XR Taskgroup permission for Cisco Prime: XML Get -> AdminOperational -> PlatformInventory

BRIAN SEKLECKI
Level 1

All:

  Is there an equivalent command to "describe" that allows enumeration of required taskgroup requirements, but for the XML API?

  The CLI Command "admin show inventory" seems (to me, to be) analogous to the following XML query:

<?xml version="1.0" encoding="UTF-8"?>
<Request>
 <Get xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AdminOperational>
   <PlatformInventory>
    <RackTable>
     <Rack>
      <Naming><Name Match="*"/> <.....>

If I run this XML query as the default XR user from group root-system, the query returns fine.

When I run it with a "Meta" user (set up for use by Cisco Prime) which has been given an XR tasklist that, for troubleshooting purposes, should seem to have every possible permission -- per the output below, I get an error:

   "A user is attempting to carry out an unauthorized operation..."

IOS-XR-4.3.4 # show run formal taskgroup | include admin
Thu Feb 11 23:40:53.111 UTC
taskgroup prime task read admin
taskgroup prime task write admin
taskgroup prime task execute admin

I get the following error:

<?xml version="1.0" encoding="UTF-8"?>
<Response MajorVersion="1" MinorVersion="0">
    <Get ErrorCode="0x43679000" ErrorMsg="&apos;XML Service Library&apos; detected the &apos;warning&apos; condition &apos;An error was encountered in the XML beneath this operation tag&apos;" ItemNotFound="true">
        <AdminOperational>
            <PlatformInventory MajorVersion="0" MinorVersion="4">
                <RackTable>
                    <Rack>
                        <Naming>
                            <Name Match="*"/>
                        </Naming>
                        <Attributes ErrorCode="0x43689800" ErrorMsg="&apos;XMLMDA&apos; detected the &apos;warning&apos; condition &apos;A user is attempting to carry out an unauthorized operation&apos;"/>
                    </Rack>
                </RackTable>
            </PlatformInventory>
        </AdminOperational>
    </Get>
    <ResultSummary ErrorCount="1"/>
</Response>
XML>


xthuijs
Cisco Employee

hi!

ah I see, the permission level needed for this command is not set correctly on the user.

you'd want to add read for sysmgr OR inventory to the permission levels for the user prime.

root-system provides that task set hence succeeds from cli.

You'll likely see an error too when you log in with user prime and run this command.

cheers!

xander

Nah the problem still happens even if you grant the Prime tasklist every task every permission:

bash$ TGNAME=prime; for task in $(awk '{print $1}' < list_of_ios-xr_tasks.txt); do for perm in read write execute debug; do echo taskgroup $TGNAME task $perm $task; done ; done;
taskgroup prime task read aaa
taskgroup prime task write aaa
taskgroup prime task execute aaa
taskgroup prime task debug aaa
taskgroup prime task read acl
taskgroup prime task write acl
taskgroup prime task execute acl
taskgroup prime task debug acl
taskgroup prime task read admin
taskgroup prime task write admin
taskgroup prime task execute admin
taskgroup prime task debug admin
taskgroup prime task read ancp
taskgroup prime task write ancp
taskgroup prime task execute ancp
taskgroup prime task debug ancp
taskgroup prime task read atm
taskgroup prime task write atm
taskgroup prime task execute atm
taskgroup prime task debug atm
taskgroup prime task read basic-services
taskgroup prime task write basic-services
taskgroup prime task execute basic-services
taskgroup prime task debug basic-services
taskgroup prime task read bcdl
taskgroup prime task write bcdl
taskgroup prime task execute bcdl
taskgroup prime task debug bcdl
taskgroup prime task read bfd
taskgroup prime task write bfd
taskgroup prime task execute bfd
taskgroup prime task debug bfd
taskgroup prime task read bgp
taskgroup prime task write bgp
taskgroup prime task execute bgp
taskgroup prime task debug bgp
taskgroup prime task read boot
taskgroup prime task write boot
taskgroup prime task execute boot
taskgroup prime task debug boot
taskgroup prime task read bundle
taskgroup prime task write bundle
taskgroup prime task execute bundle
taskgroup prime task debug bundle
taskgroup prime task read call-home
taskgroup prime task write call-home
taskgroup prime task execute call-home
taskgroup prime task debug call-home
taskgroup prime task read cdp
taskgroup prime task write cdp
taskgroup prime task execute cdp
taskgroup prime task debug cdp
taskgroup prime task read cef
taskgroup prime task write cef
taskgroup prime task execute cef
taskgroup prime task debug cef
taskgroup prime task read cgn
taskgroup prime task write cgn
taskgroup prime task execute cgn
taskgroup prime task debug cgn
taskgroup prime task read config-mgmt
taskgroup prime task write config-mgmt
taskgroup prime task execute config-mgmt
taskgroup prime task debug config-mgmt
taskgroup prime task read config-services
taskgroup prime task write config-services
taskgroup prime task execute config-services
taskgroup prime task debug config-services
taskgroup prime task read crypto
taskgroup prime task write crypto
taskgroup prime task execute crypto
taskgroup prime task debug crypto
taskgroup prime task read diag
taskgroup prime task write diag
taskgroup prime task execute diag
taskgroup prime task debug diag
taskgroup prime task read drivers
taskgroup prime task write drivers
taskgroup prime task execute drivers
taskgroup prime task debug drivers
taskgroup prime task read dwdm
taskgroup prime task write dwdm
taskgroup prime task execute dwdm
taskgroup prime task debug dwdm
taskgroup prime task read eem
taskgroup prime task write eem
taskgroup prime task execute eem
taskgroup prime task debug eem
taskgroup prime task read eigrp
taskgroup prime task write eigrp
taskgroup prime task execute eigrp
taskgroup prime task debug eigrp
taskgroup prime task read ethernet-services
taskgroup prime task write ethernet-services
taskgroup prime task execute ethernet-services
taskgroup prime task debug ethernet-services
taskgroup prime task read ext-access
taskgroup prime task write ext-access
taskgroup prime task execute ext-access
taskgroup prime task debug ext-access
taskgroup prime task read fabric
taskgroup prime task write fabric
taskgroup prime task execute fabric
taskgroup prime task debug fabric
taskgroup prime task read fault-mgr
taskgroup prime task write fault-mgr
taskgroup prime task execute fault-mgr
taskgroup prime task debug fault-mgr
taskgroup prime task read filesystem
taskgroup prime task write filesystem
taskgroup prime task execute filesystem
taskgroup prime task debug filesystem
taskgroup prime task read firewall
taskgroup prime task write firewall
taskgroup prime task execute firewall
taskgroup prime task debug firewall
taskgroup prime task read fr
taskgroup prime task write fr
taskgroup prime task execute fr
taskgroup prime task debug fr
taskgroup prime task read hdlc
taskgroup prime task write hdlc
taskgroup prime task execute hdlc
taskgroup prime task debug hdlc
taskgroup prime task read host-services
taskgroup prime task write host-services
taskgroup prime task execute host-services
taskgroup prime task debug host-services
taskgroup prime task read hsrp
taskgroup prime task write hsrp
taskgroup prime task execute hsrp
taskgroup prime task debug hsrp
taskgroup prime task read interface
taskgroup prime task write interface
taskgroup prime task execute interface
taskgroup prime task debug interface
taskgroup prime task read inventory
taskgroup prime task write inventory
taskgroup prime task execute inventory
taskgroup prime task debug inventory
taskgroup prime task read ip-services
taskgroup prime task write ip-services
taskgroup prime task execute ip-services
taskgroup prime task debug ip-services
taskgroup prime task read ipv4
taskgroup prime task write ipv4
taskgroup prime task execute ipv4
taskgroup prime task debug ipv4
taskgroup prime task read ipv6
taskgroup prime task write ipv6
taskgroup prime task execute ipv6
taskgroup prime task debug ipv6
taskgroup prime task read isis
taskgroup prime task write isis
taskgroup prime task execute isis
taskgroup prime task debug isis
taskgroup prime task read l2vpn
taskgroup prime task write l2vpn
taskgroup prime task execute l2vpn
taskgroup prime task debug l2vpn
taskgroup prime task read li
taskgroup prime task write li
taskgroup prime task execute li
taskgroup prime task debug li
taskgroup prime task read lisp
taskgroup prime task write lisp
taskgroup prime task execute lisp
taskgroup prime task debug lisp
taskgroup prime task read logging
taskgroup prime task write logging
taskgroup prime task execute logging
taskgroup prime task debug logging
taskgroup prime task read lpts
taskgroup prime task write lpts
taskgroup prime task execute lpts
taskgroup prime task debug lpts
taskgroup prime task read monitor
taskgroup prime task write monitor
taskgroup prime task execute monitor
taskgroup prime task debug monitor
taskgroup prime task read mpls-ldp
taskgroup prime task write mpls-ldp
taskgroup prime task execute mpls-ldp
taskgroup prime task debug mpls-ldp
taskgroup prime task read mpls-static
taskgroup prime task write mpls-static
taskgroup prime task execute mpls-static
taskgroup prime task debug mpls-static
taskgroup prime task read mpls-te
taskgroup prime task write mpls-te
taskgroup prime task execute mpls-te
taskgroup prime task debug mpls-te
taskgroup prime task read multicast
taskgroup prime task write multicast
taskgroup prime task execute multicast
taskgroup prime task debug multicast
taskgroup prime task read netflow
taskgroup prime task write netflow
taskgroup prime task execute netflow
taskgroup prime task debug netflow
taskgroup prime task read network
taskgroup prime task write network
taskgroup prime task execute network
taskgroup prime task debug network
taskgroup prime task read nps
taskgroup prime task write nps
taskgroup prime task execute nps
taskgroup prime task debug nps
taskgroup prime task read ospf
taskgroup prime task write ospf
taskgroup prime task execute ospf
taskgroup prime task debug ospf
taskgroup prime task read ouni
taskgroup prime task write ouni
taskgroup prime task execute ouni
taskgroup prime task debug ouni
taskgroup prime task read pbr
taskgroup prime task write pbr
taskgroup prime task execute pbr
taskgroup prime task debug pbr
taskgroup prime task read pkg-mgmt
taskgroup prime task write pkg-mgmt
taskgroup prime task execute pkg-mgmt
taskgroup prime task debug pkg-mgmt
taskgroup prime task read pos-dpt
taskgroup prime task write pos-dpt
taskgroup prime task execute pos-dpt
taskgroup prime task debug pos-dpt
taskgroup prime task read ppp
taskgroup prime task write ppp
taskgroup prime task execute ppp
taskgroup prime task debug ppp
taskgroup prime task read qos
taskgroup prime task write qos
taskgroup prime task execute qos
taskgroup prime task debug qos
taskgroup prime task read rcmd
taskgroup prime task write rcmd
taskgroup prime task execute rcmd
taskgroup prime task debug rcmd
taskgroup prime task read rib
taskgroup prime task write rib
taskgroup prime task execute rib
taskgroup prime task debug rib
taskgroup prime task read rip
taskgroup prime task write rip
taskgroup prime task execute rip
taskgroup prime task debug rip
taskgroup prime task read route-map
taskgroup prime task write route-map
taskgroup prime task execute route-map
taskgroup prime task debug route-map
taskgroup prime task read route-policy
taskgroup prime task write route-policy
taskgroup prime task execute route-policy
taskgroup prime task debug route-policy
taskgroup prime task read sbc
taskgroup prime task write sbc
taskgroup prime task execute sbc
taskgroup prime task debug sbc
taskgroup prime task read snmp
taskgroup prime task write snmp
taskgroup prime task execute snmp
taskgroup prime task debug snmp
taskgroup prime task read sonet-sdh
taskgroup prime task write sonet-sdh
taskgroup prime task execute sonet-sdh
taskgroup prime task debug sonet-sdh
taskgroup prime task read static
taskgroup prime task write static
taskgroup prime task execute static
taskgroup prime task debug static
taskgroup prime task read sysmgr
taskgroup prime task write sysmgr
taskgroup prime task execute sysmgr
taskgroup prime task debug sysmgr
taskgroup prime task read system
taskgroup prime task write system
taskgroup prime task execute system
taskgroup prime task debug system
taskgroup prime task read transport
taskgroup prime task write transport
taskgroup prime task execute transport
taskgroup prime task debug transport
taskgroup prime task read tty-access
taskgroup prime task write tty-access
taskgroup prime task execute tty-access
taskgroup prime task debug tty-access
taskgroup prime task read tunnel
taskgroup prime task write tunnel
taskgroup prime task execute tunnel
taskgroup prime task debug tunnel
taskgroup prime task read vlan
taskgroup prime task write vlan
taskgroup prime task execute vlan
taskgroup prime task debug vlan
taskgroup prime task read vpdn
taskgroup prime task write vpdn
taskgroup prime task execute vpdn
taskgroup prime task debug vpdn
taskgroup prime task read vrrp
taskgroup prime task write vrrp
taskgroup prime task execute vrrp
taskgroup prime task debug vrrp
 

TAC Confirmed that XML query <AdminOperational> <PlatformInventory MajorVersion="0" MinorVersion="4">  <RackTable>  <Rack> ... explicitly requires root-system perms

ios-xr# sh debug
####  debug flags set from tty ‘vty0’  ####
aaa task flag is ON with value 0
aaa authorization flag is ON with value 0
task basic flag is ON with value 0

[Run broken query <Request>   <Get>    <AdminOperational>     <PlatformInventory>      <RackTable … ]
 
P/0/RSP1/CPU0:MDS01-LABGDT#
RP/0/RSP1/CPU0:Feb 17 05:57:58.038 UTC: xml_tty_agent[1122]: Created task table at 0x1004e108
RP/0/RSP1/CPU0:Feb 17 05:57:58.038 UTC: xml_tty_agent[1122]: Adding taskid admin of type 0 to table at 0x1004e108
RP/0/RSP1/CPU0:Feb 17 05:57:58.038 UTC: xml_tty_agent[1122]: Added a mask of: 40000000 0
RP/0/RSP1/CPU0:Feb 17 05:57:58.038 UTC: xml_tty_agent[1122]: Adding taskid root-system of type 0 to table at 0x1004e108
RP/0/RSP1/CPU0:Feb 17 05:57:58.038 UTC: xml_tty_agent[1122]: AAA authorization failed, status 0 (error '')No error
RP/0/RSP1/CPU0:Feb 17 05:57:58.038 UTC: xml_tty_agent[1122]: Added a mask of: 200 0
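As an added example (not code from the thread or from Cisco), a small Python helper that does what the debug output above makes possible: it pulls the taskids xml_tty_agent checked out of the debug lines, compares them with a taskgroup's "show run formal taskgroup" lines to report which required task the group lacks, and walks an XML-API Response like the one in the opening post to pick out the element carrying the "unauthorized operation" ErrorCode. The debug lines, taskgroup config and response are constructed samples modelled on the thread; what the "type N" number in the debug line means is not stated anywhere here, so the permission to check is a parameter.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the "show run formal taskgroup" output in the thread.
TASKGROUP_CONFIG = """\
taskgroup prime task read admin
taskgroup prime task write admin
taskgroup prime task execute admin
"""

# Constructed xml_tty_agent debug lines of the kind shown in the thread
# (timestamps, PIDs and table addresses are made up).
DEBUG_LOG = """\
RP/0/RSP1/CPU0:Feb 17 05:57:58.038 UTC: xml_tty_agent[1122]: Adding taskid admin of type 0 to table at 0x1004e108
RP/0/RSP1/CPU0:Feb 17 05:57:58.038 UTC: xml_tty_agent[1122]: Adding taskid root-system of type 0 to table at 0x1004e108
RP/0/RSP1/CPU0:Feb 17 05:57:58.038 UTC: xml_tty_agent[1122]: AAA authorization failed, status 0 (error '')No error
"""

# Constructed XML-API response carrying the per-element ErrorCode/ErrorMsg
# attributes seen in the thread (the outer Get message is abbreviated).
RESPONSE_XML = """\
<Response MajorVersion="1" MinorVersion="0">
 <Get ErrorCode="0x43679000" ErrorMsg="XML Service Library warning" ItemNotFound="true">
  <AdminOperational><PlatformInventory MajorVersion="0" MinorVersion="4"><RackTable><Rack>
   <Naming><Name Match="*"/></Naming>
   <Attributes ErrorCode="0x43689800" ErrorMsg="&apos;XMLMDA&apos; detected the &apos;warning&apos; condition &apos;A user is attempting to carry out an unauthorized operation&apos;"/>
  </Rack></RackTable></PlatformInventory></AdminOperational>
 </Get>
 <ResultSummary ErrorCount="1"/>
</Response>
"""

TASKID_RE = re.compile(r"xml_tty_agent\[\d+\]: Adding taskid (\S+) of type \d+")
TASKGROUP_RE = re.compile(r"^taskgroup (\S+) task (read|write|execute|debug) (\S+)$")

def required_taskids(debug_text):
    """Taskids the XML agent added to its authorization table, in order, deduplicated."""
    return list(dict.fromkeys(TASKID_RE.findall(debug_text)))

def granted_tasks(config_text, group):
    """Map task name -> set of permissions that taskgroup `group` holds."""
    grants = {}
    for line in config_text.splitlines():
        m = TASKGROUP_RE.match(line.strip())
        if m and m.group(1) == group:
            grants.setdefault(m.group(3), set()).add(m.group(2))
    return grants

def missing_taskids(debug_text, config_text, group, perm="read"):
    """Required taskids that `group` lacks with permission `perm`. The debug line's
    'type N' is not explained in the thread, so the permission is a parameter."""
    grants = granted_tasks(config_text, group)
    return [t for t in required_taskids(debug_text) if perm not in grants.get(t, set())]

def error_elements(response_xml):
    """Every element of a Response that carries an ErrorCode, as (tag, code, msg)."""
    root = ET.fromstring(response_xml)
    return [(el.tag, el.attrib["ErrorCode"], el.attrib.get("ErrorMsg", ""))
            for el in root.iter() if "ErrorCode" in el.attrib]

def unauthorized_tags(response_xml):
    """Tags whose error is the XMLMDA 'unauthorized operation' warning (0x43689800 above)."""
    return [tag for tag, _, msg in error_elements(response_xml) if "unauthorized operation" in msg]
```

Run against real "show run formal taskgroup" output and a captured debug session, the missing list is the set of tasks to grant (or to cite in a DDTS) instead of handing the monitoring user root-system.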
 

that is interesting, didn't expect that from the permission details of the command itself.

I noticed that in your task list the task read inventory was not there (shouldn't be needed considering you have read sysmgr), but worth the final shot to see if that can carry out the command.

also verify if the cli command can be executed (this to separate it from being an xml permission issue).

based on that you may want to request a DDTS for this, because this inventory command should not need this high permission level of root system, albeit you have a workaround now.

cheers

xander

I've been trying to figure out how to get the proper taskid requirements for certain XML calls. This debug is gold. Thank you!

BRIAN SEKLECKI
Level 1

Just to clarify: There is no work-around except to give Prime root-system or to "inherit root-system"

Both are unacceptable to any BOFH/INFOSEC group by any standard in any organization.

I do slightly have to admonish the Cisco IOS-XR and Prime Networking teams for not having found this bug in advance and/or published a document on best-practices for Prime meta-user security.

(Cisco can make it up to me by not taking 22 months to release a SMU to fix this!) >:}

~BAS

I agree with you on all points. And as mentioned a simple command like this should not require such high permission settings.

Hence wanted to recommend to have a DDTS filed for this, and yes when it is resolved we can definitely do a SMU for this on 533.

Could I ask if you can request the TAC engineer to file a ddts and get in touch with me so we can manage this through adequately in 21 months (see improving ;). Nah of course as fast as possible.

this is not a tricky thing and rather simple to take care of.

xander

Alexander:

  Thanks for being a Rock Star on this!

   We will submit the DDTS today; actually, what we're going to do is have our Cisco Prime SE team submit the request on our behalf, which, based on the fact that it comes internally vs externally, will hopefully help the process along even more.

Your friends in PA/Virginia

  ~BAS

PS: I've got a 4+-bottle case of Copper Fox whiskey and Boyd & Blair vodka for the Cisco engineer who first publishes a signed SMU for us to test.

Hey Bas! found the issue. XML and CLI use different (permission) settings and the admin oper inventory reports root-system as its requirement!

Considering that very cool offer, I could not resist and pass on a test smu for you to play with on 5.3.3 :) This is what is called an engineering smu and is officially not supported, but for a lab test to prove the concept this is fine.

When you have a DDTS filed for this let me know the number so I can attach my diffs to it etc. Or have your SE contact me so I can help him close that off from his end.

cheers from your fan in MA! :)

xander

ps I didn't test/verify this myself, also I built the smu with the pre-computed restart type, it may be a process restart, but it possibly should be a reload because of the API change I had to make. But try it out, if it doesn't reload, and doesn't function give the chassis a reboot (assuming lab here :).

ps2 after download change filename to a .pie instead of that docx. md5 and file info is in the txt along with signature as requested!

Index:
===================================================================
invmgr_adminoper.sch    2016-03-03 12:01:13.000000000 -0500
***************
*** 11,17 ****
  class-name: "Inventory",
  class-category: container,
! task-name: root-system,
  description: "Inventory operational data",
  pathname: "inventory/";
 
--- 11,17 ----
  class-name: "Inventory",
  class-category: container,
! task-name: inventory,
  description: "Inventory operational data",
  pathname: "inventory/";
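Review bot: the change only touches the task-name of the "Inventory" container class (lines 11-17 of invmgr_adminoper.sch); the failing query in this thread reports the authorization error on the Attributes element under RackTable/Rack, so any child classes that declare their own task-name (not visible in this hunk) would need the same root-system -> inventory edit, and the .sch change only takes effect once the schema is recompiled into what xml_tty_agent consults at runtime. Also, the Index header carries a timestamp for only one side of the diff; a conventional two-line file header would make clear which version is old and which is new.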

Xander:

Tried to install the Engineering SMU. The XML query is still requesting the root-system task.

MDS01-LABGDT#admin show install active | include 12345
Thu Apr  7 12:32:55.828 UTC
      disk0:asr9k-px-5.3.3.CSCea12345-1.0.0
      disk0:asr9k-px-5.3.3.CSCea12345-1.0.0
      disk0:asr9k-px-5.3.3.CSCea12345-1.0.0
      disk0:asr9k-px-5.3.3.CSCea12345-1.0.0
      disk0:asr9k-px-5.3.3.CSCea12345-1.0.0

[Chassis Reload]

XML> <?xml version="1.0" encoding="UTF-8"?>
<Response MajorVersion="1" MinorVersion="0">
    <Get ErrorCode="0x43679000" ErrorMsg="&apos;XML Service Library&apos; detected the &apos;warning&apos; condition &apos;An error was encountered in the XML beneath this operation tag&apos;" ItemNotFound="true">
        <AdminOperational>
            <PlatformInventory MajorVersion="0" MinorVersion="4">
                <RackTable>
                    <Rack>
                        <Naming>
                            <Name Match="*"/>
                        </Naming>
                        <Attributes ErrorCode="0x43689800" ErrorMsg="&apos;XMLMDA&apos; detected the &apos;warning&apos; condition &apos;A user is attempting to carry out an unauthorized operation&apos;"/>
                    </Rack>
                </RackTable>
            </PlatformInventory>
        </AdminOperational>
    </Get>
    <ResultSummary ErrorCount="1"/>
</Response>

RP/0/RSP1/CPU0:Apr  7 12:31:28.925 UTC: xml_tty_agent[1150]: Added a mask of: 40000000 0
RP/0/RSP1/CPU0:Apr  7 12:31:28.925 UTC: xml_tty_agent[1150]: Adding taskid root-system of type 0 to table at 0x1000ffb0
RP/0/RSP1/CPU0:Apr  7 12:31:28.925 UTC: xml_tty_agent[1150]: Added a mask of: 200 0

Thanks for the test Bas. Ok let me look into this a bit more. I am researching if I probably need to rebuild the schemas before compiling the smu.

I'll be back in touch when I have some update smu for testing.

I got a note from the TAC engineer you're working with and he was going to file a ddts for this also. a fix in a new sw release will for sure take care of this with the fix I have here since it rebuilds the schemas as we want.

a smu on an existing release may need some trick work, apparently.

xander