Python Maapi Access Denied

Hi all,

 

The below works fine on a local install I have running, but when issuing the same on a system install we get this error:

 

[root@localhost:/opt/ncs/ncs-4.7.2.1/src]# python
Python 2.7.5 (default, Feb 20 2018, 09:19:12)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-28)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import ncs
>>> import ncs.maapi as maapi
>>> import ncs.maagic as maagic
>>>
>>> m = maapi.Maapi()
>>> m.start_user_session('admin','test_context')
>>> t = m.start_write_trans()
>>> root = maagic.get_root(t)
>>> root.devices.device['r01']
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/opt/ncs/current/src/ncs/pyapi/ncs/maagic.py", line 1070, in __getitem__
    self._backend._exists(self._path + keystr))):
  File "/opt/ncs/current/src/ncs/pyapi/ncs/maagic.py", line 127, in _exists
    return self.exists(path)
  File "/opt/ncs/current/src/ncs/pyapi/ncs/maapi.py", line 945, in proxy
    return real(self2.maapi, self2.th, *args, **kwargs)
  File "/opt/ncs/current/src/ncs/pyapi/ncs/maapi.py", line 386, in exists
    return True if _tm.maapi.exists(self.msock, th, path) else False
_ncs.error.Error: access denied (3): access denied
>>> quit ()

 

Any suggestions on how I can resolve this?

 

Thanks

Regards

Yale

1 Accepted Solution

It actually doesn’t matter which users exist where, all users exist in potentia (this is why ncs_cli -u nonexistent works). But, users without access rights can do nothing.

You can do show configuration nacm | details to see which rights have been assigned. In local install you have a lot of permissions by default for all users, but system install is meant to be used in production and is much stricter.

Make sure that whatever user you are using is mapped into a group and that the group has the appropriate permissions.

7 Replies

vleijon
Cisco Employee
The most common cause of problems between local and system install is trying to use the “admin” user; it doesn’t exist by default on a system install. I would start by looking for any user sessions started with a static user.

Hmmmm, OK. Our system install uses PAM for auth, and the Linux host uses LDAP. There is an AD account called admin, yet this still does not work.

Do I need to create the user via the ncs_cli?

Where should I be running this show command from?

admin@ncs# show configuration nacm | details
------------------------------^
syntax error: expecting
commit - Display configuration changes
rollback - Display configuration changes
admin@ncs#

That is the right place, but you have to do it using a user that has access rights. Try the user “private”, I think that is the default user, but I almost never do this.

Oops! Sorry, I missed that you were in Cisco mode, then it is show running-config nacm | details

Hello,
 
First, some system-install information - different from local-install:
 
  • Installation Directory is created in /opt/ncs/<nso-version>
  • Symbolic link /opt/ncs/current is created, pointing to the newly installed version, in this example /opt/ncs/<nso-version>
  • Configuration Directory is created in /etc/ncs/
    • ncs.conf 
  • Running Directory is created in /var/opt/ncs
  • Log Directory is created in /var/log/ncs.
 
During the system-install you get the following output (or something similar for your NSO version):
 
CentOS7-1 NCS]$ sudo ~/Desktop/Share/NCS/nso-4.5.3.linux.x86_64.installer.bin --system-install
INFO  Using temporary directory /tmp/ncs_installer.3964 to stage NCS installation bundle
INFO  Using /opt/ncs/ncs-4.5.3 for static files
INFO  Using /etc/ncs for configuration files
INFO  Using /var/opt/ncs for run-time state files
INFO  Using /var/log/ncs for log files
INFO  Unpacked ncs-4.5.3 in /opt/ncs/ncs-4.5.3
INFO  Found and unpacked corresponding DOCUMENTATION_PACKAGE
INFO  Found and unpacked corresponding EXAMPLE_PACKAGE
INFO  Generating default SSH hostkey (this may take some time)
INFO  SSH hostkey generated
INFO  Environment set-up generated in /opt/ncs/ncs-4.5.3/ncsrc
INFO  NCS installation script finished
INFO  Found and unpacked corresponding NETSIM_PACKAGE
INFO  Configuring installation for PAM authentication
INFO  Using PAM service system-auth for authentication
INFO  Generating self-signed certificates for HTTPS
INFO  Installed init script /etc/init.d/ncs
INFO  Installed user profile script ncs.sh in /etc/profile.d
INFO  Installed user profile script ncs.csh in /etc/profile.d
INFO  Installed 'logrotate' configuration file ncs in /etc/logrotate.d
 
INFO  The installation has been configured for PAM authentication,
INFO  with group assignment based on the OS group database
INFO  (e.g. /etc/group file). Users that need access to NCS must
INFO  belong to either the 'ncsadmin' group (for unlimited access
INFO  rights) or the 'ncsoper' group (for minimal access rights).
INFO  To create the 'ncsoper' group, use OS shell command:
 
  groupadd ncsoper
 
INFO  To add an existing user to one of these groups, use OS shell command:
 
  usermod -a -G <groupname> <username>
 
INFO  NCS installation complete
 
In order to allow a new or existing PAM user, say 'admin', it must be a member of group 'ncsadmin'.
 
==> Either make an existing user a member of group 'ncsadmin' or create a new user, say 'admin', that is a member of group 'ncsadmin'.
 
See some further info in this community post : 
 
 
Once you do a 'ncs-cli -u admin', enter a '?'. If your username has access, you should see many commands, i.e. not just 'exit'.
 
-Larry
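
The group check described in this thread, as an added example that is not part of the original posts or of NSO itself: it reports whether a user is a member of the 'ncsadmin' or 'ncsoper' OS groups named in the installer output. It is written for Python 3; the function names and the sample group data are constructed for illustration.

```python
import grp
import os
import pwd

# Group names and access levels as stated in the installer output above.
NSO_GROUPS = {"ncsadmin": "unlimited access", "ncsoper": "minimal access"}

# Constructed sample in /etc/group format (name:passwd:gid:members).
SAMPLE_GROUP = """\
root:x:0:
users:x:1000:
ncsadmin:x:1001:alice
ncsoper:x:1002:
"""


def parse_group_file(text):
    """Parse /etc/group-style text into {name: (gid, set_of_members)}."""
    groups = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 4 or not fields[2].isdigit():
            continue  # skip blank, commented or malformed entries
        name, _pw, gid, members = fields
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def nso_access(user, primary_gid, groups):
    """Return {group: access level} for the NSO groups the user is in."""
    found = {}
    for name, level in NSO_GROUPS.items():
        gid, members = groups.get(name, (None, set()))
        # Membership is either explicit or through the user's primary GID.
        if user in members or (gid is not None and gid == primary_gid):
            found[name] = level
    return found


def nso_access_live(user):
    """Same check against the live group database via NSS, so groups
    served by LDAP/SSSD are included, not only /etc/group."""
    gid = pwd.getpwnam(user).pw_gid
    names = set()
    for g in os.getgrouplist(user, gid):
        try:
            names.add(grp.getgrgid(g).gr_name)
        except KeyError:
            pass  # GID with no group entry
    return {n: lvl for n, lvl in NSO_GROUPS.items() if n in names}
```

An empty result for the session user means PAM authentication can succeed while NSO still assigns no group, which matches the "access denied (3)" seen above.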