[j-nsp] "load replace" junoscript login class permissions

Mon Feb 29 11:32:57 EST 2016

This worked with a user whose login class only had "configure", and
allow-configuration"policy-options prefix-list AUTO-*".

policy-options {
  replace: prefix-list AUTO-SOMETHING {
    10.0.0.0/24;
  }
}

-Chris

On Fri, Feb 26, 2016 at 8:44 AM, Chuck Anderson <cra at wpi.edu> wrote:

> Can you please provide an example of what you are saying should work
> (in text format even)?
>
> This is what I was trying in XML (from perl) and it doesn't work with
> the permissions restricted to "policy-options prefix-list AUTO-.*",
> but it does work with the permissions widened to "policy-options .*":
>
> $jnx->load_configuration(
>         format => "xml",
>         action => "replace",
>         configuration => $replace);
>
> Where the contents of the $replace variable is:
>
> <configuration>
>   <policy-options>
>     <prefix-list replace="replace">
>       <name>AUTO-FOO</name>
>       <prefix-list-item>
>         <name>1.1.1.1/32</name>
>       </prefix-list-item>
>     </prefix-list>
>   </policy-options>
> </configuration>
>
> I believe I also tried applying the "replace" attribute on the <name>
> tag like this: <name replace="replace">AUTO-FOO</name>, but that isn't
> accepted as valid syntax.
>
> I ended up using a configuration group at Phil's suggestion.  That way
> I can restrict the permissions to "groups AUTO-PREFIX-LIST
> policy-options .*" to allow the replace operation to work but prevent
> the script from mucking with objects it isn't supposed to touch.
>
> Thanks.
>
> On Thu, Feb 25, 2016 at 12:05:36PM -0500, Chris Spears wrote:
> > Can you add a replace attribute in the container for the prefix-lists
> > matching /AUTO-*/, and see if the permissions work?   The equivalent
> > replace: tag in the text format works with a restricted login class when
> > using netconf.
> >
> >
> http://www.juniper.net/documentation/en_US/junos14.2/topics/reference/tag-summary/junos-xml-protocol-replace-attribute.html
> >
> >
> >
> >
> > On Mon, Feb 22, 2016 at 9:46 PM, Chuck Anderson <cra at wpi.edu> wrote:
> >
> > > On Mon, Feb 22, 2016 at 09:08:04PM -0500, Jared Mauch wrote:
> > > > > 1. "load replace" config with the new prefix list contents
> > > > > 2. commit
> > > >
> > > >
> > > > Try ‘load update’ first.
> > > >
> > > > That should be much faster than load replace.
> > >
> > > Yes, I see it is fast, but I can't figure out the right XML to do the
> > > equivalent of "load update relative" in the CLI.  If I leave off the
> > > "relative", then the entire configuration is replaced (deleted), not
> > > just the prefix-list.
> > >
> > > "show | compare | display xml" exists in 15.1, but not in 14.2 :-(
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>