User Group rights problem with use (Nano service with python action) 1

gkhaled
Level 1

Hello,

I am having issues where my nano service action does not run with the correct group rights.

So could you please help me with how I can solve this problem.

Thanks in advance.

5 Replies

Alexander Stevenson
Cisco Employee

 

Hello @gkhaled,

I couldn't find an answer for you. I hope someone else with this knowledge can reply.

I did find the Nano Services docs on DevNet: https://developer.cisco.com/docs/nso/guides/#!nano-services/nano-services

Hello alexstev,

Thanks for your reply. I can explain my problem in more detail so that this problem can be understood.

We have a package that is using 2 nano service components, “vrf” and “ip”, which use 2 actions, “AssignVRF” and “AssignIP”; they are triggered by the RFM kickers when the Cisco service is created.

After the 2 actions are completed, vrf_assigned=1 and ip_assigned=1, the nano service callback is called, which applies the XML template ‘obe-l3vpn-template’.

The only delta we see so far is that when the Cisco action “AssignVRF” is called by the Nano Service Component, it’s using a different session “from 0.0.0.0 with system”.

audit.log:

<INFO> 29-Mar-2022::15:48:42.266 nso-virtual-machine ncs[19975]: audit user: [withheld]/0 local authentication failed via rest from 10.1.1.131:57112 with http: no such local user

<INFO> 29-Mar-2022::15:48:42.287 nso-virtual-machine ncs[19975]: audit user: test1/0 pam authentication succeeded via rest from 10.1.1.131:57112 with http

<INFO> 29-Mar-2022::15:48:42.289 nso-virtual-machine ncs[19975]: audit user: test1/0 logged in via rest from 10.1.1.131:57112 with http using pamhandle authentication

<INFO> 29-Mar-2022::15:48:42.291 nso-virtual-machine ncs[19975]: audit user: test1/892 assigned to groups: ncsadmin,test1

<INFO> 29-Mar-2022::15:48:42.291 nso-virtual-machine ncs[19975]: audit user: test1/892 created new session via rest from 10.1.1.131:57112 with http

<INFO> 29-Mar-2022::15:48:42.292 nso-virtual-machine ncs[19975]: audit user: test1/892 RESTCONF: request with http: POST /restconf/operations/action/OBEAction HTTP/1.1

<INFO> 29-Mar-2022::15:48:42.519 nso-virtual-machine ncs[19975]: audit user: test1/893 assigned to groups: ncsadmin

<INFO> 29-Mar-2022::15:48:42.520 nso-virtual-machine ncs[19975]: audit user: test1/893 created new session via python from 127.0.0.1:0 with tcp.  <<<<<<<<< obe-action transaction

<INFO> 29-Mar-2022::15:48:42.849 nso-virtual-machine ncs[19975]: audit user: test1/894 assigned to groups: ncsadmin

<INFO> 29-Mar-2022::15:48:42.849 nso-virtual-machine ncs[19975]: audit user: test1/894 created new session via python from 127.0.0.1:0 with tcp

<INFO> 29-Mar-2022::15:48:46.872 nso-virtual-machine ncs[19975]: audit user: test1/894 terminated session (reason: normal)

<INFO> 29-Mar-2022::15:48:46.873 nso-virtual-machine ncs[19975]: audit user: test1/894 Logged out from maapi ctx=python (end_user_session)

<INFO> 29-Mar-2022::15:48:47.175 nso-virtual-machine ncs[19975]: audit user: test1/895 assigned to groups: ncsadmin

<INFO> 29-Mar-2022::15:48:47.175 nso-virtual-machine ncs[19975]: audit user: test1/895 created new session via python from 127.0.0.1:0 with tcp

<INFO> 29-Mar-2022::15:48:49.749 nso-virtual-machine ncs[19975]: audit user: test1/895 terminated session (reason: normal)

<INFO> 29-Mar-2022::15:48:49.750 nso-virtual-machine ncs[19975]: audit user: test1/895 Logged out from maapi ctx=python (end_user_session)

<INFO> 29-Mar-2022::15:48:56.535 nso-virtual-machine ncs[19975]: audit user: /896 terminated session (reason: normal)

<INFO> 29-Mar-2022::15:48:56.562 nso-virtual-machine ncs[19975]: audit user: /897 terminated session (reason: normal)

<INFO> 29-Mar-2022::15:48:56.562 nso-virtual-machine ncs[19975]: audit user: /898 terminated session (reason: normal)

<INFO> 29-Mar-2022::15:48:56.566 nso-virtual-machine ncs[19975]: audit user: /899 terminated session (reason: normal)

<INFO> 29-Mar-2022::15:48:59.418 nso-virtual-machine ncs[19975]: audit user: test1/900 assigned to groups: 

<INFO> 29-Mar-2022::15:48:59.418 nso-virtual-machine ncs[19975]: audit user: test1/900 created new session via python from 0.0.0.0:0 with system.  <<<<<<<<<< cisco Nano Service AssignVRF Action transaction

<INFO> 29-Mar-2022::15:48:59.444 nso-virtual-machine ncs[19975]: audit user: test1/900 terminated session (reason: normal)

<INFO> 29-Mar-2022::15:48:59.446 nso-virtual-machine ncs[19975]: audit user: test1/893 terminated session (reason: normal)

<INFO> 29-Mar-2022::15:48:59.454 nso-virtual-machine ncs[19975]: audit user: test1/893 Logged out from maapi ctx=python (end_user_session)

<INFO> 29-Mar-2022::15:48:59.485 nso-virtual-machine ncs[19975]: audit user: test1/892 terminated session (reason: normal)

<INFO> 29-Mar-2022::15:48:59.486 nso-virtual-machine ncs[19975]: audit user: test1/892 RESTCONF: response with http: HTTP/1.1 /restconf/operations/action/OBEAction 200 duration 17221194 ms

 

devel.log:

<DEBUG> 29-Mar-2022::15:48:59.443 nso-virtual-machine ncs[19975]: devel-aaa User: test1[] rejected data access path /obe:obe/obe-l3vpn{VT121557}/plan/component{obe-l3vpn:vrf-assignment ""}/state{obe-l3vpn:requested}/post-action-status op update due to no rule matched and /nacm/write-default is 'deny'

<DEBUG> 29-Mar-2022::15:48:59.443 nso-virtual-machine ncs[19975]: devel-c close_trans succeeded daemon id: 4 session id: 52178

<DEBUG> 29-Mar-2022::15:48:59.443 nso-virtual-machine ncs[19975]: devel-aaa User: test1[] rejected data access path /obe:obe op read due to no rule matched and /nacm/read-default is 'deny'

 

The RFM kicker is trying to execute the action using a user with no groups, and since the NACM default exec and write are deny, the action is not run. So we don't reach our line that opens the transaction using the ncsadmin group:

    with ncs.maapi.single_write_trans(uinfo.username, uinfo.context, groups=['ncsadmin']) as trans:

When we modified the NACM default write and execute to permit, the action can run using a user without any groups, and then the transaction in the action is opened with the correct group ncsadmin, as expected after the modification.

How can we make the nano service action run with the correct group rights?
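As an added example (not code from this thread or from NSO), a small Python parser over constructed audit.log and devel.log lines in the format quoted above: it reconstructs each session's NACM group assignment, flags sessions created with no groups (like the kicker-triggered session test1/900 above), and extracts the devel-aaa rejections so the two can be correlated. Hostname, pid, session ids and paths in the sample are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the NSO audit.log / devel.log format quoted
# in this thread (hostname, pid, session ids and paths are made up).
AUDIT_LOG = """\
<INFO> 29-Mar-2022::15:48:42.291 nso-vm ncs[19975]: audit user: test1/892 assigned to groups: ncsadmin,test1
<INFO> 29-Mar-2022::15:48:42.291 nso-vm ncs[19975]: audit user: test1/892 created new session via rest from 10.1.1.131:57112 with http
<INFO> 29-Mar-2022::15:48:59.418 nso-vm ncs[19975]: audit user: test1/900 assigned to groups: 
<INFO> 29-Mar-2022::15:48:59.418 nso-vm ncs[19975]: audit user: test1/900 created new session via python from 0.0.0.0:0 with system.
"""
DEVEL_LOG = """\
<DEBUG> 29-Mar-2022::15:48:59.443 nso-vm ncs[19975]: devel-aaa User: test1[] rejected data access path /obe:obe/obe-l3vpn{VT121557}/plan/component{obe-l3vpn:vrf-assignment ""}/state{obe-l3vpn:requested}/post-action-status op update due to no rule matched and /nacm/write-default is 'deny'
<DEBUG> 29-Mar-2022::15:48:59.443 nso-vm ncs[19975]: devel-aaa User: test1[] rejected data access path /obe:obe op read due to no rule matched and /nacm/read-default is 'deny'
"""

GROUPS_RE = re.compile(r"audit user: (\S+)/(\d+) assigned to groups: ?(.*)$")
SESSION_RE = re.compile(r"audit user: (\S+)/(\d+) created new session via (\S+) from (\S+) with (\S+)")
# The path may contain spaces (list keys such as {... ""}), so match it lazily up to " op ".
REJECT_RE = re.compile(r"devel-aaa User: (\S+)\[(.*?)\] rejected data access path (.+?) op (\S+) due to")

def parse_audit(text):
    """Map session id -> {user, groups, via, source, auth} from audit.log lines."""
    sessions = defaultdict(dict)
    for line in text.splitlines():
        m = GROUPS_RE.search(line)
        if m:
            user, sid, groups = m.groups()
            sessions[sid]["user"] = user
            # An empty group list is the case NACM *-default 'deny' will reject.
            sessions[sid]["groups"] = [g for g in groups.strip().rstrip(".").split(",") if g]
            continue
        m = SESSION_RE.search(line)
        if m:
            user, sid, via, source, auth = m.groups()
            sessions[sid].update(user=user, via=via, source=source, auth=auth.rstrip("."))
    return dict(sessions)

def groupless_sessions(sessions):
    """Session ids that carry no NACM group (or no group line at all)."""
    return sorted(sid for sid, s in sessions.items() if not s.get("groups"))

def rejections(text):
    """(user, groups-in-brackets, path, op) tuples from devel-aaa 'rejected data access' lines."""
    out = []
    for line in text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            out.append((m.group(1), m.group(2), m.group(3), m.group(4)))
    return out
```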

 

 

Nabsch
Spotlight

Hello,

Which user creates your service instance? Can you give us more details? Are you using the CLI, RESTCONF, or the Python API to create your service?

I think the issue can be fixed by just adding a new rule in NACM.

Here is something that might help you:

 

~/ncs-5.8/src/ncs/yang$ grep -i -n  -B 4 -A 4 user tailf-ncs-services.yang
800-      leaf latest-u-info {
801-        tailf:hidden full;
802-        type binary;
803-        description
804:          "Latest transactions user info is stored there, these are
805-           used in reactive-re-deploy actions that must be performed by
806:           a user with the same user info.";
807-      }
808-    }
809-  }


Hello,

I used the admin user to create the service; I used a RESTCONF call via Postman to create my service.

The problem is regarding the use of the group ncsadmin when opening the transaction, and another session that tries to open the transaction with null groups, as I clarified in my previous post in the audit.log and devel.log.

So could you clarify how I can change the NACM rule to solve this problem?

Nabsch
Spotlight

From your logs, it looks like you used the user test1 and not admin:

<DEBUG> 29-Mar-2022::15:48:59.443 nso-virtual-machine ncs[19975]: devel-aaa User: test1[] rejected data access path /obe:obe/obe-l3vpn{VT121557}/plan/component{obe-l3vpn:vrf-assignment ""}/state{obe-l3vpn:requested}/post-action-status op update due to no rule matched and /nacm/write-default is 'deny'

<DEBUG> 29-Mar-2022::15:48:59.443 nso-virtual-machine ncs[19975]: devel-c close_trans succeeded daemon id: 4 session id: 52178

<DEBUG> 29-Mar-2022::15:48:59.443 nso-virtual-machine ncs[19975]: devel-aaa User: test1[] rejected data access path /obe:obe op read due to no rule matched and /nacm/read-default is 'deny'

 

 

If you are using the user test1: from your logs, test1 is not part of any group.

<INFO> 29-Mar-2022::15:48:59.418 nso-virtual-machine ncs[19975]: audit user: test1/900 assigned to groups: 

You should add it to a group:

nacm groups group test1
 user-name [ test1 ]
!
nacm rule-list authorize-test1
 group [ test1 ]
 rule obe-l3vpn
  path              /obe:obe/obe-l3vpn
  access-operations *
  action            permit
 !
!