mar...@tonusoo.xyz
Sep 1, 2021, 9:41:50 AM
to junos-p...@googlegroups.com
Hi,
I have a very restricted local user account named "inventory" for a
script using the PyEZ library on all my Juniper devices, ranging from QFX
series switches to MX series routers. This user belongs to a class named
"inventory", and this class has an "allow-commands" statement with the value
"show chassis hardware|exit|quit|xml-mode|.*netconf|.*need-trailer|.*close-session|show cli authorization"
and a "deny-commands" statement with the value ".*":
inventory@srx> show cli authorization
Current user: 'inventory ' class 'inventory'
Permissions:
view -- Can view current values and statistics
Individual command authorization:
Allow regular expression: show chassis hardware|exit|quit|xml-mode|.*netconf|.*need-trailer|.*close-session|show cli authorization
Deny regular expression: .*
Allow configuration regular expression: none
Deny configuration regular expression: none
inventory@srx>
The script calls the <get-chassis-inventory> and <close-session> RPCs, but
under the hood the "xml-mode netconf need-trailer" command (or its equivalent
RPC) is executed when the NETCONF session is established, and that's why
the "allow-commands" statement takes this into account as well. However,
in Junos version 18.4R3-S2 the "xml-mode netconf need-trailer" command
is no longer authorized. Example:
$ # NETCONF session to "srx" firewall running Junos 18.4R3-S2
$ ssh -b 10.10.10.141 srx -l inventory -s netconf
Password:
error: unknown command: xml-mode
$
There is no such issue with various other Junos releases ranging from
15.x to 18.x. Has anyone else encountered this problem? Is it a bug? Is
there a PR for this? If such a change was intentional, then where is it
documented in the release notes?
PS. I hope it's not off-topic as the issue seems to be related to Junos
itself rather than to PyEZ. However, perhaps folks here have encountered
the described issue.
thanks,
Martin
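The allow-commands/deny-commands pair in the post is a least-privilege control that stands or falls on how the regular expressions match, so it is worth checking the regex offline before (and after) a Junos upgrade. The following Python script is an added example, not code from the post, from PyEZ or from Juniper: it takes the two regexes exactly as shown in the "show cli authorization" output and reports how each of a handful of constructed command strings would be classified. It assumes two things about Junos that the post implies but does not state: that a regex is matched against the complete command string (modelled here with re.fullmatch), and that allow-commands takes precedence over deny-commands; the fallback label for a command matching neither regex is also an assumption. The constructed sample commands include one that ends in "netconf" but is not a NETCONF command at all, which shows why the ".*netconf"-style alternatives are broader than the class author probably intended.

```python
import re
from typing import Dict, Iterable

# Regular expressions copied verbatim from the "show cli authorization"
# output in the post (class "inventory").
ALLOW_COMMANDS = (
    r"show chassis hardware|exit|quit|xml-mode|.*netconf|.*need-trailer"
    r"|.*close-session|show cli authorization"
)
DENY_COMMANDS = r".*"

ALLOWED = "allowed (matched allow-commands)"
DENIED = "denied (matched deny-commands)"
NO_MATCH = "no regex match (assumed: class permission flags decide)"


def authorize(command: str, allow: str = ALLOW_COMMANDS, deny: str = DENY_COMMANDS) -> str:
    """Classify one operational-mode command string.

    Assumptions (not confirmed by the post): the regex must match the whole
    command (re.fullmatch), and allow-commands wins over deny-commands when
    both match. Leading/trailing whitespace is stripped before matching.
    """
    command = command.strip()
    if re.fullmatch(allow, command):
        return ALLOWED
    if re.fullmatch(deny, command):
        return DENIED
    return NO_MATCH


def audit(commands: Iterable[str], allow: str = ALLOW_COMMANDS, deny: str = DENY_COMMANDS) -> Dict[str, str]:
    """Return a command -> classification map for a whole list of commands."""
    return {cmd: authorize(cmd, allow, deny) for cmd in commands}


# Constructed sample commands: the ones the script in the post needs, two
# that the class should refuse, and one that slips through only because
# the ".*netconf" alternative is unanchored on the left.
SAMPLE_COMMANDS = [
    "show chassis hardware",              # needed by <get-chassis-inventory>
    "xml-mode netconf need-trailer",      # issued when the NETCONF session opens
    "show cli authorization",             # explicitly allowed
    "show chassis hardware detail",       # not in the allow list under fullmatch
    "request system reboot",              # caught by deny-commands ".*"
    "show log messages | match netconf",  # ends in "netconf": allowed by ".*netconf"
]

if __name__ == "__main__":
    for cmd, verdict in audit(SAMPLE_COMMANDS).items():
        print(f"{cmd!r:45} -> {verdict}")
```

Run it as-is to see the classification table; to review a different class, pass its allow and deny strings to audit(). The last sample line is the check a reviewer would want: any alternative that starts with ".*" matches every command string ending in that token, so tightening it to the exact command (for example the full "xml-mode netconf need-trailer" string) keeps the class as narrow as the post's intent.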