Hello alexstev 

thank for your reply , i can explain my problem in more details till can understand this problem .

We have a package that is using 2 nano service components “vrf” and “ip” which use 2 actions “AssignVRF” and “AssignIP”, they are triggered by the RFM kickers when the cisco service is created.

After the 2 actions are completed, vrf_assigned=1 and ip_assigned =1, the nano service callback is called, which applies the XML template ‘obe-l3vpn-template’.

The only delta we see so far is that when the Cisco action “AssignVRF” is called by the Nano Service Component, it’s using a different session “from 0.0.0.0 with system”.

 audit.log:

<INFO> 29-Mar-2022::15:48:42.266 nso-virtual-machine ncs[19975]: audit user: [withheld]/0 local authentication failed via rest from 10.1.1.131:57112 with http: no such loca

l user

<INFO> 29-Mar-2022::15:48:42.287 nso-virtual-machine ncs[19975]: audit user: test1/0 pam authentication succeeded via rest from 10.1.1.131:57112 with http

<INFO> 29-Mar-2022::15:48:42.289 nso-virtual-machine ncs[19975]: audit user: test1/0 logged in via rest from 10.1.1.131:57112 with http using pamhandle authentication

<INFO> 29-Mar-2022::15:48:42.291 nso-virtual-machine ncs[19975]: audit user: test1/892 assigned to groups: ncsadmin,test1

<INFO> 29-Mar-2022::15:48:42.291 nso-virtual-machine ncs[19975]: audit user: test1/892 created new session via rest from 10.1.1.131:57112 with http

<INFO> 29-Mar-2022::15:48:42.292 nso-virtual-machine ncs[19975]: audit user: test1/892 RESTCONF: request with http: POST /restconf/operations/action/OBEAction HTTP/1.1

<INFO> 29-Mar-2022::15:48:42.519 nso-virtual-machine ncs[19975]: audit user: test1/893 assigned to groups: ncsadmin

<INFO> 29-Mar-2022::15:48:42.520 nso-virtual-machine ncs[19975]: audit user: test1/893 created new session via python from 127.0.0.1:0 with tcp.  <<<<<<<<< obe-action transaction

<INFO> 29-Mar-2022::15:48:42.849 nso-virtual-machine ncs[19975]: audit user: test1/894 assigned to groups: ncsadmin

<INFO> 29-Mar-2022::15:48:42.849 nso-virtual-machine ncs[19975]: audit user: test1/894 created new session via python from 127.0.0.1:0 with tcp

<INFO> 29-Mar-2022::15:48:46.872 nso-virtual-machine ncs[19975]: audit user: test1/894 terminated session (reason: normal)

<INFO> 29-Mar-2022::15:48:46.873 nso-virtual-machine ncs[19975]: audit user: test1/894 Logged out from maapi ctx=python (end_user_session)

<INFO> 29-Mar-2022::15:48:47.175 nso-virtual-machine ncs[19975]: audit user: test1/895 assigned to groups: ncsadmin

<INFO> 29-Mar-2022::15:48:47.175 nso-virtual-machine ncs[19975]: audit user: test1/895 created new session via python from 127.0.0.1:0 with tcp

<INFO> 29-Mar-2022::15:48:49.749 nso-virtual-machine ncs[19975]: audit user: test1/895 terminated session (reason: normal)

<INFO> 29-Mar-2022::15:48:49.750 nso-virtual-machine ncs[19975]: audit user: test1/895 Logged out from maapi ctx=python (end_user_session)

<INFO> 29-Mar-2022::15:48:56.535 nso-virtual-machine ncs[19975]: audit user: /896 terminated session (reason: normal)

<INFO> 29-Mar-2022::15:48:56.562 nso-virtual-machine ncs[19975]: audit user: /897 terminated session (reason: normal)

<INFO> 29-Mar-2022::15:48:56.562 nso-virtual-machine ncs[19975]: audit user: /898 terminated session (reason: normal)

<INFO> 29-Mar-2022::15:48:56.566 nso-virtual-machine ncs[19975]: audit user: /899 terminated session (reason: normal)

<INFO> 29-Mar-2022::15:48:59.418 nso-virtual-machine ncs[19975]: audit user: test1/900 assigned to groups: 

<INFO> 29-Mar-2022::15:48:59.418 nso-virtual-machine ncs[19975]: audit user: test1/900 created new session via python from 0.0.0.0:0 with system.  <<<<<<<<<< cisco Nano Service AssignVRF Action transaction

<INFO> 29-Mar-2022::15:48:59.444 nso-virtual-machine ncs[19975]: audit user: test1/900 terminated session (reason: normal)

<INFO> 29-Mar-2022::15:48:59.446 nso-virtual-machine ncs[19975]: audit user: test1/893 terminated session (reason: normal)

<INFO> 29-Mar-2022::15:48:59.454 nso-virtual-machine ncs[19975]: audit user: test1/893 Logged out from maapi ctx=python (end_user_session)

<INFO> 29-Mar-2022::15:48:59.485 nso-virtual-machine ncs[19975]: audit user: test1/892 terminated session (reason: normal)

<INFO> 29-Mar-2022::15:48:59.486 nso-virtual-machine ncs[19975]: audit user: test1/892 RESTCONF: response with http: HTTP/1.1 /restconf/operations/action/OBEAction 200 duration 17221194 ms

devel.log:

<DEBUG> 29-Mar-2022::15:48:59.443 nso-virtual-machine ncs[19975]: devel-aaa User: test1[] rejected data access path /obe:obe/obe-l3vpn{VT121557}/plan/component{obe-l3vpn:vrf-assignment ""}/state{obe-l3vpn:requested}/post-action-status op update due to no rule matched and /nacm/write-default is 'deny'

<DEBUG> 29-Mar-2022::15:48:59.443 nso-virtual-machine ncs[19975]: devel-c close_trans succeeded daemon id: 4 session id: 52178

<DEBUG> 29-Mar-2022::15:48:59.443 nso-virtual-machine ncs[19975]: devel-aaa User: test1[] rejected data access path /obe:obe op read due to no rule matched and /nacm/read-default is 'deny'

The RFM kicker is trying to execute the action using a user with no groups, and since the nacm default exec and write is deny, the action is not run. So we don't reach our line that opens the transaction using ncsadmin group.

         with ncs.maapi.single_write_trans(uinfo.username, uinfo.context, groups=['ncsadmin']) as trans:

When we modified nacm default write and execute to permit, the action can run, using a user without any groups, and then the transaction in the action is open with the correct group ncsadmin, as expected after the modification.

How can we make the nano service action run with the correct group rights ? 

Hello ,

i used Admin user to create the service , i used RESTCONF call Via postman to create my service .

the problem regarding the using of group ncsadmin when open the transaction , and other session when try to open the transaction with group nulls as i clarified in my pervious post in the audit.log & dev.log  .

so could you clarify how i can change the NACM rule to solve this problem .