:14:50.710 external-id-allocation ncs-dp-30450-external-id-allocation:redeploy-5-usid-24984-external-id-release-action: - action name: release
<INFO> 05-Nov-2019::12:14:50.783 external-id-allocation ncs-dp-30450-external-id-allocation:redeploy-5-usid-24984-external-id-release-action: - action release id: SRV1
Any ideas why?
11-11-2019 06:27 PM - edited 11-11-2019 06:43 PM
Yeah, I know why: The problem is the group assignments. If you look in audit.log you will see that there is a user that does not get assigned to the right groups. The call "with ncs.maapi.single_write_trans(uinfo.username, uinfo.context) as trans:" specifies only a user and no groups. In external authentication that is not enough, you need to explicitly give the groups argument for the user, unless you have explicit group mappings in the aaa subtree.
You can use a helper function like this to find the group:
    from _ncs import maapi as _maapi  # import not shown in the post; assumed to be the low-level _ncs.maapi module

    def get_users_groups(trans, uinfo):
        # Get the maapi socket of the transaction we were handed
        s = trans.maapi.msock
        # Ask the AAA layer which groups the calling session (usid) was authorized with
        auth = _maapi.get_authorization_info(s, uinfo.usid)
        return list(auth.groups)
Let me know if that makes sense or if you need a more explicit example.
Edit: I am actually not sure if this is enough for all the cases you need to cover, but it might be a start at least.
11-12-2019 10:52 AM
As the code in question is mine maybe I should give it a try too :).
Give this a try:

    import ncs  # import not shown in the post

    with ncs.maapi.Maapi() as m:
        # attach the read transaction to the caller's own user session (usid),
        # so its groups are inherited instead of being looked up again
        with m.start_read_trans(usid=uinfo.usid) as trans:
            pass  # read the data you need from trans here
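The following is an added example, not code from the thread or from the external-id-allocation package. It puts the two answers side by side: a small model of why a transaction opened with only a user name and context ends up with no NACM groups for a PAM user who is not listed under nacm/groups, plus two helpers an action callback can use so that an externally authenticated caller keeps its real groups. The NSO calls used (ncs.maapi.Maapi, start_read_trans, single_write_trans, _ncs.maapi.get_authorization_info) are the real API; the group-resolution model, the THREAD_CASES data and the helper names are assumptions constructed from the output shown in the thread.

```python
"""Added example (not the thread's own code).

effective_groups() is a simplified model of how a freshly started MAAPI
session gets its NACM groups; it is not NSO's implementation.  The other
two helpers use the real NSO Python API and only run inside NSO, so their
imports are done lazily and the model can be exercised on its own.
"""

# Constructed from the thread's output: nacm/groups lists the local user,
# while the PAM user's groups exist only in the OS / AAA session.
NACM_GROUPS = {"ncsadmin": ["ncs_local", "private"]}
THREAD_CASES = {
    "ncs_local": [],                    # local user, no explicit groups passed
    "rslaski": ["wheel", "ncsadmin"],   # PAM user, groups from `groups rslaski`
}


def effective_groups(username, explicit_groups, nacm_groups):
    """Model (assumption): explicit groups win; otherwise the user is only a
    member of the nacm/groups entries that name it under user-name.  An
    externally authenticated user is usually listed nowhere, so a call like
    single_write_trans(user, context) with the default empty groups gives a
    session with no groups at all, which is the thread's "access denied"."""
    if explicit_groups:
        return sorted(set(explicit_groups))
    return sorted(g for g, members in nacm_groups.items() if username in members)


def explain_thread():
    """Groups each user would get without and with the groups argument."""
    return {
        user: (
            effective_groups(user, None, NACM_GROUPS),
            effective_groups(user, session_groups_from_os, NACM_GROUPS),
        )
        for user, session_groups_from_os in THREAD_CASES.items()
    }


def session_groups(maapi, uinfo):
    """Groups the calling session (uinfo.usid) was authorised with.
    Works for local and PAM/external users because NSO's AAA layer is asked,
    not the nacm/groups configuration.  maapi is an ncs.maapi.Maapi."""
    import _ncs  # NSO-only; lazy so the module imports outside NSO
    auth = _ncs.maapi.get_authorization_info(maapi.msock, uinfo.usid)
    return list(auth.groups)


def read_as_caller(uinfo, path):
    """Read in a transaction attached to the caller's own session (the usid
    approach from the thread): no group lookup is needed at all."""
    import ncs  # NSO-only
    with ncs.maapi.Maapi() as m:
        with m.start_read_trans(usid=uinfo.usid) as trans:
            return trans.exists(path)


def write_as_caller(uinfo, fn):
    """Run fn(trans) in a write transaction started for the caller's user and
    context *with the caller's real groups*, which single_write_trans(user,
    context) alone does not do for externally authenticated users."""
    import ncs  # NSO-only
    with ncs.maapi.Maapi() as m:
        groups = session_groups(m, uinfo)
    with ncs.maapi.single_write_trans(uinfo.username, uinfo.context,
                                      groups=groups) as trans:
        result = fn(trans)
        trans.apply()
        return result


if __name__ == "__main__":
    for user, (without, with_groups) in explain_thread().items():
        print(f"{user}: without groups={without}, with groups={with_groups}")
```

Prefer read_as_caller for read-only actions, since it never re-derives authorization; use write_as_caller only where a separate write transaction is really needed, and note that both run with whatever NACM rules apply to the caller, so a PAM user denied by rule is still denied.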