Junos version 18.4R3-S2 does not authorize the "xml-mode netconf need-trailer" command

mar...@tonusoo.xyz
Sep 1, 2021, 9:41:50 AM
to junos-p...@googlegroups.com
Hi,

I have a very restricted local user account named "inventory" for a
script using the PyEZ library on all my Juniper devices, ranging from QFX
series switches to MX series routers. This user belongs to a class named
"inventory", and this class has an "allow-commands" statement with the value
"show chassis hardware|exit|quit|xml-mode|.*netconf|.*need-trailer|.*close-session|show cli authorization"
and a "deny-commands" statement with the value ".*":

inventory@srx> show cli authorization
Current user: 'inventory ' class 'inventory'
Permissions:
view -- Can view current values and statistics
Individual command authorization:
Allow regular expression: show chassis hardware|exit|quit|xml-mode|.*netconf|.*need-trailer|.*close-session|show cli authorization
Deny regular expression: .*
Allow configuration regular expression: none
Deny configuration regular expression: none

inventory@srx>

The script calls the <get-chassis-inventory> and <close-session> RPCs, but
under the hood the "xml-mode netconf need-trailer" command (or its equivalent
RPC) is executed when the NETCONF session is established, and that's why
the "allow-commands" statement takes this into account as well. However,
in Junos version 18.4R3-S2 the "xml-mode netconf need-trailer" command
is no longer authorized. Example:

$ # NETCONF session to "srx" firewall running Junos 18.4R3-S2
$ ssh -b 10.10.10.141 srx -l inventory -s netconf

Password:

error: unknown command: xml-mode
$


There is no such issue with various other Junos releases ranging from
15.x to 18.x. Has anyone else encountered this problem? Is it a bug? Is
there a PR for this? If such a change was intentional, then where is it
documented in the release notes?


PS. I hope it's not off-topic as the issue seems to be related to Junos
itself rather than to PyEZ. However, perhaps folks here have encountered
the described issue.


thanks,
Martin

mar...@tonusoo.xyz
Jan 20, 2022, 9:52:44 AM
to junos-p...@googlegroups.com
Hi,

adding "junoscript" to the "allow-commands" statement authorizes the
"xml-mode netconf need-trailer" command, required for establishing the
NETCONF session, in newer Junos versions. Tested with 18.4R3-S2 and
19.4R2.6. In addition, one has to extend the ".*netconf" regex to, for
example, ".*netconf.*". Otherwise, authorization of the
"<close-session>" RPC fails.


Martin
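Here is an added Python model, not from this thread or from Juniper, for checking a class's allow-commands/deny-commands pair against the commands a restricted session is known to need before pushing the change to devices. It assumes Junos matches each regex against the whole command string (the reason ".*netconf" has to become ".*netconf.*") and that a matching allow-commands entry wins over deny-commands, as the ".*" deny in the thread implies; the list of commands to check is constructed from what this thread reports, not from verified Junos internals.

```python
import re

# allow-commands value from the original post (deny-commands is ".*")
ALLOW_OLD = ("show chassis hardware|exit|quit|xml-mode|.*netconf"
             "|.*need-trailer|.*close-session|show cli authorization")
# Revised value from the follow-up: "junoscript" added, ".*netconf" widened
ALLOW_NEW = ("show chassis hardware|exit|quit|xml-mode|junoscript|.*netconf.*"
             "|.*need-trailer|.*close-session|show cli authorization")
DENY = ".*"

# Constructed list of commands the restricted session needs. "junoscript"
# is included because the follow-up post found it must be allowed on
# 18.4R3-S2 / 19.4R2.6; this is not a verified list of Junos internals.
SESSION_COMMANDS = [
    "xml-mode netconf need-trailer",
    "junoscript",
    "show chassis hardware",
    "show cli authorization",
    "exit",
]


def authorized(command, allow, deny):
    """Model of Junos command authorization.

    Assumptions: the regex must match the whole command (so ".*netconf"
    does not cover "xml-mode netconf need-trailer"), and an allow-commands
    match takes precedence over a deny-commands match."""
    if allow and re.fullmatch(allow, command):
        return True
    if deny and re.fullmatch(deny, command):
        return False
    return True  # no explicit rule: fall back to the class permissions


def rejected(allow, deny=DENY, commands=SESSION_COMMANDS):
    """Return the commands the class would refuse; an empty list means the
    allow/deny pair covers everything the session issues."""
    return [c for c in commands if not authorized(c, allow, deny)]


if __name__ == "__main__":
    for name, allow in (("old", ALLOW_OLD), ("new", ALLOW_NEW)):
        print(f"{name} allow-commands rejects: {rejected(allow)}")
```

Run it after editing the regex and before committing the login class; the deny of ".*" still blocks anything outside the allow list, as the last assertion-style check on "show configuration" would show.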