edit-config permission denied after add username to NACM #143

Open
miaofenk opened this issue Nov 25, 2016 · 0 comments
miaofenk commented Nov 25, 2016

Hi,

I created a new account "netconf" to do netopeer-cli operations. The account write access is modified in NACM using netopeer-configurator; the following is the NACM configurator status:

 Access control is ON  
 Using system groups is ALLOWED   
 Default action for read requests: PERMIT 
 Default action for write requests: PERMIT
 Default action for execute requests: PERMIT
 Add users with unlimited access        
 netconf
 Show current NACM rules. 

The content of datastore-acm.xml:

 <?xml version="1.0" encoding="UTF-8"?>
 <datastores xmlns="urn:cesnet:tmc:datastores:file">
   <running lock=""/>
   <startup lock="">
     <nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
       <rule-list>
         <name>almighty</name>
         <group>almighty</group>
         <rule>
           <name>almighty</name>
           <module-name>*</module-name>
           <access-operations>*</access-operations>
           <action>permit</action>
         </rule>
       </rule-list>
       <write-default>permit</write-default>
       <groups>
         <group>
          <name>almighty</name>
          <user-name>netconf</user-name>
         </group>
       </groups>
       <enable-nacm>true</enable-nacm>
     </nacm>
   </startup>
   <candidate modified="false" lock=""/>
 </datastores>

However, the edit-config operation still failed due to a permission issue.
The netopeer-server log:

 netopeer-server[11346]: Created session 33 for user 'netconf' (UID 1001)
 netopeer-server[11346]: New server session for 'netconf' with ID 33
 netopeer-server[11346]: Received message (session 33): <?xml version="1.0" encoding="UTF-8"?>
 <rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
   <edit-config>
     <target>
       <candidate/>
     </target>
     <config>
       <system xmlns="http://nokia.com/AA/csf" xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
         <nonvnfc>
           <configkey xc:operation="replace">
             <cfgPATH>config/BR/backup_ip_type</cfgPATH>
             <subdirname>config/BR</subdirname>
             <cfgvalue><![CDATA[IPv4]]></cfgvalue>
             <timestamp><![CDATA[<datetime>]]></timestamp>
           </configkey>
         </nonvnfc>
       </system>
     </config>
   </edit-config>
 </rpc>
 netopeer-server[11346]: Writing message (session 33): <?xml version="1.0" encoding="UTF-8"?>
 <rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
   <rpc-error>
     <error-type>application</error-type>
     <error-tag>access-denied</error-tag>
     <error-severity>error</error-severity>
     <error-message>replacing "configkey" data node is not permitted.</error-message>
   </rpc-error>
 </rpc-reply>

Could you please let me know what I did wrong to set access type for a new account?
Thanks a lot!

Best Regards,
Miaofeng
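An added example, not part of the original issue and not netopeer code: a small audit that reads a `datastore-acm.xml` laid out like the one quoted above and reports, per datastore, what a simplified RFC 6536 evaluation would decide for a write by a given user. It only handles `module-name`/`access-operations` rules and `write-default`; the module name `csf` and the mapping of `replace` to the `update` access operation are assumptions.

```python
import xml.etree.ElementTree as ET

NACM = "{urn:ietf:params:xml:ns:yang:ietf-netconf-acm}"
DS = "{urn:cesnet:tmc:datastores:file}"

# Constructed sample: trimmed copy of the datastore-acm.xml quoted in the issue.
SAMPLE = """<datastores xmlns="urn:cesnet:tmc:datastores:file">
  <running lock=""/>
  <startup lock="">
    <nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
      <rule-list><name>almighty</name><group>almighty</group>
        <rule><name>almighty</name><module-name>*</module-name>
          <access-operations>*</access-operations><action>permit</action></rule>
      </rule-list>
      <write-default>permit</write-default>
      <groups><group><name>almighty</name><user-name>netconf</user-name></group></groups>
      <enable-nacm>true</enable-nacm>
    </nacm>
  </startup>
  <candidate modified="false" lock=""/>
</datastores>"""

def decide(nacm, user, module, op):
    """Simplified RFC 6536 write check: first matching rule wins, else write-default."""
    if nacm.findtext(NACM + "enable-nacm", "true") != "true":
        return "permit (NACM disabled)"
    groups = {g.findtext(NACM + "name") for g in nacm.findall(NACM + "groups/" + NACM + "group")
              if user in [u.text for u in g.findall(NACM + "user-name")]}
    for rl in nacm.findall(NACM + "rule-list"):
        rl_groups = {g.text for g in rl.findall(NACM + "group")}
        if "*" not in rl_groups and not (rl_groups & groups):
            continue  # rule-list does not apply to any of the user's groups
        for rule in rl.findall(NACM + "rule"):
            ops = rule.findtext(NACM + "access-operations", "*").split()
            mod = rule.findtext(NACM + "module-name", "*")
            if mod in ("*", module) and ("*" in ops or op in ops):
                return f"{rule.findtext(NACM + 'action')} (rule {rule.findtext(NACM + 'name')})"
    return nacm.findtext(NACM + "write-default", "deny") + " (write-default)"

def audit(xml_text, user, module, op):
    """Return {datastore: decision}; 'no <nacm> data' where the container is absent."""
    out = {}
    for ds in ET.fromstring(xml_text):
        nacm = ds.find(NACM + "nacm")
        out[ds.tag.replace(DS, "")] = decide(nacm, user, module, op) if nacm is not None else "no <nacm> data"
    return out

if __name__ == "__main__":
    # "csf" is a hypothetical module name; "update" stands in for replace of an existing node.
    print(audit(SAMPLE, "netconf", "csf", "update"))
```

On the sample, only `startup` carries NACM data; `running` and `candidate` hold none, so the report makes it easy to compare what is stored on disk with what the server has actually loaded.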
